When working with Microsoft Azure, it’s crucial to understand the organizational hierarchy that Azure uses to manage and organize resources. This hierarchy comprises resource groups, subscriptions, and management groups: each layer possesses its own unique set of responsibilities and functions which contribute to the overall control, distribution, and implementation of resources.
1. Resource Groups
A resource group in Azure is a logical construct which holds related resources for an Azure solution. These related resources could collectively form a single project or service. Some examples include virtual machines, storage accounts, and web applications. It’s also important to clarify that all resources must be part of a resource group.
Resource groups also serve as the axis point for user access control: Azure Active Directory can create and manage identities linked to resource groups, thereby enabling or restricting accessibility to certain resources.
2. Subscriptions
A level higher than resource groups are subscriptions. A subscription associates user accounts and the resources that were created by these user accounts. Every resource group is housed under a subscription. Subscriptions are crucial for billing as they help keep track of costs, and they also let you organize resources to suit your billing, management, or configuration needs.
Multiple subscriptions can be organized into a hierarchy for better management. For instance, an enterprise can have different subscriptions for each department. It provides the users with an isolated environment within Azure to work and manage resources.
3. Management Groups
At the top of the hierarchy is the management group. Management groups provide a way to manage access, policies, and compliance across multiple Azure subscriptions. If your organization has many subscriptions, you can organize them into a hierarchy in Azure by using management groups.
As an example, imagine a corporation with numerous departments, each having a separate subscription. Simultaneously, this corporation has defined a set of Azure Policy definitions that apply to the entire organization. Rather than assigning these policies to each subscription, it can define the policies once at the root level management group, and they apply to each subscription below that management group.
Below is a tabular representation for more clarity:
Rank | Construct | Function |
---|---|---|
1 | Management Group | Used for policy and access management across multiple subscriptions. |
2 | Subscription | Binds user accounts and the resources created by these user accounts. Also organizes resources for billings and management |
3 | Resource groups | Houses related resources for an Azure solution, serves as control point for user access. |
Understanding the hierarchy of resource groups, subscriptions, and management groups will help you make the most of Azure’s structure and is a critical concept in managing resources in Azure. This knowledge is particularly helpful for the AZ-900 Microsoft Azure Fundamentals exam as it forms the basis of other advanced aspects of using Azure.
Practice Test
True or False: A Resource Group in Azure does not need to contain resources that reside in the same region.
- True
- False
Answer: True.
Explanation: A Resource Group in Azure is not tied to a specific region. Instead, it serves as a way to organize resources in your subscription.
Single Select: From top to bottom, what is the correct order of the Azure hierarchy?
- a) Subscriptions, Management Groups, Resource Groups
- b) Management Groups, Subscriptions, Resource Groups
- c) Resource Groups, Subscriptions, Management Groups
- d) Subscriptions, Resource Groups, Management Groups
Answer: b) Management Groups, Subscriptions, Resource Groups.
Explanation: The Azure hierarchy, from top to bottom, is Management Groups, Subscriptions, and then Resource Groups.
True or False: Each Azure subscription is associated with only one Azure directory.
- True
- False
Answer: True.
Explanation: One Azure directory is associated with each subscription and the directory can have multiple subscriptions associated with it.
Single Select: What is a function of Azure Management Groups?
- a) To manage access, policy, and compliance.
- b) To act as a storage unit for resources.
- c) To help with networking and communication.
- d) None of the above.
Answer: a) To manage access, policy, and compliance.
Explanation: Azure Management Groups are used for providing access control, policy, and compliance management for multiple subscriptions.
True or False: You cannot have multiple resource groups in a single subscription.
- True
- False
Answer: False.
Explanation: A subscription can contain multiple resource groups, and each resource group can contain multiple resources.
Single Select: The maximum number of management groups in a single directory is?
- a) 10,000
- b) 1,000
- c) 5,000
- d) Unlimited
Answer: a) 10,000
Explanation: An Azure Active Directory tenant can have up to 10,000 management groups.
True or False: Management groups must always have resources.
- True
- False
Answer: False.
Explanation: Management groups don’t directly contain resources. Instead, they help manage access, policies, and compliance for the subscriptions and resource groups that are their children.
True or False: A single resource can be part of multiple resource groups.
- True
- False
Answer: False.
Explanation: A resource in Azure can only be part of a single resource group, though it can interact with resources in other resource groups.
Multiple Select: The resource groups in an Azure subscription..
- a) Can contain resources from different Regions.
- b) Must contain resources from the same Region.
- c) Is a way to organize resources in your subscription.
- d) Is for billing aggregation.
Answer: a) Can contain resources from different Regions. c) Is a way to organize resources in your subscription.
Explanation: Resource groups can contain resources that reside in different regions and they are a way to organize resources in your subscription.
True or False: Each subscription in Azure can be associated with a different Azure Directory.
- True
- False
Answer: True.
Explanation: Each Azure subscription is associated with a single Azure AD directory. However, each directory can have multiple subscriptions associated with it.
Single Select: Azure Management Groups allow for:
- a) Scalability of authorization and policy enforcement.
- b) Network traffic control.
- c) Administering billing for groups of subscriptions.
- d) a and c.
Answer: d) a and c.
Explanation: Azure Management Groups help scale access control and policy enforcement and can help administer billing across multiple subscriptions.
True or False: A single subscription can contain resources that reside within different resource groups.
- True
- False
Answer: True.
Explanation: An Azure subscription can contain multiple resource groups, which in turn can contain multiple resources.
Multiple Select: In Azure hierarchy,…
- a) Management Groups are at the highest level.
- b) Subscriptions are at the lowest level.
- c) Resource Groups are at the highest level.
- d) Resource Groups are at the lowest level.
Answer: a) Management Groups are at the highest level. d) Resource Groups are at the lowest level.
Explanation: In the Azure hierarchy, Management Groups are at the highest level, followed by Subscriptions, with Resource Groups at the lowest level.
True or False: An Azure directory can be associated with multiple subscriptions.
- True
- False
Answer: True.
Explanation: An Azure directory can be associated with multiple subscriptions, but each subscription is associated with only one directory.
Single Select: Which of the following is not true about resource groups in Azure?
- a) They help to group resources that share a similar life cycle.
- b) They are bound to a specific region.
- c) They can contain resources from different regions.
- d) They are a unit of management for resources in a subscription.
Answer: b) They are bound to a specific region.
Explanation: Resource groups in Azure are not specific to any region. They are primarily containers that hold related resources for an Azure solution.
Interview Questions
What is a resource group in Azure?
A resource group in Azure is a logical container for resources deployed on Azure. It holds related resources for an Azure solution. The resource group could include all the resources for a solution, or only those resources that are logically grouped together.
What is a subscription in Azure?
Subscription in Azure is an agreement with Microsoft to use one or more Microsoft cloud services. As part of signing up for a subscription, you agree to pay a monthly fee to use the services.
How are Azure resources grouped?
Azure resources are grouped in Azure using Resource Groups. A resource group is a logical container where Azure resources are deployed and managed.
How are subscriptions and resource groups related in Azure?
A resource group is within an Azure subscription and each resource can only be a part of one resource group. Subscriptions help manage costs and resources created by users, teams, or projects and they act as a way to control and organize resources in Azure.
What are management groups in Azure?
Management groups in Azure are containers that help you manage access, policy, and compliance across multiple subscriptions. All subscriptions in a management group automatically inherit the conditions applied at the management group level.
Can a resource group exist without a subscription in Azure?
No, a resource group in Azure cannot exist without a subscription. A resource group is a part of a single Azure subscription.
What is the hierarchy of resources in Azure?
The hierarchy of resources in Azure is as follows: Management groups sit at the top level in the hierarchy, followed by subscriptions. Each subscription contains one or more resource groups, and a resource group contains one or more resources.
How many management groups can a single directory have?
A single directory can have up to 10,000 management groups.
What is the use of Resource subscriptions in Azure?
Resource subscriptions are used to create and manage resources in Azure, organize access to resources, and control and manage billing in Azure.
How many levels of nesting can Azure Management Groups support?
Azure Management Groups can support up to six levels of nesting.
Can you move resources from one resource group to another?
Yes, you can move resources from one resource group to another in the same subscription.
Can you move a subscription from one management group to another management group?
Yes, you can move a subscription from one management group to another management group.
Can a subscription have multiple resource groups?
Yes, a subscription can have multiple resource groups. Each resource group is used to manage and organize resources within a single Azure subscription.
Can a resource group span subscriptions?
No, a resource group cannot span subscriptions. Each resource group is contained within a single subscription.
How is a management group different from a resource group?
A resource group is a container that holds related resources for an Azure solution, while a management group is a container for managing access, policies, and compliance across multiple subscriptions.