Azure management groups and subscriptions

In our previous 2 articles of this azure tutorial, we discussed Azure resource groups and the benefits they provide. In this article, we will discuss azure management groups and subscriptions.

If there are only a few subscriptions in your organisation, then it's relatively simple to manage them independently. However, in an organisation there are usually many employees and may be, many applications. If all these employees are provided azure subscriptions and if they start creating azure resources at will, it may soon become difficult to control, manage and track who is creating what and eventually the costs may go out of control. So, Azure has four levels of management-scope to organize, secure, manage and track the costs. The following image from MSDN shows the four levels of management-scope and the relationship between them.

azure management scopes

Management groups

Management group is at the top of the hierarchy. All subscriptions in a management group automatically inherit the conditions or settings specified at the management group level. So, a management group is like a container for all your subscriptions. Just like how there can be multiple subscriptions, there can also be multiple management groups in an organisation.

The following image is from MSDN, and it shows, how we can build a flexible structure of management groups and subscriptions to organize our resources into a hierarchy for unified policy and access management. 

azure management scopes

For whatever reason, let's say, in our organisation, we want to allow azure resources to be created only in the East US region. One easy way to do this is to create such a policy at the IT Management Group level. This policy is then automatically enforced on all the Management Groups and Subscriptions that are descendants of the IT management group. The descendants will not be able to alter this security policy in any way and it is also applicable to all resources under those subscriptions. So, obviously governance becomes much easier.

Management settings like policies and role-based access control can be applied at any of the management levels. The level you select determines how widely the setting is applied. Lower levels inherit settings from higher levels. For example, when you apply a policy to a subscription, that policy is also applied to all resource groups and resources in that subscription. In general, it makes sense to apply critical settings at higher levels and project-specific settings at lower levels.


A subscription sits under a management group. It associates user accounts and the resources that were created by those user accounts. Each subscription has limits or quotas on the amount of resources you can create and use. Organizations can use subscriptions to manage costs and the resources that are created by users, teams, or projects.

Resource groups

A resource group, as the name implies, is a group of related azure resources. It is basically a logical container into which Azure resources like web apps, databases, and storage accounts are deployed and managed. We discussed resource groups in detail in Parts 5 and 6 of this azure tutorial.


An azure resource is any service instance that you create. For example, virtual machine, Azure sql database, storage account etc.

Azure tutorial for beginners

© 2020 Pragimtech. All Rights Reserved.