What is Azure management groups and subscription?

In this article I will quickly explain what What is Azure management groups and subscription.

Azure subscriptions

You must have a subscription to take advantage of Azure’s cloud-based services. It acts as a single Azure resource billing unit in which a subscription is paid for services used in Azure. A single account is connected to an Azure subscription, the one that was used to establish the subscription and is used for billing purposes. Resources can be provided as examples of the various Azure products and services inside the subscription.

A subscription gives you authenticated and registered access to products and services from Azure. It also facilitates the availability of services for you. An Azure subscription is a logical Azure service unit that links to an Azure account that is an Azure Active Directory (Azure AD) identity or a directory that is trusted by Azure AD

There are three main forms of free, pay-as-you-go and member offers available for subscriptions.

An account can have one subscription or several subscriptions with different billing models and different access-management policies to which you apply. To define boundaries around Azure products, programs, and resources, you can use Azure subscriptions. There are two forms of boundary subscriptions that you can use:

• Billing boundary: This form of subscription defines how to charge an Azure account for using Azure. For various types of billing conditions, you can build several subscriptions. For each subscription, Azure produces different billing reports and invoices so that you can organize and handle costs.
• Access control boundary: At the subscription level, Azure implements access management policies, and you can create different subscriptions to represent various organizational structures. An example is that you have different divisions within a company, to which you apply separate Azure subscription policies. This billing model helps you to monitor and control access to the services that unique subscriptions provide users with.

Create additional Azure subscriptions

For resource or billing management purposes, you may want to build additional subscriptions.

• Environments: You can choose to build subscriptions to set up different environments for creation and testing, protection, or to isolate data for compliance purposes when managing your resources. This design is especially useful since regulation of resource access exists at the subscription stage.
• Organizational structures: Subscriptions can be generated to represent various organizational structures. For instance, while giving the IT department a wide range, you might restrict a team to lower-cost resources. Inside could subscription, this design help you to monitor and control access to the services that users have.
• Billing: For billing purposes, you may want to build additional subscriptions as well. You may want to build subscriptions to control and monitor costs based on your needs, since costs are first aggregated at the subscription stage.
• Subscription Limits: Subscriptions are subject to certain challenging restrictions. The maximum number of Azure ExpressRoute circuits per subscription, for instance, is 10. When you build subscriptions on your account, certain limits should be considered.

Customize billing to meet your needs

You can organize these into invoice sections if you have several subscriptions. Each portion of the invoice is a line item on the invoice that illustrates the charges incurred that month. For instance, for your company, you might need a single invoice but want to arrange fees by department, team, or project.

You can set up several invoices under the same billing account, depending on your needs. Build additional billing profiles to do this. Per billing profile has its own monthly invoice and mode of payment. 

A summary of how billing is organized is shown in the following diagram. Your billing may be set up differently if you’ve already signed up for Azure or if your company has an Enterprise Agreement.

Azure management groups

You may need a way to manage access, policies, and enforcement effectively for those subscriptions if your company has several subscriptions. Management groups at Azure have a scope standard above subscriptions. You organize subscriptions into containers called “management groups” and submit to the management groups the governance conditions.

The criteria applied to the management group are immediately inherited by all subscriptions within the management group. Management groups offer you a broad scale of enterprise-grade management, regardless of what kind of subscriptions you may have. The same Azure Active Directory tenant must be trusted by all subscriptions within a single management community.

For example, a management group that restricts the regions available for virtual machine (VM) development can be added to policies.

Hierarchy of management groups and subscriptions

To organize your resources into a hierarchy for unified policy and access control, you can create a versatile system of management groups and subscriptions. An instance of building a hierarchy for governance using management groups is seen in the following diagram.

For example, you can build a hierarchy that applies a policy that restricts VM locations in the category called “Production” to the US West Zone. All Enterprise Agreement (EA) subscriptions that are descendants of that management community will be inherited by this policy which will extend to all VMs under those subscriptions. The resource or subscription owner that allows for enhanced governance does not change this security policy.

The provision of user rights to several subscriptions is another example where you can use management groups. You may build one Azure task assignment for the Management Group by moving multiple subscriptions under that Management Group, which will inherit access to all subscriptions. Instead of scripting Azure RBAC over multiple subscriptions, one management group assignment will allow users to access anything they need.

Facts and Summary

• In a single directory, 10,000 azure management groups can be supported.
• Up to six levels of depth can be provided by a Management Community tree. The root level or the subscription level may not have this cap.
• Only one parent will support each management group and the subscription.
• There could be several kids in each management department.
• In any directory, all subscriptions and management groups are within a single hierarchy.