2.2.2. π‘ First Principle: Subscriptions and Management Groups
First Principle: Azure's management hierarchy provides a structured way to organize, govern, and control cloud resources at scale. Its core purpose is to enable consistent policy enforcement, centralized management, and clear billing boundaries.
What It Is: This refers to the logical containers used to manage access, policies, and costs across an Azure environment.
- Azure Subscriptions: A Subscription is a logical container for your resources and a boundary for billing. All resources must be deployed into a subscription.
- Use Case: Often used to separate environments (dev, test, prod), departments, or projects for billing and access control purposes.
- Management Groups: Management Groups are containers for managing access, policy, and compliance across multiple subscriptions.
- Use Case: An enterprise can create a management group hierarchy to apply governance policies (e.g., restricting which regions resources can be deployed to) across all their subscriptions efficiently.
Scenario: A large enterprise has multiple departments, each with its own IT budget and projects. The central IT team needs to enforce a global security policy across all departments but wants to allow each department to manage its own costs.
Reflection Question: How does the use of Management Groups (for global policies) and Subscriptions (for departmental billing and access) allow this enterprise to achieve both centralized governance and decentralized management?
π‘ Tip: The hierarchy is: Management Groups -> Subscriptions -> Resource Groups -> Resources. Policies and access rights applied at a higher level are inherited by the levels below.
