
Subscriptions and management groups in Azure - Deep Dive

Overview - Subscriptions and management groups
What is it?
Subscriptions and management groups are ways to organize and control access to resources in Azure. A subscription is like a container that holds resources such as virtual machines and databases. Management groups are higher-level containers that group multiple subscriptions together for easier management and policy enforcement. They help keep large cloud environments organized and secure.
Why it matters
Without subscriptions and management groups, managing many resources and teams in Azure would be chaotic and risky. You would struggle to control who can do what, and it would be hard to apply rules consistently. These tools solve the problem of scale and security by providing clear boundaries and centralized control. This means better cost tracking, security, and compliance for businesses.
Where it fits
Before learning this, you should understand basic cloud concepts like resources and accounts. After this, you can learn about Azure role-based access control (RBAC), policies, and cost management. This topic is a foundation for managing large Azure environments effectively.
Mental Model
Core Idea
Subscriptions are containers for resources, and management groups are containers for subscriptions, creating a hierarchy to organize and control Azure resources at scale.
Think of it like...
Think of subscriptions as individual apartments where people live, and management groups as apartment buildings that hold many apartments. Managing rules and access at the building level is easier than doing it for each apartment separately.
Azure Hierarchy:

┌─────────────────────────────┐
│      Management Group       │
│  ┌───────────────┐          │
│  │ Subscription 1│          │
│  └───────────────┘          │
│  ┌───────────────┐          │
│  │ Subscription 2│          │
│  └───────────────┘          │
└─────────────────────────────┘

Each subscription contains resources like VMs, databases, and networks.
Build-Up - 6 Steps
1. Foundation: Understanding Azure Subscriptions
Concept: Learn what an Azure subscription is and its role as a resource container.
An Azure subscription is like a billing and management container. It holds all your Azure resources such as virtual machines, storage accounts, and databases. Each subscription has its own billing and access control settings. You can think of it as your personal cloud space where you create and manage resources.
Result
You understand that subscriptions group resources and define billing boundaries.
Knowing that subscriptions are the basic unit of resource grouping helps you organize and track cloud usage effectively.
2. Foundation: What Are Management Groups?
Concept: Introduce management groups as a way to organize multiple subscriptions.
Management groups sit above subscriptions in Azure's hierarchy. They let you group subscriptions together to apply policies and access controls at a higher level. For example, you can create a management group for all subscriptions used by your finance team. This way, you manage rules once for all those subscriptions instead of individually.
Result
You see how management groups simplify managing many subscriptions.
Understanding management groups helps you scale governance and security across large Azure environments.
3. Intermediate: Hierarchy and Policy Inheritance
🤔 Before reading on: Do you think policies set on management groups apply to all subscriptions inside them? Commit to your answer.
Concept: Learn how policies and access controls flow down the hierarchy from management groups to subscriptions and resources.
Policies and role assignments set on a management group automatically apply to all subscriptions and resources inside it. This inheritance means you can enforce rules like security standards or cost limits centrally. If you set a policy to block certain resource types at the management group level, no subscription inside can create those resources.
Result
You understand that management groups control policies and permissions for all nested subscriptions.
Knowing policy inheritance prevents mistakes where rules are inconsistently applied across subscriptions.
4. Intermediate: Subscription Limits and Management Group Scope
🤔 Before reading on: Can a subscription belong to multiple management groups at once? Commit to your answer.
Concept: Understand the limits on subscriptions and how management groups define scope boundaries.
Each subscription can belong to only one management group at a time, but management groups can have many subscriptions. Azure allows up to six levels of management groups above subscriptions. This structure helps keep your cloud organized but also means you must plan your hierarchy carefully to avoid complexity.
Result
You know the structural limits and how to plan your Azure organization.
Understanding these limits helps you design a clear and manageable cloud governance model.
5. Advanced: Using Management Groups for Cost and Security
🤔 Before reading on: Do you think management groups can help track costs across subscriptions? Commit to your answer.
Concept: Explore how management groups help with cost management and security compliance.
Management groups allow you to group subscriptions by department, project, or environment. This grouping helps track costs centrally and apply security policies consistently. For example, you can block risky resource types or enforce encryption policies across all subscriptions in a management group. This reduces manual work and errors.
Result
You see how management groups improve financial and security oversight.
Knowing this helps you leverage management groups to reduce cloud waste and security risks.
6. Expert: Complex Hierarchies and Policy Conflicts
🤔 Before reading on: What happens if two policies conflict at different management group levels? Commit to your answer.
Concept: Understand how Azure resolves policy conflicts in deep management group hierarchies.
When multiple policies apply from different management group levels, Azure evaluates all of them cumulatively and enforces the most restrictive outcome. If one policy allows a resource and another blocks it, the block wins. This behavior is good for security but can cause unexpected denials if the hierarchy is not planned carefully. Experts design hierarchies and policies to avoid conflicts and confusion.
Result
You grasp how policy conflicts are resolved and why careful planning is critical.
Understanding conflict resolution prevents costly mistakes and downtime in production environments.
Under the Hood
Azure organizes resources in a tree-like hierarchy where management groups are nodes above subscriptions. Policies and role assignments propagate down this tree. When a user requests an action, Azure checks permissions and policies starting from the resource up through subscription and management group levels. This layered check ensures consistent enforcement of rules and access control.
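A small Python model of the rules described in steps 3, 4 and 6 and in this section, added here as an illustration; it is not Azure's own code, and the node names, the "allow"/"deny" policy shape and the resource-type labels ("vm", "db") are constructed:

```python
"""Toy model of Azure's management-group tree; constructed for illustration, not Azure's engine."""
from dataclasses import dataclass, field

MAX_MG_DEPTH = 6  # page: up to six management-group levels below the tenant root group

@dataclass
class Node:
    name: str
    kind: str                      # "root", "mg", "subscription" or "resource"
    parent: "Node | None" = None   # a subscription sits in exactly one parent
    policies: dict = field(default_factory=dict)  # {resource_type: "allow" | "deny"}

def chain(node):
    """Path from a node up to the root: the levels Azure walks on each request."""
    out = []
    while node is not None:
        out.append(node)
        node = node.parent
    return out

def attach(child, parent):
    """Place child under parent, enforcing the structural limits the page states."""
    if child.parent is not None:
        raise ValueError(f"{child.name} already belongs to {child.parent.name}")
    if child.kind == "mg" and sum(n.kind == "mg" for n in chain(parent)) >= MAX_MG_DEPTH:
        raise ValueError("management groups may nest at most six levels deep")
    if child.kind == "resource" and parent.kind != "subscription":
        raise ValueError("resources can only be deployed inside a subscription")
    child.parent = parent
    return child

def effective_policies(node):
    """Merge the policies of every level above the node; a deny at any level wins."""
    merged = {}
    for n in chain(node):
        for rtype, effect in n.policies.items():
            merged[rtype] = "deny" if "deny" in (effect, merged.get(rtype)) else effect
    return merged

def can_create(node, resource_type):
    """A request succeeds only if no level in the chain denies that resource type."""
    return effective_policies(node).get(resource_type) != "deny"

def build_demo():
    """Constructed hierarchy: finance-mg denies VMs while sub1 tries to allow them."""
    root = Node("Tenant Root Group", "root")
    finance = attach(Node("finance-mg", "mg", policies={"vm": "deny"}), root)
    prod = attach(Node("finance-prod-mg", "mg"), finance)
    sub1 = attach(Node("sub1", "subscription", policies={"vm": "allow", "db": "allow"}), prod)
    return {"root": root, "finance": finance, "prod": prod, "sub1": sub1}
```

In the demo hierarchy `can_create(sub1, "vm")` is False even though sub1 itself allows VMs, because the deny inherited from finance-mg wins, which is the conflict behaviour step 6 describes.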
Why designed this way?
This design allows centralized governance at scale. Early Azure versions managed resources only at subscription level, which became hard to maintain for large organizations. Management groups were introduced to provide a scalable, hierarchical model that supports enterprise needs for compliance, security, and cost control.
Azure Resource Hierarchy:

┌─────────────────────────────┐
│      Management Group       │
│  ┌───────────────┐          │
│  │ Subscription 1│          │
│  │  ┌─────────┐  │          │
│  │  │Resource │  │          │
│  │  └─────────┘  │          │
│  └───────────────┘          │
│  ┌───────────────┐          │
│  │ Subscription 2│          │
│  └───────────────┘          │
└─────────────────────────────┘

Policy and access checks flow down and up this tree.
Myth Busters - 4 Common Misconceptions
Quick: Can a subscription belong to multiple management groups at the same time? Commit to yes or no.
Common Belief: A subscription can be part of many management groups simultaneously for flexible organization.
Reality: Each subscription can belong to only one management group at a time.
Why it matters: Trying to assign a subscription to multiple groups causes confusion and breaks policy inheritance, leading to governance gaps.
Quick: Do policies set on subscriptions override those on management groups? Commit to yes or no.
Common Belief: Policies on subscriptions override management group policies because they are closer to the resources.
Reality: Policies from management groups and subscriptions combine, and the strictest policy applies.
Why it matters: Misunderstanding this can cause unexpected resource denials or security holes.
Quick: Does creating many management groups always improve cloud management? Commit to yes or no.
Common Belief: More management groups always mean better organization and control.
Reality: Too many management groups create complexity and confusion, making management harder.
Why it matters: Overcomplicating the hierarchy can lead to mistakes and slow down operations.
Quick: Can management groups be used to directly deploy resources? Commit to yes or no.
Common Belief: You can deploy resources directly into management groups.
Reality: Resources can only be deployed inside subscriptions, not management groups.
Why it matters: Trying to deploy to management groups causes deployment failures and wasted effort.
Expert Zone
1. Management groups support up to six levels of hierarchy, but deeper nesting can cause policy evaluation delays and complexity.
2. Role assignments at management group level cascade down but can be overridden by deny assignments at subscription or resource level.
3. Azure locks and resource locks interact with management group policies, requiring careful coordination to avoid conflicts.
When NOT to use
Avoid using management groups for very small environments with few subscriptions; simpler subscription-level management suffices. For fine-grained access control, combine management groups with Azure RBAC and resource groups. Use Azure Policy for compliance enforcement instead of relying solely on management groups.
Production Patterns
Enterprises create management groups by department, environment (dev/test/prod), or geography to centralize policy and cost management. They use automation scripts to assign subscriptions to groups and apply policies consistently. Monitoring tools track policy compliance across the hierarchy to prevent drift.
Connections
Role-Based Access Control (RBAC)
Builds-on
Understanding management groups helps grasp how RBAC permissions can be assigned at different levels for scalable access control.
Organizational Hierarchies in Business
Same pattern
Management groups mirror company structures, showing how hierarchical organization simplifies governance and responsibility.
File System Directories
Similar structure
Like folders containing files and subfolders, management groups contain subscriptions and resources, helping visualize inheritance and containment.
Common Pitfalls
#1 Trying to deploy resources directly into a management group.
Wrong approach: az deployment group create --management-group-id mg1 --template-file template.json
Correct approach: az deployment group create --subscription sub1 --resource-group rg1 --template-file template.json
Root cause: Misunderstanding that resources must be deployed inside subscriptions and resource groups, not management groups.
#2 Assigning a subscription to multiple management groups.
Wrong approach: Assign subscription 'sub1' to management group 'mg1' and also to 'mg2' simultaneously.
Correct approach: Assign subscription 'sub1' to only one management group at a time, e.g., 'mg1'.
Root cause: Believing subscriptions can belong to multiple management groups for flexibility, which Azure does not allow.
#3 Setting conflicting policies without planning the hierarchy.
Wrong approach: Apply a policy allowing resource type A at subscription level and a blocking policy for the same resource at management group level without coordination.
Correct approach: Plan policies so that higher-level management group policies do not conflict with subscription-level policies.
Root cause: Not understanding that Azure enforces the strictest policy in case of conflicts.
Key Takeaways
Azure subscriptions are containers for resources and define billing and access boundaries.
Management groups organize subscriptions into a hierarchy for centralized policy and access management.
Policies and permissions set at management group level inherit down to subscriptions and resources, enforcing consistent governance.
Each subscription can belong to only one management group, and careful planning of the hierarchy prevents conflicts and complexity.
Understanding this hierarchy is essential for managing large Azure environments securely and efficiently.