Azure Resource Hierarchy

Quick Answer: Azure resources are organized in four levels: Management Groups (top) → Subscriptions → Resource Groups → Resources (bottom). Policies and access controls applied at a higher level are inherited by all levels below.

The Four Levels of Azure Resource Organization

Azure uses a hierarchical structure to organize and manage resources. Understanding this hierarchy is critical for the AZ-900:

Level 1: Management Groups

Management Groups are the highest level of organization in Azure. They provide a scope for applying governance policies (Azure Policy) and access control (RBAC) across multiple subscriptions.

• A tenant (your Azure Active Directory) has a single root management group
• Management groups can be nested up to six levels deep
• Policies and RBAC applied to a management group are inherited by all subscriptions and resources below it
• Useful for large enterprises with many subscriptions

Example: A company creates a management group for "Production" and another for "Development." Policies enforcing encryption are applied to the Production management group and automatically apply to all production subscriptions.

Level 2: Subscriptions

Subscriptions serve as both a billing boundary and an access control boundary.

As a billing boundary:

• Each subscription generates a separate invoice
• Organizations can set up multiple subscriptions for different departments, projects, or environments
• Usage charges are aggregated at the subscription level

As an access control boundary:

• RBAC policies can be applied at the subscription level
• Users can be granted access to specific subscriptions only
• Resources in different subscriptions are isolated by default

Common subscription strategies:

• Per environment: One subscription for dev, one for staging, one for production
• Per department: One subscription for IT, one for marketing, one for finance
• Per project: One subscription per major project or application

Level 3: Resource Groups

Resource Groups are logical containers for Azure resources. They are the most fundamental organizational unit in Azure.

Key rules:

• Every Azure resource must belong to exactly one resource group
• A resource group can contain resources from any Azure region (the resource group's location is just metadata storage)
• Resource groups cannot be nested inside other resource groups
• Resources can be moved between resource groups
• Deleting a resource group deletes all resources inside it
• RBAC and policies applied to a resource group are inherited by all resources within it

Best practices for resource group organization:

• Group resources that share the same lifecycle (created and deleted together)
• Group resources by application or workload
• Group resources by environment (dev, test, production)

Level 4: Resources

Resources are the individual Azure services you create and use — Virtual Machines, Storage Accounts, Databases, Virtual Networks, etc. Every resource exists inside a resource group.

Hierarchy Inheritance

One of the most important concepts for the AZ-900 is inheritance. Policies, RBAC roles, and tags applied at a higher level in the hierarchy are inherited by all levels below:

On the Exam: If a policy denying the creation of VMs larger than D4s is applied at the management group level, that restriction applies to ALL subscriptions, resource groups, and resources under that management group. Inheritance flows DOWN, not up.

Azure Resource Manager (ARM)

Azure Resource Manager (ARM) is the deployment and management service for Azure. EVERY interaction with Azure resources goes through ARM, regardless of the tool you use.

Whether you use the Azure Portal, Azure CLI, Azure PowerShell, REST API, or SDK — they all send requests to the ARM endpoint, which authenticates and authorizes the request, then forwards it to the appropriate Azure service.

Benefits of ARM:

• Declarative templates — Define infrastructure as code using ARM templates or Bicep
• Consistent management — All tools use the same ARM API
• RBAC — Fine-grained access control at every level of the hierarchy
• Tags — Apply metadata to resources for organization and cost tracking
• Dependencies — ARM understands resource dependencies and deploys them in the correct order

On the Exam: Remember that ALL Azure management tools (Portal, CLI, PowerShell, REST API) communicate through Azure Resource Manager. ARM is the single control plane for Azure.