2.5 Management Groups, Subscriptions, and Resource Groups

Key Takeaways

  • Management groups organize subscriptions for inherited governance and access.
  • Subscriptions are billing, quota, policy, and access boundaries for Azure resources.
  • Resource groups are lifecycle and management containers, but resources can have dependencies across groups.
  • Governance hierarchy questions often test inheritance direction and choosing the right scope.

Last updated: May 2026

The Azure Management Hierarchy

Azure governance starts with a hierarchy. At the top is the Microsoft Entra tenant and the tenant root management group. Under that, organizations create management groups. Subscriptions are placed under management groups. Resource groups live inside subscriptions. Resources live inside resource groups.

Level            | Main purpose                                      | Common governance use
-----------------|---------------------------------------------------|----------------------------------------------------------------------
Tenant           | Identity boundary and directory trust.            | Directory roles, users, groups, tenant-wide identity settings.
Management group | Organize subscriptions.                           | Assign policy and RBAC across many subscriptions.
Subscription     | Resource, billing, quota, and access boundary.    | Separate environments, departments, or billing units.
Resource group   | Lifecycle container for related resources.        | Delegate workload administration and apply tags, locks, or policy.
Resource         | Individual service instance.                      | Fine-grained access or lock only when needed.

Inheritance flows downward. A policy assigned at a management group can affect child subscriptions. An RBAC role assigned at a subscription can affect child resource groups. A lock at a resource group can affect resources in that group. The reverse is not true.

Management Groups

Management groups solve the problem of scale. If an organization has twenty production subscriptions, assigning the same allowed locations policy to each subscription is possible but tedious. Assigning it once at a Production management group is cleaner. Child subscriptions inherit the assignment.

A common layout is:

Management group  | Contains                                              | Example controls
------------------|-------------------------------------------------------|-------------------------------------------------------
Tenant root group | All management groups and subscriptions in the tenant. | Broad baseline policy, used carefully.
Platform          | Connectivity, identity, and management subscriptions. | Central operations RBAC and required diagnostics.
Landing zones     | Application subscriptions.                            | Standard tags, allowed regions, security baseline.
Production        | Production workloads.                                 | Strict policy, limited Owner assignments.
Sandbox           | Experiment subscriptions.                             | Cost controls and less restrictive service policy.

Exam trap: management groups do not contain resources directly. They contain subscriptions or child management groups. If a question asks where a VM is located, the answer is resource group in a subscription, not management group.

Subscriptions

A subscription is a major operational boundary. It is associated with billing, resource quotas, Azure RBAC scope, policy assignment scope, and service limits. Many organizations separate subscriptions by environment, workload, department, compliance requirement, or lifecycle.

Use separate subscriptions when you need stronger isolation, separate billing, different quota management, or distinct governance. Use resource groups inside one subscription when the workloads can share subscription-level policy, network model, and billing relationship.

Portal path: Subscriptions > select subscription for IAM, policies, budgets, resource providers, and resource groups. Administrators should know how to switch directories and subscriptions in the portal because many support tickets come from working in the wrong context.

Resource Groups

A resource group is a logical container for resources that are often managed together. Resource groups make it practical to delegate workload administration, deploy templates, view costs by group, apply locks, and clean up resources. However, a resource can connect to resources in other groups. A VM in one resource group can use a virtual network in another if permissions and architecture allow it.

Resource group location often confuses candidates. The resource group has a location because Resource Manager stores metadata there. The resources inside can be in different supported Azure regions. For operational clarity, most teams still group resources sensibly by workload and region.

Resource group design           | Example                           | Good fit or risk
--------------------------------|-----------------------------------|-------------------------------------------------------
By application and environment  | rg-payroll-prod, rg-payroll-dev   | Clear lifecycle and delegation.
By resource type only           | rg-all-vms, rg-all-storage        | Harder to delete or delegate a whole workload.
By shared platform service      | rg-hub-network                    | Works for central networking with controlled access.
One giant group                 | Everything                        | Poor delegation, cleanup, and blast-radius control.

Portal And CLI Decision Logic

Use the portal to inspect hierarchy, move a subscription under a management group, or review policy inheritance visually. Use CLI for repeatable subscription and group operations.

# List the subscriptions this identity can see; the IsDefault column marks the active context
az account list --output table
# Switch the active context so that later commands target the intended subscription
az account set --subscription <sub-id>
# Create a resource group; its location only determines where Resource Manager stores the group metadata
az group create --name rg-app-prod --location eastus
# Summarize the resource groups in the active subscription
az group list --query "[].{name:name,location:location}" --output table
# List the management groups visible to this identity in the tenant
az account management-group list

Before running any create or delete command, verify the active subscription with az account show. This is a real administrator habit and an exam clue. If a command succeeds in the wrong subscription, RBAC was not the problem; context was.

Governance Scenarios

Scenario: All production subscriptions must allow resources only in eastus and centralus. Assign an allowed locations policy at the Production management group. Do not configure the policy separately on every resource group unless the question limits the requirement to a single workload.

Scenario: The networking team manages hub VNets in three subscriptions. Put those subscriptions under a platform management group and assign appropriate RBAC to a networking security group at that management group. This avoids repeated per-subscription assignments.

Scenario: A development team needs full control over its application resources but no access to shared networking. Put app resources in a workload resource group, assign Contributor on that resource group, and keep shared network resources in a separate group with narrower permissions.

Scenario: A resource group delete operation fails because a resource has a delete lock. The resource group boundary defines lifecycle, but locks and dependencies still matter. Remove the lock only if governance permits it, then retry.

Exam Traps

Do not say a resource group is a billing account. It helps view and organize costs, but the subscription is the primary billing boundary in these questions.

Do not assume moving a resource group changes the region of resources. Movement and region placement are separate topics and many resources have move limitations.

Do not assign governance at tenant root casually. Tenant root assignments can affect every subscription in the tenant and are difficult to reason about in large estates. On the exam, use the lowest common parent scope that includes all required targets and excludes non-targets.
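The inheritance rule from The Azure Management Hierarchy, the first two governance scenarios, and the "lowest common parent scope" trap above all follow from the same tree model. The following added example (not part of this study guide) models that tree with constructed names; assignments are plain strings standing in for policy or RBAC assignments, and the containment rules are the ones the section states.

```python
# Added example: a model of the Azure scope hierarchy described in this section.
# Names are constructed; inheritance flows from a scope to its descendants only.
from dataclasses import dataclass, field

ALLOWED_CHILDREN = {"tenant_root": {"management_group", "subscription"},
                    "management_group": {"management_group", "subscription"},
                    "subscription": {"resource_group"}, "resource_group": {"resource"}, "resource": set()}

@dataclass(eq=False)
class Scope:
    name: str
    kind: str
    parent: "Scope | None" = None
    assignments: list = field(default_factory=list)

    def path(self) -> list:
        """Tenant root first, this scope last."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]

    def effective_assignments(self) -> list:
        """Assignments made at this scope plus everything inherited from its ancestors."""
        return [a for s in self.path() for a in s.assignments]

def add_child(parent: Scope, name: str, kind: str) -> Scope:
    """Create a child scope; rejects containment Azure does not allow (e.g. a VM under a management group)."""
    if kind not in ALLOWED_CHILDREN[parent.kind]:
        raise ValueError(f"a {parent.kind} cannot contain a {kind}")
    return Scope(name, kind, parent)

def lowest_common_scope(targets: list) -> Scope:
    """Deepest scope whose subtree holds every target: one assignment there covers them all."""
    common = None
    for level in zip(*(t.path() for t in targets)):
        if any(s is not level[0] for s in level):
            break
        common = level[0]
    return common

def covers(scope: Scope, target: Scope) -> bool:
    """True if an assignment at `scope` reaches `target` by inheritance."""
    return any(s is scope for s in target.path())

# Constructed hierarchy following the common layout table above.
root = Scope("Tenant Root Group", "tenant_root")
prod = add_child(add_child(root, "Landing zones", "management_group"), "Production", "management_group")
sandbox = add_child(root, "Sandbox", "management_group")
sub_pay, sub_web = [add_child(prod, n, "subscription") for n in ("sub-payroll-prod", "sub-web-prod")]
sub_sbx = add_child(sandbox, "sub-sandbox-01", "subscription")
vm_pay = add_child(add_child(sub_pay, "rg-payroll-prod", "resource_group"), "vm-payroll-01", "resource")
prod.assignments.append("Policy: allowed locations eastus,centralus")  # assigned once, at the Production MG
sub_pay.assignments.append("RBAC: Contributor -> payroll-admins")
```

`lowest_common_scope([sub_pay, sub_web])` returns the Production management group, while adding the sandbox subscription to the target list pushes the answer up to the tenant root group, which is exactly the over-broad scope the trap above warns against.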

Test Your Knowledge

Where should you assign a policy that must apply to all subscriptions under the Production management group and no others?

Which statement about resource group location is correct?

Before running Azure CLI commands that create resource groups, what should you verify to avoid deploying to the wrong place?
