Understanding Azure Subscriptions
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Understanding Azure Subscriptions: The Foundation of Cloud Governance
Introduction: Why Subscriptions Matter
When you begin your journey into Microsoft Azure, the first concept you encounter is the subscription. Many newcomers treat the subscription as a simple billing container, but this is a significant misunderstanding that can lead to security vulnerabilities, budget overruns, and management chaos. An Azure subscription is the logical unit of account that links your identity, your billing, and your resources. It serves as the primary boundary for resource management, access control, and policy enforcement.
Understanding subscriptions is critical because they represent the primary "scope" for almost every action you take in the cloud. Whether you are assigning a permission to a user, applying a compliance policy to ensure data residency, or simply trying to figure out why a specific virtual machine costs so much money, the subscription is the anchor point. Without a solid grasp of how these containers function, you will struggle to scale your infrastructure or maintain a secure environment as your organization grows from a single project to an enterprise-wide cloud footprint.
This lesson explores the architecture of Azure subscriptions, how they interact with management groups, the nuances of billing, and the governance strategies necessary to keep your environment organized and cost-effective. By the end of this guide, you will understand not just how to create a subscription, but how to architect a subscription model that serves your business needs for years to come.
The Hierarchy of Azure Governance
To understand subscriptions, you must first understand where they sit in the Azure hierarchy. Azure is not a flat structure; it is a nested set of containers that helps you organize and control your environment.
1. The Management Group
Management Groups are the top level of the hierarchy. They allow you to manage access, policy, and compliance for multiple subscriptions. If you have ten subscriptions, you can apply a single policy to the Management Group, and it will inherit down to all ten subscriptions automatically. This is essential for large organizations that need to enforce consistent rules across different departments or environments (like Prod vs. Dev).
2. The Subscription
The subscription is the middle layer. It is the boundary for billing and resource limits. Every resource in Azure must belong to exactly one subscription. This makes the subscription the most important unit for budget tracking and granular access control.
3. Resource Groups
Resource groups are logical containers inside a subscription. They hold related resources like virtual machines, databases, and storage accounts. While subscriptions are for billing and identity, resource groups are for lifecycle management. You might group all resources for a specific web application into one resource group so you can delete the entire application with one command.
4. Resources
The actual service instances, such as an App Service, a SQL Database, or a Virtual Network.
Callout: Scopes and Inheritance In Azure, governance is based on the concept of "scope." A scope is any level in the hierarchy (Management Group, Subscription, Resource Group, or Resource). Permissions and policies assigned at a higher level automatically flow down to lower levels. This is known as inheritance. For example, if you deny the ability to create public IP addresses at the Management Group level, that restriction is inherited by every subscription inside it, preventing anyone from bypassing your security rules.
Subscription Lifecycle and Billing
Billing is often the primary reason organizations create multiple subscriptions. Azure subscriptions are tied to a specific billing account. This account determines how you pay, who pays, and the currency used.
Understanding Billing Accounts
When you sign up for Azure, you are associated with a billing account. This account might be an Enterprise Agreement (EA), a Microsoft Customer Agreement (MCA), or a Pay-As-You-Go account. The subscription is essentially a child of this billing account. If you need to separate costs between different departments—for instance, if the Marketing department needs to pay for their own campaigns while IT pays for core infrastructure—you would typically create separate subscriptions for them.
Subscription Limits and Quotas
Every subscription has built-in limits. For example, there are limits on how many virtual cores you can deploy or how many storage accounts you can create in a single region. These are called "Quotas." If you hit these limits, you must request an increase from Microsoft. By splitting workloads into multiple subscriptions, you can manage these quotas more effectively. If one project consumes all the available vCPU quota, it won't impact the productivity of another project residing in a different subscription.
Warning: The "One Subscription" Myth Many organizations start with a single subscription to keep things "simple." This is a common pitfall. As the environment grows, you will eventually need to split resources into different environments (Development, Testing, Production). Moving resources between subscriptions is possible but can be time-consuming and disruptive. It is much better to start with a multi-subscription strategy from day one.
Best Practices for Subscription Design
Designing your subscription structure is an architectural decision that should be made before you deploy your first virtual machine. Here are the industry-standard approaches to organizing your environment.
1. Environment-Based Separation
The most common pattern is to separate subscriptions by environment. You might have:
- Prod Subscription: Strictly controlled, limited access, high-budget alerts.
- Dev/Test Subscription: More permissive access for developers to experiment, separate budget.
- Sandbox Subscription: For proof-of-concept work where developers can break things without impacting anyone else.
2. Business Unit Separation
In large organizations, it is common to separate subscriptions by business unit or department. This allows for clear chargebacks. If the Finance department uses $5,000 of Azure resources, it is easy to bill that directly to their budget code if their resources are in a dedicated "Finance Subscription."
3. Regional Separation
While Azure regions are logical, sometimes regulatory requirements demand that data stays within a specific boundary. If you have strict compliance requirements for different countries, you might choose to separate subscriptions based on geographical location to ensure that policies are applied correctly.
Managing Access: Role-Based Access Control (RBAC)
Because the subscription is the primary unit for identity, you need to know how to grant access. Azure uses Role-Based Access Control (RBAC). You assign a role to a user, group, or service principal at the subscription level.
Common Roles
- Owner: Has full access to all resources, including the ability to delegate access to others.
- Contributor: Can create and manage all types of Azure resources but cannot grant access to others.
- Reader: Can view existing Azure resources but cannot make any changes.
- User Access Administrator: Allows you to manage user access to Azure resources.
Example: Assigning a Role via Azure CLI
If you are managing your infrastructure as code, you will likely use the Azure CLI to assign permissions. Here is how you would grant a user "Contributor" access to a specific subscription:
# First, identify the subscription ID
az account list --output table
# Assign the Contributor role to a user
az role assignment create \
--assignee "[email protected]" \
--role "Contributor" \
--scope "/subscriptions/YOUR-SUBSCRIPTION-ID"
Explanation: The az role assignment create command is the standard way to apply permissions. The --scope parameter is crucial here—by pointing it to the subscription ID, you ensure the user has contributor rights across the entire subscription, including all resource groups within it.
Governance: Applying Policies at Scale
Governance is the "rules of the road" for your cloud environment. Azure Policy allows you to enforce rules, such as "All resources must have a 'Department' tag" or "Virtual machines can only be deployed in the US East region."
Why Policy at the Subscription Level?
If you apply a policy at the resource group level, you have to remember to apply it every time you create a new group. If you apply it at the subscription level, it is "set and forget." Every resource group created in the future will automatically be subject to that policy.
Common Policy Uses
- Allowed Locations: Restricts which regions users can deploy to.
- Allowed Resource Types: Prevents users from deploying expensive services (like high-end GPUs) without approval.
- Tagging Enforcement: Ensures that every resource is tagged for cost-tracking purposes.
Tip: Use Policy Initiatives Instead of assigning individual policies, group them into an "Initiative" (also called a Policy Set). You can create an initiative called "Production Compliance" that includes policies for tagging, region restriction, and logging. Assigning one initiative is much cleaner than assigning twenty individual policies.
Cost Management and Budgeting
Managing your subscription also means managing your budget. Azure provides "Cost Management + Billing" tools that are natively integrated into the subscription view.
Setting Up Budget Alerts
You should never launch a production environment without a budget alert. You can configure Azure to send an email to your operations team when a subscription hits 50%, 75%, and 90% of its monthly budget.
- Navigate to your subscription in the Azure Portal.
- Select Cost Management + Billing from the menu.
- Click on Budgets.
- Define your spending limit and select the email addresses to notify.
This simple step is the difference between a minor accounting correction and a six-figure surprise at the end of the month.
Common Pitfalls and How to Avoid Them
Even experienced cloud engineers fall into traps with subscription management. Here are the most frequent mistakes:
1. The "Root" Account Problem
Many people log in with their personal global administrator account to manage subscriptions. This is a security risk. Always use the principle of least privilege. If you are doing day-to-day operations, do not use your Global Admin account; use an account with the specific permissions required for that subscription.
2. Ignoring Resource Locks
Resource locks prevent accidental deletion of critical infrastructure. You can apply a "CanNotDelete" lock at the subscription level. If someone tries to delete a resource group, the system will block the action.
- Best Practice: Place a "CanNotDelete" lock on your Production subscription to prevent someone from accidentally deleting the entire environment during a maintenance window.
3. Mismanaging Service Principals
When you automate deployments (like using Terraform or GitHub Actions), you use a "Service Principal." Do not give the Service Principal "Owner" rights to the subscription. Give it "Contributor" rights at most, and restrict it to specific resource groups if possible.
Callout: Service Principals vs. Managed Identities A Service Principal is an identity created for applications to access Azure resources. A Managed Identity is a special type of Service Principal that is automatically managed by Azure. If you are running code inside an Azure Virtual Machine or App Service, always use a Managed Identity. It eliminates the need to manage secrets or passwords, significantly improving your security posture.
Practical Exercise: Organizing Your Hierarchy
To reinforce these concepts, let's look at a hypothetical scenario. You are the lead cloud architect for a mid-sized retail company.
Requirements:
- You have a "Corporate" department and an "E-commerce" department.
- Both need Dev and Prod environments.
- You must ensure that no one can deploy resources outside of the North Europe region for data sovereignty.
The Solution:
- Management Groups: Create one for "Corporate" and one for "E-commerce."
- Subscriptions: Create four subscriptions total:
- Corporate-Dev
- Corporate-Prod
- E-commerce-Dev
- E-commerce-Prod
- Governance: Apply the "Allowed Locations" policy at the top-level Management Group (the "Tenant Root Group"). This ensures that all four subscriptions automatically inherit the policy, keeping your data in North Europe regardless of which department is deploying.
This structure is clean, scalable, and easy to audit. If the E-commerce team grows, you can add more subscriptions under their Management Group without touching the Corporate team's configuration.
Comparing Subscription Options
When deciding how to structure your subscriptions, it helps to see the trade-offs:
| Strategy | Pros | Cons |
|---|---|---|
| Single Subscription | Simplest management, easy to see total costs. | Hard to isolate budgets, quota limits reached quickly. |
| Environment-based | Clear separation of Prod/Dev, easier to apply different security policies. | More subscriptions to monitor, complex billing reports. |
| Business-Unit based | Perfect for chargebacks, clear ownership of resources. | Can lead to "siloed" infrastructure, potential duplicate costs. |
Note: Most successful enterprises use a hybrid approach, where they have a top-level structure based on business units, with environment-based subscriptions underneath those units.
Advanced Management: Tags and Naming Conventions
While tags are not technically part of the subscription object, they are the primary way you make sense of your subscription contents.
The Importance of Tagging
A subscription is a container, but it doesn't tell you what is inside. If you have 500 virtual machines, you need tags to identify their purpose.
Environment: ProductionOwner: FinanceTeamCostCenter: 12345
Enforcing Tags
You can use Azure Policy to deny the creation of any resource that does not have these required tags. This ensures that your cost reporting is accurate, as you can filter by these tags in the Cost Management portal.
// Example Azure Policy snippet to enforce tags
{
"if": {
"field": "tags['Environment']",
"exists": "false"
},
"then": {
"effect": "deny"
}
}
Explanation: This JSON snippet represents a policy rule. It says, "If the 'Environment' tag does not exist on the resource being created, deny the creation." This is a powerful way to enforce governance at the subscription level.
Common Questions (FAQ)
Q: Can I move a resource from one subscription to another? A: Yes, Azure supports moving resources between subscriptions. However, there are dependencies. For example, some resources (like virtual networks) have specific requirements for being moved. Always check the official documentation before moving complex resources.
Q: Does deleting a subscription delete all resources? A: Yes. When you cancel or delete a subscription, all resources inside it are eventually decommissioned. This is why you should always use Resource Locks on production subscriptions.
Q: How do I change the billing owner of a subscription? A: This is done through the Azure Portal in the "Cost Management + Billing" section. You can transfer ownership of a subscription to another billing account, though this requires specific permissions.
Q: Are there costs associated with having multiple subscriptions? A: No, the number of subscriptions you have does not impact your Azure bill directly. You only pay for the resources you deploy inside them.
Summary of Key Takeaways
To master Azure subscriptions, keep these principles at the forefront of your architecture:
- Subscriptions are more than billing: They are the foundation of your security, identity, and policy boundaries. Never treat them as just a "container for money."
- Hierarchy is your friend: Use Management Groups to apply policies to multiple subscriptions at once. This reduces manual work and prevents configuration drift.
- Start with a multi-subscription strategy: Do not try to cram all your environments into one subscription. Separate by environment (Dev, Test, Prod) early to make your life easier later.
- Use Policy for Enforcement: Don't rely on human memory to enforce rules. Use Azure Policy to mandate tags, regions, and resource types.
- Secure your Management Plane: Use Role-Based Access Control (RBAC) to limit who can modify the subscription. Apply the principle of least privilege, and use Managed Identities whenever possible.
- Protect your assets: Apply "CanNotDelete" resource locks on critical production subscriptions to prevent catastrophic accidental deletions.
- Monitor your budget: Set up automated budget alerts on every subscription. You want to be the one to tell your manager about a budget overage, not the one being asked to explain a surprise bill from the CFO.
By following these practices, you transform the subscription from a simple administrative requirement into a powerful tool for governance, security, and operational efficiency. You are now prepared to architect a cloud environment that is as robust as it is manageable.
Final Thoughts: The Path Forward
Managing Azure subscriptions is an iterative process. As your business changes, your subscription structure may need to evolve. Do not be afraid to refactor your hierarchy as you learn more about your team's needs and your organization's compliance requirements. The goal is not to reach a "perfect" structure on day one, but to build a foundation that is transparent, secure, and aligned with your operational goals.
As you continue your learning, focus on automating these configurations. Infrastructure-as-Code (IaC) tools like Terraform or Bicep are the best way to deploy subscriptions and policies. By codifying your governance, you ensure that every new subscription you create is born with the same security and compliance standards as the last. This is the hallmark of a mature, professional cloud infrastructure.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons