Azure AZ-900 Fundamentals Exam

Start here! Get your feet wet with the Microsoft cloud and begin your journey to earning your Microsoft Certified: Azure Fundamentals certification!


Describe the hierarchy of resource groups, subscriptions, and management groups

Explore Management Groups

Management groups in Azure are used to manage multiple subscriptions efficiently. They provide a hierarchical structure that allows you to apply policies and manage access at scale. By organizing subscriptions into management groups, you can enforce governance conditions that cascade down to all associated subscriptions. This means that any policy or access control applied at the management group level will automatically apply to all nested subscriptions and resources.

The hierarchical structure of management groups is flexible, allowing you to create a structure that fits your organization's needs. For example, you can apply a policy to a management group that restricts the regions where virtual machines (VMs) can be created. This policy will then apply to all nested management groups, subscriptions, and resources, ensuring that VM creation is restricted to authorized regions. This approach helps maintain consistent governance and prevents resource or subscription owners from altering security policies.

At the top of the hierarchy is the root management group, which encompasses all other management groups and subscriptions. This root management group allows for the application of global policies and Azure role assignments at the directory level.

By default, the root management group's display name is "Tenant root group," and it cannot be moved or deleted. All new subscriptions automatically default to the root management group, ensuring a unified management structure.

Hierarchy and Relationships

The hierarchical relationship between management groups, subscriptions, and resource groups is essential for understanding how policies and permissions flow in Azure. Management groups sit at the top of the hierarchy, followed by subscriptions, and then resource groups. This structure allows for the inheritance of policies and access controls from the top down, ensuring consistent governance across all resources.

  • Management Groups: These are used to manage multiple subscriptions and apply policies and access controls at scale.

  • Subscriptions: These serve as a billing unit and help organize access to Azure resources. Each subscription is associated with a Microsoft Entra directory.

  • Resource Groups: These are containers that hold related resources for an Azure solution, making it easier to manage and deploy them as a group.

Policies and permissions flow from management groups down to individual resources. For example, a policy applied at the management group level will automatically apply to all nested subscriptions and resource groups. This hierarchical approach ensures that governance policies are consistently enforced across the organization.
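The following sketch is an added example, not code from the original page or from Microsoft. It models the top-down inheritance described above, including the VM region restriction and the default placement of new subscriptions under the root management group. The scope IDs, subscription names and assignments are constructed, and the model assumes that overlapping region assignments combine to the most restrictive result.

```python
# Added illustration: every ID and assignment below is constructed, not tenant data.
MG = "/providers/Microsoft.Management/managementGroups/"
ROOT = MG + "tenant-root"   # hypothetical root management group ID
PROD = MG + "prod"          # hypothetical child management group

# child scope -> parent scope
PARENT = {
    PROD: ROOT,
    "/subscriptions/sub-payments": PROD,
    "/subscriptions/sub-payments/resourceGroups/rg-web": "/subscriptions/sub-payments",
    "/subscriptions/sub-new": ROOT,  # new subscriptions default to the root group
    "/subscriptions/sub-new/resourceGroups/rg-test": "/subscriptions/sub-new",
}

# Allowed-region policy assignments: scope -> regions where VMs may be created
ASSIGNMENTS = {
    ROOT: {"westeurope", "northeurope", "eastus"},
    PROD: {"westeurope", "northeurope"},
}

def ancestry(scope):
    """Return the scope followed by each ancestor, ending at the root group."""
    chain = [scope]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def allowed_regions(scope):
    """Intersect every inherited region set; None means no restriction applies."""
    sets = [ASSIGNMENTS[s] for s in ancestry(scope) if s in ASSIGNMENTS]
    return set.intersection(*sets) if sets else None

def vm_create_allowed(scope, region):
    """True if a VM in `region` complies with all assignments inherited by scope."""
    allowed = allowed_regions(scope)
    return allowed is None or region.lower() in allowed

def subscriptions_directly_under_root():
    """Subscriptions left on default placement: they inherit root policy only."""
    return sorted(s for s, parent in PARENT.items()
                  if parent == ROOT and s.startswith("/subscriptions/")
                  and "/resourceGroups/" not in s)

if __name__ == "__main__":
    for rg in ("/subscriptions/sub-payments/resourceGroups/rg-web",
               "/subscriptions/sub-new/resourceGroups/rg-test"):
        print(rg, "eastus ->", vm_create_allowed(rg, "eastus"))
    print("default placement:", subscriptions_directly_under_root())
```

The second resource group accepts `eastus` because its subscription was never moved under the stricter management group, which is the gap the last function surfaces.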

Implementing Governance and Compliance

The hierarchy of resource groups, subscriptions, and management groups can be leveraged to implement governance and compliance strategies in Azure. By organizing subscriptions into management groups, you can apply governance conditions that cascade by inheritance to all associated subscriptions. This hierarchical structure allows for enterprise-grade management at scale, ensuring that all subscriptions within a management group trust the same Microsoft Entra tenant.

Azure Policy and Role-Based Access Control (RBAC) are essential tools for implementing governance and compliance strategies. Azure Policy evaluates resource properties to ensure compliance with business rules, while Azure RBAC manages user actions at different scopes. Together, they provide full scope control in Azure, ensuring that resources remain compliant and secure regardless of who makes changes or has permissions.

By leveraging the hierarchical structure of resource groups, subscriptions, and management groups, along with tools like Azure Policy and RBAC, organizations can effectively implement governance and compliance strategies in Azure. This approach ensures that organizational standards and security requirements are enforced consistently across all resources.

Understand Subscriptions

Azure subscriptions are a fundamental part of managing resources in Azure. Subscriptions serve as a billing unit and help organize access to Azure resources. Each subscription is associated with a Microsoft Entra directory, which helps manage access and policies across multiple resource groups. Subscriptions allow you to control how resource usage is reported, billed, and paid for, making it easier to manage costs and compliance.

Management groups provide a higher level of organization above subscriptions. They allow you to apply governance policies and access controls that cascade down to all associated subscriptions. For example, you can create a policy at the management group level that restricts the regions where virtual machines can be created. This policy will automatically apply to all subscriptions and resources under that management group, ensuring consistent governance across your organization.

Each Azure directory has a root management group at the top of its hierarchy. This root management group includes all other management groups and subscriptions within the directory. It allows for the application of global policies and role assignments, providing a centralized point for managing access and compliance. New subscriptions automatically become part of the root management group, ensuring they inherit the necessary governance policies.

Define Resource Groups

Resource Groups in Azure are essential for organizing and managing resources. They act as containers that hold related resources for an Azure solution, allowing you to manage them collectively. This organization helps in applying management settings, such as access control, policies, and tags, to all resources within the group, ensuring consistency and ease of management. Resource groups are part of a broader hierarchical structure in Azure, which includes management groups and subscriptions.

Management groups provide a governance scope above subscriptions, allowing you to apply policies and access controls that cascade down to all associated subscriptions and their resources. This hierarchical structure ensures that governance policies are consistently applied across the organization. Each Azure subscription can contain multiple resource groups, and each resource group can contain multiple resources, such as virtual machines, storage accounts, and databases. This hierarchy allows for flexible and scalable management of resources. For example, you can apply a policy at the subscription level that restricts resource creation to specific regions, and this policy will automatically apply to all resource groups and resources within that subscription.

In summary, resource groups in Azure are crucial for organizing and managing resources efficiently. They are part of a hierarchical structure that includes management groups and subscriptions, allowing for scalable and consistent application of policies and access controls. Understanding this hierarchy is essential for effective resource management and governance in Azure.
