Azure Account Hierarchy

1. What is an Azure AD Tenant?

Think of an Azure AD Tenant like a company or a school. It’s where all the people (users), groups, and permissions are managed. Just like a company has a list of employees, their roles, and access to different areas (like HR, Finance, or IT), an Azure AD Tenant keeps track of who can access what in your Azure cloud environment.

  • Example: Acme Corp (a company) would have a tenant called acme.onmicrosoft.com. All the employees, contractors, and partners who work at Acme would have their accounts here.


2. What are Management Groups?

Now, imagine if your company grew really big and had multiple departments in different parts of the world—like in North America and Europe. You might want to create rules and policies that apply to the entire company, but also have special rules for each department or region. This is where Management Groups come in.

  • Management Groups help organize and manage your subscriptions at a higher level—they group related subscriptions together and let you apply company-wide rules (like security policies, compliance checks, etc.) to them. You can think of Management Groups like a company's global or regional offices that set the rules for their respective areas.

  • Example: Acme Corp might have two Management Groups:

    • One for North America (handling policies and subscriptions for their U.S. and Canada operations).

    • One for EMEA (covering Europe, Middle East, and Africa).

Each region will have different rules based on local laws or needs, but the Management Group makes sure everything is aligned with the company’s overall goals.


3. What is a Subscription?

A Subscription is like a big project or a budget within your Azure Tenant. If you think of your company having different departments (Sales, Marketing, IT, etc.), each department could have its own subscription to manage and track its cloud resources (like websites, databases, or apps). Each subscription has its own cost, and you can keep track of how much you are spending on each one.

  • Example: Acme Corp might have:

    • A subscription for Production resources (live, customer-facing services).

    • A subscription for Development resources (things that are still being built or tested).

Each department or team can have a subscription, and each subscription can hold different resources.


4. What are Resource Groups?

Now let’s zoom in on the actual stuff that your company is managing in Azure—these are the resources (like servers, databases, and storage).

A Resource Group is like a folder where you organize all your resources that are part of the same project or purpose. It keeps everything related to that particular task or job in one place.

  • Example: In Acme Corp, the Production Subscription might have a resource group for the web app (called acme-prod-rg-webapp) and another for the database (called acme-prod-rg-db). This way, all the pieces that make up the production environment are organized neatly.

How Do They All Fit Together?

Let’s imagine how this works in a simple way. Acme Corp has:

  1. Tenant: This is like the company itself (Acme Corp), where all the employees (users) and departments (groups) are managed.

  2. Management Groups: These are like the regional offices—Acme has one for North America and one for EMEA (Europe, Middle East, Africa). They help manage all the teams and resources in their respective areas.

  3. Subscriptions: These are like the departments or projects. Acme might have a subscription for Production (live services) and another for Development (work in progress).

  4. Resource Groups: These are the folders or projects that organize all the actual resources (servers, databases, websites, etc.) in each subscription.
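
The inheritance implied by this hierarchy, as an added example that is not from the original post: a small Python model in which rules assigned at a higher scope apply to every scope beneath it, plus a check that lists resource groups missing a required baseline. The placement of each subscription under a management group, the acme-dev-rg-sandbox resource group, the scope names other than the two resource groups named above, and all policy names are assumptions made for illustration.

```python
# Toy model of the hierarchy, not Azure SDK code. Parent links and
# policy names are constructed; only the two prod resource group
# names come from the article.
PARENT = {
    "mg-north-america": "acme-tenant-root",
    "mg-emea": "acme-tenant-root",
    "sub-production": "mg-north-america",   # assumed placement
    "sub-development": "mg-emea",           # assumed placement
    "acme-prod-rg-webapp": "sub-production",
    "acme-prod-rg-db": "sub-production",
    "acme-dev-rg-sandbox": "sub-development",  # constructed name
}

# Rules assigned directly at each scope (constructed names).
ASSIGNED = {
    "acme-tenant-root": {"require-mfa-for-admins"},
    "mg-north-america": {"allowed-locations-us-ca"},
    "mg-emea": {"allowed-locations-eu"},
    "sub-production": {"deny-public-storage"},
    "acme-prod-rg-db": {"require-encryption-at-rest"},
}

def scope_chain(scope):
    """Return the scope and all its ancestors, ordered top-down."""
    chain = [scope]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return list(reversed(chain))

def effective_policies(scope):
    """Union of rules assigned at the scope and at every ancestor."""
    result = set()
    for s in scope_chain(scope):
        result |= ASSIGNED.get(s, set())
    return result

def resource_groups():
    """Leaf scopes of the tree, i.e. the resource groups."""
    parents = set(PARENT.values())
    return sorted(s for s in PARENT if s not in parents)

def missing_baseline(required):
    """Map each resource group to the required rules it does not inherit."""
    gaps = {}
    for rg in resource_groups():
        missing = required - effective_policies(rg)
        if missing:
            gaps[rg] = sorted(missing)
    return gaps
```

A rule assigned only on the Production subscription never reaches the Development resource group, which is the kind of gap `missing_baseline` surfaces.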
