Understanding Core Azure Management Areas

Step‑by‑Step Guide: Management Groups, Subscriptions, Resource Groups, Policies, Roles, and Pricing

After setting up Microsoft Entra ID with custom domains, users, and groups, the next step in your Azure journey is understanding how to structure and govern your environment.

Azure provides multiple layers of organization — from Management Groups down to Resource Groups — along with policies, roles, and pricing tools. These are critical for scalability, compliance, and cost optimization.

If you’d like to follow the earlier steps (Introduction to Cloud Computing, Azure Plans and Sign-up, Microsoft Entra ID, promoting a DC, joining a Windows client to a domain), please visit our posts:

      1. Started with Microsoft Entra ID.
      2. Azure 4 Plans and How to sign-up.
      3. Introduction to Cloud Computing.
      4. How to Promote a Server to Domain Controller (DC).
      5. How to Join a Windows Client to a Domain.


If you’d like to watch a step‑by‑step walkthrough of these steps, please visit our YouTube Video.

1. Microsoft Azure Directory

Microsoft Azure Directory refers to Microsoft Entra ID (formerly Azure Active Directory), which is Azure’s cloud-based identity and access management (IAM) service. It is the backbone of authentication, authorization, and governance in Azure and Microsoft 365.

Definition:

A cloud-based directory and identity service that manages users, groups, devices, and applications. It is your Microsoft Entra ID tenant.

Why Important:

      • Every subscription is linked to a single directory.
      • Centralized identity ensures consistent access control across subscriptions.

Tenant & Tenant ID:

      • Tenant: Isolated instance of Entra ID representing your organization.
      • Tenant ID: Globally unique GUID used in APIs, SDKs, and automation.

(Screenshot: Azure Management - Directory)

2. Azure Management Groups

In Azure, Management Groups are containers that sit above subscriptions, allowing you to apply governance, access control, and policies across multiple subscriptions at scale. The Root Management Group is automatically created at the top of every Microsoft Entra tenant’s hierarchy and contains all other management groups and subscriptions by default.

Definition:

Containers that organize multiple subscriptions or other management groups under a single hierarchy.

Why Important:

      • Apply policies and role assignments across all subscriptions in a group.
      • Simplify governance for enterprises with dozens or hundreds of subscriptions.
      • Ensure consistent compliance and security across environments.

Example:

      • Create a “Production” management group and enforce stricter security policies.
      • Create a “Development” group with relaxed policies for testing.

(Screenshot: Azure Management - Management Group)

Best Practice:

      • Always design a hierarchy (Root → Department → Environment) before scaling workloads.

3. Azure Subscriptions

An Azure Subscription is the fundamental logical container for all resources you create in Azure. It defines billing, quotas, and access boundaries, and the Subscription ID uniquely identifies it. Each subscription is tied to a billing account and serves as the unit of management, cost tracking, and governance.

Definition:

Logical containers for Azure services or resources, tied to a billing account and quotas. There are multiple types of subscriptions like Free Trial, Pay-As-You-Go (PAYG), Enterprise Agreement (EA), Azure Plan (MCA) or Sponsorship/Education.

Why Important:

      • Each subscription has its own billing account, spending limits, and quotas.
      • Helps separate workloads (Dev/Test vs. Production) or departments (HR, Finance, IT).

Example:

      • One subscription for corporate IT workloads.
      • Another subscription for customer‑facing applications.

(Screenshot: Azure Management - Subscription)

Best Practice:

      • Use multiple subscriptions to isolate workloads and manage costs effectively.

4. Azure Resource Groups

Azure Resource Groups are logical containers within a subscription that hold related resources for an application or workload. They provide a way to organize, manage, and apply policies to resources as a unit. Each resource group is created in a specific Azure region, but the resources inside it can exist in different regions. Resources inside a resource group share the same lifecycle. You cannot create a Resource Group inside another Resource Group.

Definition:

A logical container that groups related Azure resources (VMs, databases, storage accounts, virtual networks, etc.) so they can be managed together.

Why Important:

      • Simplifies lifecycle management — resources in a group can be deployed, updated, or deleted together.
      • Enables tagging for cost tracking and governance.

Example:

      • A resource group for a web application containing VMs, storage, and networking.

(Screenshot: Azure Management - RG created)

Best Practice:

      • Apply consistent naming conventions.
      • Use tags (e.g., Environment=Production, Owner=IT) for chargeback and reporting.

5. Azure Policies

Azure Policies are governance tools that enforce rules and compliance across your Azure resources. They help ensure that deployments meet organizational standards and regulatory requirements. Policies can be assigned at different levels — Management Group, Subscription, Resource Group, or individual Resource. Policies continuously audit resources and mark them as Compliant or Non-compliant.

Azure Blueprints: Deploy pre‑configured environments with policies and RBAC.

Definition:

Rules that enforce compliance and governance across resources.

Why Important:

      • Prevents misconfigurations and enforces standards automatically.
      • Ensures compliance with security and regulatory requirements.

Examples:

      • Restrict VM sizes to control costs.
      • Require encryption for storage accounts.
      • Enforce resource tagging for chargeback.

(Screenshot: Azure Management - Policy)

Best Practice:

      • Assign policies at the management group level for broad enforcement.
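As an added example (not part of the original post), this is a custom policy definition in the same JSON form the portal's policy rule editor accepts. It implements the "require encryption for storage accounts" idea above for data in transit: storage accounts that do not enforce HTTPS-only traffic are marked Non-compliant with Audit, or blocked outright with Deny. The effect parameter lets you assign it at the Development management group as Audit and at Production as Deny; the definition name and those management group names are assumptions.

```json
{
  "mode": "Indexed",
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Audit marks non-compliant storage accounts; Deny blocks their creation or update."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
          "equals": "false"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}
```

Create the definition at the management group scope (for example with `az policy definition create --management-group <name> --rules <policyRule> --params <parameters> --mode Indexed`) and assign it once per environment with `az policy assignment create --scope /providers/Microsoft.Management/managementGroups/<name>`, overriding `effect` per assignment.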

6. Azure Entra Roles

Microsoft Entra Roles (formerly Azure AD roles) are built-in or custom administrative roles in Microsoft Entra ID that control access to identity-related resources such as users, groups, domains, and applications. These roles apply to directory-level objects (users, groups, applications, domains). There are about 60 predefined roles (e.g., Global Administrator, User Administrator, Exchange Administrator). They differ from Azure RBAC roles, which govern access to Azure resources like VMs, storage, and networking.

Definition:

Roles within Microsoft Entra ID that control directory‑level permissions.

Why Important:

      • Protects critical identity functions (user creation, domain management, security policies).
      • Ensures least privilege access at the directory level.

Examples:

      • Global Administrator: Full access to all directory features.
      • User Administrator: Create/manage users and groups.
      • Security Administrator: Manage security policies and reports.
      • Application Administrator: Manage app registrations and permissions.

(Screenshot: Azure Management - Entra Roles)

Best Practice:

      • Assign roles sparingly — Global Admin should be limited to a few trusted individuals.

7. Azure RBAC Roles

Azure RBAC Roles (Role-Based Access Control roles) are sets of permissions assigned to users, groups, or service principals that define what actions they can perform on Azure resources. RBAC is the system that provides fine-grained, least-privilege access management across subscriptions, resource groups, and resources. Roles can be assigned at different levels — Management Group, Subscription, Resource Group, or individual Resource.

Definition:

Role‑Based Access Control (RBAC) roles that manage resource‑level permissions.

Why Important:

      • Controls who can create, modify, or view resources.
      • Prevents unauthorized changes to workloads.

Examples:

      • Owner: Full access, including delegation.
      • Contributor: Create/manage resources but cannot assign roles.
      • Reader: View‑only access.
      • Custom Roles: Define granular permissions tailored to your needs.

(Screenshot: Azure Management - Azure RBAC)

Best Practice:

      • Combine Entra Roles (directory‑level) with Azure Roles (resource‑level) for complete governance.
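As an added example (not part of the original post), this custom role definition, in the JSON form `az role definition create --role-definition <file>` accepts, shows how a least-privilege Custom Role is built: an operator who can view and restart virtual machines but cannot create resources or assign roles, because nothing under Microsoft.Authorization appears in Actions (the built-in Contributor role achieves "cannot assign roles" the other way round, by listing Microsoft.Authorization write and delete operations in NotActions). The role name and the management group name in AssignableScopes are assumptions; the role could equally be scoped to a single subscription or resource group.

```json
{
  "Name": "Virtual Machine Operator (example)",
  "IsCustom": true,
  "Description": "View virtual machines and their health, start and restart them; no create, delete or role-assignment rights.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/instanceView/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Authorization/*/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/mg-production"
  ]
}
```

Because the assignable scope is a management group, the role can be assigned at that group or at any subscription, resource group or VM beneath it, following the Management Group → Subscription → Resource Group hierarchy described above.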

8. Azure Price Calculator

The Azure Price Calculator is a web-based tool provided by Microsoft that helps estimate the cost of Azure services before deployment; the estimates can be exported or shared with stakeholders. It allows you to model workloads, compare options, and forecast monthly expenses based on your chosen configurations.

Definition:

An online calculator that estimates the cost of Azure services such as VMs, databases, storage, networking, and more.

Why Important:

      • Helps plan budgets before deploying workloads.
      • Avoids unexpected billing surprises.

Use Case:

      • Model workloads (VMs, databases, storage, networking) before deployment.
      • Compare costs across regions and service tiers.

(Screenshot: Azure Management - Azure Price Calculator)

Best Practice:

      • Always run workloads through the calculator during planning.

9. Key Takeaways

Key Points:

      • Management Groups: Organize subscriptions at scale.

      • Subscriptions: Separate workloads and billing.

      • Resource Groups: Organize related resources.

      • Policies: Enforce compliance and governance.

      • Directory & Entra Roles: Manage identity and access at the tenant level.

      • Azure Roles (RBAC): Control permissions at the resource level.

      • Azure Price Calculator: Plan and optimize costs before deployment.

Pro Tip: Always design your governance hierarchy first — Management Groups → Subscriptions → Resource Groups → Policies → Roles — before deploying workloads. This ensures compliance, cost control, and scalability from day one.
