Microsoft AzureArchitectureAzureIntermediate30 min read

What Does Subscription Design Mean?

Also known as: Subscription Design, Azure subscription design, management group hierarchy, AZ-305 governance, Azure subscription architecture

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Subscription Design is about planning how to group and manage your Azure subscriptions. Think of it like deciding how many bank accounts you need, who has access to each account, and how money moves between them. A well-designed subscription structure makes it easier to control costs, apply security rules, and keep resources organized.

Must Know for Exams

Subscription Design is a core topic in the Microsoft Azure Solutions Architect exam, specifically the AZ-305: Designing Microsoft Azure Infrastructure Solutions. This exam tests your ability to design governance, identity, and security solutions, and Subscription Design is central to all three. The exam objectives explicitly mention 'Design governance' and 'Design an Azure subscription management plan.' You can expect multiple questions that require you to evaluate different subscription architectures and choose the best one for a given scenario.

In the exam, you will be presented with scenarios that describe a company's structure, such as multiple business units, different environments (dev, test, prod), geographic locations, or compliance requirements. You will need to decide how many subscriptions are needed, how they should be grouped under management groups, and what policies or RBAC assignments should be applied at each level. For example, a question might ask: 'A company has three business units: Sales, Marketing, and Engineering. Each unit needs its own subscription for production and non-production workloads. The company also needs a shared subscription for networking services. Design a management group hierarchy.' The correct answer would show a management group for each business unit, with child management groups for production and non-production, plus a separate management group for shared services.

The exam also tests your understanding of Azure Policy and RBAC in the context of Subscription Design. You might be asked to identify which policies should be applied at the management group level versus the subscription level. For instance, a policy that restricts resource locations to a specific region might apply at the management group level, while a policy that enforces a specific naming convention might apply at the subscription level. You need to understand the inheritance model and how rules flow down the hierarchy.

Another common exam pattern is cost management. Questions will ask you to design subscriptions to ensure that each cost center can track its own spending. You might need to choose between using separate subscriptions for each department or using a single subscription with tags. The correct answer often involves separate subscriptions because tags are not always enforced, and they can be inconsistent. The exam expects you to know that subscriptions are the strongest boundary for cost isolation.

Additionally, the exam covers resource limits and quotas. You may encounter a scenario where a company is hitting the maximum number of storage accounts per subscription, and you need to recommend a solution. The correct answer would be to create additional subscriptions and distribute the storage accounts across them. Questions about management group depth limits (maximum six levels) also appear.

Finally, the AZ-305 exam frequently integrates Subscription Design with other topics like identity (Azure AD), networking (hub-spoke topology), and high availability. A question might ask you to design a subscription structure that supports a hub-spoke network model, where the hub subscription contains shared networking resources and the spoke subscriptions contain application workloads. To pass the exam, you must be comfortable with these interconnections and be able to justify your design decisions based on scalability, security, and cost.

Simple Meaning

Imagine you are moving into a large apartment building with many floors, and each floor has multiple apartments. The building itself is like your company's overall Azure cloud environment. Each apartment represents a single Azure subscription. Now, who gets which apartment? How do you decide which team lives on which floor? Do you group apartments by department, by project, or by the type of people living in them? That is the essence of Subscription Design.

In plain terms, Subscription Design is the process of deciding how to create and arrange your Azure subscriptions so that they match your organization's structure, security needs, and budgets. A subscription in Azure is a container that holds your cloud resources like virtual machines, databases, and storage accounts. Each subscription has its own billing, access control, and resource limits. If you design your subscriptions poorly, you might end up with one giant subscription that is hard to manage, or too many tiny subscriptions that create administrative chaos.

To make it simple, think of subscriptions as labeled drawers in a large filing cabinet. Each drawer holds files for a specific department or project. If you put all files into one drawer, it becomes overcrowded and hard to find anything. If you use one drawer per file, you waste space and keys. A good filing system uses just enough drawers, with clear labels, so that the right people can open the right drawer. In Azure, Subscription Design follows a management group hierarchy, where subscriptions are grouped under management groups that reflect your organizations structure, such as by business unit, environment (dev/test/production), or geography.

The real goal of Subscription Design is to create boundaries. Each subscription acts as a boundary for access, policy, and cost. By designing subscriptions thoughtfully, you ensure that the marketing team cannot accidentally delete the production database, and the finance team can see exactly how much each department is spending on cloud resources. It is a foundational skill for anyone preparing for the Azure Solutions Architect exam, because without a good subscription design, everything else in the cloud becomes harder to manage.

Full Technical Definition

Subscription Design in Microsoft Azure refers to the strategic arrangement of Azure subscriptions within a management group hierarchy to enforce governance, security, and cost management policies across an organizations cloud estate. Azure subscriptions are logical containers that hold Azure resources, such as virtual machines, storage accounts, and networking components. Each subscription is associated with an Azure Active Directory (Azure AD) tenant, which provides identity and access management services. Subscriptions also have service limits and quotas, which define the maximum number of resources that can be created within them.

From a technical perspective, Subscription Design is implemented using Azure Management Groups. Management groups are containers that can hold multiple subscriptions, and they can be nested up to six levels deep. This hierarchy allows administrators to apply Azure Policy, role-based access control (RBAC), and cost management rules at the management group level, which then flows down to all subscriptions inside that group. For example, a top-level management group called 'Corporate' might contain child management groups for 'Production', 'Development', and 'Sandbox'. Each of these child groups contains multiple subscriptions, with policies that restrict resource locations, enforce tagging, or require encryption.

One of the key technical aspects of Subscription Design is the Azure Subscription Resource Provider. Each subscription is registered with certain resource providers, such as Microsoft.Compute for virtual machines or Microsoft.Network for virtual networks. When you design your subscriptions, you must consider the maximum number of resources per subscription and per region. Azure imposes soft and hard limits on resources like storage accounts, virtual networks, and public IP addresses. A poorly designed subscription can hit these limits, causing outages or blocking new deployments. Therefore, Subscription Design often involves planning for scale, using multiple subscriptions to stay within limits, and distributing resources across regions for resilience.

Another critical component is the Azure Blueprint, which allows you to define a repeatable set of Azure resources, policies, and role assignments that apply to a new subscription. Blueprints help standardize subscription creation across an organization, ensuring that every new subscription comes with the same baseline security and compliance settings. This is especially important in enterprise environments where hundreds of subscriptions might be created over time.

Real-world implementation of Subscription Design follows the Cloud Adoption Framework (CAF), a Microsoft guide that provides best practices for Azure adoption. The CAF recommends a management group structure that separates environments, applications, and business units. For example, a common design uses a 'Platform' management group for shared services like identity and networking, and 'Application' management groups for workloads. Each application group might contain separate subscriptions for production, non-production, and testing. This design ensures that changes to shared services do not affect application subscriptions unless explicitly allowed.

In terms of monitoring and cost management, each subscription generates its own billing statement. Azure Cost Management tools allow you to analyze costs per subscription, per resource group, or even per tag. Subscription Design directly impacts your ability to track spending. If you mix workloads from different departments in the same subscription, you cannot easily determine which department incurred a specific cost. Good design uses separate subscriptions per department or project, combined with proper tagging, to create clear cost accountability.

Finally, Subscription Design is deeply tied to identity and governance. Azure Policy and RBAC are applied at the management group or subscription level. A well-designed hierarchy allows you to grant permissions broadly at the management group level and then refine them at the subscription or resource group level. This reduces the administrative overhead of managing permissions on thousands of resources individually. It also helps enforce security baselines, like requiring that all storage accounts use HTTPS traffic or that all virtual machines are backed up daily, across the entire organization.

Real-Life Example

Imagine a large office building that houses multiple companies, like a shared workspace provider. Each company rents a separate office suite, and each suite represents an Azure subscription. The building owner is like the Azure platform itself, providing the physical infrastructure. But the key decision is how the office spaces are allocated.

In this analogy, the building has a receptionist who assigns keys to each suite. The receptionist is like an Azure administrator. Some companies are big and need multiple suites spread across different floors. They might have one suite for their sales team, another for their engineering team, and a third for their HR department. This grouping of suites by team mirrors a Subscription Design where each business unit gets its own subscription.

Now, lets map this to the Azure concept. First, you decide on the management group hierarchy. The building itself is the management group root. Each floor could be a child management group, like 'Floor 1' for production workloads and 'Floor 2' for development. On Floor 1, you have Suite 101 belonging to the sales team, Suite 102 for engineering, and so on. Each suite is a subscription. The receptionist ensures that only people with the correct key can enter their suite. In Azure, this is role-based access control, where you assign permissions at the management group or subscription level.

Second, consider cost allocation. Each suite pays its own rent. The building manager can see exactly which suite paid what amount. Similarly, in Azure, each subscription generates its own billing. If you put two teams in the same subscription, you cannot easily separate their cloud costs. Good Subscription Design keeps teams in separate subscriptions so that cost reporting is clear.

Third, there are rules for the entire building, like no smoking, no loud music after 10 p.m. These are like Azure Policies applied at the management group level. They apply to all suites under that management group. For example, you might have a policy that all storage accounts must be encrypted, and that policy applies to all subscriptions in the 'Production' management group.

Finally, think about growth. A small company might start with one suite, but as they grow, they may need three suites. In Azure, you can create new subscriptions as needed. But if you planned ahead and reserved a block of suites on a specific floor, you can easily expand without disrupting existing tenants. That is the essence of Subscription Design: planning for current and future needs while keeping everything organized, secure, and cost-effective.

Why This Term Matters

Subscription Design matters because it is the foundation upon which all other Azure governance, security, and cost management is built. Without a clear design, your cloud environment quickly becomes chaotic, expensive, and insecure. In real IT work, administrators deal with hundreds or thousands of subscriptions across large organizations. Each subscription must be managed, monitored, and secured. If the design is poor, simple tasks like applying a company-wide security policy become nearly impossible, because you would have to manually configure each subscription one by one.

From a cost perspective, Subscription Design directly impacts the finance departments ability to track cloud spending. In many organizations, different teams or departments are responsible for their own budgets. A well-designed subscription structure allows you to generate cost reports by subscription, making it clear which department spent what. This is essential for chargeback and showback models, where internal teams are billed for the cloud resources they consume. Without proper Subscription Design, the finance team might have to guess or manually allocate costs, leading to disputes and budget overruns.

In terms of security, Subscription Design defines the boundaries for access control. If you place sensitive production resources in the same subscription as development resources, a developer with contributor access could accidentally delete a production database. Good design uses separate subscriptions to create strong isolation between environments. Additionally, Azure Policy can be applied at the management group level, ensuring that every subscription under that group inherits the same security rules. This is critical for compliance with standards like HIPAA, GDPR, or SOC 2, where you must prove that certain controls are in place across all resources.

Operationally, Subscription Design affects how teams collaborate. A good design allows the platform team to manage shared services like networking and identity in a central subscription, while application teams manage their own subscriptions. This reduces friction and allows each team to move quickly without stepping on each others toes. It also enables resource limits to be managed effectively, because each subscription has its own quota. By distributing resources across multiple subscriptions, you can avoid hitting the maximum limits for things like virtual machines per region.

Finally, Subscription Design is crucial for disaster recovery and business continuity. By separating critical workloads into their own subscriptions, you can manage backup and disaster recovery policies at the subscription level. If a subscription becomes compromised or experiences a catastrophic failure, the blast radius is limited to that subscription, leaving other parts of the business unaffected. In summary, Subscription Design is not just an architectural exercise, it is a practical necessity for running Azure at scale in a secure, cost-effective, and manageable way.

How It Appears in Exam Questions

In certification exams, especially the AZ-305, Subscription Design appears in several distinct question patterns. One common type is the scenario-based multiple-choice question. These questions present a company profile with specific requirements, such as multiple business units, compliance needs, or cost tracking demands. You are then asked to select the best subscription design from several options. For example: 'A company has four departments, each with its own budget. They need to track cloud costs per department. They also need to apply a company-wide policy that restricts resource creation to specific Azure regions. What is the most efficient subscription design?' The answer choices might include using a single subscription with tags, using four subscriptions under a single management group, or using one subscription per department with policies applied at the management group level. The correct answer is typically the one that provides clear cost isolation and broad policy application.

Another pattern is the drag-and-drop question, where you must arrange management groups and subscriptions into a hierarchy. You might be given boxes representing management groups and subscriptions, and you need to drag them into the correct order. For example, you might have boxes labeled 'Root Management Group,' 'Production,' 'Non-Production,' 'Sales-Prod,' 'Sales-NonProd,' 'Eng-Prod,' and 'Eng-NonProd.' You would need to arrange them so that 'Production' and 'Non-Production' are child management groups under the root, and then the department-specific subscriptions are placed under their respective environment group.

Configuration questions also appear. These questions ask you to choose the correct PowerShell or Azure CLI command to create a new subscription under a specific management group. For instance: 'You need to create a new subscription for the Marketing department, placing it under the existing Non-Production management group. Which command should you run?' You would need to know the syntax for New-AzSubscription or the Azure CLI equivalent, including the management group parameter.

Troubleshooting questions might present a scenario where an administrator is having trouble applying a policy. For example: 'A company has a policy that requires all virtual machines to use managed disks. The policy is applied to the Root Management Group, but some virtual machines in the Sales subscription are not compliant. What is the most likely cause?' The answer could be that the Sales subscription was created before the policy was applied, and it did not inherit the policy because of a configuration issue. Understanding policy inheritance in management groups is key to answering such questions.

Architecture design questions are also common. These are often part of the 'Design governance' objective. You might be asked to evaluate a proposed design and identify weaknesses. For example: 'A company plans to use a single subscription for all workloads, with resource groups for each department. Is this a good design?' The correct answer would point out that this design does not provide cost isolation or granular policy control, and it risks hitting subscription resource limits.

Finally, some questions combine Subscription Design with identity. For example: 'You need to ensure that only users from the US office can create resources in the US subscription. What should you design?' This tests your understanding of combining management groups with Azure AD conditional access or RBAC. You would need to design a management group for US resources, then assign RBAC roles to the US office user group at that management group level, with a conditional access policy that blocks creation from other locations.

Practise Subscription Design Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A company called GreenLeaf Analytics has 200 employees divided into three departments: Data Science, Marketing, and Finance. They are migrating their workloads to Azure. The IT manager wants to ensure that each department can only see its own cloud resources and that costs are tracked per department. Also, the company has a compliance requirement that all resources must be in the West US region. Finally, the company plans to grow rapidly and expects to triple its cloud resource usage within two years.

To design the subscription structure, you would start by creating a management group hierarchy. The root management group is called 'GreenLeaf.' Under it, you create three child management groups: 'DataScience', 'Marketing', and 'Finance'. Each of these management groups will contain two subscriptions: one for production workloads and one for development and testing. So, for Data Science, you have 'DataScience-Prod' and 'DataScience-Dev'. The same for Marketing and Finance.

At the root management group level, you apply an Azure Policy that restricts all resources to the West US region. This policy automatically flows down to all management groups and subscriptions under it. Then, you use role-based access control to grant the Data Science team 'Contributor' access only to their own management group and its subscriptions. They cannot see or access Marketing or Finance resources. Similarly for the other departments.

For cost tracking, each subscription generates its own billing report. The finance department can view costs per subscription, so they can charge each department accordingly. The growth plan is handled by the management group structure they can add new subscriptions under the appropriate management group as needed, without disrupting the existing setup. This design meets all requirements: security isolation, cost tracking, compliance, and scalability.

Common Mistakes

Using a single subscription for all workloads, believing it simplifies management.

A single subscription cannot provide cost isolation between departments or projects. It also has resource limits and quotas that can be easily exceeded. Applying different policies to different workloads becomes difficult because policies apply to the entire subscription. This creates security risks and billing confusion.

Use multiple subscriptions organized under management groups to separate environments and business units. This gives you clear boundaries for cost, policy, and access.

Creating too many subscriptions, one for every small project or team.

Each subscription requires administrative overhead to manage, including monitoring, billing, and policy assignment. Too many subscriptions can lead to sprawl, making it hard to track resources and manage permissions. It also increases the complexity of networking and resource sharing.

Group related workloads or teams under a single subscription, using resource groups for further separation. Only create a new subscription when there is a clear need for cost isolation, policy boundaries, or resource limits.

Applying all policies at the subscription level instead of the management group level.

This duplicates effort and increases the chance of missing a policy on some subscriptions. It also makes it harder to apply a company-wide standard because you have to manually configure each subscription. If a policy needs to be updated, you must update it in every subscription.

Apply common policies at the highest possible management group level so that all child subscriptions inherit them. Apply subscription-specific policies only for exceptions or unique requirements.

Ignoring resource limits and quotas when designing subscriptions.

Azure imposes limits on resources per subscription, such as a maximum number of storage accounts or virtual machines per region. If you put all resources in one subscription, you might hit these limits and be unable to deploy new resources. This can cause application downtime or block growth.

Estimate your resource needs and design multiple subscriptions to stay within limits. Use the management group hierarchy to organize them. Monitor subscription quotas and plan for future expansion.

Placing production and development resources in the same subscription.

This mixes environments with different security and stability requirements. A developer with access to the subscription could accidentally modify or delete production resources. It also makes it harder to apply different policies, such as stricter backup rules for production.

Create separate subscriptions for production, development, and testing. Even better, place them under separate management groups like 'Production' and 'Non-Production' to enforce environment-specific policies.

Exam Trap — Don't Get Fooled

An exam question describes a company with many small projects and asks for the most cost-effective subscription design. The answer choices include using a single subscription with resource groups for each project, or using separate subscriptions for each project. Many learners choose separate subscriptions because they think it provides better isolation.

Remember that resource groups can isolate resources for access control and policy if you use Azure RBAC at the resource group level. Only create a new subscription when you need a separate billing boundary, a different policy set that cannot be overridden, or you are approaching resource limits. For most small projects, a single subscription with multiple resource groups is more cost-effective and easier to manage.

Commonly Confused With

Subscription DesignvsResource Group

A resource group is a logical container within a subscription that holds related Azure resources, like a folder on your computer. A subscription is a larger container that groups resource groups and provides billing and access boundaries. Subscription Design focuses on how to organize subscriptions, not how to organize resources inside them.

If your company has a subscription for the Marketing department, you would create resource groups inside it for each campaign or project, like 'CampaignQ1' and 'CampaignQ2'. The subscription is the department, the resource groups are individual projects.

Subscription DesignvsManagement Group

A management group is a container that holds one or more subscriptions, used to apply policies and permissions at scale. Subscription Design uses management groups to create a hierarchy. The confusion arises because both are containers, but management groups sit above subscriptions, while subscriptions sit above resource groups.

A company has three subscriptions: Prod, Dev, and Test. They create a management group called 'AllEnv' and place all three subscriptions inside it. Then they apply a policy at the management group level that requires encryption, and it flows down to all three subscriptions. The management group is the folder holding the subscriptions.

Subscription DesignvsAzure AD Tenant

An Azure AD tenant is a dedicated instance of Azure Active Directory that provides identity services for an organization. All subscriptions in an organization trust one Azure AD tenant for authentication. Subscription Design occurs within a single Azure AD tenant, not across tenants. The tenant is the overarching identity boundary, while subscriptions are resource and billing boundaries.

Your company has one Azure AD tenant (like a central employee directory). Under that tenant, you have multiple subscriptions for different departments. The tenant knows who the employees are, and the subscriptions control what resources they can access.

Step-by-Step Breakdown

1

Identify organizational structure and requirements

The first step in Subscription Design is to understand the organization you are designing for. This includes identifying business units, departments, or teams, as well as the environments they need (production, development, testing). Also, gather requirements for cost tracking, compliance standards, security policies, and expected growth. This information drives the entire design.

2

Create a management group hierarchy

Using the organizational structure, create a tree of management groups that mirrors how the company is organized. For example, a root management group called 'Contoso' with child groups like 'Finance', 'Marketing', and 'IT'. Each child group can have further child groups for environments. The hierarchy should be kept simple, no more than six levels deep, and should align with business functions, not technical details.

3

Determine the number of subscriptions needed

Based on the requirements, decide how many subscriptions are needed. Consider factors like cost isolation, resource limits, and security boundaries. A common baseline is one subscription per environment per business unit. So, if you have three business units and three environments, you might need nine subscriptions. Also, consider shared services subscriptions for networking and identity.

4

Place subscriptions under appropriate management groups

Assign each subscription to the correct management group in the hierarchy. For example, the 'Marketing-Prod' subscription goes under the 'Production' management group, which is under the 'Marketing' management group. This ensures that policies applied at higher levels flow down to the correct subscriptions.

5

Apply Azure Policies at the management group level

Define policies that should apply to all subscriptions under a management group. Examples include allowed resource locations, required tags, encryption requirements, and allowed virtual machine SKUs. Apply these policies at the highest possible level to avoid redundancy. This step enforces governance across the entire design.

6

Assign RBAC roles at the management group and subscription level

Grant permissions to users or groups at the management group level for broad access, and at the subscription or resource group level for finer control. For example, assign the 'Contributor' role to the finance team at the 'Finance' management group, so they can manage all resources in that groups subscriptions. Use least privilege principles.

7

Configure cost management and tagging

Set up cost budgets and alerts at the management group or subscription level. Implement a tagging strategy that requires tags like 'CostCenter', 'Environment', and 'Owner' to be applied to all resources. Tags can be enforced via Azure Policy. This step makes it easy to generate cost reports and track spending per business unit.

8

Review and iterate

Subscription Design is not a one-time task. As the organization grows or changes, review the hierarchy and subscription count. Add new subscriptions under existing management groups as needed. Adjust policies and RBAC assignments to reflect new requirements. Regular audits help ensure the design continues to meet business needs.

Practical Mini-Lesson

Subscription Design is one of the most important skills for an Azure architect because it sets the stage for everything else you do in the cloud. In practice, you will rarely design a subscription structure from scratch for a greenfield customer. More often, you will be asked to fix a messy environment where subscriptions were created without a plan. So, lets go deep into how professionals approach this in the real world.

First, you must gather information. Talk to the business stakeholders to understand the company structure. Is it a small startup with one department, or a multinational with dozens of business units? Understand the compliance landscape: does the company need to follow PCI DSS, HIPAA, or GDPR? Each of these standards may require separate subscriptions to isolate sensitive data. Also, ask about the budget model. Does each department have its own budget? If so, they need separate subscriptions for clear cost tracking. Talk to the networking team, because they may need a dedicated subscription for shared networking resources like ExpressRoute circuits and virtual WAN hubs.

Once you have the requirements, you start sketching the management group hierarchy. A common mistake is to create a hierarchy that is too deep. Azure supports up to six levels of nesting, but in practice, three or four levels are usually enough. A typical design looks like this: Root Management Group, then a level for environment (Production, Non-Production), then a level for business unit (Sales, Engineering), and then the subscriptions. Alternatively, you might organize first by business unit, then by environment. There is no single correct way, but the key is consistency.

Now, lets talk about the subscriptions themselves. Each subscription is a billing boundary, a scale boundary, and a security boundary. You need to decide how many subscriptions to create. A common recommendation is to start with a small number, like one for production and one for non-production, then split further as needed. But for a large enterprise, you might need hundreds of subscriptions. The Cloud Adoption Framework provides a reference: use a 'Platform' management group for shared services, then 'Application' management groups for each workload, with separate subscriptions for each environment.

When you create a subscription, you must associate it with an Azure AD tenant. This is usually the same tenant for all subscriptions in an organization. However, there are scenarios like mergers and acquisitions where you might have multiple tenants. In those cases, you need to plan for cross-tenant management, which adds complexity. For the AZ-305 exam, you only need to focus on single-tenant designs.

One of the most practical aspects is applying Azure Policy. In the real world, you often need to ensure that developers cannot create resources in unsupported regions, that all storage accounts are encrypted, and that every resource has a 'Department' tag. You define these policies at the management group level. For example, in the 'Production' management group, you might have a policy that requires resources to have a backup plan, while in the 'Non-Production' group, that policy is not needed. This is the power of a well-designed hierarchy.

What can go wrong? A common pitfall is forgetting about inheritance. If you apply a policy that denies a specific resource type at the root management group, it will apply to all subscriptions, even to the shared services subscription that might need that resource. To avoid this, you can create an exclusion or use a policy exemption. Another issue is naming conventions. Without a consistent naming standard for management groups and subscriptions, the hierarchy becomes confusing. Use a clear naming pattern like 'MG-Group-Department' for management groups and 'subs-department-env' for subscriptions.

Finally, integration with DevOps is important. Many organizations automate subscription creation using Azure Blueprints or Terraform. A blueprint can create a new subscription, place it in the correct management group, apply policies, and assign RBAC roles automatically. This ensures that every new subscription follows the same design, reducing human error. In production, you should have a process for requesting new subscriptions that includes a review of the design against the existing hierarchy.

In summary, Subscription Design is about creating order in the cloud. It requires understanding business needs, applying governance, and planning for growth. As a professional, your design decisions will impact security, cost, and operational efficiency for years to come. For the exam, focus on the relationship between management groups, subscriptions, policies, and RBAC, and always think about the business context behind the technical choices.

Memory Tip

Think of Subscription Design as a family tree: the root management group is the grandparent, child management groups are parents, and subscriptions are the children. Policies and permissions flow from grandparent down to children, creating a family legacy of governance.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

How many subscriptions should I create for a small business with one department?

For a small business with one department, start with two subscriptions: one for production and one for development and testing. This provides a clean separation between environments. If costs need to be tracked per project, use resource groups with tags instead of creating more subscriptions.

Can I move a subscription to a different management group after it is created?

Yes, you can move a subscription to a different management group as long as you have the necessary permissions. However, moving a subscription can affect policies and RBAC assignments, because the subscription will inherit policies from the new management group and lose policies from the old one. It is best to plan the hierarchy carefully before creating subscriptions.

What is the maximum number of management groups in a hierarchy?

Azure supports up to six levels of management groups in a single hierarchy, not including the root management group. This limit is important to remember for exams, because deep hierarchies can violate this constraint and force a redesign.

Do I need separate subscriptions for each Azure region?

Not necessarily. You can deploy resources in multiple regions within the same subscription. However, if you need to apply different policies per region, or if you are hitting regional resource limits, you might use separate subscriptions. Typically, regions are managed via Azure Policy, not by subscription design.

How does Subscription Design affect cost management?

Each subscription has its own billing report. By designing subscriptions to align with departments or projects, you can see exactly how much each group is spending. You can also set budgets and alerts per subscription. This is more reliable than relying on tags alone, because tags can be missing or incorrect.

What is the difference between a management group and a subscription?

A management group is a container for subscriptions that helps you apply policies and permissions at scale. A subscription is a container for Azure resources that provides billing and access boundaries. Management groups are above subscriptions in the hierarchy.

Is it a good practice to create a subscription for every developer?

No, that would lead to subscription sprawl and high management overhead. Instead, use a shared development subscription and give each developer a resource group or use Azure DevTest Labs, which provides cost controls and automated shutdowns for development environments.

How does the Cloud Adoption Framework recommend designing subscriptions?

The Cloud Adoption Framework recommends using a management group hierarchy that separates platform (shared services) from application workloads. It suggests creating subscriptions for each environment (production, non-production) and using a 'Platform' management group for shared networking and identity resources.

Summary

Subscription Design is the practice of organizing Azure subscriptions into a structured hierarchy using management groups to align with business needs, governance, security, and cost management. A well-designed subscription structure acts as a blueprint for how resources are deployed, secured, and billed across an organization. The key components are management groups, which allow you to apply policies and permissions at scale, and subscriptions, which provide boundaries for billing, resource limits, and access control.

In practice, you must consider organizational structure, compliance requirements, cost allocation, and future growth. Common mistakes include using too few or too many subscriptions, mixing environments, and ignoring resource limits. For the AZ-305 exam, you need to be able to design a management group hierarchy, explain how policies and RBAC flow down, and justify your decisions based on business requirements.

Remember that good Subscription Design simplifies cloud management, reduces security risks, and provides clear cost accountability. Use the management group hierarchy as a tool to enforce governance from the top down, and always think about the business context behind the technical choices.