This chapter covers Azure Subscriptions and Management Groups, two fundamental building blocks for organizing and governing your cloud environment. For AZ-900, this falls under Domain 2 (Azure Architecture and Services) and Objective 2.1, which typically accounts for about 15-20% of the exam. Mastering these concepts is critical because they form the basis for cost management, policy enforcement, and access control in Azure. You'll learn how subscriptions act as containers for resources and billing boundaries, while management groups enable hierarchical governance across multiple subscriptions.
Jump to a section
Imagine a multinational corporation with a headquarters, regional divisions, and local departments. Azure subscriptions are like individual department budgets—each department gets its own spending authority and resource pool. Management groups are like the regional divisions that group several departments together so you can apply a single policy (e.g., 'all departments must use approved vendors') to the entire region at once. The root management group is the corporate HQ—it sits at the top and can apply policies that cascade down to every division and department. Without management groups, you'd have to apply policies to each subscription individually, like a manager walking to every desk to hand out a memo. With management groups, you send one email to the division head, and it gets forwarded to all departments automatically. Azure RBAC and Azure Policy work through this hierarchy: a policy applied at the 'Europe' management group automatically applies to all subscriptions under it. This mirrors how corporate directives flow from HQ to divisions to departments—each level inherits the rules from above, and you can add local rules that don't conflict. Just like you can't override a corporate compliance rule at the department level, you can't block an inherited Azure Policy at the subscription level—unless you have explicit exclusion permissions.
What Are Azure Subscriptions?
An Azure subscription is a logical container that holds your Azure resources—like virtual machines, databases, and storage accounts. Think of it as a billing boundary: each subscription has its own payment method, spending limits, and cost reports. But it's also an access boundary: you can assign different administrators to different subscriptions. For example, a company might have a 'Development' subscription for dev/test workloads and a 'Production' subscription for live applications. This separation ensures that changes in dev don't affect prod, and costs are tracked separately.
How Subscriptions Work
When you sign up for Azure, you create at least one subscription. Each subscription is associated with an Azure account (a Microsoft Entra ID tenant). The subscription defines: - Billing: You pay for all resources in the subscription under one invoice. - Access: RBAC roles assigned at the subscription level apply to all resources inside. - Limits: There are subscription-level quotas (e.g., max 25 VM cores per region). - Offer type: Different offers (Pay-As-You-Go, Free Trial, Enterprise Agreement) have different pricing and features.
You can have multiple subscriptions under one account. For instance, a startup might use a Free Trial subscription for learning, then create a Pay-As-You-Go subscription for production. Each subscription can have its own administrators and policies.
Management Groups: Hierarchical Governance
Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. They form a tree structure: you can have a root management group (assigned to your Entra ID tenant) and nest other management groups under it. For example:
Root (Tenant Root Group)
├── Production
│ ├── Prod-Subscription-1
│ └── Prod-Subscription-2
├── Development
│ ├── Dev-Subscription-1
│ └── Dev-Subscription-2
└── Sandbox
└── Sandbox-Subscription-1How Management Groups Work
Management groups work by inheritance. Any RBAC role assignment or Azure Policy assignment made at a management group automatically applies to all subscriptions and resources under it. For example, if you assign the 'Reader' role to a security team at the 'Production' management group, they can read all resources in Prod-Subscription-1 and Prod-Subscription-2. Similarly, a policy that restricts allowed VM sizes at the root group applies to all subscriptions.
Key Components and Limits
Root management group: Created automatically when you first use management groups. It cannot be moved or deleted.
Hierarchy depth: You can have up to 6 levels of management groups (not counting the root).
Max management groups: 10,000 per directory.
Max subscriptions per management group: Unlimited, but practical limits exist for RBAC performance.
Subscription limits: Each subscription has its own quotas (e.g., 25 VM cores per region). You can request increases.
Pricing
Management groups are free. Subscriptions have no cost for the container itself, but you pay for the resources inside. Different subscription offers have different pricing models (e.g., Pay-As-You-Go vs. Reserved Instances).
Comparison to On-Premises
In on-premises, you might have separate departments with their own budgets and servers. Subscriptions are like those department budgets—each has its own cost center. Management groups are like the corporate hierarchy that lets you apply company-wide policies (e.g., all servers must use encryption) without configuring each department individually.
Azure Portal and CLI Touchpoints
Portal:
Subscriptions: Azure Home > Subscriptions
Management Groups: Azure Home > Management Groups
CLI:
# List subscriptions
az account list --output table
# Create a management group
az account management-group create --name "Production" --display-name "Production"
# Add subscription to management group
az account management-group subscription add --name "Production" --subscription "sub-id"PowerShell:
# Get subscriptions
Get-AzSubscription
# Create management group
New-AzManagementGroup -GroupName "Production" -DisplayName "Production"
# Add subscription
New-AzManagementGroupSubscription -GroupName "Production" -SubscriptionId "sub-id"Business Scenarios
Scenario 1: Cost Tracking A company wants to track costs by department. They create one subscription per department (e.g., Marketing, Engineering, Sales). Each subscription has its own budget alert. Management groups are used to group subscriptions by division (e.g., 'Americas' contains all US subscriptions). This allows the CFO to view total cost per division.
Scenario 2: Policy Enforcement An enterprise must ensure all resources are in a specific region (e.g., US East). They create a policy at the root management group that restricts allowed locations. All subscriptions inherit this policy, so no resource can be created outside US East. If a new subscription is added, it automatically gets the policy.
Scenario 3: Access Control A company has a central IT team that needs read-only access to all subscriptions. Instead of assigning the 'Reader' role to each subscription, they assign it at the root management group. Now the team can see all resources across the entire organization.
Create a Management Group
First, navigate to the Management Groups blade in the Azure portal. Click 'Create' and provide a name (e.g., 'Production') and an optional display name. The name must be unique within the directory. Azure creates the management group as a container. Behind the scenes, it creates an object in the Azure Resource Manager hierarchy. There is no default limit on the number of management groups you can create, but best practice is to keep the hierarchy shallow (3-4 levels max). The root management group is automatically created and cannot be deleted.
Add Subscriptions to Management Group
Select the management group you created, then click 'Add subscription'. You can search for subscriptions in your directory and add them. A subscription can only belong to one management group at a time. If you move a subscription, all policies and RBAC assignments from the new management group apply, and those from the old one stop applying. This operation can be done via Portal, CLI, or PowerShell. There is no downtime for resources when moving a subscription.
Assign Azure Policy at Management Group
Go to Azure Policy in the portal, click 'Assignments', then 'Assign policy'. Set the scope to your management group (e.g., 'Production'). Choose a policy definition like 'Allowed locations'. Configure parameters (e.g., allow only 'East US'). Click 'Create'. The policy now applies to all subscriptions under that management group and all future subscriptions added. Enforcement is immediate for new resources; existing resources are evaluated on the next compliance scan (every 24 hours by default).
Assign RBAC Role at Management Group
Navigate to the management group blade, click 'Access control (IAM)', then 'Add role assignment'. Select a role like 'Reader' and a user or group. This grants the role on the management group scope, which means the user inherits that role on all subscriptions and resources under it. For example, a 'Reader' on the root management group can see everything in the tenant. Be careful: assigning 'Owner' at root gives full control over all subscriptions.
Create a Subscription
In the Azure portal, go to Subscriptions > Add. You need an Azure account with sufficient permissions (e.g., Account Administrator). Choose an offer (e.g., Pay-As-You-Go) and provide details. The new subscription is created under the root management group by default. You can then move it to a different management group. Each subscription has a unique subscription ID (GUID) used for billing and management. You can create up to 50 subscriptions per account by default (can be increased).
Scenario 1: Multi-National Corporation with Regional Compliance A global company must comply with GDPR in Europe and CCPA in California. They create a management group hierarchy: Root > Regions > Departments. Under the 'Europe' management group, they assign a policy that restricts data residency to European regions. Under the 'Americas' management group, they assign a policy that restricts data to US regions. Each regional management group contains subscriptions for departments like HR, Finance, and IT. When a new subscription is created for a new European subsidiary, it is placed under the 'Europe' management group and automatically inherits the data residency policy. The company saves thousands of hours by not manually configuring each subscription. If they had skipped management groups, they would have had to assign policies to each subscription individually—a nightmare at scale.
Scenario 2: Startup with Cost Optimization A startup uses separate subscriptions for development, testing, and production. They create a 'Development' management group containing Dev and Test subscriptions, and a 'Production' management group containing Prod subscriptions. They assign a policy at the 'Development' group that prevents using expensive VM sizes (e.g., anything larger than Standard_D4s_v3). This keeps dev costs low. The production group has no such restriction. They also assign the 'Contributor' role to developers at the 'Development' group so they can create resources freely, but only 'Reader' access to production. This setup ensures developers cannot accidentally modify production resources. When the startup grows, they can easily add more subscriptions under the same management groups.
What Goes Wrong When Set Up Incorrectly - Too deep hierarchy: If you create 6 levels of management groups, policy evaluation can become complex and slow. Also, RBAC assignments at deep levels are harder to troubleshoot. - Inherited policy blocks operations: If you assign a policy at root that denies all resources in a region, and then create a subscription that needs that region, you must either exclude the subscription from the policy or modify the policy. This can cause deployment failures. - Accidental root-level Owner: Assigning 'Owner' at the root management group gives that user full control over all subscriptions, including billing and deletion. If a disgruntled employee gets this role, they could delete everything. Always use the principle of least privilege.
Exam Objective 2.1: Describe core Azure architectural components — specifically, subscriptions and management groups. This objective appears in multiple-choice questions, often asking about the purpose of management groups, how policies inherit, and the relationship between subscriptions and management groups.
Common Wrong Answers and Why Candidates Choose Them 1. 'Management groups are used to organize resources within a subscription.' This is wrong because management groups contain subscriptions, not resources. Resources are inside subscriptions. Candidates confuse management groups with resource groups. 2. 'A subscription can belong to multiple management groups.' This is false. A subscription can only be in one management group at a time. Candidates think of tagging or multiple hierarchies, but Azure enforces a single parent. 3. 'The root management group can be deleted.' This is incorrect. The root management group is automatically created and cannot be deleted or moved. Candidates might think it's optional. 4. 'Management groups are used for billing aggregation.' While subscriptions are billing boundaries, management groups are not directly used for billing. Billing is per subscription. Candidates confuse the cost management features that can aggregate by management group.
Specific Terms and Values - Management group hierarchy depth: 6 levels max (excluding root). - Maximum management groups per directory: 10,000. - Root management group: also called 'Tenant Root Group'. - Subscription offers: Free Trial, Pay-As-You-Go, Enterprise Agreement, etc. - Subscription limits: 25 VM cores per region (default).
Edge Cases - Moving a subscription between management groups: The subscription inherits policies from the new parent and loses inheritance from the old parent. This can cause resources to become non-compliant. - Management group-level RBAC vs. subscription-level RBAC: If a user has 'Reader' at management group and 'Contributor' at subscription, the effective permissions are the union (i.e., they have 'Contributor' on that subscription). - Policy exclusion: You can exclude a subscription from a policy applied at a management group by adding an exclusion at the subscription level. This is a common exam scenario.
Memory Trick Use the acronym MRS (Management groups > Subscriptions > Resource groups > Resources). Remember: Management groups contain Subscriptions, Subscriptions contain Resource groups, and Resource groups contain Resources. The hierarchy is M > S > R > R. Also, think of management groups as 'folders for subscriptions' and subscriptions as 'billing accounts'.
An Azure subscription is a billing and access boundary that contains resources.
Management groups are containers for subscriptions that enable hierarchical governance.
The root management group is automatically created and cannot be deleted.
Management group hierarchy can be up to 6 levels deep (excluding root).
Azure Policy and RBAC assignments at a management group are inherited by all subscriptions and resources underneath.
A subscription can only belong to one management group at a time.
Management groups are free; you pay only for resources in subscriptions.
Subscriptions have default quotas (e.g., 25 VM cores per region) that can be increased.
These come up on the exam all the time. Here's how to tell them apart.
Management Group
Contains subscriptions
Used for policy and RBAC inheritance across subscriptions
Hierarchy up to 6 levels
Cannot contain resources directly
Free to use
Resource Group
Contains resources within a subscription
Used for organizing resources and applying RBAC/policy within a subscription
Flat structure (no nesting of resource groups)
Contains VMs, databases, etc.
Free to use
Mistake
Management groups are the same as resource groups.
Correct
Management groups contain subscriptions, while resource groups contain resources. They operate at different levels of the hierarchy. You cannot put a resource directly into a management group.
Mistake
A subscription can be in multiple management groups.
Correct
A subscription can only have one parent management group. This ensures a single path of inheritance for policies and RBAC.
Mistake
You can delete the root management group.
Correct
The root management group is created automatically and cannot be deleted. It represents the top of the hierarchy for your Entra ID tenant.
Mistake
Management groups are required for Azure subscriptions.
Correct
Management groups are optional. You can have subscriptions directly under the root without any custom management groups. However, using them simplifies governance at scale.
Mistake
Management groups affect billing directly.
Correct
Management groups do not change billing. Billing is per subscription. However, you can view costs aggregated by management group in Cost Management.
A management group is a container for subscriptions, used to apply policies and RBAC across multiple subscriptions. A resource group is a container within a subscription that holds related resources (like VMs and databases). Management groups operate at the tenant level, while resource groups operate at the subscription level. You cannot put resources directly into a management group.
No. Each subscription can have only one parent management group. If you need to apply policies from multiple groups, you must restructure your hierarchy or use Azure Policy with multiple assignments.
In the Azure portal, go to Management Groups, select the management group containing the subscription, click the subscription, then click 'Move'. You can also use Azure CLI: `az account management-group subscription add --name 'NewGroup' --subscription 'sub-id'` and then remove from old group. Moving a subscription changes its inherited policies and RBAC.
When you move a subscription, it loses inheritance from the old management group and gains inheritance from the new one. Existing resources are re-evaluated for compliance. Resources that were compliant may become non-compliant if the new policy is stricter.
No. You can use subscriptions directly without creating custom management groups. However, using management groups is best practice for managing many subscriptions, as it simplifies policy and RBAC management.
Yes. RBAC roles assigned at a management group scope are inherited by all subscriptions and resources under that group. For example, assigning 'Reader' at the root management group gives read access to everything in the tenant.
You can create up to 10,000 management groups per directory. The hierarchy can be up to 6 levels deep (excluding the root).
You've just covered Azure Subscriptions and Management Groups — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?