Azure Resource Management Hierarchy

1) Azure AD Tenant

In order to manage Azure subscriptions and resources, administrators need an identity directory to manage users that will have access to the resources. Azure AD is the identity store that facilitates the authentication and authorization for all users in an Azure tenant's subscriptions. Every Azure subscription has a trust relationship with one Azure AD tenant to manage access to the subscription. It is common for organizations to connect their on-premises AD to Azure AD using a tool called Azure AD Connect.

This is the top-level management group in the hierarchy, representing the entire organization. It's created by default when an Azure AD tenant is created. It provides a way to apply policies and manage access across all subscriptions and management groups in the tenant.

If an organization has enabled the root management group, they could create child management groups under the root to simplify the management of their subscriptions. Child management groups allow organizations to group subscriptions together in a flexible structure, mainly to centrally manage access and governance. Child management groups can be nested and can support up to six levels of depth.

To provision resources in Azure, we need an Azure subscription. An Azure subscription is the logical container where resources are provisioned.

Within subscriptions, there are resource groups. Resource groups are logical containers that can be used to group and manage Azure resources such as virtual machines (VMs), storage accounts, and databases.

Resources are the individual instances of Azure services that are deployed in an Azure subscription. The resource level is the bottom of the organization hierarchy.

Last updated 8 months ago