Azure uses a hierarchy of distinct concepts to help administrators configure and govern workloads that run in the cloud. These concepts -- also referred to as scopes -- interrelate and work together to manage complex cloud environments. However, they work in different ways and address different needs.
The purpose of the various scopes is to let admins manage cloud configurations and governance rules across multiple workloads and cloud users. The sections below break down the key differences between the four scopes (management groups, subscriptions, resource groups and resources) and explain how they fit together to enable comprehensive management.
Azure management groups
A management group is a way to manage policy configurations associated with multiple subscriptions at once. You can define certain management settings, such as access controls and governance policies, and lower levels will inherit those settings. Management groups are useful for businesses that have multiple Azure subscriptions because they eliminate the need to manage the access and governance policies of each subscription separately.
If you run just one or a handful of workloads in Azure, you likely don't need to take advantage of scopes like management groups. But if you have many workloads or users, these scopes make it much easier to manage all of them collectively because they allow admins to define configuration rules and policies that apply to multiple workloads and/or users.
Azure subscriptions
A subscription is an agreement that allows specific users to access resources. The users associated with a subscription, along with their permissions, are defined in Azure Active Directory. Multiple users can share an Azure subscription. Some businesses may have only one subscription, even if more than one person at the business needs to use Azure.
For larger businesses, or for those with widely varying cloud workload requirements, it makes sense to use multiple Azure subscriptions. Doing so makes it possible to apply unique governance policies to each subscription. For example, a business might choose to create different Azure subscriptions for various developer groups who work on different apps. That way, each developer group can follow different governance rules.
Azure resource groups
An Azure resource group is a conceptual entity that governs multiple individual resources. If you want to manage multiple resources in a centralized way, you can associate the resources with an Azure resource group and then apply whichever policies you want.
For example, if you have multiple VMs that require the same security settings, you could create a resource group, add the VMs and then configure the security policies at the resource group level. That's simpler than configuring the policies for each VM independently. It also reduces the risk of configuration mistakes or inconsistencies between VMs.
Azure resources
Resources are the fundamental building blocks of Azure environments. A resource is any compute, storage or networking entity that users can access in the Azure cloud. For example, a VM and a blob that contains data are both Azure resources.
Any policies that you don't define at the management group or resource group level can be defined on the individual resource. You can define some policies that apply to all resources within a resource group, while also defining other policies on a resource-by-resource basis.
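The inheritance described above (management group settings flowing down to subscriptions, resource group settings flowing down to the VMs in the group, and resource-level settings applying to one resource only) can be modelled as a walk up the scope chain. The following added example, which is not code from the article or from Microsoft, does that with a constructed hierarchy: management group and subscription parents are recorded explicitly because a resource ID does not encode them, while the resource group and subscription of a resource are parsed from its ID. The management group names, subscription IDs and policy names are all made up for the example. `effective_policies` answers "which assignments apply to this resource, and from which scope did each come?", and `common_scope` answers "what is the narrowest scope at which one assignment would cover all of these resources?", which is the decision the resource-group example above is making.

```python
"""Scope inheritance in Azure, modelled for illustration (added example)."""
import re

# Constructed scope IDs in the formats Azure uses for each level.
MG = "/providers/Microsoft.Management/managementGroups/"
SUB_A = "/subscriptions/11111111-1111-1111-1111-111111111111"  # made-up ID
SUB_B = "/subscriptions/22222222-2222-2222-2222-222222222222"  # made-up ID

# Parent links for the scopes that a resource ID cannot express:
# management-group membership lives in Azure, not in the ID string.
MG_PARENT = {
    MG + "corp": MG + "tenant-root",
    MG + "dev-teams": MG + "corp",
}
SUB_PARENT = {
    SUB_A: MG + "dev-teams",
    SUB_B: MG + "corp",
}

# Policy assignments keyed by the scope at which they were created
# (constructed sample data; policy names are placeholders).
ASSIGNMENTS = {
    MG + "tenant-root": ["allowed-locations"],
    MG + "corp": ["require-owner-tag"],
    SUB_A: ["deny-public-ip"],
    SUB_A + "/resourceGroups/app-vms": ["require-disk-encryption"],
    SUB_A + "/resourceGroups/app-vms/providers/Microsoft.Compute/virtualMachines/vm-01":
        ["audit-vm-extensions"],
}

# Subscription-rooted IDs: /subscriptions/{id}[/resourceGroups/{rg}][/providers/...]
_SUB_SCOPE_RE = re.compile(
    r"^(?P<sub>/subscriptions/[^/]+)(?P<rg>/resourceGroups/[^/]+)?(?P<res>/providers/.+)?$",
    re.IGNORECASE,
)


def scope_chain(scope_id: str) -> list[str]:
    """Return scope_id followed by every ancestor scope, narrowest first."""
    chain: list[str] = []
    if scope_id.startswith(MG):
        parent = scope_id
    else:
        m = _SUB_SCOPE_RE.match(scope_id)
        if not m:
            raise ValueError(f"not a recognised Azure scope: {scope_id}")
        sub = m.group("sub")
        if m.group("res"):            # an individual resource
            chain.append(scope_id)
        if m.group("rg"):             # the resource group it lives in, if any
            chain.append(sub + m.group("rg"))
        chain.append(sub)
        parent = SUB_PARENT.get(sub)  # None if the subscription is unknown
    while parent:
        chain.append(parent)
        parent = MG_PARENT.get(parent)  # None once the root group is reached
    return chain


def effective_policies(scope_id: str) -> dict[str, str]:
    """Map each policy in force at scope_id to the scope it was assigned at."""
    result: dict[str, str] = {}
    for ancestor in reversed(scope_chain(scope_id)):  # broadest scope first
        for policy in ASSIGNMENTS.get(ancestor, []):
            result.setdefault(policy, ancestor)  # keep the broadest source
    return result


def common_scope(scope_ids: list[str]) -> str:
    """Narrowest scope that contains every given scope.

    This is where a single assignment should be made to cover all of them:
    a resource group for VMs in the same group, a subscription for
    resources spread across its groups, a management group for several
    subscriptions.
    """
    chains = [scope_chain(s) for s in scope_ids]
    others = [set(c) for c in chains[1:]]
    for candidate in chains[0]:       # walk upwards from the first scope
        if all(candidate in o for o in others):
            return candidate
    raise ValueError("scopes share no common management group")


if __name__ == "__main__":
    vm = SUB_A + "/resourceGroups/app-vms/providers/Microsoft.Compute/virtualMachines/vm-01"
    for policy, source in effective_policies(vm).items():
        print(f"{policy:<25} inherited from {source}")
    print("assign once at:", common_scope([SUB_A, SUB_B]))
```

Running the module prints each policy that applies to the sample VM alongside the scope it was inherited from, which is the view a reviewer wants when a resource is unexpectedly blocked or audited. Real Azure adds details this model omits, such as assignment exclusions and the fact that a subscription's parent is read from Azure rather than from a table, but the walk up the chain is the same.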