Azure Subscriptions
Slide deck explaining Azure subscriptions, their role in scope hierarchy, relationship with tenants, cost management, scenarios for multiple subscriptions, RBAC, and common pitfalls.
Azure Subscriptions
Introduction to Azure Subscriptions, covering their role as containers for resources and management boundaries.
Azure Subscriptions
Introduction to Azure Subscriptions, covering their role as containers for resources and management boundaries.
Why subscriptions matter
Subscriptions are a core boundary for managing resources, access, and costs. Subscription equals container for Azure resources. Common boundary for billing and governance. Sits in the scope hierarchy (above resource groups). Tied to Microsoft Entra ID (identity).
Azure subscription
A subscription is a container for resources and a common management/billing unit. Container for Azure resources. Common unit for billing and management. Used to define clean boundaries. Helps structure access and governance.
Scope hierarchy
Scopes nest: management groups → subscriptions → resource groups → resources. Management groups (optional) organize subscriptions. Subscriptions contain resource groups. Resource groups contain resources. Scope equals where governance is applied.
Inheritance in scopes
Settings at a parent scope can apply to child scopes. Assigning at a higher scope affects everything below. Broad scope equals simpler, but higher risk. Narrow scope equals safer, more targeted. Choose scope intentionally.
Subscription ↔ tenant relationship
A subscription trusts one Microsoft Entra tenant; a tenant can serve many subscriptions. Microsoft Entra ID equals identity directory. Tenant equals your directory (users, groups, apps). One subscription trusts one tenant at a time. One tenant can be linked to many subscriptions.
Cost scopes in Azure
Subscriptions are a common cost scope, but other billing scopes exist. Budgets and analysis often at subscription scope. Cost views can exist at other scopes (billing-related). Access determines what you can see. Always confirm the scope you're analyzing.
Why multiple subscriptions exist
Subscriptions help create clean boundaries as Azure usage grows. Access boundary (broad RBAC assignments). Policy boundary (governance at scale). Cost separation and visibility. Quotas/limits often scoped per subscription.
Scenario: Prod vs Dev/Test
Separate subscriptions keep production safer and cost tracking cleaner. Production subscription: tighter access and controls. Dev/Test subscription: safer experimentation. Cleaner budget and cost visibility. Resource groups help, but may be less strict.
Scenario: One tenant, many subscriptions
Tenant equals identity; subscription equals resource container and governance scope. Tenant: users, groups, applications. Subscriptions: resources plus governance plus cost scopes. Multiple subscriptions can trust one tenant. Don't confuse tenant with subscription.
Scenario: quotas vs budgets
Quota equals technical limit; budget equals cost control. Growth can hit quota limits. Quotas are often per subscription. Budgets track/limit spending (not capacity). Subscription design can reduce conflicts.
RBAC (Role-Based Access Control) and scope
Pick the smallest scope that still lets the team do the job. RBAC controls 'who can do what'. Subscription roles: broad operations access. Resource group roles: narrower team access. Inheritance means scope choice matters.
Pitfalls
Most issues come from confusing identity vs resources, or assigning at the wrong scope. Subscription is more than billing (governance boundary). Tenant (identity) does not equal subscription (resources). Separate workloads when you need cost/access clarity. RBAC scope inherits—assign carefully.