Skip to main content

Challenge 08: Azure Resource Hierarchy

Estimated Time

25-35 min | Cost: Free | Domain: Azure Architecture & Services (35-40%)

Exam skills covered

  • Describe Azure resources and resource groups
  • Describe subscriptions
  • Describe management groups
  • Describe the hierarchy of resource groups, subscriptions, and management groups

Overview

Azure organizes resources in a four-level hierarchy. Understanding this hierarchy is critical because it controls access (RBAC), policy enforcement, and billing.

Challenge 08 - Azure Resource Hierarchy

Each level inherits settings from the level above it. Policies applied at a management group flow down to all subscriptions, resource groups, and resources beneath it.

Explore

Task 1: Understand the hierarchy

LevelPurposeExample
Management groupsOrganize subscriptions; apply policies at scale"Production", "Development"
SubscriptionsBilling boundary + access control boundary"Pay-As-You-Go", "Visual Studio Enterprise"
Resource groupsLogical container for related resources"rg-webapp-prod", "rg-database-dev"
ResourcesIndividual Azure service instancesA specific VM, storage account, or database

Task 2: Explore resource groups in the Portal

  1. In the Azure Portal, search for Resource groups
  2. Click + Create to see the creation form:
    • Notice you choose a Subscription and a Region
    • Resource groups are free — they're just containers
  3. Create a resource group:
    • Name: rg-az900-learning
    • Region: Your nearest region
    • Click Review + createCreate
  4. Open your new resource group — notice it's empty (no cost!)

Task 3: Understand subscriptions

  1. In the Azure Portal, search for Subscriptions
  2. Click on your subscription
  3. Explore the menu:
    • Overview: See subscription ID, offer type
    • Cost analysis: View spending (should be $0)
    • Access control (IAM): Who has access
    • Resource groups: All RGs in this subscription

Key facts:

  • Every Azure resource belongs to exactly ONE resource group
  • Every resource group belongs to exactly ONE subscription
  • A subscription can have multiple resource groups
  • Subscriptions are the primary billing unit

Task 4: Explore management groups

  1. In the Azure Portal, search for Management groups
  2. You'll see the Tenant Root Group (the top of your hierarchy)
  3. All subscriptions are nested under management groups

Hierarchy example for a large organization: Challenge 08 - Management Group Structure

Task 5: Resource group rules

Important rules to remember:

RuleDescription
Resources can only be in ONE groupA VM can't be in two resource groups
Resource groups CAN span regionsAn RG in "East US" can contain resources in "West Europe"
Deleting an RG deletes ALL resources insideBe careful!
RGs cannot be nestedYou can't put a resource group inside another
Permissions are inheritedRBAC at RG level applies to all resources within
Azure CLI Alternative
# List your subscriptions
az account list --output table

# List resource groups
az group list --output table

# Create a resource group (free!)
az group create --name rg-az900-learning --location eastus

# Show resource group details
az group show --name rg-az900-learning --output table

Key Concepts

ConceptDescription
ResourceAny manageable item in Azure (VM, database, VNet)
Resource groupContainer that holds related resources for management
SubscriptionBilling unit and access control boundary
Management groupContainer for managing access/policy across subscriptions
InheritancePolicies and access flow DOWN the hierarchy
TenantThe top-level Microsoft Entra ID organization

Knowledge Check

1. What happens when you delete a resource group?

2. Which level of the Azure hierarchy is the primary billing boundary?

3. Can a resource group contain resources from different Azure regions?

4. An organization has multiple departments that each need their own Azure billing and access controls. What should they use?

5. A policy is applied at the management group level. Which resources does it affect?

Learn More