Forum Discussion
Understanding Azure Account, Subscription and Directory.
Hi alwaysLearner
An Azure subscription is a logical container used to provision resources in Azure. It holds the details of all your resources like virtual machines (VMs), databases, and more. When you create an Azure resource like a VM, you identify the subscription it belongs to. As you use the VM, the usage of the VM is aggregated and billed monthly.
For more details check this out: https://docs.microsoft.com/en-us/learn/modules/create-an-azure-account/4-multiple-subscriptions
Hi, could you please clarify: if I have 3 Subscriptions and I create a new resource, can I have this resource in more than one Subscription, or must it be in only one?
thanks
- Stephane Budo, Jun 24, 2020, Iron Contributor
Only one subscription...
The hierarchy of Azure goes like this:
Tenancy -> Subscription -> Resource Group -> Resource.
From left to right, it's a one to multiple relationship:
One tenancy can have multiple subscriptions, but a subscription can only belong to one tenancy.
One Subscription can have multiple Resource Groups, but a Resource Group can only belong to one Subscription.
And one Resource Group can have multiple Resources, but a Resource can only belong to one Subscription.
Hope that makes sense,
Stephane
- rocketman2200, Oct 22, 2020, Copper Contributor
Stephane Budo One horrible discovery I've made recently is that the tenant Global Admin can be locked out of a Subscription that it created. We have an AAD in a hybrid mode, not that it is germane to this conversation. It turns out if the IAM Role on the Subscription is modified and the Global Admin is removed from the "Global Admin" Role you lose access to the Subscription. This was maddening to discover and it undermines my trust in the entire architecture in Azure.
This is obscene that the highest level of authority over a tenant can be locked out of any Subscription simply by removing the Role from their identity.
- Stephane Budo, Oct 22, 2020, Iron Contributor
Hi rocketman2200,
I believe you can overwrite this from the Azure Active Directory properties by enabling the "Global Admin have access to all subscriptions" setting.
Hope this helps,
Stephane
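An added example, not part of the thread or of any Microsoft tooling: a small audit for the lockout discussed above. It assumes role assignments exported as JSON in the shape of `az role assignment list --all` output (`principalName`, `roleDefinitionName`, `scope`), and that elevated Global Admin access appears as User Access Administrator at the root scope `/`. The sample data and function names are constructed for illustration.

```python
import json

# Constructed sample, shaped like `az role assignment list --all` output.
# Principals and subscription IDs are made up.
SAMPLE = json.loads("""[
 {"principalName": "admin@contoso.example", "roleDefinitionName": "User Access Administrator", "scope": "/"},
 {"principalName": "ops@contoso.example", "roleDefinitionName": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalName": "dev@contoso.example", "roleDefinitionName": "Contributor", "scope": "/subscriptions/00000000-0000-0000-0000-000000000002"},
 {"principalName": "dev@contoso.example", "roleDefinitionName": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-app"}
]""")
SUBS = ["00000000-0000-0000-0000-000000000001", "00000000-0000-0000-0000-000000000002"]

# Built-in roles that can change role assignments (IAM) at their scope.
ACCESS_MANAGING_ROLES = {"Owner", "User Access Administrator"}

def subscription_of(scope):
    """Return the subscription ID in a scope path, or None for root/other scopes."""
    parts = scope.strip("/").split("/")
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        return parts[1]
    return None

def audit(assignments, subscription_ids):
    """Flag root-scope elevations and subscriptions nobody can administer directly.

    Only assignments made exactly at subscription scope count as access managers;
    resource-group assignments and management-group inheritance are ignored here.
    """
    elevated = []
    managers = {sub: set() for sub in subscription_ids}
    for a in assignments:
        role, scope, who = a["roleDefinitionName"], a["scope"], a["principalName"]
        if role not in ACCESS_MANAGING_ROLES:
            continue
        if scope == "/":
            elevated.append(who)  # elevated access still switched on
        elif scope.strip("/").count("/") == 1 and subscription_of(scope) in managers:
            managers[subscription_of(scope)].add(who)
    unmanaged = sorted(sub for sub, who in managers.items() if not who)
    return {"elevated_at_root": sorted(elevated), "no_direct_access_manager": unmanaged}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, SUBS), indent=2))
```

A subscription listed under `no_direct_access_manager` is one where removing a single assignment can cause the lockout described above; a principal under `elevated_at_root` still holds access across every subscription in the tenant.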
- Vishnu_MK, Jul 19, 2020, Copper Contributor