Forum Discussion
Understanding Azure Account, Subscription and Directory.
Hi, could you please clarify: if I have 3 Subscriptions, and I create a new resource, can I have this resource in more than one Subscription, or must it be in only one?
Thanks
Only one subscription...
The hierarchy of Azure goes like this:
Tenancy -> Subscription -> Resource Group -> Resource.
From left to right, it's a one to multiple relationship:
One tenancy can have multiple subscriptions, but a subscription can only belong to one tenancy.
One Subscription can have multiple Resource Groups, but a Resource Group can only belong to one Subscription.
And one Resource Group can have multiple Resources, but a Resource can only belong to one Subscription.
Hope that makes sense,
Stephane
- rocketman2200, Oct 22, 2020, Copper Contributor
Stephane Budo One horrible discovery I've made recently is that the tenant Global Admin can be locked out of a Subscription that it created. We have an AAD in a hybrid mode, not that it is germane to this conversation. It turns out if the IAM Role on the Subscription is modified and the Global Admin is removed from the "Global Admin" Role, you lose access to the Subscription. This was maddening to discover and it undermines my trust in the entire architecture in Azure.
It is obscene that the highest level of authority over a tenant can be locked out of any Subscription simply by removing the Role from their identity.
- Stephane Budo, Oct 22, 2020, Iron Contributor
Hi rocketman2200,
I believe you can overwrite this from the Azure Active Directory properties by enabling the "Global Admin have access to all subscriptions" setting.
Hope this helps,
Stephane
- rocketman2200, Oct 22, 2020, Copper Contributor
Thanks for your reply.
However, the Global Admin account had also lost access to the AAD when this happened. I would get an error page when attempting to access the AAD.
Once again telling me that even a Global Admin does not have ubiquitous authority in all the environments.
- Vishnu_MK, Jul 19, 2020, Copper Contributor