Forum Discussion
Understanding Azure Account, Subscription and Directory.
Only one subscription...
The hierarchy of Azure goes like this:
Tenancy -> Subscription -> Resource Group -> Resource.
From left to right, it's a one to multiple relationship:
One tenancy can have multiple subscriptions, but a subscription can only belong to one tenancy.
One Subscription can have multiple Resource Groups, but a Resource Group can only belong to one Subscription.
And one Resource Group can have multiple Resources, but a Resource can only belong to one Subscription.
Hope that makes sense,
Stephane
Stephane Budo One horrible discovery I've made recently is that the tenant Global Admin can be locked out of a Subscription that it created. We have an AAD in a hybrid mode, not that it is germane to this conversation. It turns out if the IAM Role on the Subscription is modified and the Global Admin is removed from the "Global Admin" Role you lose access to the Subscription. This was maddening to discover and it undermines my trust in the entire architecture in Azure.
This is obscene that the highest level of authority over a tenant can be locked out of any Subscription simply by removing the Role from their identity.
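
The scope hierarchy discussed in this thread, as an added example that is not part of either post: Azure RBAC role assignments are inherited from a scope down to everything beneath it, so this sketch computes effective roles and per-subscription Owners from role-assignment records. The records, principal names and subscription IDs are constructed, the helper names are hypothetical, and management-group scopes are not resolved.

```python
# Constructed records shaped like `az role assignment list --all` output.
SUB_A = "/subscriptions/00000000-0000-0000-0000-00000000000a"
SUB_B = "/subscriptions/00000000-0000-0000-0000-00000000000b"
ASSIGNMENTS = [
    {"principalName": "admin@contoso.example", "roleDefinitionName": "Owner", "scope": SUB_A},
    {"principalName": "dev@contoso.example", "roleDefinitionName": "Contributor",
     "scope": SUB_A + "/resourceGroups/rg-web"},
    {"principalName": "dev@contoso.example", "roleDefinitionName": "Owner", "scope": SUB_B},
    {"principalName": "ops@contoso.example", "roleDefinitionName": "Reader", "scope": "/"},
]


def scope_covers(assigned, target):
    """True if an assignment made at `assigned` is inherited at `target`."""
    a, t = assigned.rstrip("/").lower(), target.rstrip("/").lower()
    # "/" (root) covers everything; otherwise compare whole path segments so
    # that ".../sub-a" never matches ".../sub-ab".
    return a == "" or t == a or t.startswith(a + "/")


def effective_roles(principal, target, assignments):
    """Roles a principal holds at `target`, directly or by inheritance."""
    return {r["roleDefinitionName"] for r in assignments
            if r["principalName"] == principal and scope_covers(r["scope"], target)}


def owners_by_subscription(subscriptions, assignments):
    """Map each subscription scope to the principals holding Owner at or above it."""
    return {s: sorted({r["principalName"] for r in assignments
                       if r["roleDefinitionName"] == "Owner"
                       and scope_covers(r["scope"], s)})
            for s in subscriptions}


def without(principal, role, scope, assignments):
    """Copy of the records with one assignment removed (the lockout case)."""
    gone = (principal, role, scope)
    return [r for r in assignments
            if (r["principalName"], r["roleDefinitionName"], r["scope"]) != gone]


if __name__ == "__main__":
    for sub, owners in owners_by_subscription([SUB_A, SUB_B], ASSIGNMENTS).items():
        flag = "  <- single Owner, one removal locks everyone out" if len(owners) < 2 else ""
        print(sub, owners, flag)
    after = without("admin@contoso.example", "Owner", SUB_A, ASSIGNMENTS)
    print("admin roles on SUB_A after removal:",
          effective_roles("admin@contoso.example", SUB_A, after))
```
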