Understanding Azure Account, Subscription and Directory.

Hello, I would like to explain that:

Think of Azure as a set of nested boxes you use for identity, billing, and organizing resources:

• Directory (Microsoft Entra ID): Who are you? Users, groups, apps, and service principals live here.
• Subscription: Where is the bill and the guardrail? This is the billing and authorization boundary that trusts one directory.
• Resource Group: How do I group related things I deploy together? A logical folder inside a subscription.
• Resource: The actual thing (VM, database, storage account, etc.).
• Management Group: Optional box above subscriptions to apply policy/RBAC to many subscriptions at once.

Hierarchy for scope:
Management Group → Subscription → Resource Group → Resource

What each part does

• Azure account
  • The sign‑in identity (usually a work/school Entra ID account). It’s how a person authenticates; it doesn’t “contain” resources by itself.
• Directory (Microsoft Entra ID, formerly Azure AD)
  • The tenant that holds identities and roles. Subscriptions “trust” one directory for authentication and RBAC. One directory can be linked to many subscriptions.
• Subscription
  • Billing and access boundary. All resources live inside a subscription. It defines:
    • Who can do what (RBAC from the directory)
    • Where charges roll up (billing)
    • Quotas and limits
  • A subscription is linked to exactly one directory at a time, but you can transfer a subscription to a different directory if needed.
• Resource Group
  • A container inside a subscription for resources that share a lifecycle. Every resource must be in exactly one resource group (and therefore in that subscription).
• Management Group
  • An organizational layer above subscriptions. Use it to apply Azure Policy and RBAC across many subscriptions in one shot.

How they relate (in plain terms)

• A person signs in with an account that belongs to a directory.
• The directory provides identities/roles that control access to subscriptions.
• Each subscription is under that directory and contains resource groups.
• Resource groups contain resources.
• Optionally, management groups sit above subscriptions to make governance easier.

Practical guidance

• Separate concerns with subscriptions
  • Use different subscriptions for Prod/Test/Dev, different business units, or strong isolation/billing boundaries.
• Apply RBAC and Policy at the highest sensible scope
  • Prefer management group or subscription scopes so permissions/policies inherit down.
• Organize by lifecycle with resource groups
  • Put resources that are deployed/updated/retired together in the same RG.
• Moving things
  • Many resources can move between resource groups and sometimes between subscriptions; check service‑specific rules first.
  • A subscription can be moved to a different directory, but plan for identity/service principal changes.
• Keep identity vs billing separate
  • Directory handles identities and access; subscription handles billing and quotas.

A simple example

• One directory: contoso.onmicrosoft.com.
• Three subscriptions: Contoso‑Prod, Contoso‑Test, Contoso‑Dev.
• A management group “Contoso” contains all three subscriptions to enforce global policies (allowed regions, tagging).
• In Contoso‑Prod, resource groups: rg‑app1, rg‑data, rg‑network.
• RBAC:
  • Platform team: Owner at subscription scope.
  • App team: Contributor on rg‑app1 only.
  • Finance: Reader at subscription scope for cost visibility.