Understanding Azure Account, Subscription and Directory.


For the last couple of days I have been trying to understand the relationship between Azure accounts, subscriptions, directories and resource groups.

Is there any comprehensive guide that can help me understand how Azure accounts, subscriptions and directories work?

Thank you in advance.

 


Great question! @Daniel Martins, is there someone from the team who can help to answer this?

I would probably start with the following links:

What is Azure Active Directory:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis

The relationship between AAD and subscriptions:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-how-subscriptions-associate...

Managing resource groups with AAD:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-manage-groups

From each of the links above there are multiple other links to a lot of content that will explain all these different components and their relationships.

Aside from the "docs" website, I have also found that the Microsoft Virtual Academy website is a great source of information:

https://mva.microsoft.com/

Cheers,

Stephane

Hello Jahongir, all,

Adding a little bit more here to Stephane's great content.

The Azure account is a globally unique entity that gets you access to Azure services and your Azure subscriptions. You can create multiple subscriptions in your Azure account to create separation, e.g. for billing or management purposes. In your subscription(s) you manage resources in resource groups. An Azure subscription can have a trust relationship with an Azure Active Directory (Azure AD) instance – more here.

I hope this helps as well :)

Cheers

@Daniel Martins Thanks for the simple explanation; now those elaborate articles will make more sense to me.

Hi. I would like to explain it like this.

Let's think of it this way:

AD Account - Director of your holding

Directory - Sub-companies in your holding

Subscriptions - Each department in each directory/company

Resource Group - Shelves where you keep documents etc. in each department

[edit: after posting this, I noticed this post was kicked from a few years ago by Khalid. Well then, my contribution is for good sake ;)]

 

@Khalid_Garayev Thanks for your effort, but I think your drawing can confuse others.

I see subscriptions with the same name connected to multiple directories. That is not possible. Comparing it to a company and shelves is too simplified. I wouldn't recommend using an Azure AD for every subsidiary unless this is a requirement for separate administrative purposes. It's more convenient to add the different custom domains for those sub-companies to the same Azure AD.

My 2 cents:

Azure Account: Your overall account to start your Azure journey. Also your billing account.

Azure AD: Your directory for authentication and authorization.

Azure Subscription: The container in which your resources are created. Billing is per subscription (multiple subscriptions can share the same Azure AD). You can also set specific Azure policies at subscription level.

Azure Resource Groups: A logical group of resources belonging to the same application environment and lifecycle.

Within this construction you can separate access to resource groups for departments by using clear RBAC roles.

Using multiple subscriptions can be convenient for administrative/billing use, or for example for sandbox and test vs. production environments. I don't recommend a subscription per department, except when, for example, developers have their own separate subscriptions. But then it's still based on usage rather than on a specific department.

Hi @jahongir abdurahmonov 

An Azure subscription is a logical container used to provision resources in Azure. It holds the details of all your resources like virtual machines (VMs), databases, and more. When you create an Azure resource like a VM, you identify the subscription it belongs to. As you use the VM, the usage of the VM is aggregated and billed monthly.

For more details check this out: https://docs.microsoft.com/en-us/learn/modules/create-an-azure-account/4-multiple-subscriptions

@IonSecrieru

Hi, could you please clarify: if I have 3 subscriptions and I create a new resource, can this resource belong to more than one subscription, or must it belong to only one?

Thanks

 

@Tariq_Awan

Only one subscription...

The hierarchy of Azure goes like this:
Tenancy -> Subscription -> Resource Group -> Resource.

From left to right, it's a one-to-many relationship:

One tenancy can have multiple subscriptions, but a subscription can only belong to one tenancy.

One subscription can have multiple resource groups, but a resource group can only belong to one subscription.

And one resource group can have multiple resources, but a resource can only belong to one subscription.

Hope that makes sense,
Stephane

@Stephane Budo

Thanks for your inputs.

@Stephane Budo One horrible discovery I've made recently is that the tenant Global Admin can be locked out of a subscription that it created. We have an AAD in hybrid mode, not that it is germane to this conversation. It turns out that if the IAM role on the subscription is modified and the Global Admin is removed from the "Global Admin" role, you lose access to the subscription. This was maddening to discover and it undermines my trust in the entire architecture in Azure.

This is obscene: the highest level of authority over a tenant can be locked out of any subscription simply by removing the role from their identity.

Hi @rocketman2200,

I believe you can override this from the Azure Active Directory properties by enabling the "Global Admin have access to all subscriptions" setting.

Hope this helps,

Stephane

@jahongir abdurahmonov 

  • a tenant is associated with a single identity (person, company, or organization) and can own one or several subscriptions
  • a subscription is linked to a payment setup and each subscription will result in a separate bill
  • in every subscription you can add virtual resources (VMs, storage, network, ...)
  • every tenant is linked to a single Azure AD instance, which is shared with all of the tenant's subscriptions
  • resources from one subscription are isolated from resources in other subscriptions
  • an owner of a tenant can decide to have multiple subscriptions:
    • when subscription limits are reached
    • to use different payment methods
    • to isolate resources between different departments, projects, regional offices, and so on

@Stephane Budo 

Thanks for your reply.

However, the Global Admin account had also lost access to the AAD when this happened. I would get an error page when attempting to access the AAD.

Once again telling me that even a Global Admin does not have ubiquitous authority in all the environments.

Thanks for your answer. Just noticed that the link pointing to resource group docs is actually pointing to Azure Resource Management documentation. Here one can find the correct link: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-port.... I know, those names don't help :)
I think one important aspect from the learner's perspective is the chronological order in which you administer the entire Azure process.

Technically, it BEGINS with purchasing a subscription. When you create the subscription you become the administrator of the subscription. From this, you create and can expand an Azure Active Directory. At this point your subscription, tenant and AAD all exist. What's confusing is showing a hierarchy with the subscription level below the others when in fact, at least creation-wise, that subscription must already exist.
Adding in, from: https://azure-training.com/2022/02/28/understanding-tenants-and-subscriptions-in-azure/#:~:text=A%20....

Although when an organization or an individual signs up for the first time only a single tenant is created and associated, multiple tenants can be created after signing up, and therefore an organization can have more than one tenant, depending on organizational requirements. Each tenant has its own Azure Active Directory, thereby having a one-to-one relation between the tenant and the Azure AD, where each tenant is referred to as an organization. In a single tenant, resources within the tenant have access to other services and resources within that tenant, whereas when the resources within a tenant have access to other resources and services in a shared environment across multiple organizations (i.e., multiple tenants), they are considered multi-tenant.