Forum Discussion
Understanding Azure Account, Subscription and Directory.
For the last couple of days, I have been trying to understand the relationship between Azure Account, Subscription, Directory and Resource Groups.
Is there any comprehensive guide that can help me to understand how Azure Account, Subscription and Directory works?
Thank you in advance.
- DaniMartMS (Microsoft)
Hello Jahongir, all,
Adding a little bit more here to Stephane's great content.
The Azure account is a globally unique entity that gets you access to Azure services and your Azure subscriptions. You can create multiple subscriptions in your Azure account to create separation, e.g. for billing or management purposes. In your subscription(s) you can manage resources in resource groups. An Azure subscription can have a trust relationship with an Azure Active Directory (Azure AD) instance – more here.
I hope this helps as well :)
Cheers
- murarisumit (Copper Contributor)
DaniMartMS Thanks for the simple explanation, now those elaborate articles will make more sense to me.
- basquiatraphaeu (Copper Contributor)
Thanks for your answer. Just noticed that the link pointing to resource group docs is actually pointing to Azure Resource Management documentation. Here one can find the correct link: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal. I know, those names don't help 🙂
- nelson59 (Copper Contributor)
thank you for the 'short' but concise answer.
- Stephane Budo (Iron Contributor)
I would probably start with the following links:
What is Azure Active Directory:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis
The relationship between AAD and subscriptions:
Managing resource groups with AAD:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-manage-groups
From each of the links above, there are multiple other links to a lot of content that will explain all these different components and their relationships.
Aside from the "docs" website, I also have found that the Microsoft Virtual Academy website is a great source of information:
Cheers,
Stephane
- visithag (Brass Contributor)
- a tenant is associated with a single identity (person, company, or organization) and can own one or several subscriptions
- a subscription is linked to a payment setup and each subscription will result in a separate bill
- in every subscription, you can add virtual resources (VM, storage, network, ...)
Every tenant is linked to a single Azure AD instance, which is shared with all the tenant's subscriptions
Resources from one subscription are isolated from resources in other subscriptions
An owner of a tenant can decide to have multiple subscriptions:
- when subscription limits are reached
- to use different payment methods
- to isolate resources between different departments, projects, regional offices, and so on.
- Lana O'Brien (Former Employee)
Great question! DaniMartMS, is there someone from the team who can help to answer this?
- Khalid_Garayev (Copper Contributor)
- McWowtar (Copper Contributor)
[edit: after posting this, I noticed this post was kicked from a few years ago by Khalid. Well then my contribution is for good sake ;)]
Khalid_Garayev Thanks for your effort, but I think your drawing can confuse others.
I see subscriptions with the same name connected to multiple directories. That is not possible. Comparing it to a company and shelves is too simplified. I won't recommend using an Azure AD for every subsidiary, unless this is a requirement for separated administrative purposes. It's more convenient to add the different custom domains for those sub-companies to the same Azure AD.
My 2 cents:
Azure Account: Your overall account to start your Azure journey. Also your billing account
Azure AD: Your directory for authentication and authorization
Azure Subscription: The container where your created resources are created. Billing is per subscription
(multiple subscriptions can have the same Azure AD). You can also set specific Azure policies on subscription level.
Azure Resource Groups: A logical group of resources belonging to the same application environment and lifecycle.
Within this construction you can separate access to resource groups for departments by using clear RBAC roles.
Using multiple subscriptions can be convenient for administrative/billing use, or for example sandbox and test vs production environment. I don't recommend a subscription per department, except when, for example, developers have their separate subscriptions. But then it's still rather based on usage than on a specific department.
- Dave Franklyn (Brass Contributor)
I think one important aspect from the learner's perspective is the chronological order in which you administrate the entire Azure process.
Technically, it BEGINS with purchasing a subscription. When you create the subscription you become the administrator of the subscription. From this, you create and can expand an Azure Active Directory. At this point, your subscription, tenant and AAD all exist. What's confusing is showing a hierarchy with the subscription level below the others, when in fact, at least creation-wise, that subscription must already exist.
- Dave Franklyn (Brass Contributor)
Adding in, from: https://azure-training.com/2022/02/28/understanding-tenants-and-subscriptions-in-azure/#:~:text=A%20Tenant%20refers%20to%20a%20single%20dedicated%20and,represents%20a%20single%20organization%2C%20identity%2C%20or%20a%20person.
Although when an organization or an individual signs up for the first time, only a single tenant is created and associated, but multiple tenants can be created after signing up and, therefore, an organization can have more than one tenant, depending upon organizational requirement. Each tenant has its own Azure Active Directory, thereby having a one-to-one relation between the tenant and the Azure AD, where each tenant is referred to as an organization. In a single tenant, resources within the tenant have access to other services and resources within that tenant, whereas, when the resources within a tenant have access to other resources and services in a shared environment across multiple organizations (i.e., multiple tenant), they are considered as multi-tenant.
- IonSecrieru (Copper Contributor)
Hi jahongir abdurahmonov
An Azure subscription is a logical container used to provision resources in Azure. It holds the details of all your resources like virtual machines (VMs), databases, and more. When you create an Azure resource like a VM, you identify the subscription it belongs to. As you use the VM, the usage of the VM is aggregated and billed monthly.
For more details check this out: https://docs.microsoft.com/en-us/learn/modules/create-an-azure-account/4-multiple-subscriptions
- Tariq_Awan (Copper Contributor)
Hi, could you please clarify: if I have 3 subscriptions and I create a new resource, can this resource belong to more than one subscription, or must it belong to only one?
thanks
- Stephane Budo (Iron Contributor)
Only one subscription...
The hierarchy of Azure goes like this:
Tenancy -> Subscription -> Resource Group -> Resource.
From left to right, it's a one to multiple relationship:
One tenancy can have multiple subscriptions, but a subscription can only belong to one tenancy.
One Subscription can have multiple Resource Groups, but a Resource Group can only belong to one Subscription.
And one Resource Group can have multiple Resources, but a Resource can only belong to one Subscription.
Hope that makes sense,
Stephane
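The hierarchy above, and the per-resource-group RBAC separation mentioned earlier in the thread, can be checked mechanically. The following is an added example, not code from any poster: it assumes the standard Azure Resource Manager ID layout `/subscriptions/<id>/resourceGroups/<name>/providers/<namespace>/<type>/<name>` (not shown in the thread), handles subscription-rooted scopes only, and uses constructed placeholder IDs.

```python
import re

# Constructed placeholder IDs; these are not real subscriptions or resources.
SUB_A = "00000000-0000-0000-0000-00000000000a"
SUB_B = "00000000-0000-0000-0000-00000000000b"
VM_ID = (f"/subscriptions/{SUB_A}/resourceGroups/rg-app-prod"
         "/providers/Microsoft.Compute/virtualMachines/vm-web-01")

# Assumed ID layout: each level is optional only if every level below it is absent.
_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)"
    r"(?:/resourceGroups/(?P<rg>[^/]+)"
    r"(?:/providers/(?P<provider>[^/]+)/(?P<rest>.+))?)?$",
    re.IGNORECASE,
)

def parse_scope(scope):
    """Split an ARM ID into hierarchy levels; raise ValueError if malformed."""
    m = _ID_RE.match(scope.rstrip("/"))
    if not m:
        raise ValueError(f"not a subscription-rooted ARM ID: {scope!r}")
    # ARM IDs compare case-insensitively, so normalise to lower case.
    return {
        "subscription": m["sub"].lower(),
        "resource_group": m["rg"].lower() if m["rg"] else None,
        "resource": f'{m["provider"]}/{m["rest"]}'.lower() if m["provider"] else None,
    }

def scope_covers(assignment_scope, target_id):
    """True if a role assignment at assignment_scope is inherited by target_id."""
    a, t = parse_scope(assignment_scope), parse_scope(target_id)
    if a["subscription"] != t["subscription"]:
        return False              # a target lives in exactly one subscription
    if a["resource_group"] is None:
        return True               # subscription scope reaches everything below it
    if a["resource_group"] != t["resource_group"]:
        return False              # a different resource group is out of scope
    if a["resource"] is None:
        return True               # resource-group scope reaches its resources
    if t["resource"] is None:
        return False              # a resource scope never covers its parent group
    # Resource scope covers the resource itself and its child resources.
    return t["resource"] == a["resource"] or t["resource"].startswith(a["resource"] + "/")
```

Running `scope_covers` over exported role assignments shows which principals reach a given resource through an assignment made higher up the hierarchy, which is where over-broad access usually hides.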
- Chandrasekhar_Arya (Steel Contributor)
Request to go through this document, it is explained very well: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/architecture
- Drabito (Copper Contributor)
DaniMartMS Thanks for the simple explanation, - https://www.drabito.com/