Dec 09 2016 01:59 AM
For the last couple of days, I have been trying to understand the relationship between Azure account, Subscription, Directory, and Resource Groups.
Is there any comprehensive guide that can help me to understand how Azure Account, Subscription and Directory works?
Thank you in advance.
Dec 12 2016 05:01 PM
Great question! @Daniel Martins, is there someone from the team who can help to answer this?
Dec 15 2016 11:24 AM
I would probably start with the following links:
What is Azure Active Directory:
The relationship between AAD and subscriptions:
Managing resource groups with AAD:
From each of the links above, there are multiple other links to a lot of content that will explain all these different components and their relationships.
Aside from the "docs" website, I also have found that the Microsoft Virtual Academy website is a great source of information:
Jan 03 2017 02:24 PM
Hello Jahongir, all,
Adding a little bit more here to Stephane's great content.
The Azure account is a globally unique entity that gets you access to Azure services and your Azure subscriptions. You can create multiple subscriptions in your Azure account to create separation, e.g. for billing or management purposes. In your subscription(s) you can manage resources in resource groups. An Azure subscription can have a trust relationship with an Azure Active Directory (Azure AD) instance – more here.
I hope this helps as well :)
Apr 02 2019 11:51 PM
@Daniel Martins Thanks for the simple explanation, now those elaborate articles will make more sense to me.
Mar 26 2020 11:48 AM
Hi. I would like to explain that:
Let's think that:
AD Account - Director of your Holding
Directory - Sub-companies at your Holding
Subscriptions - Each department at each directory/company
ResourceGroup - Shelves where you keep documents or etc on each department
Apr 01 2020 03:49 AM - edited Apr 01 2020 03:51 AM
[edit: after posting this, I noticed this post was kicked from a few years ago by Khalid. Well then my contribution is for good sake ;)]
@Khalid_Garayev Thanks for your effort, but I think your drawing can confuse others.
I see subscriptions with the same name connected to multiple directories. That is not possible. Comparing it to a company and shelves is too simplified. I won't recommend using an Azure AD for every subsidiary, unless this is a requirement for separated administrative purposes. It's more convenient to add the different custom domains for those sub-companies to the same Azure AD.
My 2 cents:
Azure Account: Your overall account to start your Azure journey. Also your billing account
Azure AD: Your directory for authentication and authorization
Azure Subscription: The container where your created resources are created. Billing is per subscription
(multiple subscriptions can have the same Azure AD). You can also set specific Azure policies on subscription level.
Azure Resource Groups: A logical group of resources belonging to the same application environment and lifecycle.
Within this construction you can separate access to resource groups for departments by using clear RBAC roles.
Using multiple subscriptions can be convenient for administrative/billing use, or for example sandbox and test vs production environment. I don't recommend a subscription per department, except when, for example, developers have their separate subscriptions. But then it's still rather based on usage than on a specific department.
Jun 02 2020 02:43 AM
Hi @jahongir abdurahmonov
An Azure subscription is a logical container used to provision resources in Azure. It holds the details of all your resources like virtual machines (VMs), databases, and more. When you create an Azure resource like a VM, you identify the subscription it belongs to. As you use the VM, the usage of the VM is aggregated and billed monthly.
For more details check this out: https://docs.microsoft.com/en-us/learn/modules/create-an-azure-account/4-multiple-subscriptions
Jun 24 2020 12:33 AM
Hi, could you please clarify: if I have 3 Subscriptions and I create a new resource, can this resource belong to more than one Subscription, or must it belong to only one?
Jun 24 2020 03:36 AM
Only one subscription...
The hierarchy of Azure goes like this:
Tenancy -> Subscription -> Resource Group -> Resource.
From left to right, it's a one to multiple relationship:
One tenancy can have multiple subscriptions, but a subscription can only belong to one tenancy.
One Subscription can have multiple Resource Groups, but a Resource Group can only belong to one Subscription.
And one Resource Group can have multiple Resources, but a Resource can only belong to one Subscription.
Hope that makes sense,
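The hierarchy in the post above is visible in every Azure Resource Manager resource ID, which carries exactly one subscription ID and one resource group name. The following is an added example, not part of the original thread: a Python parser that rebuilds the subscription, resource group and resource tree from resource IDs. The GUIDs and resource names are constructed placeholders, and `parse_resource_id` and `build_hierarchy` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Azure Resource Manager ID layout:
# /subscriptions/{id}/resourceGroups/{name}/providers/{namespace}/{type}/{name}[/...]
RESOURCE_ID = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
    r"/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<resource>[^/]+/[^/]+/.+)$",
    re.IGNORECASE,  # the portal and APIs are not consistent about segment casing
)

def parse_resource_id(rid):
    """Split a resource ID into its single subscription, group and resource path."""
    m = RESOURCE_ID.match(rid.strip())
    if m is None:
        raise ValueError(f"not a resource-group-scoped resource ID: {rid!r}")
    # Subscription IDs and resource group names compare case-insensitively.
    return {"sub": m["sub"].lower(), "rg": m["rg"].lower(), "resource": m["resource"]}

def build_hierarchy(resource_ids):
    """Return {subscription: {resource_group: [resource, ...]}}."""
    tree = defaultdict(lambda: defaultdict(list))
    for rid in resource_ids:
        p = parse_resource_id(rid)
        tree[p["sub"]][p["rg"]].append(p["resource"])
    return {sub: dict(groups) for sub, groups in tree.items()}

# Constructed sample IDs (placeholder GUIDs and names, not real resources).
SUB_PROD = "11111111-1111-1111-1111-111111111111"
SUB_TEST = "22222222-2222-2222-2222-222222222222"
SAMPLE_IDS = [
    f"/subscriptions/{SUB_PROD}/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-01",
    f"/subscriptions/{SUB_PROD}/resourceGroups/rg-web/providers/Microsoft.Network/virtualNetworks/vnet-web",
    f"/subscriptions/{SUB_PROD}/resourcegroups/RG-Data/providers/Microsoft.Sql/servers/sql01/databases/orders",
    # Same group and VM name, different subscription: a separate group and resource.
    f"/subscriptions/{SUB_TEST}/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-01",
]

if __name__ == "__main__":
    for sub, groups in build_hierarchy(SAMPLE_IDS).items():
        print(sub)
        for rg, resources in groups.items():
            print("   ", rg, resources)
```

A resource group name is only unique within its subscription, which is why `rg-web` appears twice in the output as two unrelated groups.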
Oct 21 2020 09:19 PM
@Stephane Budo One horrible discovery I've made recently is that the tenant Global Admin can be locked out of a Subscription that it created. We have an AAD in a hybrid mode, not that it is germane to this conversation. It turns out if the IAM Role on the Subscription is modified and the Global Admin is removed from the "Global Admin" Role you lose access to the Subscription. This was maddening to discover and it undermines my trust in the entire architecture in Azure.
This is obscene that the highest level of authority over a tenant can be locked-out of any Subscription simply by removing the Role from their identity.
Oct 21 2020 10:21 PM
Hi @rocketman2200 ,
I believe you can overwrite this from the Azure Active Directory properties by enabling the "Global Admin have access to all subscriptions" setting.
Hope this helps,
Oct 21 2020 10:21 PM
Every tenant is linked to a single Azure AD instance, which is shared with all of the tenant's subscriptions
Resources from one subscription are isolated from resources in other subscriptions
An owner of a tenant can decide to have multiple subscriptions:
Oct 22 2020 05:14 AM
Thanks for your reply.
However, the Global Admin account had also lost access to the AAD when this happened. I would get an error page when attempting to access the AAD.
Once again telling me that even a Global Admin does not have ubiquitous authority in all the environments.
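The lockout discussed in the last few posts depends on which Azure RBAC role assignments exist at subscription scope, so it can be checked for ahead of time. The following is an added example, not code from any poster or from Microsoft: it audits role assignments shaped like `az role assignment list --all` output for subscriptions with too few direct Owner assignments, and lists assignments at the root scope `/`, which is where elevated directory-admin access shows up as User Access Administrator. The sample data, the `audit_assignments` name and the two-owner threshold are assumptions, and Owner inherited from a management group is not counted.

```python
import re
from collections import defaultdict

# Matches a scope that is exactly a subscription, not a resource group below it.
SUB_SCOPE = re.compile(r"^/subscriptions/([0-9a-f-]{36})$", re.IGNORECASE)

def audit_assignments(assignments, subscription_ids, min_owners=2):
    """Return (subscriptions with fewer than min_owners direct Owners, root-scope grants)."""
    owners = defaultdict(set)
    root_scope = []
    for a in assignments:
        scope, role, who = a["scope"], a["roleDefinitionName"], a["principalName"]
        if scope == "/":
            # Root scope applies to every subscription in the tenant.
            root_scope.append((who, role))
            continue
        m = SUB_SCOPE.match(scope)
        if m and role == "Owner":
            owners[m.group(1).lower()].add(who)
    thin = {}
    for sub in subscription_ids:
        holders = sorted(owners.get(sub.lower(), ()))
        if len(holders) < min_owners:
            thin[sub] = holders  # removing one more Owner risks a lockout
    return thin, root_scope

# Constructed sample (placeholder GUIDs and principals, not real data).
SUB_A = "11111111-1111-1111-1111-111111111111"
SUB_B = "22222222-2222-2222-2222-222222222222"
SUB_C = "33333333-3333-3333-3333-333333333333"
SAMPLE = [
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUB_A}"},
    {"principalName": "bob@contoso.example", "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUB_A}"},
    {"principalName": "carol@contoso.example", "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUB_B}"},
    {"principalName": "dave@contoso.example", "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB_B}"},
    {"principalName": "erin@contoso.example", "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUB_B}/resourceGroups/rg-web"},
    {"principalName": "ga@contoso.example", "roleDefinitionName": "User Access Administrator",
     "scope": "/"},
]

if __name__ == "__main__":
    thin, root = audit_assignments(SAMPLE, [SUB_A, SUB_B, SUB_C])
    print("Subscriptions at risk of lockout:", thin)
    print("Root-scope assignments to review:", root)
```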