L6. Azure Resource Manager: Subscriptions, Resource Groups, and Management Groups
Azure Resource Manager (ARM) is the deployment and management layer for Azure. The AZ-900 exam tests the four-level hierarchy: management groups, subscriptions, resource groups, and resources.
Azure Resource Manager
Azure Resource Manager (ARM) is the management layer that receives all Azure API requests and handles authentication, authorization, and resource operations. Every action you take in the Azure portal, CLI, PowerShell, or REST API goes through ARM.
ARM provides: consistent resource management, role-based access control, tagging, templates (Bicep/ARM), and activity logging.
The Four-Level Hierarchy
Azure organizes resources into a four-level hierarchy:
1. Management Groups (top level)
Management groups contain subscriptions. You can apply Azure Policy and RBAC at the management group level, and they cascade down to all subscriptions within.
- Up to 6 levels of nesting below the root management group
- Root management group is the top level; all subscriptions are children
- Use case: Apply a "deny public IP" policy to all subscriptions in a business unit
2. Subscriptions
A subscription is the billing unit in Azure. Resources are deployed into a subscription. Azure limits apply per subscription (e.g., number of VMs).
- Each subscription belongs to one Azure AD (Entra ID) tenant
- RBAC can be assigned at the subscription level
- Use case: Separate subscriptions for production and development environments
3. Resource Groups
A resource group is a container that holds related resources for an Azure solution. Resources in a group share a lifecycle (typically deployed and deleted together).
- Every resource must belong to exactly one resource group
- Resource groups cannot be nested
- Tagging and access control can be applied at the resource group level
- Deleting a resource group deletes all resources inside it
4. Resources
Resources are individual services: a virtual machine, a storage account, an SQL database. They are the leaf nodes of the hierarchy.
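Because RBAC assigned at a parent level applies to everything beneath it, reviewing who can reach a resource means walking its ID up through every parent scope. The following is an added example, not part of the original lesson: the hierarchy, IDs, principals, and role assignments are constructed sample data, and `scope_chain` and `effective_assignments` are hypothetical helper names.

```python
# Added example with constructed data; no Azure API calls are made.
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed ID

# Constructed hierarchy: management group -> parent (None marks the root).
MG_PARENT = {"mg-root": None, "mg-corp": "mg-root", "mg-finance": "mg-corp"}
# Constructed mapping: subscription ID -> containing management group.
SUB_PARENT = {"00000000-0000-0000-0000-000000000001": "mg-finance"}

# Constructed role assignments as (scope, principal, role).
ASSIGNMENTS = [
    (MG_PREFIX + "mg-corp", "secops-group", "Reader"),
    (SUB, "finance-admins", "Contributor"),
    (SUB + "/resourceGroups/rg-payroll", "payroll-app", "Reader"),
    (SUB + "/resourceGroups/rg-other", "other-team", "Owner"),
]


def scope_chain(resource_id):
    """List every scope the ID inherits from, most specific first."""
    parts = resource_id.strip("/").split("/")
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        raise ValueError("expected /subscriptions/<id>[/resourceGroups/<rg>/...]")
    chain = []
    if len(parts) > 4:  # a resource below the subscription or resource group
        chain.append("/" + "/".join(parts))
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        chain.append("/" + "/".join(parts[:4]))
    chain.append("/" + "/".join(parts[:2]))
    mg, seen = SUB_PARENT.get(parts[1].lower()), set()
    while mg is not None and mg not in seen:  # walk to the root; stop on a cycle
        seen.add(mg)
        chain.append(MG_PREFIX + mg)
        mg = MG_PARENT.get(mg)
    return chain


def effective_assignments(resource_id):
    """Return (principal, role, granted_at) for each assignment in effect."""
    chain = [s.lower() for s in scope_chain(resource_id)]  # IDs compare case-insensitively
    hits = [(chain.index(scope.lower()), principal, role, scope)
            for scope, principal, role in ASSIGNMENTS if scope.lower() in chain]
    return [(p, r, s) for _, p, r, s in sorted(hits)]
```

For a VM in `rg-payroll`, the result includes the `Reader` grant made two levels up at `mg-corp`, which is the kind of inherited access that is easy to miss when reviewing only the resource group.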
ARM Templates
ARM templates (JSON) and Bicep (domain-specific language) define infrastructure as code. You declare what you want, and ARM deploys it consistently.
| Level | Applies Policy? | Billing? | Contains |
|---|---|---|---|
| Management Group | Yes (cascades) | No | Subscriptions |
| Subscription | Yes | Yes | Resource Groups |
| Resource Group | Yes (limited) | No | Resources |
| Resource | No | Per-usage | N/A |
- ✓ Azure has a 4-level hierarchy: management groups contain subscriptions, which contain resource groups, which contain resources
- ✓ Management groups apply policy and RBAC that cascades to all child subscriptions
- ✓ Subscriptions are the billing unit; each belongs to one Entra ID tenant
- ✓ Every resource must belong to exactly one resource group; resource groups cannot be nested
- ✓ Deleting a resource group permanently deletes all resources inside it
1. A company wants to enforce a "deny creation of resources outside approved regions" policy across all its Azure subscriptions. At which level should the policy be applied?
2. What happens when you delete an Azure resource group?