Cyber Intelligence
Azure Architecture and Services · 35-40% of exam

L6. Azure Resource Manager: Subscriptions, Resource Groups, and Management Groups

Azure Resource Manager (ARM) is the deployment and management layer for Azure. The AZ-900 exam tests the four-level hierarchy: management groups, subscriptions, resource groups, and resources.

Azure Resource Manager

Azure Resource Manager (ARM) is the management layer that receives all Azure API requests and handles authentication, authorization, and resource operations. Every action you take in the Azure portal, CLI, PowerShell, or REST API goes through ARM.

ARM provides: consistent resource management, role-based access control, tagging, templates (Bicep/ARM), and activity logging.

The Four-Level Hierarchy

Azure organizes resources into a four-level hierarchy:

1. Management Groups (top level)

Management groups contain subscriptions. You can apply Azure Policy and RBAC at the management group level, and they cascade down to all subscriptions within.

  • Up to 6 levels of nesting below the root management group
  • Root management group is the top level; all subscriptions are children
  • Use case: Apply a "deny public IP" policy to all subscriptions in a business unit

2. Subscriptions

A subscription is the billing unit in Azure. Resources are deployed into a subscription. Azure limits apply per subscription (e.g., number of VMs).

  • Each subscription belongs to one Azure AD (Entra ID) tenant
  • RBAC can be assigned at the subscription level
  • Use case: Separate subscriptions for production and development environments

3. Resource Groups

A resource group is a container that holds related resources for an Azure solution. Resources in a group share a lifecycle (typically deployed and deleted together).

  • Every resource must belong to exactly one resource group
  • Resource groups cannot be nested
  • Tagging and access control can be applied at the resource group level
  • Deleting a resource group deletes all resources inside it

4. Resources

Resources are individual services: a virtual machine, a storage account, an SQL database. They are the leaf nodes of the hierarchy.
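
The cascade described above, modelled as an added example that is not part of the original lesson: it walks a resource ID up through its resource group, subscription and management groups, then lists the policy assignments that reach it. All management group, subscription and assignment names are constructed, and exclusions are modelled on the notScopes property of a policy assignment.

```python
# Added example: all names below are constructed, not a real tenant.
MG = "/providers/Microsoft.Management/managementGroups/"

# Child (subscription or management group) -> parent management group.
PARENT_MG = {"sub-prod": "mg-retail", "sub-dev": "mg-sandbox",
             "mg-retail": "mg-root", "mg-sandbox": "mg-root"}

# Policy assignments as (name, scope, notScopes exclusions).
ASSIGNMENTS = [
    ("deny-public-ip", MG + "mg-retail", []),
    ("allowed-regions", MG + "mg-root",
     ["/subscriptions/sub-dev/resourceGroups/rg-lab"]),
    ("require-tags", "/subscriptions/sub-dev", []),
]


def scope_chain(resource_id):
    """List every scope that contains the resource, leaf first, root last."""
    parts = resource_id.strip("/").split("/")
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        raise ValueError("expected /subscriptions/<id>[/resourceGroups/<rg>/...]")
    sub = parts[1]
    chain = ["/subscriptions/" + sub]
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        chain.insert(0, chain[0] + "/resourceGroups/" + parts[3])
        if len(parts) > 4:  # a resource below the resource group
            chain.insert(0, "/" + "/".join(parts))
    node = sub.lower()
    while node in PARENT_MG:  # walk up the management group tree
        node = PARENT_MG[node]
        chain.append(MG + node)
    return chain


def effective_policies(resource_id, assignments=ASSIGNMENTS):
    """Names of assignments inherited by the resource and not excluded."""
    chain = {s.lower() for s in scope_chain(resource_id)}  # IDs are case-insensitive
    names = []
    for name, scope, not_scopes in assignments:
        excluded = any(ex.lower() in chain for ex in not_scopes)
        if scope.lower() in chain and not excluded:
            names.append(name)
    return sorted(names)


if __name__ == "__main__":
    vm = "/subscriptions/sub-prod/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm1"
    print(scope_chain(vm))
    print(effective_policies(vm))
```

The excluded resource group in the sample data shows why an audit has to check exclusions as well as where a policy is assigned: the root-level assignment does not reach anything inside it.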

ARM Templates

ARM templates (JSON) and Bicep (domain-specific language) define infrastructure as code. You declare what you want, and ARM deploys it consistently.

Level             Applies Policy?   Billing?    Contains
Management Group  Yes (cascades)    No          Subscriptions
Subscription      Yes               Yes         Resource Groups
Resource Group    Yes (limited)     No          Resources
Resource          No                Per-usage   N/A

Exam tip: Understand which scope each action applies at. Azure Policy at a management group affects all child subscriptions. Deleting a resource group deletes all its resources.

Exam Focus Points
  • Azure has a 4-level hierarchy: management groups contain subscriptions, which contain resource groups, which contain resources
  • Management groups apply policy and RBAC that cascades to all child subscriptions
  • Subscriptions are the billing unit; each belongs to one Entra ID tenant
  • Every resource must belong to exactly one resource group; resource groups cannot be nested
  • Deleting a resource group permanently deletes all resources inside it
Knowledge Check

1. A company wants to enforce a "deny creation of resources outside approved regions" policy across all its Azure subscriptions. At which level should the policy be applied?

2. What happens when you delete an Azure resource group?
