In addition to managing other aspects of the Azure environment, admins must manage their Azure subscriptions. It is also necessary to understand how to manage your subscriptions for the purposes of the AZ-104 exam. This guide will explore AZ-104 managing subscriptions and the tools used to do this.

What is an Azure Subscription?

A Microsoft subscription is basically a contract arrangement to use one or more of Microsoft’s cloud services. This may include Microsoft 365, Dynamics 365, and Microsoft Entra ID. The billing depends on the service type. For example, the charges of Microsoft 365 and Dynamics 365, which are Software as a Service (SaaS) offerings, are based on per-user licenses.

Protect Your Data with BDRSuite

Cost-Effective Backup Solution for VMs, Servers, Endpoints, Cloud VMs & SaaS applications. Supports On-Premise, Remote, Hybrid and Cloud Backup, including Disaster Recovery, Ransomware Defense & more!

Azure, on the other hand, includes both Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). So, these services are billed according to the amount of cloud resources used. Trial subscriptions are available but have time or usage limits and can be upgraded to paid subscriptions.

Organizations can hold multiple subscriptions across these services. A single organization may have several Microsoft 365 and Azure subscriptions, along with a Dynamics 365 subscription simultaneously.

Key points to know about subscriptions

There are a few things to note about subscriptions to help understand where they fit in the management hierarchy. Note the following functionality:

Download Banner
  • A tenant can have many subscriptions
  • A subscription can only have a 1 to 1 relationship with a tenant, so these can’t be associated with more than one tenant
  • Subscriptions are where the billing takes place
  • Subscriptions have a trust relationship with an Entra ID instance
  • You can’t move resource groups to different subscriptions but you can move individual resources to different subscriptions
  • You can organize subscriptions into your management group hierarchy and apply your governance policies to the Azure management groups
  • When you create a management group, all subscriptions within a management group automatically inherit the policies applied to the management group

What are Management groups?

We have mentioned management groups quite a bit when talking about subscriptions. What are these exactly? Management groups in Azure provide a streamlined way to manage access, policies, and reporting across multiple subscriptions. By grouping subscriptions under a management group, any governance policies applied are inherited by all included subscriptions.

Every Microsoft Entra tenant has a built-in top-level management group, known as the root management group. This group sits at the top of the hierarchy, ensuring that any global policies or Azure role assignments are implemented across the entire directory.

The root management group is automatically created in several ways. You can do this by selecting Management Groups in the Azure portal, through an API call, or using PowerShell. This system simplifies the overall management of Azure resources.

Why may an organization have multiple subscriptions?

There are a number of reasons that organizations may choose multiple subscriptions. Subscriptions are part of the overall management strategy when organizations define Azure resources. Having multiple subscriptions can improve management and allow the creation of different resource groups within each subscription.

Organizations may use resource groups in day-to-day operations, such as where users submit support requests, define user permissions, create user account objects, role assignments, etc.

Subscription types

Microsoft recommends that for many use cases, you create the following types of subscriptions:

  • Subscription that houses your production workloads
  • Subscription that is used for non-production environments
  • Shared subscriptions for large environments
  • Sandbox subscription for sandbox-type accounts

What are the benefits of having these types of subscriptions? Note the following:

  1. Separating production and non-production environments into different subscriptions creates a clear division, simplifying resource management and enhancing safety
  2. Azure offers special Dev/Test subscription options for non-production workloads, which include discounted rates for Azure services and software licenses
  3. Production and non-production environments typically require distinct Azure policies. Having separate subscriptions allows for straightforward application of different policies at the subscription level
  4. Non-production subscriptions can be used to test certain Azure resources, enabling resource providers for these tests without risking exposure to the production environment
  5. Azure dev/test subscriptions can serve as isolated sandboxes, giving administrators and developers the flexibility to quickly set up and dismantle Azure resource groups, aiding in data protection and security
  6. The cost considerations for production and non-production environments often differ, which can be effectively managed through separate subscriptions

Shared services subscription

Microsoft also recommends something called a shared services subscription if you plan to host more than 1,000 VMs or compute instances within 24 months. Hosting shared services helps support the environments serviced by the resources.

Sandbox account

Sandbox accounts allow for experimentation with Azure features while creating isolation between production and non-production environments using specific security policies. You can use an Azure Dev/Test offer to create these experimental subscriptions.

Best practices for Managing subscriptions

Note the following best practices for managing subscriptions:

  1. Determine the personnel responsible for creating new subscriptions
  2. Define the default resource types accessible within each subscription
  3. Establish standard features for all subscriptions, including aspects like Azure RBAC access, policies, tagging, and infrastructure resources
  4. Aim to automate subscription creation using a service principal, ensuring it has the necessary permissions. Set up a security group authorized to request new subscriptions through an automated process
  5. For Enterprise Agreement (EA) customers, request Azure Support to restrict your organization to EA-only subscription creation

Managing Azure Subscriptions

In the Azure portal, we can manage subscriptions from there. Log into the portal and type subscriptions.

Managing Azure Subscriptions

We have the option for Adding a new subscription and also Advanced options.

Managing Azure Subscriptions

Under the advanced options, we can manage policies, view requests from other tenants, and view eligible subscriptions.

Managing Azure Subscriptions

FAQs

How does managing multiple Azure subscriptions differ from single subscription management?

Managing multiple subscriptions involves more complex governance structures, billing, and access control challenges.

What is the purpose of the root management group in Azure?

It provides top-level governance and policy enforcement for all Azure subscriptions and resources within an organization.

What are the benefits of using management groups in Azure?

They offer streamlined governance, policy application, and organization for multiple subscriptions.

Wrapping up

Understanding how to manage Azure subscriptions is an important concept to be familiar with before taking the AZ-104 exam. Subscriptions are important to the overall management of your Azure infrastructure and provide many different features that streamline billing and overall management of resources.

Read More:
Microsoft Azure Administrator: AZ-104 : Managing Azure Resource Groups – Part 16

Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.

Rate this post