Part 2: Organizational Hierarchy
Source: John Savill's Azure Master Class v3 - Part 3: Governance
Video Timestamps: 12:50 - 32:15
AZ-104 Relevance: ⭐⭐⭐⭐⭐ HIGH - Management Groups, Subscriptions, and Resource Groups are CORE exam topics
The Big Picture
Key Relationship: Every Azure subscription trusts a specific Entra ID tenant for identity.
Management Groups
What They Are
Management Groups create a hierarchy above subscriptions for applying governance at scale.
Key Facts
| Fact | Detail |
|---|---|
| Root Management Group | Every tenant has exactly ONE (cannot be deleted or moved) |
| Hierarchy Depth | Up to 6 levels below root |
| Limit | 10,000 management groups per tenant |
| Parent Rule | Each MG can have only ONE parent, but many children |
| Display Name | Root MG's ID can't change, but display name CAN |
Common Organization Patterns
Organize by:
- Geography (different compliance per region)
- Business Unit (different permissions/policies)
- Environment (Dev/Test vs Production policies)
Entra Global Admin → Azure Elevation
Break-glass scenario: If subscription owners leave and you're locked out:
- Go to Entra ID → Properties
- Enable: "Access management for Azure resources" → Yes
- This grants User Access Administrator at Root MG
- Now you can assign yourself Owner on any subscription
⚠️ Warning: Don't leave this enabled! It's for emergency recovery only.
Subscriptions
What They Are
The fundamental unit for:
- Creating resources
- Billing
- Security boundary
Key Facts
| Fact | Detail |
|---|---|
| Trust | Must trust ONE Entra tenant |
| Default Position | Auto-placed under Root MG (can be moved) |
| Resource Groups | Up to 980 per subscription |
| Role Assignments | Up to 4,000 per subscription |
| Moving to Another Tenant | Possible but LOSES all RBAC and managed identities |
Subscription Policies (Controlling Join/Leave)
In Azure Portal → Subscriptions → Advanced Options → Manage Policies:
| Setting | Options |
|---|---|
| Who can leave tenant | Everyone / Permit no one / Exempted users only |
| Who can add subscription | Everyone / Permit no one / Exempted users only |
How Many Subscriptions?
Old guidance: Keep subscriptions minimal
New guidance: Be flexible - create as needed
| Reason to Create Separate Subscription |
|---|
| Different workload/application |
| Different billing requirements |
| Different compliance needs |
| Service health alerts need isolation |
| Approaching subscription limits |
With Management Groups, you can be looser with subscriptions while still applying consistent governance.
Resource Groups
What They Are
A container for resources that share a common lifecycle.
Key Facts
| Fact | Detail |
|---|---|
| Nesting | NOT allowed - Resource Groups are flat within a subscription |
| Location | Has a region (for metadata only) - resources can be anywhere |
| Lifecycle | Group things that get created/deleted together |
| Renaming | Cannot rename - must create new RG and move resources |
| Cross-RG Communication | Resources CAN communicate across RGs (not a network boundary) |
Lifecycle Grouping Example
Resources in different RGs can still work together!
Moving Resources
From Portal: Select resources → Move → Choose:
- Move to another Resource Group
- Move to another Subscription
- Move to another Region (validation required)
Not all resources support all move types - Azure validates before moving.
Governance Scopes
These three levels (MG → Sub → RG) are where you apply:
| Governance Type | Applied At | Inherited Down? |
|---|---|---|
| RBAC | MG, Sub, RG, Resource | ✅ Yes |
| Policy | MG, Sub, RG | ✅ Yes |
| Budget | MG, Sub, RG | Rolls up ↑ |
| Locks | Sub, RG, Resource | ✅ Yes |
| Tags | Sub, RG, Resource | ❌ No (by default) |
Best Practice: Apply broad governance high up, specific governance lower down. Avoid resource-level RBAC (hits 4,000 limit fast).
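A quick defender-side check for two of the points above: the break-glass elevation should never be left behind as a standing root-scope role assignment, and resource-level RBAC eats into the 4,000-per-subscription limit. The helper below is an added example written for these notes (not from the video or from Microsoft tooling); it assumes input shaped like the JSON from `az role assignment list --all -o json`, and the records it ships with are constructed samples with made-up subscription IDs and principal names.

```python
"""Audit exported Azure role assignments for governance red flags.

Added example for these notes (hypothetical helper, not Azure tooling).
Assumes the input is the JSON produced by `az role assignment list --all -o json`;
the SAMPLE_ASSIGNMENTS below are constructed, not real output.
"""
import json
import re
from collections import Counter

# Constructed sample resembling `az role assignment list --all` output (IDs/names made up).
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "breakglass@contoso.example", "principalType": "User",
     "roleDefinitionName": "User Access Administrator", "scope": "/"},
    {"principalName": "platform-admins", "principalType": "Group",
     "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/corp"},
    {"principalName": "app-team", "principalType": "Group",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"},
    {"principalName": "ops-bot", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"
              "/providers/Microsoft.Compute/virtualMachines/vm1"},
    {"principalName": "finance", "principalType": "Group",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000002"},
])

ROLE_ASSIGNMENT_LIMIT = 4000  # per subscription, as stated in the notes
SUB_RE = re.compile(r"^/subscriptions/([^/]+)", re.IGNORECASE)


def scope_level(scope: str) -> str:
    """Classify an ARM scope string as root / mg / subscription / rg / resource."""
    if scope == "/":
        return "root"
    if scope.lower().startswith("/providers/microsoft.management/managementgroups/"):
        return "mg"
    parts = [p for p in scope.split("/") if p]
    if parts and parts[0].lower() == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2].lower() == "resourcegroups":
            return "rg"
        return "resource"  # anything deeper (or a subscription-level provider path)
    raise ValueError(f"unrecognised scope: {scope}")


def audit(assignments_json: str) -> dict:
    """Return root-scope assignments (elevation left in place), resource-level
    assignments (burn the 4,000 limit), per-subscription counts, and subscriptions
    at or above 90% of the limit."""
    assignments = json.loads(assignments_json)
    root_scope, resource_level, per_sub = [], [], Counter()
    for a in assignments:
        level = scope_level(a["scope"])
        if level == "root":
            root_scope.append(a)
        elif level == "resource":
            resource_level.append(a)
        m = SUB_RE.match(a["scope"])
        if m:  # MG- and root-scope assignments do not count against any one subscription
            per_sub[m.group(1)] += 1
    near_limit = {s: n for s, n in per_sub.items() if n >= ROLE_ASSIGNMENT_LIMIT * 0.9}
    return {"root_scope": root_scope, "resource_level": resource_level,
            "per_subscription": dict(per_sub), "near_limit": near_limit}


if __name__ == "__main__":
    report = audit(SAMPLE_ASSIGNMENTS)
    for a in report["root_scope"]:
        print(f"ROOT-SCOPE: {a['principalName']} has {a['roleDefinitionName']} at '/'")
    for a in report["resource_level"]:
        print(f"RESOURCE-LEVEL: {a['principalName']} {a['roleDefinitionName']} on {a['scope']}")
    print("assignments per subscription:", report["per_subscription"])
```

Any hit in `root_scope` is a standing User Access Administrator (or other) grant at the tenant root and is the thing the warning in the break-glass section tells you to clean up; `resource_level` hits are candidates to move up to the resource group.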
Azure Limits Quick Reference
| Scope | Limit |
|---|---|
| Management Groups per tenant | 10,000 |
| MG hierarchy depth | 6 levels below root |
| Subscriptions per tenant | Unlimited |
| Resource Groups per subscription | 980 |
| Role assignments per subscription | 4,000 |
| Tags per resource | 50 (some resources: 15) |
| Tag name length | 512 characters |
| Tag value length | 256 characters |
📎 Full limits: docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits
Mental Model
Think of it as a corporate org chart:
Entra Tenant = The Company
Root MG = CEO (unchangeable)
Management Groups = Divisions/Departments
Subscriptions = Cost Centers / Projects
Resource Groups = Teams working on specific deliverables
Resources = The actual work product
Policies flow DOWN (CEO sets company rules → everyone follows). Costs roll UP (teams report spending → aggregated at division → company).
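To make the org-chart model concrete, here is an added example (written for these notes, not Azure code or tooling) that builds a tiny tenant hierarchy in memory, enforces the structural rules from the Key Facts tables (one parent per scope, at most 6 MG levels below root, no nested resource groups, 980 RGs per subscription), and then computes the two flows the mental model describes: policies and role assignments inherited DOWN to a scope, and spend rolled UP from resource groups to the root. Names, policies and spend figures are constructed.

```python
"""In-memory model of the Azure scope hierarchy used in these notes.

Added example: not Azure tooling, holds no real tenant data. Limits are the
ones stated in the notes. Scope names, policies and spend are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_MG_DEPTH_BELOW_ROOT = 6
MAX_RG_PER_SUBSCRIPTION = 980
ALLOWED_CHILDREN = {"mg": {"mg", "subscription"}, "subscription": {"rg"}, "rg": set()}


@dataclass
class Scope:
    name: str
    kind: str                                     # "mg", "subscription" or "rg"
    parent: Optional["Scope"] = None
    children: list = field(default_factory=list)
    policies: set = field(default_factory=set)    # policy assignments made at this scope
    roles: set = field(default_factory=set)       # (principal, role) assigned at this scope
    spend: float = 0.0                            # direct spend (only RGs carry spend here)


class Hierarchy:
    def __init__(self, root_name: str):
        self.root = Scope(root_name, "mg")        # the tenant root MG: exactly one, never moved
        self.scopes = {root_name: self.root}

    def add(self, name: str, kind: str, parent_name: str) -> Scope:
        parent = self.scopes[parent_name]
        if name in self.scopes:
            raise ValueError(f"{name} already exists: a scope has exactly one parent")
        if kind not in ALLOWED_CHILDREN[parent.kind]:
            raise ValueError(f"a {kind} cannot sit under a {parent.kind}")  # RGs are flat
        if kind == "mg" and self._depth(parent) + 1 > MAX_MG_DEPTH_BELOW_ROOT:
            raise ValueError(f"MG depth limit of {MAX_MG_DEPTH_BELOW_ROOT} below root exceeded")
        if kind == "rg" and sum(c.kind == "rg" for c in parent.children) >= MAX_RG_PER_SUBSCRIPTION:
            raise ValueError(f"{parent_name} already holds {MAX_RG_PER_SUBSCRIPTION} resource groups")
        scope = Scope(name, kind, parent)
        parent.children.append(scope)
        self.scopes[name] = scope
        return scope

    def _depth(self, scope: Scope) -> int:
        """Number of edges between a scope and the root MG (root = 0)."""
        depth = 0
        while scope.parent is not None:
            scope, depth = scope.parent, depth + 1
        return depth

    def ancestors(self, name: str) -> list:
        """The scope itself followed by every parent up to the root."""
        chain, scope = [], self.scopes[name]
        while scope is not None:
            chain.append(scope)
            scope = scope.parent
        return chain

    # Governance flows DOWN: what applies at a scope is the union of everything above it.
    def effective_policies(self, name: str) -> set:
        return set().union(*(s.policies for s in self.ancestors(name)))

    def effective_roles(self, name: str) -> set:
        return set().union(*(s.roles for s in self.ancestors(name)))

    # Costs roll UP: a scope's spend is its own plus everything beneath it.
    def rolled_up_spend(self, name: str) -> float:
        scope = self.scopes[name]
        return scope.spend + sum(self.rolled_up_spend(c.name) for c in scope.children)


def build_demo() -> Hierarchy:
    """Constructed tenant: root -> corp -> {prod, dev} -> subscriptions -> RGs."""
    h = Hierarchy("tenant-root")
    h.root.policies.add("allowed-locations")
    h.root.roles.add(("breakglass", "User Access Administrator"))
    h.add("corp", "mg", "tenant-root").policies.add("require-tags")
    h.add("prod", "mg", "corp").policies.add("deny-public-ip")
    h.add("dev", "mg", "corp")
    h.add("sub-prod-01", "subscription", "prod").roles.add(("platform-admins", "Owner"))
    h.add("sub-dev-01", "subscription", "dev")
    h.add("rg-web", "rg", "sub-prod-01").spend = 1200.0
    h.add("rg-db", "rg", "sub-prod-01").spend = 800.0
    h.add("rg-sandbox", "rg", "sub-dev-01").spend = 150.0
    return h


if __name__ == "__main__":
    h = build_demo()
    print("policies at rg-web:", sorted(h.effective_policies("rg-web")))
    print("roles at rg-sandbox:", sorted(h.effective_roles("rg-sandbox")))
    print("spend rolled up to prod:", h.rolled_up_spend("prod"))
```

Note what the model makes visible: the `deny-public-ip` policy assigned at the `prod` MG reaches `rg-web` but not `rg-sandbox`, the root-level User Access Administrator grant reaches every scope in the tenant (which is why the break-glass elevation must be removed afterwards), and `prod` reports the combined spend of both production resource groups.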
AZ-104 Exam Tips
| Topic | What to Know |
|---|---|
| Root MG | Can't delete, can't move, CAN change display name |
| MG Depth | 6 levels max |
| Subscription trust | One Entra tenant; changing it loses RBAC |
| RG location | Just metadata - resources can be in any region |
| Moving resources | Some resources can't be moved; validation happens |
| Role assignment limit | 4,000 per subscription |
Practical Exercises
Exercise 1: View Your Management Group Structure (5 min)
- Azure Portal → Search "Management Groups"
- Note the Root MG name (usually the tenant ID)
- See where your subscriptions are placed
Exercise 2: Check Subscription Policies (3 min)
- Azure Portal → Subscriptions → Advanced Options → Manage Policies
- Check who can add/remove subscriptions from your tenant
Exercise 3: Explore a Resource Group (5 min)
- Open any Resource Group
- Find the Move button - what options do you see?
- Check the Locks blade - any locks present?
- Check Access Control (IAM) - what roles are inherited?
Exercise 4: Check Your Limits (5 min)
- Azure Portal → Search "Subscriptions"
- Select a subscription → Usage + quotas
- See how close you are to various limits
What's Next?
Part 3: Naming, Tagging & Inheritance - How to organize resources with names/tags and understand how governance flows down the hierarchy.
End of Part 2