Azure, Technology

8. Manage Subscriptions and Governance

Accounts, Subscriptions and Resource Groups

  1. Account: this is a user or an application. This is the basis for authentication.
  2. Tenant: this is the organisation or the company
    –  Usually a domain name is related to this.
    – a dedicated instance of Azure Active Directory
    – every Azure account is part of at least one tenant
  3. Subscription: an agreement with Microsoft to use AZURE services, and how you are going to pay for that. All Azure resources usage gets billed depending on the payment method of the subscription:
    – Free subscriptions
    – Pay as you go
    – Enterprise agreements
    Note: not every tenant needs to have a subscription and Tenants can have more than one subscription.
  4. Resources: this is any entity managed by Azure. EG: VM, web app, storage account, public IP address, network interface card, network security group etc…
  5. Resource Group:  a way or organising resources. Similar to an OU in AD. All resources can only belong to the one Resource Group.
    It is a way of separating projects , keeping unrelated items separate.

The Subscription Dashboard

The subscription is the basis of billing. It gives a breakdown of the services and resources by cost. It can give you forecasts for your spending for the month.
This is where you make changes to credit cards etc…

Assign Administrator permissions to Subscription

You can add another user as admin of your subscription.

To do this:

  • From within the Subscriptions dashboard, select “Access Control (IAM)”
  • Click on “Add”
  • Select the user you want to give access to
  • Assign this user the “Contributor” role assignment. This will allow them to make changes to the subscription, but not assign permissions to other people.

There are 100s of role assignments to choose from and they can get very granular.

Cost Centre and Tagging

Cost Analysis allows you to dig into the Locations and Resource Groups by what they are costing in the month.


You can create custom tags and then “Tag” resources. These are meta data you can attach to resources. You can then run reports per tag for costs etc… An example of using tags is:

  • Billing code
  • Created by
  • Environment

Azure Policy

You can use Azure Policy to define and enforce company standards and SLA’s across some or all of your companies resources.

There are some built in policies you can use:

  • Require SQL Server 12.0
  • Allowed Locations
  • Allowed VM SKUs
  • Allowed Resource Type

Assigning a policy

You assign Policies through the Azure Portal by going to “Policy Assignments -> Assign Policy”.

The options you set are:

  • Scope: Subscription or Resource Group
  • Exclusions: you can exclude specific resources
  • Policy Definition: Here you can select a built-in or custom policy. The built in policies can do things like:
    • Deploy threat protection
    • Audit resources
    • Set restrictions
  • Assignment name: set a name

Creating Custom Policies

You can create policy definition through “Policies -> Definitions”. The definitions are made up of JSON files. You can download samples of these from GitHub

Managing Policy by PowerShell

Everything you can do in the portal you can do through PowerShell

You can use PowerShell on your machine or use the “CloudShell”.

You will need to install the AZ module on your machine.

To list policiy definitions:

Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq "Ausit missing tags on resources" }

Creating a policy using a definition:

New-AzPolicyAssignment -Name "Checkingrules" -DisplayName "Checking the rules" -scope $resourceGroup.iresourceid -PolicyDefinition $definition


Subscriptions and Management Groups

You can have more than one subscription in the one tenant.

Management Groups

These are basically OU’s that contain other management groups or subscriptions. You can assign users to the Management Group and they will get access to the subscription underneath.


Resource Groups and Resource Locks

Resource Groups are basically an organisational structure for your resources. You can create as many as you need. The Resource Group name needs to be unique to your account.

They can contain things like:

  • VMs
  • VNets
  • Network Security groups
  • Disks
  • Public IP Addresses

Things you can do at the Resource Group level:

  • Policies
  • Locks
  • Reports
  • Deployments

Deleting a Resource Group deletes all the resources inside it also!

Resource Locks

A lock prevents you from changing or deleting the Resource Group. There are 2 types of locks:

  1. No changes (Read Only) – this prevents you from making any changes or even stopping a VM
  2. No deletions

You can add a lock by going to “Locks” in the Resource Group settings.

Resource Group Policies

Go to Resource Group -> Policy – Assignments

You ca assign policies such as “Allow Locations”. This only allows items in the Resource Group to be in certain locations.

Move Resources

Items in a Resource Group can be moved to:

  • Another Resource Group
  • Another Subscription
  • Another Location

NOTE: when you change an items Resource Group its “Resource ID” will change. This is because the Resource Group name is part of the Resources ID. You need to update any scripts that may be using this Resource ID.

Leave a Reply

Your email address will not be published. Required fields are marked *