When we start working in Azure Cloud, tenant, directory, management groups, and subscriptions are the first terms we face, and we often struggle to understand the proper role of each. The key to having proper control over the company's expenses is to have a clear view of the spending structure.
For this, Azure has many features that an administrator can leverage to organize resources well, put them in a proper hierarchy, and govern them transparently. Before moving ahead, we should have some clarity on the terms related to the topic:
Tenant: In physical parlance, a tenant is the company or group that uses a building, and the term holds a similar meaning in Azure. A tenant logically identifies the company/organization. Though it is often used interchangeably with Azure AD, the two are not exactly the same. An individual tenant is globally identified by its core domain, which has the form *.onmicrosoft.com, where the * is your tenant name.
Directory: The directory can be described as your company's instance of Azure AD, and it has a one-to-one relationship with the tenant.
Management Groups: This again is a logical entity, which groups subscriptions and even other management groups. It comes in handy if your organization has multiple subscriptions and wants to apply and manage policies, access, and compliance at a scope above the subscription.
Subscriptions: A subscription is where you are billed for your resources. You can have multiple subscriptions under one tenant, and these can be managed, as said previously, through management groups. Each of your logical resources in Azure is linked to a subscription for billing purposes.
With a broad idea of the terms in place, let's dive a little deeper into the realm of management.
As is evident from the above image, the structure increases in complexity, but it helps in understanding all the arrangements of the business at a glance.
The Root Management Group is created by default for each directory. This is where all your other management groups and subscriptions reside, and they are created under it to give the structure a proper hierarchy. All newly created subscriptions first reside here and can then be moved to the appropriate management group.
You can create up to 10000 management groups, and the hierarchy can be six levels deep excluding the root. Another point to remember is that every management group can have only one parent but can have multiple children, which keeps the hierarchy properly maintained.
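The rules above can be checked against an exported hierarchy. The following is an added example, not part of the original post: it walks a management group tree, lists the management groups each subscription sits under (the scopes whose policies and role assignments it inherits), and flags groups nested deeper than six levels and subscriptions still sitting directly in the root group. The sample tree is constructed, and its JSON shape is an assumption modelled on the output of `az account management-group show --expand --recurse`.

```python
import json

MAX_DEPTH = 6  # levels below the root group, the limit stated above
MG_TYPE = "Microsoft.Management/managementGroups"
SUB_TYPE = "/subscriptions"

# Constructed sample; names and IDs are placeholders. Shape assumed from
# `az account management-group show --name <id> --expand --recurse`.
SAMPLE = json.loads("""
{"name": "root-mg", "displayName": "Tenant Root Group",
 "type": "Microsoft.Management/managementGroups", "children": [
  {"name": "mg-prod", "displayName": "Production",
   "type": "Microsoft.Management/managementGroups", "children": [
    {"name": "00000000-0000-0000-0000-000000000001",
     "displayName": "Prod-Sub", "type": "/subscriptions", "children": null}]},
  {"name": "00000000-0000-0000-0000-000000000002",
   "displayName": "New-Sub", "type": "/subscriptions", "children": null}]}
""")


def walk(node, path=()):
    """Yield (node, path); path holds the ancestor group names, root first."""
    yield node, path
    if node["type"] == MG_TYPE:
        for child in node.get("children") or []:
            yield from walk(child, path + (node["name"],))


def inherited_scopes(tree):
    """Map each subscription to the groups whose policies and roles it inherits."""
    return {n["displayName"]: list(p)
            for n, p in walk(tree) if n["type"] == SUB_TYPE}


def audit(tree):
    """Flag groups nested too deep and subscriptions left in the root group."""
    findings = []
    for node, path in walk(tree):
        if node["type"] == MG_TYPE and len(path) > MAX_DEPTH:
            findings.append(f"{node['name']}: {len(path)} levels below root (limit {MAX_DEPTH})")
        if node["type"] == SUB_TYPE and len(path) == 1:
            findings.append(f"{node['displayName']}: still directly under the root group")
    return findings


if __name__ == "__main__":
    print(inherited_scopes(SAMPLE))
    print(audit(SAMPLE))
```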
A management group can be added as shown below:
This will take you to this blade:
The point to remember here is that the management group ID cannot be changed after it is created, though the display name can be changed as shown below:
All the management benefits are also listed above: you can manage access control with built-in and custom-defined roles, as well as the cost and budget for the resources. You can apply policies at this level to further enforce compliance.
As is evident from the screenshot, you can add management groups and subscriptions here, and these subscriptions can also be moved to other management groups.
The point to remember here is that if a subscription has role assignments that use a custom role defined at the management group level, you have to remove those role assignments first before the subscription can be moved.
Since we are talking about subscriptions, let's have a look at them too.
A subscription gives a wealth of options and capabilities that can be harnessed to have proper control of your spending. This is where all your resources will eventually reside. The Overview here gives you the Subscription ID, which will be required multiple times as you deploy resources.
An Azure subscription has a trust relationship with Azure Active Directory (Azure AD). Through Azure AD, the subscription authenticates different users, services, and devices. Many subscriptions can have a trust relationship with one Azure AD directory, but each subscription can only trust a single directory.
Under Cost Management, you can view what is costing you and filter the resources either by resource type or by resource tag. As with management groups, you can also set budgets here, along with alerts on them.
You can also define the scope of the budget and make it more granular by specifying it at the resource group level.
Under Settings, you can see all the resources along with their quotas and usage. You can also request an increase in quota if you seem to overuse some resources. The control that Azure provides at different levels is marvelous, and you can also specify locks to protect your precious resources.
In the end, I would also like to bring up a few points about managing your tenant as a whole.
As you know, the tenant holds everything in your organization together, and it is what separates one organization from another. It is better to give the directory a logical name that is identifiable with the company name. By default, all directories in Azure are given the name Default Directory; you can change it on the tenant properties page, which can be searched for as shown below:
Here you have the option of changing different properties of the tenant, including the name:
This name will also be the name of the Directory.
In certain scenarios where you need the Tenant ID, you can find it under the Overview of Azure Active Directory.
Hope this has brought a bit more clarity on the concepts of Tenant, Management Groups, and Subscriptions. Happy Learning to all.