Guided by A Guide to Cloud

AZ-104 Study Guide

Domain 1: Manage Azure Identities and Governance

  • Microsoft Entra ID: Your Identity Foundation Free
  • Users, Groups & Licenses Free
  • RBAC: Who Can Do What in Azure Free
  • Subscriptions, Resource Groups & Management Groups Free
  • Azure Policy & Resource Locks Free
  • Tags, Cost Management & Azure Advisor Free

Domain 2: Implement and Manage Storage

  • Storage Accounts & Redundancy
  • Securing Storage: Keys, SAS & Firewalls
  • Blob Containers & Storage Tiers
  • Blob Lifecycle, Versioning & Soft Delete
  • Azure Files: Shares, Snapshots & Recovery

Domain 3: Deploy and Manage Azure Compute Resources

  • ARM Templates & Bicep: Infrastructure as Code
  • Virtual Machines: Create & Configure Free
  • VM Disks, Encryption & Migration
  • Availability Sets, Zones & Scale Sets
  • Containers: ACR, ACI & Container Apps
  • App Service Plans & Scaling
  • App Service: Slots, Certificates & Networking

Domain 4: Implement and Manage Virtual Networking

  • Virtual Networks & Subnets
  • VNet Peering & User-Defined Routes
  • NSGs & Application Security Groups
  • Azure Bastion, Service & Private Endpoints
  • Azure DNS & Load Balancers

Domain 5: Monitor and Maintain Azure Resources

  • Azure Monitor: Metrics & Logs
  • Alerts, Insights & Network Watcher
  • Azure Backup & Vaults
  • Azure Site Recovery & Disaster Recovery


Subscriptions, Resource Groups & Management Groups

Azure's organisational hierarchy is how you structure billing, access, and governance at scale. Learn how subscriptions, resource groups, and management groups work together — and why getting this right matters for everything else.

Azure’s organisational hierarchy

☕ Simple explanation

Think of Azure’s hierarchy like a company’s filing system.

A management group is the cabinet. A subscription is a drawer. A resource group is a folder. And the actual resources (VMs, databases, storage) are the documents inside.

Why does this matter? Because permissions, policies, and budgets are set at each level and flow downward. Set a policy at the cabinet level, and it applies to every drawer, folder, and document inside. Set a budget on a drawer, and every folder in that drawer counts against it.

Azure uses a four-level resource hierarchy for organising resources, controlling access, and applying governance:

Management groups → Subscriptions → Resource groups → Resources

Management groups provide a level above subscriptions for applying Azure Policy and RBAC across multiple subscriptions. Subscriptions are billing and access boundaries. Resource groups are logical containers for resources that share a lifecycle. Resources are the actual Azure services (VMs, storage accounts, etc.).

Key design principle: policies, RBAC, and budgets assigned at a higher level are inherited by all levels below. This enables governance at scale without per-resource configuration.

Subscriptions

A subscription is a billing and access boundary in Azure. Every Azure resource belongs to exactly one subscription.

Key facts:

  • Each subscription trusts exactly one Entra ID tenant
  • A subscription has an owner (an Entra ID account) and a billing account
  • Subscriptions have limits (quotas) — e.g., max 980 resource groups per subscription
  • You can have multiple subscriptions per tenant
  • Resources cannot span subscriptions (but can communicate across them via networking)

Common reasons to create separate subscriptions:

  • Billing separation — different departments, projects, or customers
  • Access boundaries — isolate environments (Prod vs Dev)
  • Quota limits — stay within Azure’s per-subscription limits
  • Compliance — separate regulated workloads

Real-world: Meridian Financial's subscription strategy

Meridian Financial uses 12 subscriptions organised by business unit and environment:

  • Finance-Prod, Finance-Dev, Finance-Test
  • Insurance-Prod, Insurance-Dev, Insurance-Test
  • Corporate-Prod, Corporate-Dev, Corporate-Test
  • Shared-Services, Security, Sandbox

All 12 trust the same Entra ID tenant. RBAC is scoped per subscription — the Finance developers can’t touch Insurance resources. A management group sits above them all for company-wide policies.

Resource groups

A resource group is a logical container for resources that share a common lifecycle. When you delete a resource group, all resources inside it are deleted.

Rules to remember:

  • Every resource must be in exactly one resource group
  • A resource group can contain resources from different Azure regions
  • A resource group has its own region (where its metadata is stored), but this doesn’t limit where resources can be deployed
  • You cannot nest resource groups
  • Resources can communicate across resource groups (within the same subscription)

Naming strategy matters:

  • rg-prod-webapp-uksouth — environment + workload + region
  • rg-dev-database-eastus — clear, scannable, consistent

Subscriptions vs Resource Groups

| Feature | Subscription | Resource Group |
|---|---|---|
| What it is | Billing and access boundary | Logical container for related resources |
| Contains | Resource groups | Resources |
| Can be nested? | No (but management groups can) | No |
| Deleted = ? | All RGs and resources inside are deleted | All resources inside are deleted |
| RBAC scope? | Yes — roles apply to all RGs within | Yes — roles apply to all resources within |
| Limit | Depends on account type | 980 per subscription |

Management groups

Management groups sit above subscriptions in the hierarchy. They let you apply governance (policies and RBAC) across multiple subscriptions at once.

Key facts:

  • Every tenant has a root management group by default
  • Management groups can be nested — up to 6 levels deep (not counting root)
  • A subscription can only be in one management group
  • 10,000 management groups per tenant
  • RBAC and Policy assigned at a management group are inherited by all child management groups and subscriptions

Root Management Group
├── IT Management Group
│   ├── Production Subscription
│   └── Development Subscription
├── Finance Management Group
│   ├── Finance-Prod Subscription
│   └── Finance-Dev Subscription
└── Sandbox Management Group
    └── Sandbox Subscription

💡 Exam tip: Management group access

By default, new management groups are created under the root management group. Only Global Administrators who have elevated their access (the toggle from Module 1) can manage the root management group initially.

The exam often tests: “Who can create management groups?” Answer: anyone with the Management Group Contributor or Owner role at the parent management group scope.

Moving resources

You can move resources between resource groups and subscriptions. This is a commonly tested scenario.

What you need to know:

  • Not all resources support move — check Azure documentation per resource type
  • Both source and target resource groups are locked during the move operation
  • Moving a resource changes its resource ID
  • RBAC and Policy at the new scope apply; old scope’s RBAC no longer applies
  • Some resources can be moved across subscriptions; others only within the same subscription
  • VMs can be moved (but all dependent resources like disks and NICs must move together)
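
The inheritance rule and the move behaviour described above, as an added example (not code from this study guide or from Microsoft): a small Python model of this module's management group tree that resolves which role assignments reach a resource group and what changes when a resource moves. The `mg:`/`sub:`/`rg:` scope labels, the two resource group names and the principals are assumptions made for the illustration.

```python
"""Scope inheritance across the Azure hierarchy (constructed data)."""

MAX_MG_DEPTH = 6  # management group nesting limit, not counting root

# child scope -> parent scope, mirroring the tree in this module
PARENT = {
    "mg:IT": "mg:Root", "mg:Finance": "mg:Root", "mg:Sandbox": "mg:Root",
    "sub:Production": "mg:IT", "sub:Development": "mg:IT",
    "sub:Finance-Prod": "mg:Finance", "sub:Finance-Dev": "mg:Finance",
    "sub:Sandbox": "mg:Sandbox",
    # hypothetical resource groups, named per the naming strategy
    "rg:rg-prod-webapp-uksouth": "sub:Finance-Prod",
    "rg:rg-prod-database-uksouth": "sub:Finance-Prod",
}

# (scope, principal, role): principals are hypothetical, roles are built-ins
ASSIGNMENTS = [
    ("mg:Root", "sec-team", "Reader"),
    ("sub:Finance-Prod", "finance-ops", "Contributor"),
    ("rg:rg-prod-webapp-uksouth", "web-devs", "Contributor"),
    ("rg:rg-prod-database-uksouth", "dba-team", "Owner"),
]

def scope_chain(scope):
    """Return the scope followed by each ancestor up to the root."""
    chain = [scope]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def too_deep():
    """Management groups nested deeper than the documented limit."""
    mgs = {s for s in PARENT if s.startswith("mg:")}
    return sorted(m for m in mgs if len(scope_chain(m)) - 1 > MAX_MG_DEPTH)

def effective(resource_group):
    """(principal, role, granting scope) for resources in this group."""
    chain = scope_chain(resource_group)
    return {(p, r, s) for s, p, r in ASSIGNMENTS if s in chain}

def access_diff_on_move(src_rg, dst_rg):
    """Assignments a resource loses and gains when it changes resource group."""
    before, after = effective(src_rg), effective(dst_rg)
    return {"lost": before - after, "gained": after - before}

if __name__ == "__main__":
    diff = access_diff_on_move("rg:rg-prod-webapp-uksouth",
                               "rg:rg-prod-database-uksouth")
    print(diff)
```

Running the same diff before a planned move shows which principals gain access purely through the target group's inherited assignments.
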
Question

What happens to RBAC assignments when you move a resource to a different resource group?

Answer

The resource loses RBAC assignments from the source resource group and inherits RBAC assignments from the target resource group. Subscription-level RBAC assignments remain unchanged since the resource stays in the same subscription.

Question

Can management groups be nested? If so, how deep?

Answer

Yes, management groups can be nested up to 6 levels deep (excluding the root management group). This allows hierarchical governance for complex organisations.

Question

What is the maximum number of resource groups per subscription?

Answer

980 resource groups per subscription. This is a hard limit. If you need more, you need additional subscriptions.

Question

Can a resource group contain resources from different Azure regions?

Answer

Yes. A resource group has its own region (where its metadata is stored), but the resources inside can be deployed to any Azure region. The resource group region does NOT restrict where resources can be created.

Knowledge check

CloudFirst Labs has grown from 5 VMs to 50 and needs to separate billing for their customer-facing platform and internal tools. What should Alex recommend?

Meridian Financial wants to enforce a policy that prevents anyone from creating resources in the East US region across ALL their 12 subscriptions. Where should the policy be assigned?

Alex deleted a resource group called 'rg-test-webapp'. What happened to the three VMs, the storage account, and the SQL database that were inside it?

🎬 Video coming soon

← Previous

RBAC: Who Can Do What in Azure

Next β†’

Azure Policy & Resource Locks

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.