πŸ”’ Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided AZ-900 Domain 2
Domain 2 β€” Module 2 of 11 18%
9 of 26 overall

AZ-900 Study Guide

Domain 1: Describe Cloud Concepts

  • What is Cloud Computing? Free
  • Cloud Models: Public, Private, and Hybrid Free
  • Cloud Pricing: Consumption, Serverless, and Pay-as-You-Go Free
  • High Availability and Scalability Free
  • Reliability, Security, and Manageability Free
  • IaaS, PaaS, and SaaS Explained Free
  • Choosing the Right Cloud Service Free

Domain 2: Describe Azure Architecture and Services

  • Azure Regions, Zones, and Datacenters
  • Resources, Resource Groups, and Subscriptions
  • Azure Virtual Machines
  • Azure Compute: Containers, Functions, and App Service
  • Azure Networking: VNets, Subnets, and Peering
  • Connecting to Azure: VPNs, ExpressRoute, and DNS
  • Azure Storage Services
  • Data Migration: Moving to Azure
  • Microsoft Entra ID: Your Identity Hub
  • Authentication and External Identities
  • Azure Security: RBAC, Zero Trust, and Defender

Domain 3: Describe Azure Management and Governance

  • What Affects Your Azure Bill
  • Pricing Calculators: TCO and Azure Pricing
  • Cost Management and Tags
  • Azure Governance: Purview, Policy, and Locks
  • The Azure Portal and Cloud Shell
  • Infrastructure as Code: ARM, Bicep, and Arc
  • Azure Advisor and Service Health
  • Azure Monitor: Logs, Alerts, and Insights

AZ-900 Study Guide

Domain 1: Describe Cloud Concepts

  • What is Cloud Computing? Free
  • Cloud Models: Public, Private, and Hybrid Free
  • Cloud Pricing: Consumption, Serverless, and Pay-as-You-Go Free
  • High Availability and Scalability Free
  • Reliability, Security, and Manageability Free
  • IaaS, PaaS, and SaaS Explained Free
  • Choosing the Right Cloud Service Free

Domain 2: Describe Azure Architecture and Services

  • Azure Regions, Zones, and Datacenters
  • Resources, Resource Groups, and Subscriptions
  • Azure Virtual Machines
  • Azure Compute: Containers, Functions, and App Service
  • Azure Networking: VNets, Subnets, and Peering
  • Connecting to Azure: VPNs, ExpressRoute, and DNS
  • Azure Storage Services
  • Data Migration: Moving to Azure
  • Microsoft Entra ID: Your Identity Hub
  • Authentication and External Identities
  • Azure Security: RBAC, Zero Trust, and Defender

Domain 3: Describe Azure Management and Governance

  • What Affects Your Azure Bill
  • Pricing Calculators: TCO and Azure Pricing
  • Cost Management and Tags
  • Azure Governance: Purview, Policy, and Locks
  • The Azure Portal and Cloud Shell
  • Infrastructure as Code: ARM, Bicep, and Arc
  • Azure Advisor and Service Health
  • Azure Monitor: Logs, Alerts, and Insights
Domain 2: Describe Azure Architecture and Services Premium ⏱ ~11 min read

Resources, Resource Groups, and Subscriptions

Every Azure service you create is a resource. Resources live in resource groups. Resource groups live in subscriptions. Understanding this hierarchy is essential for organising and managing your Azure environment.

Azure’s organisational hierarchy

β˜• Simple explanation

Think of it like a filing cabinet.

Resources = individual documents (a VM, a database, a storage account).

Resource groups = folders that hold related documents. You might have a β€œWebsite” folder and a β€œDatabase” folder.

Subscriptions = drawers in the cabinet. Each drawer has its own billing β€” so the β€œProduction” drawer bills separately from the β€œDevelopment” drawer.

Management groups = the entire cabinet itself. If you have multiple cabinets (subscriptions), management groups let you apply rules to all of them at once.

Azure organises resources in a four-level hierarchy:

Resources are the fundamental building blocks β€” any Azure service you create (VMs, databases, storage accounts, virtual networks). Every resource belongs to exactly one resource group.

Resource groups are logical containers that hold related resources. They provide lifecycle management (delete the group = delete all resources inside), access control (apply permissions at the group level), and tagging for cost management.

Subscriptions provide a billing boundary and access control boundary. Each subscription receives its own invoice. An Azure account can have multiple subscriptions for different environments, teams, or projects.

Management groups sit above subscriptions and allow you to apply governance (Azure Policy, RBAC) across multiple subscriptions. They form a tree structure with a root management group at the top.

The hierarchy visualised

Management Groups
  └── Subscriptions
        └── Resource Groups
              └── Resources

Summit Construction’s hierarchy:

Root Management Group
  β”œβ”€β”€ IT Management Group
  β”‚     β”œβ”€β”€ Production Subscription ($2,000/month)
  β”‚     β”‚     β”œβ”€β”€ RG: project-portal-prod
  β”‚     β”‚     β”‚     β”œβ”€β”€ VM: portal-vm-01
  β”‚     β”‚     β”‚     β”œβ”€β”€ SQL Database: portal-db
  β”‚     β”‚     β”‚     └── Storage: portal-files
  β”‚     β”‚     └── RG: monitoring-prod
  β”‚     β”‚           └── Log Analytics Workspace
  β”‚     └── Development Subscription ($400/month)
  β”‚           └── RG: project-portal-dev
  β”‚                 β”œβ”€β”€ VM: portal-vm-dev
  β”‚                 └── SQL Database: portal-db-dev
  └── Finance Management Group
        └── Finance Subscription ($300/month)
              └── RG: accounting-app
                    β”œβ”€β”€ App Service: accounting-web
                    └── SQL Database: accounting-db

Resources β€” the building blocks

A resource is any Azure service you create:

  • A virtual machine
  • A storage account
  • A SQL database
  • A virtual network
  • An App Service web app

Key rules:

  • Every resource belongs to exactly one resource group
  • Resources can be in different regions from their resource group
  • Resources can communicate across resource groups and subscriptions

Resource groups β€” logical containers

A resource group is a container that holds related Azure resources. Think of it as a project folder.

Key rules about resource groups:

RuleDetail
Every resource needs oneA resource cannot exist outside a resource group
One group onlyA resource can only be in one resource group at a time
Groups can’t be nestedYou can’t put a resource group inside another resource group
Deleting a group deletes everythingDelete the resource group β†’ all resources inside are deleted
Permissions inheritApply permissions to the group β†’ all resources inside inherit them
Resources can be in different regionsA resource group in β€œAustralia East” can contain resources in β€œUS East”

Peak Roasters’ resource groups

Peak Roasters organises their Azure resources by application:

Resource GroupResources InsidePurpose
rg-websiteApp Service, SQL Database, StorageOnline ordering website
rg-email(managed by Microsoft 365)Business email
rg-backupsStorage account, Recovery vaultData backups
πŸ’‘ Exam tip: Resource group location

A resource group has a location (region), but this is only where the group’s metadata is stored. The resources inside can be in any region.

Example: Resource group in β€œAustralia East” can contain a VM in β€œUS West” and a database in β€œUK South.”

Why does the group location matter? For compliance β€” some organisations need metadata stored in specific geographies.

Subscriptions β€” billing boundaries

A subscription provides:

  • Billing boundary β€” each subscription gets its own invoice
  • Access control boundary β€” you can set different permissions per subscription
  • Resource limits β€” each subscription has quotas (e.g., max VMs per region)

Why multiple subscriptions?

ReasonExample
Separate billingProduction vs development have different budgets
Access controlDevelopers can access dev subscription but not production
ComplianceRegulated workloads in a separate subscription with stricter policies
Resource limitsApproaching quota limits in one subscription

Harbour Health uses three subscriptions:

  • Production β€” patient-facing apps, strict access controls
  • Development β€” dev/test environments, more relaxed permissions
  • Sandbox β€” experimentation, auto-delete after 30 days

Management groups β€” governance at scale

When an organisation has many subscriptions, management groups help manage them:

  • Apply Azure Policy to a management group β†’ it applies to ALL subscriptions underneath
  • Assign RBAC roles at the management group level β†’ inherited by all subscriptions
  • Nest management groups up to 6 levels deep (not counting the root)

Key facts:

  • Every Microsoft Entra ID tenant has a single root management group
  • All subscriptions belong to the root management group by default
  • You can create sub-groups to organise subscriptions by department, environment, or region
ℹ️ Management group hierarchy limits
  • 10,000 management groups per directory
  • 6 levels of depth (excluding root)
  • Each management group or subscription can have only one parent
  • Each management group can have many children

This tree structure means policies and access controls flow DOWN from parent to child β€” a powerful governance mechanism for large organisations.

🎬 Video walkthrough

🎬 Video coming soon

Resources, Resource Groups, and Subscriptions β€” AZ-900

Resources, Resource Groups, and Subscriptions β€” AZ-900

~10 min

Flashcards

Question

What is an Azure resource?

Click or press Enter to reveal answer

Answer

Any Azure service you create β€” a VM, database, storage account, virtual network, etc. Every resource belongs to exactly one resource group.

Click to flip back
Question

What happens when you delete a resource group?

Click or press Enter to reveal answer

Answer

ALL resources inside the group are deleted. This is called lifecycle management β€” the group and its contents share a lifecycle.

Click to flip back
Question

What is the purpose of Azure subscriptions?

Click or press Enter to reveal answer

Answer

Subscriptions provide a billing boundary (separate invoices) and an access control boundary (different permissions). An account can have multiple subscriptions for different teams, environments, or budgets.

Click to flip back
Question

What are management groups used for?

Click or press Enter to reveal answer

Answer

To apply governance (Azure Policy, RBAC) across multiple subscriptions at once. They sit above subscriptions in the hierarchy and form a tree structure with a root management group at the top.

Click to flip back

Knowledge Check

Knowledge Check

Peak Roasters wants to ensure that when they're done with their test environment, all test resources are cleaned up with a single action. What should they use?
Knowledge Check

Harbour Health wants production and development environments to have separate billing. What is the BEST way to achieve this?
Knowledge Check

What is the correct hierarchy from TOP to BOTTOM in Azure's organisational structure?

Next up: Azure Virtual Machines β€” the most common IaaS service, including Scale Sets, availability sets, and Azure Virtual Desktop.

← Previous

Azure Regions, Zones, and Datacenters

Next β†’

Azure Virtual Machines

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.