Study Guide: Managing Azure Subscriptions and Resource Groups
Source: https://www.fatskills.com/google/chapter/managing-azure-subscriptions-and-resource-groups

Managing Azure Subscriptions and Resource Groups

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


Azure subscriptions
Azure subscriptions are essentially the billing accounts in Azure. Aside from billing, subscriptions are also what give you access to the Azure portal and allow you to create the different Azure services in it.
If you look at the Azure account hierarchy, you will see where Azure subscriptions actually fit in. In the following diagram, the account hierarchy is shown:

Account hierarchy in Azure
It is divided into Enterprise, Department, Accounts, and Subscriptions levels. In the following overview, you'll get an idea of what these different levels are for:
Enterprise: This is also called the Enterprise Agreement, and is only used by organizations. It can be accessed from a separate portal (https://ea.azure.com) and is used for the whole organization to create the different departments.
Departments: At the department level, sub-accounts for the different departments in your organization are created. You can also group your departments in a functional way, like an IT and finance department, or group them in a geographical way, like North America and Europe, for instance. You can add a department owner here, which will be the person in charge of owning the budget for the department, for instance.
Accounts: This is where the different departments can create multiple accounts within their department. They can also add additional owners to manage these accounts. When you create a personal account in Azure, this is the starting point for creating the subscriptions. The Microsoft account that you use to log in to the Azure portal is then added to this account as the owner.
Subscriptions: You can create multiple subscriptions in an account. This is the level where the actual billing takes place and where the different Azure resources are created. You can add additional subscription owners that can manage the subscriptions, create the different resources, and assign other users to the subscription. Subscriptions always have a trust relationship with an Azure Active Directory instance.
Inside the Azure subscription, you can create multiple resource groups. This will be covered in the next section.

Azure resource groups
Each resource that you create inside Azure must belong to a resource group. It is a logical container that groups multiple resources together. An example would be all the resources that share a similar life cycle, like all the different resources for a particular application; this can be a virtual machine, an Azure Database, a virtual network in Azure, and more, grouped inside the same resource group. They can then be managed and deleted as a single entity.
If you don't have an Azure account yet and you want to get started, you can refer to the following site to create an Azure trial account: https://azure.microsoft.com/en-us/free/.
In the next section, we'll assign administrator permissions to a user.

Assigning administrator permissions
There are two ways to assign administrator permissions to your users. The first is done inside Azure Active Directory and is used to assign global administrator permissions. The second is done by using role-based access control (RBAC) and can be set from the subscription level.
In the following sections, we'll look at both possibilities.

Assigning global administrator permissions
With global administrator permissions, you can manage all subscriptions and management groups. A management group provides a level of scope above subscriptions and can be used to manage multiple subscriptions together.
When a user is assigned to the global administrator role, they are able to see all Azure subscriptions and management groups in an organization, allow an automation app to access all Azure subscriptions and management groups, regain access to an Azure subscription or management group when a user has lost access, and grant another user (or themselves) access to an Azure subscription or management group.

To give a global administrator access to all Azure subscriptions and management groups, take the following steps:
Navigate to the Azure portal by opening https://portal.azure.com.
In the left-hand menu, select Azure Active Directory to open the Azure AD blade.
Then, under Manage, select Properties.
In the Directory properties blade, enable Access management for Azure resources:
Selecting Properties
Click on Save.
In the next section, we're going to assign owner permissions to a user on the subscription level.

Assigning owner permissions
The owner of a subscription has full access to all the resources inside the subscription and is able to delegate the access to others. To assign owner permissions to a user on the subscription level using RBAC, perform the following steps:
Navigate to the Azure portal by opening https://portal.azure.com.
In the left-hand menu, select All services and select Subscriptions (you can also add it to your favorites so that it's displayed in the left-hand menu):

Selecting the subscription
Select your subscription, and in the Subscription overview blade, click Access control (IAM):

Access control settings
To add a user with administrator permissions, click Add | Add role assignment to open the Add role assignment pane.
In the Role drop-down list, select the Owner role.
Then, in the Select list, select the user. If you don't see the user in the list, you can search for it in the textbox by name and email address:

Selecting the user
Click on Save to add the user to the owner role.
In this demonstration, we added administrator permissions to a user. In the next section, we're going to configure Azure subscription policies.
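Both procedures above hand out far-reaching rights: enabling Access management for Azure resources gives the global administrator the User Access Administrator role at the root scope (/), and the Owner role gives full control of a subscription. The following added example (not part of the original guide) reviews an export of role assignments for both cases. The field names follow `az role assignment list` output; the sample data, the placeholder subscription ID and the threshold of three owners are assumptions.

```python
from collections import defaultdict

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID

def ra(who, role, scope):
    """Build one record with the field names used by `az role assignment list`."""
    return {"principalName": who, "roleDefinitionName": role, "scope": scope}

# Constructed sample data, not taken from a real tenant.
SAMPLE = [
    ra("alice@example.com", "Owner", SUB),
    ra("bob@example.com", "Owner", SUB),
    ra("carol@example.com", "Owner", SUB.upper()),  # scope casing can vary
    ra("dave@example.com", "Owner", SUB),
    ra("erin@example.com", "User Access Administrator", "/"),
    ra("frank@example.com", "Owner", SUB + "/resourceGroups/FatskillsResourcegroup"),
    ra("grace@example.com", "Contributor", SUB),
]

def is_subscription_scope(scope):
    """True for /subscriptions/<id> exactly, not for resource groups below it."""
    parts = scope.strip("/").split("/")
    return len(parts) == 2 and parts[0].lower() == "subscriptions"

def audit(assignments, max_owners=3):
    """Return findings as (kind, scope, principals) tuples.

    max_owners is an assumed review threshold; set it to your own standard.
    """
    findings, owners = [], defaultdict(set)
    for a in assignments:
        role, scope, who = a["roleDefinitionName"], a["scope"], a["principalName"]
        if role == "User Access Administrator" and scope == "/":
            # Left behind when elevated access is switched on and never removed.
            findings.append(("ELEVATED_ROOT_ACCESS", "/", [who]))
        elif role == "Owner" and is_subscription_scope(scope):
            owners[scope.lower()].add(who)
    for scope, names in sorted(owners.items()):
        if len(names) > max_owners:
            findings.append(("TOO_MANY_OWNERS", scope, sorted(names)))
    return findings

if __name__ == "__main__":
    for kind, scope, principals in audit(SAMPLE):
        print(kind, scope, ", ".join(principals))
```

Elevated access is meant to be temporary, so a root-scope finding that persists after the task is done is the one to follow up first.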

Configuring Azure subscription policies
With Azure Policy, you can create, assign, and manage policies. These policies can be used so that you stay compliant with your corporate standards and SLAs by enforcing different rules and effects over your Azure resources. Your resources are evaluated by the assigned policies for non-compliance. For instance, you can create a policy that only allows virtual machines from a certain SKU size in your environment. When this policy is assigned, all new and existing resources are evaluated for compliance with this policy.
To configure subscription policies, perform the following steps:
Navigate to the Azure portal by opening https://portal.azure.com.
In the left-hand menu, select Subscriptions (this is if you added it to your favorites; otherwise, take the steps that we described in the previous demonstration).
In the Subscriptions overview blade, in the left-hand menu under Settings, select Policies:

Selecting subscription policies
In the Policies overview blade, select Assign policy to create a new policy:

Creating a new policy
On the next screen, we're going to create a definition for our policy. Add the following values to create the policy so that resources for this subscription can only be created in selected regions:
Scope: The subscription name.
Exclusions: Leave this blank; we are going to create a policy that applies to the entire subscription.
Policy definition: When you select this, you can choose from a number of available policies that you can apply to your subscription. Microsoft has created these JSON templates for you, based on the best practices from different enterprises. You can create your own templates here as well. Select a policy from the list (for instance, Allowed locations), and then click Select.
Assignment name: This is automatically filled in after selecting the policy.
Parameters: Here, you can select the allowed locations where users can deploy their resources. For instance, select Central US, East US, East US 2, West US, and West US 2.
After selecting the different regions, click the Assign button:

Assigning a new policy
After applying this policy, resources for this subscription can only be created in the selected regions. If you want to add additional regions or remove regions from this policy, you can edit this later.
You can apply policies at the resource group level as well. This works exactly the same as adding policies at the subscription level. Once you have created a resource group, you can go to the overview blade and select Policies from the left-hand menu. In there, you can apply policies at the resource group level.
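To see how scope, exclusions and the allowed locations parameter interact, the following added example (not part of the original guide, and not Azure's own evaluation engine) models the deny rule of the Allowed locations policy in simplified form. It goes one step beyond the steps above by including an exclusion; the resource IDs, the rg-legacy names and the placeholder subscription IDs are assumptions.

```python
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID

def under(resource_id, scope):
    """True if resource_id is the scope itself or nested below it."""
    r, s = resource_id.lower().rstrip("/"), scope.lower().rstrip("/")
    return r == s or r.startswith(s + "/")  # "/" stops rg-legacy matching rg-legacy2

def normalize(location):
    """'East US 2' -> 'eastus2' (assumption: display name minus spaces, lowercased)."""
    return location.replace(" ", "").lower()

def evaluate(resource, assignment):
    """Return 'allow', 'deny' or 'not_applicable' for one resource."""
    rid = resource["id"]
    if not under(rid, assignment["scope"]):
        return "not_applicable"          # outside the assignment scope
    if any(under(rid, ex) for ex in assignment.get("notScopes", [])):
        return "not_applicable"          # inside an exclusion
    allowed = {normalize(l) for l in
               assignment["parameters"]["listOfAllowedLocations"]["value"]}
    loc = normalize(resource["location"])
    # Resources whose location is 'global' are not tied to a region.
    return "allow" if loc == "global" or loc in allowed else "deny"

# Constructed assignment: the values entered in the steps above, plus one exclusion.
ASSIGNMENT = {
    "scope": SUB,
    "notScopes": [SUB + "/resourceGroups/rg-legacy"],
    "parameters": {"listOfAllowedLocations": {"value": [
        "Central US", "East US", "East US 2", "West US", "West US 2"]}},
}

def res(name, group, location, sub=SUB):
    rid = f"{sub}/resourceGroups/{group}/providers/Microsoft.Compute/virtualMachines/{name}"
    return {"name": name, "id": rid, "location": location}

# Constructed resources, not taken from a real subscription.
RESOURCES = [
    res("vm-ok", "FatskillsResourcegroup", "eastus"),
    res("vm-eu", "FatskillsResourcegroup", "westeurope"),
    res("vm-excluded", "rg-legacy", "westeurope"),
    res("vm-lookalike", "rg-legacy2", "westeurope"),
    res("vm-other-sub", "rg-x", "westeurope",
        sub="/subscriptions/11111111-1111-1111-1111-111111111111"),
]

def evaluate_all(resources=RESOURCES, assignment=ASSIGNMENT):
    return {r["name"]: evaluate(r, assignment) for r in resources}

if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:14} {result}")
```

The vm-lookalike case shows why an exclusion has to be matched on whole path segments: a plain prefix match on rg-legacy would also exempt rg-legacy2 from the policy.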
 

Implementing and setting tagging on resource groups
You can apply tags to all of your Azure resources. This way, you add extra metadata to the resource group, which can be used to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For instance, you can set the name to Environment and the value to Demo, or you can set the name to Maintenance Window and the value to Saturday 9 AM. After applying these tags, you can easily retrieve all the resources with the same tag name and value. This can be a useful feature for billing or management purposes.
For billing based on your tags, you can use the assigned tags to group the billing for certain resources; for example, if you run VMs and databases for different environments (test, pre-production, and production), you can use tags to categorize the costs. These tags will then show up in the different cost reporting views. For instance, they are visible in the cost analysis view immediately after they are created, and in the detail usage .csv after the first billing period.
You can create resource groups in Azure using the Azure portal, PowerShell, and the CLI. In this demonstration, we are going to create an Azure resource group in our subscription from the Azure portal. You can also set tagging on the resource group level, so we are going to do that, as well. Therefore, perform the following steps:

Navigate to the Azure portal by opening https://portal.azure.com.
In the left-hand menu, select Resource groups:
Azure portal overview page
In the Resource groups blade, click on the Add button in the top menu:

Creating a new resource group
Fill in the following values:
Subscription: Select the subscription to which you want to add the resource group.
Name: FatskillsResourcegroup.
Region: Keep the default (Central US, in my case). You can also select another region, if you prefer.
Next, select Tags in the top menu:

Adding tags to the resource group
Add the following values to create a tag for this resource group:
Name: Environment
Value: Demo
Click on Review + Create, and then Create.
Repeat these steps for some of the resources inside the subscription. In my case, I've added the same tag to the VM.
We have now created a new resource group and applied a tag to it. You can also manage your tags from the Tags blade of the resource group. In the next section, we're going to look at how to configure cost center quotas.

Configuring cost center quotas
Quotas in Azure are limits on the number of resources of a given type that you can create. For example, there is a limit of 2,000 availability sets that can be created inside an Azure subscription. However, you can contact Microsoft support if you wish to increase this quota. To view your quotas and request an increase, perform the following steps:
Navigate to the Azure portal by opening https://portal.azure.com.
In the left-hand menu, select Subscriptions.
Select the right subscription. In the Subscriptions overview blade, under Settings, select Usage + quotas. There, you can select a provider:

Usage and quotas overview
Select Microsoft.Compute.
You will see the number of availability sets available for this subscription. If you want to increase this, select the Request Increase button on the right-hand side of the screen:

Increasing quotas
A new blade will open, where you can create a new support request for increasing the quota of an Azure resource.
In the next section, we're going to configure resource locks and resource policies.

Configuring resource locks
Administrators can set locks on your Azure resources to prevent other users from deleting the resource or making any changes to it. You can set two different lock levels on your subscriptions, resource groups, or resources:
CanNotDelete: This level prevents authorized users from deleting the resource. They can still read and modify the resource.
ReadOnly: Within this level, authorized users can read a resource, but they cannot delete or update it. This level is similar to assigning all authorized users to the reader role using RBAC.
To apply a lock on your resource group, you have to perform the following steps:
Navigate to the Azure portal by opening https://portal.azure.com.
In the left-hand menu, select Resource groups. Select the resource group that we created in the previous demonstration.
In the Resource Group overview blade, under Settings, select Locks:

Resource group overview
On the next screen, click Add in the top menu to create a new lock for this resource.
Add the following values:
Name: No-Deletion
Lock type: Delete:
Creating a lock
Click on OK to create the lock.


We have created a lock for this resource group to prevent authorized users from deleting it. 
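Tags and locks work well together when reviewing a subscription: the tag identifies the resource groups you care about, and the lock list shows which of them are protected. The following added example (not part of the original guide) finds resource groups tagged Environment: Demo that have no lock of their own and inherit none from the subscription. The record shapes follow `az group list` and `az lock list` output; the sample data, the rg-scratch name and the placeholder subscription ID are assumptions.

```python
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
LOCK_SEGMENT = "/providers/microsoft.authorization/locks/"

def lock_scope(lock_id):
    """Scope a lock is set on: the part of its ID before the lock's own segment."""
    return lock_id.lower().rsplit(LOCK_SEGMENT, 1)[0]

def effective_lock(target_id, locks):
    """Most restrictive level set on target_id or inherited from a parent scope."""
    target = target_id.lower()
    levels = {l["level"] for l in locks
              if target == lock_scope(l["id"])
              or target.startswith(lock_scope(l["id"]) + "/")}
    for level in ("ReadOnly", "CanNotDelete"):  # ReadOnly is the stricter of the two
        if level in levels:
            return level
    return None

def unlocked_groups(groups, locks, tag_name="Environment", tag_value="Demo"):
    """Resource groups carrying the tag that have no lock, direct or inherited."""
    hits = []
    for g in groups:
        # Tag names are case-insensitive in Azure; tag values are not.
        tags = {k.lower(): v for k, v in (g.get("tags") or {}).items()}
        if tags.get(tag_name.lower()) == tag_value and not effective_lock(g["id"], locks):
            hits.append(g["name"])
    return hits

def group(name, tags):
    return {"name": name, "id": f"{SUB}/resourceGroups/{name}", "tags": tags}

# Constructed sample data using the names from the demonstrations above.
GROUPS = [
    group("FatskillsResourcegroup", {"Environment": "Demo"}),
    group("FatskillsResourceGroup1", {"environment": "Demo"}),
    group("rg-scratch", None),
]
LOCKS = [{
    "name": "No-Deletion",
    "level": "CanNotDelete",
    "id": GROUPS[0]["id"] + "/providers/Microsoft.Authorization/locks/No-Deletion",
}]

if __name__ == "__main__":
    print("Tagged groups without a lock:", unlocked_groups(GROUPS, LOCKS))
```

The lock on FatskillsResourcegroup does not cover FatskillsResourceGroup1 even though one name is a prefix of the other, because scopes are compared on whole path segments.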

Moving resources across resource groups
You can easily move your resources across different resource groups and subscriptions by using the Azure portal, PowerShell, the CLI, and the REST API. During the move operation, both the source group and the target group are locked. This blocks all write and delete operations on the resource groups until the move is complete. This means that you cannot update, add, or delete resources in the resource groups, but the resources aren't frozen. There will be no downtime for these resources. However, the location of the resources will remain the same, even when the new resource group is created in a different location.
There are limitations for moving resources across different resource groups and subscriptions. For instance, a VM with managed disks that is deployed inside an availability zone cannot be moved. For more information about these limitations, you can refer to the following article: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources.
In the following demonstration, we are going to move resources from a resource group to another resource group using the Azure portal. For this demonstration, I've added a VM to this resource group and created a new resource group called FatskillsResourceGroup1. To move this VM, perform the following steps:
Navigate to the Azure portal by opening https://portal.azure.com.
In the left-hand menu, select Resource groups. Select the FatskillsResourceGroup that we created in the previous demonstration. Select all the VM resources from the list, and in the top menu, select Move:

Moving resources
You have two possibilities: Move to another resource group and Move to another subscription. Click on Move to another resource group, and in the next screen, select FatskillsResourceGroup1 as the resource group, and check the checkbox underneath:

Moving resources
Click on OK to move the resources to the other resource group.
After moving the resources, you can open the overview blade of FatskillsResourceGroup1. You will see that all the resources have been moved.
In the next (and final) section of this chapter, we are going to remove the resource group.

Removing resource groups
Resource groups can be removed using the Azure portal, PowerShell, the CLI, and the REST API. You can remove the resource group and all the resources inside of it at once.
In the following demonstration, we are going to remove FatskillsResourceGroup1, which we used for the previous demonstration:
Navigate to the Azure portal by opening https://portal.azure.com.
In the left-hand menu, select Resource groups. Select FatskillsResourceGroup1. In the top menu, select Delete resource group:

Deleting a resource group
To confirm that you want to delete the resource group, you have to specify the name. Enter the name of the resource group and select Delete:

Confirm deletion
The resource group will now be deleted.

 

Read more about Azure Subscriptions and Resource Groups:

Associate or add an Azure subscription to your Azure Active Directory tenant: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
Resource access management in Azure: https://docs.microsoft.com/en-us/azure/architecture/cloud-adoption/getting-started/azure-resource-access
Elevate access to manage all Azure subscriptions and management groups: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin
Understand Azure Policy effects: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects
Prevent unexpected charges with Azure billing and cost management: https://docs.microsoft.com/en-us/azure/billing/billing-getting-started
Use tags to organize your Azure resources: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
Lock resources to prevent unexpected changes: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
Move resources to new resource group or subscription: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources