Azure provides four levels of management scope, which are designed to provide flexibility and control in managing resources:
Management Groups: Think of management groups as containers that help you organize and manage things in Azure. They make it easier to control who can access what, set rules for how things should be done, and make sure everyone follows the same guidelines. When you set rules on a management group, everything inside it automatically follows them.
Example: A management group is like the school district. The school district oversees several schools (which in our case would be 'subscriptions'). It sets some rules and guidelines that all its schools have to follow.
Subscriptions: An Azure subscription is like a big box where you can put different things, such as virtual machines, databases, and more. It helps you keep track of all these resources and manage how much they cost. Subscriptions are useful for organizing resources based on who is using them or what projects they're for.
Example: Think of a subscription as an individual school. The school is a part of the school district (management group). It has its own resources like classrooms, labs, libraries (which would be 'resource groups' in Azure), and each of these contains things like books, computers, etc. (the 'resources'). The school follows the district's rules, but it can also set its own rules for its resources.
Resource Groups: Imagine a resource group as a special folder that holds all the things you need for a particular project or solution in Azure. For example, if you're building a website, the resource group can contain the web server, the database, and other related resources. It helps you keep things organized and manage them as a group. You can also set specific rules for the entire resource group.
Example: These can be thought of as specific areas within the school like classrooms or labs. For example, a computer lab would have computers, projectors, chairs, etc. (which would be 'resources' in Azure). All items in this lab are managed together, and rules can be set for this lab, like 'only students with computer science subjects can use this lab'.
Resources: Resources are like individual parts or tools that you can use to build something in Azure. They can be virtual machines (which are like computers in the cloud), storage spaces, databases, and more. Each resource can have its own specific rules and settings.
Example: Resources are individual items, like a book in the library or a computer in the lab. Each of these items is a part of a resource group (like the lab or library). And we can set rules for these items as well, like 'this book can only be checked out for one week'.
So, these four levels of management scope in Azure provide a way for you to organize and control your resources. You can set rules and conditions at different levels, and those rules will apply to everything below them. For example, if you set a rule at the subscription level, it will apply to all the resource groups and resources within that subscription. It helps keep things organized and makes it easier to manage everything in Azure.
Tags: Think of tags as those little sticky notes you use in your school books. Let's say you're studying for a test, and you use different-colored sticky notes for different subjects. Maybe you use green for science, yellow for math, and red for English. This helps you quickly find and review topics you've marked in each subject. In the same way, tags in Azure are used to organize all the different things (called resources) that are part of your project. They can help you quickly find related resources or even help you understand how much money you're spending on different parts of your project.
Identity and Access Management: This is all about who gets to do what. Think about the roles in your school. Students, teachers, and principals all have different responsibilities and access to different things. For example, only teachers can grade papers and only principals can make certain decisions. Similarly, in Azure, there are different roles, and each role has access to different resources. This ensures that people can only do what they're supposed to and helps keep everything secure.
For example, the roles for managing a storage account may be different from the roles for managing virtual machines. These roles are part of a system called RBAC (Role-Based Access Control). You can apply these roles to different scopes, which determine where the roles apply.
Management groups are used to organize multiple Azure subscriptions. If you apply a rule or role at the subscription level, it will automatically apply to all the resource groups and resources within that subscription. It's like setting rules for a whole bunch of things at once. But if you want more control over specific resource groups, you can use role assignments at the resource group level. This gives you a more granular way to assign roles to different users or groups for specific resource groups.
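The inheritance described above, as an added example that is not part of the original page: a small Python model that lists which role assignments apply to one resource and which scope level each one is inherited from. The principals, scope names and the single-level management group mapping are constructed assumptions.

```python
# Added example: models how Azure RBAC role assignments are inherited down the
# four scope levels. All names and assignments below are constructed samples.
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Hypothetical mapping: subscription -> its parent management group.
SUB_PARENT = {"sub-school-a": "mg-district"}

# Constructed role assignments as (principal, role, scope).
ASSIGNMENTS = [
    ("alice", "Reader", MG_PREFIX + "mg-district"),
    ("bob", "Contributor", "/subscriptions/sub-school-a"),
    ("carol", "Virtual Machine Contributor",
     "/subscriptions/sub-school-a/resourceGroups/rg-lab"),
    ("dave", "Reader",
     "/subscriptions/sub-school-a/resourceGroups/rg-library"),
]


def scope_chain(resource_id, sub_parent=SUB_PARENT):
    """Return [(level, scope)] covering resource_id, broadest scope first."""
    parts = resource_id.strip("/").split("/")
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        raise ValueError("expected an ID starting with /subscriptions/<name>")
    chain = []
    if parts[1] in sub_parent:
        chain.append(("management group", MG_PREFIX + sub_parent[parts[1]]))
    chain.append(("subscription", "/" + "/".join(parts[:2])))
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        chain.append(("resource group", "/" + "/".join(parts[:4])))
        if len(parts) > 4:
            chain.append(("resource", "/" + "/".join(parts)))
    return chain


def effective_assignments(resource_id, assignments=ASSIGNMENTS):
    """Return (principal, role, level) for each assignment that applies."""
    found = []
    for level, scope in scope_chain(resource_id):
        for principal, role, assigned in assignments:
            # Azure resource IDs are compared case-insensitively.
            if assigned.lower() == scope.lower():
                found.append((principal, role, level))
    return found


VM = ("/subscriptions/sub-school-a/resourceGroups/rg-lab"
      "/providers/Microsoft.Compute/virtualMachines/lab-pc-01")

if __name__ == "__main__":
    for row in effective_assignments(VM):
        print(row)
```

For the sample virtual machine, the assignments made at the management group, subscription and rg-lab levels all apply, while the one scoped to rg-library does not; the broader the scope of an assignment, the more resources it reaches.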