In Microsoft Azure, a subscription is an agreement between a customer and Microsoft on how to pay for and access Azure services. It is paid based on the consumption of services within the subscription. For example, if you provisioned Azure Virtual Machines, App Service, Azure SQL Database, and other services, your subscription will be billed based on using these services. There are many types of subscriptions. Each type of subscription may have various characteristics and limitations, such as the maximum number of a specific virtual machine size that can be provisioned or the number of tags in a resource group. However, you may raise a support ticket to Microsoft to increase these limits.
Azure also has Role-Based Access Control (RBAC) to provide different access levels to Azure services. RBAC provides a way to control who has access to various Azure resources.
You can assign roles to other people, such as administrators, developers, or end users. This will allow you to assign permissions and limits to each group of people to ensure that everyone has access to only the Azure services they need. Remember always to follow the least privileged access methodology when handing out access credentials to your users.
The typical Azure RBAC roles are:
- Owner – Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
- Contributor – Grants full access to manage all resources but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
- Reader – View all resources, but does not allow you to make any changes.
- User Access Administrator – This lets you manage user access to Azure resources.
You should use management groups if you plan on deploying multiple subscriptions for multiple departments from your organization. Management groups provide a way to organize your subscriptions by adding hierarchies to Azure. You can place subscriptions into different management groups to manage your Azure services. Management groups allow you to assign permissions and limits to different groups of people on each Azure service they use.
Using Azure subscriptions, RBAC and management groups provide a higher level of security and organization to Azure services. Having controls on each subscription, group of people, and even each resource in Azure will allow you to assign appropriate permissions and limits to ensure that everyone has access to only the services they need in Azure.
In summary, an Azure subscription is how to pay for and access Azure services. RBAC provides a way to control who has access to Azure resources. Meanwhile, management groups provide a way to organize Azure subscriptions and give organization to your Azure services. Using them gives you higher security and organization in the Azure services you use.