
Governance & Organization

Master Azure's organizational hierarchy: management groups, subscriptions, resource groups, policies, locks, and tagging strategies.

🧠 ELI5 Explanation

Imagine a large company with multiple divisions. You can't let each division do whatever they want—that leads to chaos. Governance = rules and structure. Management Groups = departments. Subscriptions = budgets per department. Resource Groups = projects within budgets. Policies = enforceable rules ("all resources must be tagged"). Locks = protection ("don't delete this resource by accident").

Organizational Hierarchy

Azure Organizational Structure

Management Group (Root)
├── Management Group "Production"
│   ├── Subscription (Prod-Finance)
│   │   ├── Resource Group (RG-Web)
│   │   │   └── Resources (VMs, DBs, Storage)
│   │   └── Resource Group (RG-Database)
│   └── Subscription (Prod-Operations)
└── Management Group "Development"
    └── Subscription (Dev-Sandbox)
        └── Resource Group (RG-Testing)

Components Explained

Management Groups

What: Container for subscriptions, enables policy application at scale.

  • Root MG: Top level (1 per tenant)
  • Custom MGs: Organize by department, environment, cost center
  • Hierarchy: Policies cascade down (parent to child)

Example: Policy at "Production" MG applies to all production subscriptions automatically.

Subscriptions

What: Billing & administrative boundary. Resources exist in subscriptions.

  • One subscription = one budget/bill
  • Multiple subscriptions = separate control (team A can't touch team B's resources)
  • Types: Free trial, pay-as-you-go, enterprise agreement

Best practice: Separate subscriptions per environment (dev, test, prod) for isolation.

Resource Groups

What: Logical container for related resources (each resource belongs to exactly one RG).

  • Group by project, application, or lifetime (resources created/deleted together)
  • Facilitates management (apply policies or locks to the group, delete everything at once)
  • Must specify a region (this is where the RG's metadata is stored; resources inside can live in other regions)

Example: RG-WebApp contains: web app, app service plan, app insights, key vault—all related.

Governance Controls

  • Azure Policy: Enforces organizational standards by auditing or denying non-compliant resources. Example: policy "All VMs must have antivirus installed".
  • RBAC: Controls who can do what on which resources. Example: Data team = SQL Contributor; app team = App Service Contributor.
  • Resource Locks: Prevent accidental deletion or modification. Example: "Cannot Delete" lock on a production DB.
  • Tagging: Labels resources for cost tracking, compliance, and organization. Example: cost-center=finance, env=prod, owner=alice.

Tagging Strategy (Best Practice)

Tags = key-value pairs that help organize, bill, and track resources.

Common Tag Categories

  • Business: cost-center, owner, department, project
  • Technical: environment (dev/test/prod), application, tier (web/app/db)
  • Compliance: data-classification, regulatory (pci, hipaa), backup-required

Example tagging strategy (the tags applied to one resource, as key-value pairs):

{
  "cost-center": "engineering",
  "environment": "production",
  "application": "ecommerce-api",
  "owner": "platform-team",
  "tier": "application",
  "backup-required": "true",
  "data-classification": "confidential"
}

Resource Locks

Prevent accidental deletion or modification. Azure offers two lock levels: CanNotDelete (the resource can still be read and modified, but not deleted) and ReadOnly (the resource can be read but not modified or deleted). A lock set on a subscription or resource group is inherited by everything inside it, and a ReadOnly lock also blocks operations that are implemented as writes (for example, listing a storage account's keys), so it can break workflows that only appear to read.

When to use: Production databases, critical infrastructure, shared resources.

Real-world Example: Enterprise Setup

Structure:
Root MG
├── MG-Production
│   ├── Sub-Finance (Billing: Finance team)
│   │   ├── RG-WebApp (cost-center=finance, env=prod)
│   │   └── RG-Database (backup-required=true)
│   └── Sub-Operations
└── MG-Development
    └── Sub-Dev (Billing: Engineering team)

Policies:
• At MG-Production: All resources must have cost-center tag (audit)
• All VMs must have antivirus (deny if violated)
• Require encryption on storage accounts
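
As an added example (not from the original page), this is a custom Azure Policy definition implementing the first policy above: any taggable resource created without a cost-center tag is flagged. The effect is a parameter, so the same definition can be assigned as Audit first and switched to Deny once the compliance report is clean; the display name, description text and parameter name are my choices.

```json
{
  "properties": {
    "displayName": "Require a cost-center tag on resources",
    "description": "Audits or denies any taggable resource created or updated without a cost-center tag.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit only reports non-compliant resources; Deny rejects the create or update request."
        },
        "allowedValues": ["Audit", "Deny"],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "field": "tags['cost-center']",
        "exists": "false"
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Create the definition at the MG-Production management group (for example with az policy definition create) and assign it at that scope so it cascades to every production subscription; note that Deny only blocks new create or update requests, so resources that were already untagged appear as non-compliant rather than being removed.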

Benefits:
• Each team has separate budget & billing
• Policies enforced automatically (no manual checks)
• Cost tracking per cost-center for billing
• Separation of duties (Finance can't access Dev)

Summary

Interview Questions

Q: Explain the difference between a subscription and a resource group.
A: Subscription = billing boundary, administrative boundary. Resource Group = logical grouping within subscription. One RG per subscription is possible, but one subscription can have many RGs.

Q: Why use multiple subscriptions instead of one big subscription?
A: Separation of concerns (teams don't interfere), cost tracking per team/project, separate billing, enforcing different policies per environment, blast radius isolation.

Q: Design an Azure governance structure for a large company with 3 divisions (Finance, IT, Marketing), each with dev/test/prod environments.
A: Root MG → MG-Finance, MG-IT, MG-Marketing. Under each: Sub-Dev, Sub-Test, Sub-Prod. Each sub has RGs per project. Policies at division MG level (e.g., "Finance = PCI-compliant"). RBAC per sub/RG. Tags: cost-center, division, environment.