I'm getting really confused about management groups and subscriptions. In the diagrams found in the link there are management groups under management groups and then subscriptions below those. How is access managed using these resources? Do these work in conjunction with rbac?
Hierarchy of management groups and subscriptions AZ-900
Management groups are mainly used when an organization has multiple subscriptions. Because management groups are a level of scope above subscriptions, you can apply a policy at the management group level and that policy will inherit to all subscriptions within that management group.
Maybe you have three Azure subscriptions. You want to limit VM creation to the EastUS region in all three subscriptions. If all three subscriptions are under the same management group, you can apply the restriction policy once, at the management group, and it will apply to all three subscriptions. Users at the subscription level cannot override this.
RBAC can also be used with management groups. Role assignments done at the management group level inherit to all management groups and subscriptions below it in the hierarchy, simplifying role assignments.
Imagine having three management groups, Dev, Production, and Marketing. Each management group has its own subscription underneath it. All three of these management groups are under a root management group, called Corp. If you assign the VM contributor role to a user at the Dev management group level, they can only create VMs in the subscription under the Dev management group. If you assign the VM contributor role to a user at the Corp management group level, they could create VMs in all three of the subscriptions, because the role assignment inherits from the root management group to the child management groups.
In single subscription environments, management groups aren't used. They are used to simplify administration of multiple subscriptions.
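Added illustration (not part of the answer above, and a toy model rather than anything from the Azure API): the Corp / Dev / Production / Marketing hierarchy from the example as a scope tree, with an evaluator that walks from a subscription up through its parent management groups. It shows the two inheritance rules the answer describes, a role assigned at a management group granting the action in every subscription beneath it and an "allowed locations" policy assigned once at the root restricting all three subscriptions. It also goes one step beyond the text: role assignments are additive in Azure RBAC, so an assignment made directly at a subscription (the `carol` case) still counts alongside whatever is inherited. All names, ids and the cut-down role definitions are constructed for this example.

```python
# Added example: a small model of how Azure evaluates RBAC role assignments
# and Policy assignments along the management group / subscription hierarchy.
# Names, ids and the role/action tables below are constructed for illustration
# and are not taken from a real tenant.

# Scope tree from the answer: root MG "Corp" -> Dev / Production / Marketing -> one subscription each.
PARENT = {
    "mg:Corp": None,
    "mg:Dev": "mg:Corp",
    "mg:Production": "mg:Corp",
    "mg:Marketing": "mg:Corp",
    "sub:dev-sub": "mg:Dev",
    "sub:prod-sub": "mg:Production",
    "sub:mkt-sub": "mg:Marketing",
}

VM_WRITE = "Microsoft.Compute/virtualMachines/write"

# Constructed subset of two built-in role definitions (action patterns only).
ROLES = {
    "Virtual Machine Contributor": {VM_WRITE, "Microsoft.Compute/virtualMachines/read"},
    "Reader": {"*/read"},
}


def ancestors(scope):
    """Yield the scope itself, then each parent up to the root management group."""
    while scope is not None:
        yield scope
        scope = PARENT[scope]


def action_matches(pattern, action):
    """Minimal wildcard matching for role-definition action strings."""
    if pattern == "*":
        return True
    if pattern.startswith("*/"):
        return action.endswith(pattern[1:])
    return pattern == action


def rbac_allows(role_assignments, principal, action, scope):
    """True if a role assigned to `principal` at `scope` or any ancestor grants `action`.

    Assignments are additive: one at a subscription and one at a parent
    management group both count; nothing here removes a permission.
    """
    for s in ancestors(scope):
        for who, role, assigned_at in role_assignments:
            if who == principal and assigned_at == s:
                if any(action_matches(p, action) for p in ROLES[role]):
                    return True
    return False


def effective_allowed_locations(policy_assignments, scope):
    """Intersect every 'allowed locations' assignment found at `scope` or above.

    Returns None when no such policy applies (no restriction).
    """
    allowed = None
    for s in ancestors(scope):
        for assigned_at, locations in policy_assignments:
            if assigned_at == s:
                allowed = set(locations) if allowed is None else allowed & set(locations)
    return allowed


def vm_create_decision(role_assignments, policy_assignments, principal, subscription, location):
    """RBAC decides who may act; Policy decides whether the requested resource is compliant."""
    if not rbac_allows(role_assignments, principal, VM_WRITE, subscription):
        return "denied: no role assignment grants VM write at this scope"
    locs = effective_allowed_locations(policy_assignments, subscription)
    if locs is not None and location not in locs:
        return f"denied by policy: allowed locations are {sorted(locs)}"
    return "allowed"


# Constructed assignments matching the answer's scenario.
ROLE_ASSIGNMENTS = [
    ("alice", "Virtual Machine Contributor", "mg:Dev"),   # only the Dev subtree
    ("bob", "Virtual Machine Contributor", "mg:Corp"),    # inherits to all three subscriptions
    ("carol", "Reader", "sub:mkt-sub"),                   # assigned directly at a subscription
]
POLICY_ASSIGNMENTS = [
    ("mg:Corp", ["eastus"]),   # "limit VM creation to EastUS" applied once at the root
]

if __name__ == "__main__":
    for who, sub, loc in [("alice", "sub:dev-sub", "eastus"), ("alice", "sub:prod-sub", "eastus"),
                          ("bob", "sub:prod-sub", "eastus"), ("bob", "sub:mkt-sub", "westus")]:
        verdict = vm_create_decision(ROLE_ASSIGNMENTS, POLICY_ASSIGNMENTS, who, sub, loc)
        print(f"{who} creating a VM in {sub} ({loc}): {verdict}")
```

Running it prints that alice succeeds in dev-sub but not prod-sub, bob succeeds in prod-sub, and bob is stopped in mkt-sub by the root-level location policy even though his role assignment reaches that subscription. The two mechanisms are independent: RBAC never consults the policy, and the policy never grants access.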
@Mike-Rodrick Thanks Mike, but I'm thoroughly confused. I get the use of groups to ease administration, but when I try looking at the different parts (subscription, resources, resource groups, and management groups) they don't seem to fit together. From what I'm reading it seems possible to be able to apply multiple subscriptions to management groups, or multiple management groups to other management groups? None of this makes any sense. How do you decide where to start, or what group to use, or????
So if you manage through subscriptions, but then decide to use management groups, does the access originally provided by subscriptions get overridden by the management group when you add the subscription to the management group?