Organize your Azure resources effectively

Organize your cloud-based resources to secure, manage, and track costs related to your workloads. To organize your resources, define a management group hierarchy, consider and follow a naming convention, and apply resource tagging.

Management levels and hierarchy

Azure provides four levels of management: management groups, subscriptions, resource groups, and resources. The following image shows the relationship between these levels.

Diagram that shows the relationship of management hierarchy levels.

  • Management groups help you manage access, policy, and compliance for multiple subscriptions. All subscriptions in a management group automatically inherit the conditions applied to the management group.

  • Subscriptions logically associate user accounts with the resources they create. Each subscription has limits or quotas on the amount of resources it can create and use. Organizations can use subscriptions to manage costs and the resources created by users, teams, or projects.

  • Resource groups are logical containers where you can deploy and manage Azure resources like web apps, databases, and storage accounts.

  • Resources are instances of services that you can create, like virtual machines, storage, or SQL databases.

Management settings scope

You can apply management settings like policies and Azure role-based access control at any management level. The management level determines how widely the setting is applied. Lower levels inherit settings from higher levels. For example, when you apply a policy to a subscription, the policy applies to all resource groups and resources in that subscription.

Usually, it makes sense to apply critical settings at higher levels, and project-specific requirements at lower levels. For example, to make sure all resources for your organization deploy to certain regions, apply a policy to the subscription that specifies the allowed regions. The allowed locations are automatically enforced when users in your organization add new resource groups and resources. Learn more about policies in the Governance, security, and compliance section of this guide.

It's easy to manage a few subscriptions independently. For a larger number of subscriptions, consider creating a management group hierarchy to simplify subscription and resource management. For more information, see Organize and manage your Azure subscriptions.

Work with people in the following roles as you plan your organizational compliance strategy:

  • Security and compliance
  • IT administration
  • Enterprise architecture
  • Networking
  • Finance
  • Procurement

Create a management structure

To create a management group, subscription, or resource group, sign in to the Azure portal.

  • To create a management group to help you manage multiple subscriptions, go to Management groups and select Create.

  • To create a subscription to associate users with resources, go to Subscriptions and select Add.

    Note

    You can also create subscriptions programmatically. For more information, see Programmatically create Azure subscriptions.

  • To create a resource group to hold resources that share the same permissions and policies:

    1. Go to Create a resource group.
    2. In the Create a resource group form:
      1. Select the Subscription to create the resource group under.
      2. Enter a name for the Resource group.
      3. Select a Region for the resource group location.
    3. Select Review + create, and once the review passes, select Create.

Actions

  • To create a management group to help you manage multiple subscriptions, go to Management groups and select Create.

  • To create another subscription to associate users with resources, go to Subscriptions and select Add.

  • To create a resource group to hold resources that share the same permissions and policies:

    1. Go to Resource groups and select Create.
    2. In the Create a resource group form:
      1. Select the Subscription to create the resource group under.
      2. Enter a name for the Resource group.
      3. Select a Region for the resource group location.
    3. Select Review + create, and if the review passes, select Create.

Naming standards

A good naming standard helps identify resources in the Azure portal, on a billing statement, and in automation scripts. Your naming strategy should include business and operational details in resource names.

  • Business details should include the organizational information needed to identify teams. Use the resource's short name, along with the business owners who are responsible for the resource costs.

  • Operational details in resource names should include information that IT teams need. Include details that identify the workload, application, environment, criticality, and other information useful for managing resources.

Different resource types have different naming rules and restrictions. For more information and recommendations that support enterprise cloud adoption efforts, see the Cloud Adoption Framework guidance on naming and tagging.

The following table shows naming patterns for a few sample Azure resource types:

Note

Avoid using special characters like - or _ as the first or last characters in a name, which causes most validation rules to fail.

Entity Scope Length Casing Valid characters Suggested pattern Example
Resource group Subscription 1-90 Case insensitive Alphanumeric, underscore, parentheses, hyphen, and period except at end <service-short-name>-<environment>-rg profx-prod-rg
Availability set Resource group 1-80 Case insensitive Alphanumeric, underscore, and hyphen <service-short-name>-<context>-as profx-SQL-as
Tag Associated entity 512 (name), 256 (value) Case insensitive Alphanumeric, spaces, and Unicode characters except for angle brackets, percent symbol, ampersand, forward or back slashes, question mark, or period key : value Department : Central IT ☺

Resource tags

Tags can quickly identify your resources and resource groups. You apply tags to your Azure resources to logically organize them by categories. Tags can include context about the resource's associated workload or application, operational requirements, and ownership information.

Each tag consists of a name and a value. For example, you can apply the name environment and the value production to all the resources in production.

After you apply tags, you can easily retrieve all the resources in your subscription that have that tag name and value. When you organize resources for billing or management, tags can help you retrieve related resources from different resource groups.

Other common uses for tags include:

  • Metadata and documentation: Administrators can easily see detail about the resources they're working on by applying a tag like ProjectOwner.
  • Automation: Regularly running scripts can take action based on a tag value like ShutdownTime or DeprovisionDate.
  • Cost optimization: You can allocate resources to the teams and resources who are responsible for the costs. In Azure Cost Management + Billing, you can apply the cost center tag as a filter to report charges based on team or department usage.

Each resource or resource group can have a maximum of 50 tag name and value pairs. This limitation only applies to tags directly applied to the resource group or resource.

For more tagging recommendations and examples, see the Cloud Adoption Framework recommended naming and tagging conventions.

Apply a resource tag

To apply a tag to a resource group:

  1. In the Azure portal, go to Resource groups and select the resource group.
  2. Select Tags in the left navigation.
  3. Enter a new name and value, or select an existing name and value, and then select Apply.

Action

Apply a resource tag:

To apply a tag to a resource group:

  1. Go to Resource groups and select a resource group.
  2. Select Tags in the left navigation.
  3. Enter a new name and value, or select an existing name and value, and then select Apply.

Next steps

To learn more about management levels and organization, see:

For more information about resource naming and tagging, see: