Managing Subscriptions

• Structured Summary + Deep Understanding for Exam & Real-World Azure Administration

Primary services involved:

• Azure Subscription
• Azure Portal
• Azure Resource Manager
• Microsoft Entra ID

Official documentation:

Subscriptions overview:

Azure subscription limits & quotas:

Cost Management overview:

Enterprise Agreement:

1️⃣ What Is an Azure Subscription?#

An Azure subscription is:

• ✔ A billing boundary ✔ A governance boundary ✔ A quota boundary ✔ A deployment scope boundary

It contains:

• Resource Groups
• Resources (VMs, VNets, Storage, etc.)

Important:

• Resource Groups cost nothing.
• Resources may incur costs.
• Costs accumulate at the subscription level.

2️⃣ Subscription Hierarchy (Exam Critical)#

Azure hierarchy:

Tenant (Entra ID) → Subscription → Resource Group → Resource

🔹 Tenant#

Managed by:

• Microsoft Entra ID
• Holds identities (users, groups, service principals)
• A subscription trusts ONE tenant
• A tenant can manage multiple subscriptions

3️⃣ Why Use Multiple Subscriptions?#

Subscriptions help with:

✔ Billing Segmentation#

Example:

• Marketing subscription
• Engineering subscription
• Each team sees its own cost breakdown.

✔ Environment Isolation#

Common pattern:

• Prod subscription
• Dev subscription
• Staging subscription

Benefits:

• Billing isolation
• RBAC isolation
• Policy isolation
• Risk containment

✔ Compliance & Governance#

Subscriptions allow:

• Separate Azure Policy enforcement
• Separate RBAC assignments
• Separate regulatory zones

✔ Regional Segmentation#

Example:

• US subscription
• Europe subscription

Used for:

• Regulatory compliance
• Business segmentation
• Cost allocation

4️⃣ Subscription Offers (Billing Models)#

Common subscription types:

🔹 Pay-As-You-Go#

Pay monthly based on usage

Most common model

🔹 Enterprise Agreement (EA)#

• Large organizations
• Commit annual spend upfront
• Discounted pricing

🔹 Free Trial#

• Limited credits
• Time-limited
• For learning/testing

🔹 Azure for Students#

Free credits

No credit card required

🔹 Cloud Solution Provider (CSP)#

Partner-managed subscription:

• Partner designs & manages solution
• Billing through partner

Docs:

5️⃣ Subscription as Governance Scope#

Subscriptions define scope for:

• ✔ RBAC role assignments ✔ Azure Policy ✔ ARM/Bicep deployments ✔ Resource limits ✔ Budgets & alerts

Deployment scope example:

• az deployment sub create
• This deploys at subscription level.

6️⃣ Managing Subscriptions in Azure Portal#

In:

• Azure Portal

Navigate to:

• Subscriptions → Select subscription

You can manage:

• Billing summary
• Cost analysis
• Budgets
• Alerts
• Resource usage
• Partner information

7️⃣ Cost Management Capabilities#

Under subscription:

✔ Cost Analysis#

• Historical spending
• Resource breakdown
• Filtering by resource group

✔ Budgets#

Set threshold alerts:

• Email notifications
• Automation triggers

✔ Cost Alerts#

Prevent unexpected overspend

8️⃣ Quotas & Limits (Very Important for Exams)#

• Cloud is NOT unlimited.

Each subscription has:

• Compute limits
• Networking limits
• Storage limits
• Regional quotas

Example:

• vCPU quota per region
• Public IP limit
• NSG rule limit

Docs:

• Many quotas are adjustable.
• You can request increases.
• Exam trap: Subscription limits ≠ Azure global limits.

9️⃣ Subscription Naming Strategies#

Common enterprise naming patterns:

Environment-Based#

• Contoso-Prod
• Contoso-Dev
• Contoso-Test

Department-Based#

Contoso-Marketing

Contoso-Engineering

Region-Based#

Contoso-US

Contoso-EU

Hybrid Naming#

• Contoso-Prod-US
• Contoso-Dev-EU
• Purpose: ✔ Governance clarity ✔ Billing clarity ✔ Compliance separation

🔟 Subscription vs Resource Group (Common Confusion)#

Important:

Resources cannot exist outside a subscription.

1️⃣1️⃣ Security & Roles at Subscription Level#

Roles can be assigned at:

• Subscription scope
• Resource group scope
• Resource scope
• Example: Billing admin for Marketing subscription only.

Identity relationship:

• Tenant → Grants roles → On subscription

1️⃣2️⃣ Real-World Enterprise Design Pattern#

Large enterprise might use:

• Management Group → Corp → Prod Subscriptions → Dev Subscriptions → Department Subscriptions

This allows:

• ✔ Policy inheritance ✔ Cost roll-up ✔ Central governance

1️⃣3️⃣ High-Probability Exam Topics#

Expect questions on:

• What defines billing boundary? (Subscription)
• Where are quotas enforced? (Subscription)
• Can one tenant manage multiple subscriptions? (Yes)
• Can one subscription trust multiple tenants? (No)
• Do resource groups incur cost? (No)
• Where do you set budgets? (Subscription level)
• Can quotas be increased? (Yes, request increase)

1️⃣4️⃣ Mental Model for Exams#

Think of subscription as:

💰 Billing wallet 🛡 Governance boundary 📦 Container of resource groups ⚖ Quota enforcer

1️⃣5️⃣ Final Key Takeaways#

• ✔ Subscription = billing + governance + quota boundary ✔ Subscriptions belong to ONE Entra ID tenant ✔ Tenant can manage multiple subscriptions ✔ Multiple subscription offers exist (EA, Pay-As-You-Go, CSP, etc.) ✔ Subscriptions support budgets and cost tracking ✔ Quotas limit resource creation ✔ Subscription segmentation improves governance ✔ Subscription is deployment scope for ARM & Bicep

If you'd like next:

• 🧠 Subscription vs Management Group deep dive
• 💰 Azure Cost Management architecture breakdown
• 🔐 RBAC at subscription scope explained
• 📘 40 AZ-104 subscription scenario questions
• 🏗 Enterprise subscription design patterns
• Tell me which certification you're preparing for.

Hands-on: Budget, Tags, and Resource Lock at Subscription Scope#

Goal: Practice the subscription governance controls that AZ-104 expects administrators to know.

1. Open Cost Management + Billing > Budgets.
2. Create a monthly budget for the subscription, such as $25 for a lab.
3. Add an alert at 80% actual spend and 100% forecasted spend.
4. Create a resource group named az104-governance-rg.
5. Add tags:
   • Environment = lab
   • Owner = <your-name>
   • CostCenter = learning
6. Create a CanNotDelete lock on the resource group.
7. Try deleting a test resource inside the group and confirm the lock blocks deletion.
8. Remove the lock before cleanup.

Hands-on: Check Subscription Quotas#

1. Open Subscriptions > Usage + quotas.
2. Filter for Microsoft.Compute.
3. Review current vCPU usage and regional limits.
4. Change the region filter and compare quotas.
5. Start a quota increase request for a lab region, but do not submit it unless you actually need it.