Understanding Azure Resource Manager
AZ-104 notes: Understanding Azure Resource Manager. Covers key concepts for the Azure Administrator Associate exam.
- Structured Summary + Deep-Dive for Exam & Architecture Clarity
Primary service:
- Azure Resource Manager
1️⃣ Azure Cloud Fundamentals – The Hierarchy
Azure is built in logical layers. Understanding this hierarchy is foundational for every Azure exam and real-world architecture.
🔹 Level 1: Resources (Smallest Unit)
- Resources are the building blocks of Azure.
Examples:
- Virtual Machines
- Storage Accounts
- Virtual Networks
- Databases
- App Services
Each resource:
- Belongs to one resource group
- Exists in one region
- Has a resource provider type
- Is managed through ARM
Think of resources as individual cloud components providing:
- Compute
- Storage
- Networking
- Security
- Identity
- Application hosting
🔹 Level 2: Resource Groups (Logical Containers)
- A Resource Group (RG) is a logical container for resources.
Characteristics:
- Resources can only belong to one resource group
Resource groups help organize by:
- Lifecycle
- Environment (Dev/Test/Prod)
- Department
- Application
- Security boundary
Important behaviors:
- Deleting a resource group deletes ALL contained resources
- RBAC can be applied at RG level
- Tags can be applied at RG level
🔹 Level 3: Subscriptions (Billing + Governance Boundary)
A subscription is:
- A billing boundary
- A management boundary
- A security boundary (RBAC scope)
- A quota boundary
Key facts:
- Resource groups live inside subscriptions
- Resources are billed per subscription
Organizations often use multiple subscriptions for:
- Departments
- Cost separation
- Compliance
- Environments
2️⃣ What is Azure Resource Manager (ARM)?
Azure Resource Manager is:
- ✔ The deployment and management service for Azure
- ✔ The control plane of Azure
- ✔ The orchestration layer
- ARM does NOT directly manipulate resources.
Instead:
- Client (Portal/CLI/PowerShell) → ARM → Resource Provider → Resource
3️⃣ How ARM Works Internally
When you create or modify a resource:
You send a request via:
- Azure Portal
- Azure CLI
- Azure PowerShell
- REST API
- The request goes to ARM.
- ARM routes the request to the appropriate Resource Provider.
- The Resource Provider performs the operation.
4️⃣ Resource Providers (Critical Exam Concept)
- Resource Providers (RPs) are services that manage specific resource types.
Examples:
- Microsoft.Compute → Virtual Machines
- Microsoft.Storage → Storage Accounts
- Microsoft.Network → VNets
- Microsoft.Web → App Services
Each resource type belongs to a provider namespace:
Example:
- Microsoft.Storage/storageAccounts
5️⃣ Control Plane vs Data Plane
This distinction is essential.
🔹 Control Plane (ARM)
Operations like:
- Create VM
- Delete Storage Account
- Modify Networking
- Assign RBAC
These are managed via ARM.
🔹 Data Plane
Operations like:
- Upload Blob
- Read File
- Insert Table Entity
These are handled directly by the service endpoint.
ARM governs the control plane only.
6️⃣ Azure Identity & Trust Model
- Azure uses identity-centric security.
Identity service:
- Microsoft Entra ID
🔹 Tenant
A tenant is:
- An identity boundary
- A directory of users, groups, service principals
Important:
- ✔ A subscription can trust only ONE tenant
- ✔ A tenant can manage multiple subscriptions
This is the trust relationship.
🔹 How Access Is Controlled
- User logs in → Authenticated via Entra ID
- Entra issues token → Token sent to ARM
- ARM validates RBAC → Routes request
If no RBAC role assignment: Access denied.
7️⃣ ARM Deployment Model
ARM enables:
- ✔ Declarative deployments
- ✔ Infrastructure as Code (IaC)
- ✔ Repeatable deployments
Supported via:
- ARM Templates (JSON)
- Bicep
- Terraform (via ARM APIs)
Example ARM template defines:
- Resource
- Properties
- Dependencies
- Parameters
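An added example (not from the original notes or Microsoft's tooling) showing the four template parts named above and how `dependsOn` determines the order resources can be deployed in. The template is constructed sample data with trimmed properties, and `dependsOn` uses plain resource names rather than `resourceId()` expressions, which this code does not resolve.

```python
import json
from graphlib import TopologicalSorter

# Constructed sample template: one parameter, four resources, name-based dependsOn.
TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {"location": {"type": "string", "defaultValue": "westeurope"}},
  "resources": [
    {"type": "Microsoft.Network/virtualNetworks", "apiVersion": "2023-04-01", "name": "vnet1",
     "location": "[parameters('location')]",
     "properties": {"addressSpace": {"addressPrefixes": ["10.0.0.0/16"]}}},
    {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01", "name": "stdiag01",
     "location": "[parameters('location')]", "sku": {"name": "Standard_LRS"}, "kind": "StorageV2"},
    {"type": "Microsoft.Network/networkInterfaces", "apiVersion": "2023-04-01", "name": "nic1",
     "location": "[parameters('location')]", "dependsOn": ["vnet1"], "properties": {}},
    {"type": "Microsoft.Compute/virtualMachines", "apiVersion": "2023-03-01", "name": "vm1",
     "location": "[parameters('location')]", "dependsOn": ["nic1", "stdiag01"], "properties": {}}
  ]
}
""")

def deployment_waves(template):
    """Group resources into waves: each wave only depends on earlier waves."""
    resources = {r["name"]: r for r in template["resources"]}
    graph = {}
    for name, res in resources.items():
        deps = res.get("dependsOn", [])
        missing = [d for d in deps if d not in resources]
        if missing:
            raise ValueError(f"{name} depends on undefined resource(s): {missing}")
        graph[name] = set(deps)
    sorter = TopologicalSorter(graph)
    sorter.prepare()  # raises graphlib.CycleError (a ValueError) on circular dependsOn
    waves = []
    while sorter.is_active():
        ready = sorted(sorter.get_ready())  # resources with all dependencies satisfied
        waves.append(ready)
        sorter.done(*ready)
    return waves

if __name__ == "__main__":
    for number, wave in enumerate(deployment_waves(TEMPLATE), start=1):
        print(f"wave {number}: {', '.join(wave)}")
```
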
8️⃣ Benefits of ARM Model
- Before ARM, Azure used the "classic" deployment model.
ARM improvements:
- ✔ Role-based access control
- ✔ Resource tagging
- ✔ Resource grouping
- ✔ Template-based deployment
- ✔ Consistent API layer
- ✔ Dependency management
- ✔ Idempotent deployments
The classic model is deprecated.
9️⃣ Management Scope Hierarchy
Azure management hierarchy:
- Tenant → Management Groups → Subscriptions → Resource Groups → Resources
- RBAC can be applied at any level.
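How scope inheritance plays out for the hierarchy above and the access check in section 6, as an added example (not code from Azure or the original notes): it resolves which role assignments reach a given ARM resource ID. The IDs, principals and management-group ancestry map are constructed, and the check models only scope inheritance, not the permissions inside each role.

```python
# Added example. All IDs, principals and the management-group map are constructed.
MG_PREFIX = "/providers/microsoft.management/managementgroups/"

def parse_resource_id(resource_id):
    """Split an ARM resource ID into its hierarchy parts."""
    seg = resource_id.strip("/").split("/")
    if len(seg) < 2 or seg[0].lower() != "subscriptions":
        raise ValueError(f"not a subscription-scoped ARM ID: {resource_id!r}")
    parts = {"subscription": seg[1].lower(), "resource_group": None, "type": None, "name": None}
    if len(seg) >= 4 and seg[2].lower() == "resourcegroups":
        parts["resource_group"] = seg[3]
    if len(seg) >= 8 and seg[4].lower() == "providers":
        parts["type"] = f"{seg[5]}/{seg[6]}"  # provider namespace / resource type
        parts["name"] = seg[7]
    return parts

def scope_covers(scope, resource_id, mg_ancestry):
    """True if a role assignment made at `scope` is inherited by `resource_id`."""
    scope, rid = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    if scope.startswith(MG_PREFIX):
        # Management groups are not part of the resource ID, so ancestry is looked up.
        sub = parse_resource_id(rid)["subscription"]
        return scope[len(MG_PREFIX):] in mg_ancestry.get(sub, [])
    # Compare on a segment boundary so ".../rg-prod" never covers ".../rg-prod-data".
    return rid == scope or rid.startswith(scope + "/")

def effective_assignments(principal, resource_id, assignments, mg_ancestry):
    """Assignments for `principal` that reach `resource_id`; an empty list means denied."""
    return [a for a in assignments
            if a["principal"] == principal and scope_covers(a["scope"], resource_id, mg_ancestry)]

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
# Assumed lookup: subscription ID -> lowercase names of its ancestor management groups.
MG_ANCESTRY = {"00000000-0000-0000-0000-000000000001": ["corp", "corp-prod"]}
STORAGE = f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod01"
OTHER = f"{SUB}/resourceGroups/rg-prod-data/providers/Microsoft.Storage/storageAccounts/stdata01"
ASSIGNMENTS = [
    {"principal": "alice", "role": "Reader", "scope": "/providers/Microsoft.Management/managementGroups/corp"},
    {"principal": "bob", "role": "Contributor", "scope": f"{SUB}/resourceGroups/rg-prod"},
    {"principal": "carol", "role": "Owner", "scope": STORAGE},
]

if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave"):
        for rid in (STORAGE, OTHER):
            roles = [a["role"] for a in effective_assignments(who, rid, ASSIGNMENTS, MG_ANCESTRY)]
            print(who, parse_resource_id(rid)["name"], roles or "denied")
```
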
🔟 Governance Capabilities via ARM
ARM integrates with:
- ✔ Azure RBAC
- ✔ Azure Policy
- ✔ Azure Blueprints
- ✔ Tags
- ✔ Locks
These operate through the ARM control plane.
1️⃣1️⃣ Security Model Summary
Security flow:
- User → Auth via Entra → Token issued → ARM validates → Resource provider executes
- No direct subscription access without tenant trust.
1️⃣2️⃣ Common Exam Pitfalls
- 🚩 Resource groups are billing boundaries → False
- 🚩 Subscriptions can trust multiple tenants → False
- 🚩 ARM directly manages data plane → False
- 🚩 Resource providers must be registered → True
- 🚩 Tenant = subscription → False
- 🚩 Deleting resource group deletes contained resources → True
1️⃣3️⃣ Real-World Architecture Example
Scenario:
Company has:
- Tenant A → 5 Subscriptions → Dev, Test, Prod resource groups
Each subscription:
- Linked to same tenant
- RBAC enforced
- Separate billing
ARM ensures:
- Policy enforcement
- Deployment standardization
- Controlled access
1️⃣4️⃣ Mental Model for Mastery
Think in layers:
Identity (Tenant) → Governance (Management Groups) → Billing (Subscriptions) → Organization (Resource Groups) → Services (Resources) → Orchestration (ARM) → Execution (Resource Providers)
1️⃣5️⃣ Final Key Takeaways
- ✔ Resources are smallest unit
- ✔ Resource Groups organize resources
- ✔ Subscriptions handle billing and governance
- ✔ ARM is the orchestration/control plane
- ✔ Resource Providers execute operations
- ✔ Tenant controls identity trust
- ✔ Subscription trusts only one tenant
Understanding ARM is foundational for:
- AZ-104
- AZ-204
- AZ-305
- Enterprise architecture
- Governance design
