What is Azure Resource Management – or ARM?

ARM can be perceived as the unified management layer that is used to create, delete or otherwise manage components in Azure. Regardless of the tooling used to configure something (Azure Portal, Azure Powershell, Azure CLI, REST Clients,…) the actual change is handled by the Azure Resource Manager, handling all requests from different sources:

Resource Manager request model

Image source: https://docs.microsoft.com

What are the organizational scopes in Azure?

Nearly all components in Azure can be managed through the use of any one of the following organization constructs:

  • Resources
  • Resource Groups
  • Subscriptions
  • Management Groups

Resources are the workloads that you create and use in Azure. Virtual Machines, Virtual Networks, Network Security Groups, … are all examples of resources. Resources are the lowest scope that you can assign Role Assignments to. Resources inherit all Policies and Role Assignment that are created on a higher level.

Resource Groups are groups that entail one or more resources. All resources must belong to a resource group (and can only belong to a single resource group). You should only add resources to the same resource group if you manage (create, update, delete,…) them identically. permissions or policies that are assigned on this level automatically trickle down to all underlying resources.

A subscription, as per Microsoft, is “an agreement with Microsoft to use one or more Microsoft cloud platforms or services, for which charges accrue based on either a per-user license fee or on cloud-based resource consumption”.

A Management Group is the only entity described here that is able to work cross-subscriptions. As the Azure consumption in an organization grows, more and more subscriptions will be created. Management Groups can be used to centrally manage RBAC & Policies.

The following image describes the link between the aforementioned items with regards to RBAC and Policies:

Scope