Azure Subscriptions: What They Are and Why They Matter
Azure architecture and services
Azure Subscriptions: What They Are and Why They Matter
Short Summary
This lesson explains what an Azure subscription is and why it exists. You’ll learn how subscriptions fit into Azure’s scope hierarchy and how they relate to identity (Microsoft Entra ID) and cost tracking. You’ll also see practical reasons teams use multiple subscriptions.
Learning Objectives
By the end of this lesson, you will be able to:
- Define what an Azure subscription is.
- Explain how a subscription relates to Microsoft Entra ID (identity) and cost scopes.
- Place subscriptions correctly in the Azure scope hierarchy.
- Describe why organizations use multiple subscriptions.
- Distinguish subscriptions from tenants and resource groups.
Core Concepts
An Azure subscription is a container used to manage Azure resources. It’s commonly treated as a unit of management and billing, and it also acts as a scale boundary in many real-world Azure setups. ([Microsoft Learn][1])
You can think about Azure scopes like a nesting structure:
- Management groups (optional) organize multiple subscriptions.
- Subscriptions contain resource groups.
- Resource groups contain resources.
- Resources are the actual services (like virtual machines, storage accounts, databases).
In other words: scope is “where” you apply access control, policies, and (often) where you analyze costs. ([Microsoft Learn][2])
A subscription is also closely tied to identity. Every Azure subscription has a trust relationship with a Microsoft Entra tenant (directory). A subscription can trust only one tenant at a time, while a tenant can be trusted by multiple subscriptions. ([Microsoft Learn][3])
On the money side: the subscription is a common scope for tracking and managing spend (budgets, exports, analysis), but cost views can also exist at other scopes (like billing accounts) depending on your billing setup. ([Microsoft Learn][2])
Finally, subscriptions are often used to keep boundaries clear:
- Access boundary: assign Azure Role-Based Access Control (RBAC) at subscription scope for broad access, or use smaller scopes when needed. ([Microsoft Learn][2])
- Policy boundary: apply governance at subscription or management group scopes.
- Scale/limits boundary: many quotas and limits are scoped per subscription, so splitting workloads can reduce “noisy neighbor” problems. ([Microsoft Learn][2])
Practical Understanding
Practical Situation 1: Separating production and development
A company wants tighter control over production access and spending, while allowing development teams to experiment safely. They create separate subscriptions for production and dev/test workloads.
How to think about it: Subscriptions make clean boundaries for access, budgeting, and governance. If production and dev share one subscription, it’s easier for permissions and cost visibility to get messy. ([Microsoft Learn][1])
Common misunderstanding: “Resource groups are enough to separate production and dev.” Resource groups help, but subscriptions often make the separation stronger and easier to manage at scale. ([Microsoft Learn][1])
Practical Situation 2: One company, one tenant, many subscriptions
A company keeps one Microsoft Entra tenant for identity but runs multiple subscriptions for different departments (Finance, Engineering, Data).
How to think about it: The tenant is the identity system (users, groups, apps). Subscriptions are where resources live and where you apply resource governance and cost scopes. One tenant can serve many subscriptions. ([Microsoft Learn][3])
Common misunderstanding: “Each subscription needs its own tenant.” No—multiple subscriptions can trust the same tenant. ([Microsoft Learn][3])
Practical Situation 3: Hitting quota limits during growth
A team scales a workload and suddenly can’t provision more capacity in a region because they hit a quota.
How to think about it: Many quotas are per subscription. You can request quota increases, but you should also design subscriptions so one workload doesn’t block another. ([Microsoft Learn][2])
Common misunderstanding: “Quotas are the same thing as budgets.” Quotas are technical limits; budgets are cost controls. They solve different problems. ([Microsoft Learn][2])
Practical Situation 4: Delegating ownership without chaos
A platform team wants full visibility but doesn’t want to manage every small change. App teams need enough permissions to ship.
How to think about it: Start by deciding the right scope for access: subscription-wide roles for platform operations, narrower scopes (like resource groups) for app teams. Role assignments inherit down the scope hierarchy. ([Microsoft Learn][2])
Common misunderstanding: “Giving someone access to a resource group won’t affect anything else.” It can affect everything inside that resource group, and role inheritance matters—so choose scopes intentionally. ([Microsoft Learn][2])
Common Pitfalls
-
Mistake: Treating a subscription as “just a billing item.” Correction: Use it as a management and governance boundary too (access, policy, structure). ([Microsoft Learn][1])
-
Mistake: Confusing the tenant with the subscription. Correction: The tenant is identity (Microsoft Entra ID). The subscription is the resource container that trusts a tenant. ([Microsoft Learn][3])
-
Mistake: Putting unrelated workloads into one subscription “to keep things simple.” Correction: Separate workloads when you need clearer cost visibility, tighter access boundaries, or reduced quota conflicts. ([Microsoft Learn][1])
-
Mistake: Assigning broad RBAC roles without thinking about scope inheritance. Correction: Pick the smallest scope that matches what the person/team needs, because permissions apply to child scopes. ([Microsoft Learn][2])
-
Mistake: Assuming cost analysis is only available at the subscription level. Correction: Cost management uses multiple scopes (subscription, billing account, and more) depending on what you have access to. ([Microsoft Learn][2])
Check Your Understanding
- In your own words, explain what a subscription “contains” and what it does not contain.
- Write the scope hierarchy (management groups → subscriptions → resource groups → resources) and describe what “inheritance” means for access or policy.
- Describe a scenario where you would keep one tenant but use multiple subscriptions.
- Think of one technical limit (quota) problem and one cost problem. Explain which one a quota helps with and which one a budget helps with.
- If two teams must not see each other’s costs, what design choices could help (and why)?
Further Reading
- Cloud subscription (Azure subscription) overview — https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/cloud-subscription ([Microsoft Learn][4])
- Cloud Adoption Framework: Subscription considerations — https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-subscriptions ([Microsoft Learn][1])
- Subscription and Microsoft Entra tenant relationship — https://learn.microsoft.com/en-us/entra/fundamentals/how-subscriptions-associated-directory ([Microsoft Learn][3])
- Cost Management scopes (subscription vs billing scopes) — https://learn.microsoft.com/en-us/azure/cost-management-billing/costs/understand-work-scopes ([Microsoft Learn][2])