Jordan Flynn KB

Azure Resource Organisation

Structuring management groups, subscriptions, and resource groups effectively.

Hierarchy Overview

Azure resources should be organised hierarchically: Management Groups at the top for governance, Subscriptions for billing and access boundaries, and Resource Groups for logical grouping of related resources. This structure enables consistent policy enforcement and clear cost attribution across the organisation.

Resource Hierarchy

  • Management Groups — top-level governance containers; nest up to 6 levels deep
  • Subscriptions — billing and access boundaries; isolate workloads by environment or team
  • Resource Groups — logical containers for related resources that share a lifecycle
  • Resources — the actual services (VMs, storage accounts, databases, etc.)

Naming and Tagging

Use a consistent naming convention and apply tags for cost tracking and ownership. A good naming pattern includes the resource type abbreviation, workload, environment, and region — for example, rg-prod-webapp-uksouth.

  • Environment — Production, Staging, Development, Test
  • Department — Engineering, Finance, Marketing
  • Owner — the team or individual responsible for the resource
  • CostCentre — maps to your internal billing codes
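The following shell script is an added example, not part of this KB page or of any Azure tooling. It checks a resource name against the pattern described above (type-environment-workload-region) and reports which of the mandatory tag keys listed above are missing from a set of Key=Value pairs in the form the az --tags argument takes. The allowed type, environment and region lists are assumptions for illustration; adjust them to your own convention.

```shell
#!/bin/sh
# Added example (not from the KB page): offline checks for the naming
# pattern <type>-<env>-<workload>-<region> and the mandatory tag keys.
# The allowed type, environment and region lists below are assumptions.

# valid_name NAME -> 0 if NAME follows the convention, 1 otherwise.
valid_name() {
  name="$1"
  case "$name" in
    *-*-*-*) ;;          # at least four dash-separated segments
    *) return 1 ;;
  esac
  rtype="${name%%-*}";  rest="${name#*-}"
  env="${rest%%-*}";    rest="${rest#*-}"
  region="${rest##*-}"; workload="${rest%-*}"   # workload may itself contain dashes
  case "$rtype"  in rg|vm|vnet|kv|sql) ;; *) return 1 ;; esac
  case "$env"    in prod|stg|dev|test) ;; *) return 1 ;; esac
  case "$region" in uksouth|ukwest|northeurope|westeurope) ;; *) return 1 ;; esac
  [ -n "$workload" ] || return 1
  case "$workload" in *[!a-z0-9-]*) return 1 ;; esac   # lowercase alphanumerics only
  return 0
}

# missing_tags KEY=VALUE... -> prints each mandatory key absent from the
# arguments (one Key=Value pair per argument, as given to az --tags).
missing_tags() {
  for required in Environment Department Owner CostCentre; do
    found=0
    for pair in "$@"; do
      if [ "${pair%%=*}" = "$required" ]; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then printf '%s\n' "$required"; fi
  done
}

# valid_environment VALUE -> 0 if VALUE is one of the Environment tag
# values listed on this page, 1 otherwise.
valid_environment() {
  case "$1" in Production|Staging|Development|Test) return 0 ;; *) return 1 ;; esac
}

# Constructed sample inputs for a stand-alone run.
for n in rg-prod-webapp-uksouth vnet-dev-hub-ukwest rg-prd-webapp-uksouth webapp-prod-rg; do
  if valid_name "$n"; then printf 'ok       %s\n' "$n"; else printf 'INVALID  %s\n' "$n"; fi
done
printf 'missing tags: %s\n' \
  "$(missing_tags Environment=Production Department=Engineering 'Owner=Platform Team' | tr '\n' ' ')"
```

Run it before an az group create to catch a name or tag set that would otherwise be rejected by a policy assignment, or wire the two functions into a pre-deployment pipeline step. Note that storage account names cannot contain dashes, so that resource type is deliberately absent from the type list here.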

RBAC Best Practices

Assign RBAC roles at the appropriate scope — prefer resource group level over subscription level to follow the principle of least privilege. Avoid assigning permissions at the management group level unless the policy truly applies organisation-wide.

Warning

Assigning Owner or Contributor at the subscription level gives broad access to every resource within it. Always scope permissions to the narrowest resource group possible.
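An added example, not from this KB page, of how to audit for the situation the warning describes: it classifies role assignment scope strings by level and flags any Owner or Contributor assignment at subscription scope or above. The rows it processes are constructed here; in practice they would come from az role assignment list with a TSV query such as the one in the comments (the exact query is an assumption), and the subscription ID is a placeholder.

```shell
#!/bin/sh
# Added example (not from the KB page): offline audit of role assignments
# that flags Owner or Contributor granted at subscription scope or above.
# Real input would come from something like
#   az role assignment list --all \
#     --query "[].[principalName,roleDefinitionName,scope]" -o tsv
# (an assumption about the query); the rows below are constructed.

# scope_level SCOPE -> prints the level a scope string refers to.
scope_level() {
  case "$1" in
    /providers/Microsoft.Management/managementGroups/*) echo managementgroup ;;
    /subscriptions/*/resource[Gg]roups/*/providers/*)   echo resource ;;
    /subscriptions/*/resource[Gg]roups/*)               echo resourcegroup ;;
    /subscriptions/*)                                   echo subscription ;;
    /)                                                  echo root ;;
    *)                                                  echo unknown ;;
  esac
}

# broad_assignments: reads "principal<TAB>role<TAB>scope" rows on stdin and
# echoes those that grant Owner or Contributor above resource-group scope.
broad_assignments() {
  tab=$(printf '\t')
  while IFS="$tab" read -r principal role scope; do
    [ -n "$scope" ] || continue
    case "$role" in Owner|Contributor) ;; *) continue ;; esac
    case "$(scope_level "$scope")" in
      root|managementgroup|subscription)
        printf '%s\t%s\t%s\n' "$principal" "$role" "$scope" ;;
    esac
  done
}

# Constructed sample rows; the subscription ID is a placeholder.
sub="/subscriptions/00000000-0000-0000-0000-000000000000"
sample=$(printf '%s\t%s\t%s\n' \
  'alice@contoso.com' 'Owner'       "$sub" \
  'bob@contoso.com'   'Reader'      "$sub/resourceGroups/rg-prod-webapp-uksouth" \
  'ci-deployer'       'Contributor' '/providers/Microsoft.Management/managementGroups/mg-platform' \
  'carol@contoso.com' 'Contributor' "$sub/resourceGroups/rg-dev-api-uksouth/providers/Microsoft.Web/sites/app-dev-api" \
  'dave@contoso.com'  'Contributor' "$sub/resourceGroups/rg-dev-api-uksouth")

# Prints the two rows that violate the guidance (alice at subscription
# scope, ci-deployer at management group scope).
printf '%s\n' "$sample" | broad_assignments
```

Pipe the real TSV output into broad_assignments and review each row it prints; an assignment at resource group or resource scope is passed through silently because it already matches the scoping advice on this page.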

Configuration Examples

Create a resource group with tags

# Tags are Key=Value pairs; quote any value that contains spaces.
az group create \
  --name "rg-prod-webapp-uksouth" \
  --location "uksouth" \
  --tags Environment=Production Department=Engineering Owner="Platform Team"

Assign a Reader role scoped to a resource group

# --resource-group limits the assignment to that group rather than
# the whole subscription.
az role assignment create \
  --assignee "user@contoso.com" \
  --role "Reader" \
  --resource-group "rg-prod-webapp-uksouth"

Tip

Use Azure Policy to enforce tagging requirements. A "Require tag and its value" policy assigned at the management group level ensures no resource can be created without the mandatory tags.
