Easy Guide to Your Azure Subscription
An Azure subscription is a base container that comprises a group of related business or technical resources. These resources are used and billed together. An Azure subscription also acts as an administrative boundary, meaning that it allows subscription administrators to access all resources within the subscription and delegate access through role-based access-control mechanisms.
What Is an Azure Subscription?
An Azure subscription is mandatory when you are using Azure resources. An Azure resource is a manageable item like a database, web application, virtual network, virtual machine (VM) or storage account that is available on Azure. A subscription authenticates and authorizes you to use these resources. An Azure subscription links to an Azure account, which in turn is an identity in Azure Active Directory (AD). Hence, a subscription is an agreement between an organization and Microsoft to use resources, for which charges are either paid on a per-license basis or a cloud-based, resource-consumption basis.
An Azure account can have multiple subscriptions with different access management policies and different billing procedures. An Azure subscription can be used to define the following boundaries:
- Billing boundary: This boundary defines the billing requirements for using resources. You can create different subscriptions for different billing requirements, and Azure sends separate billing resources for each subscription.
- Access control boundary: You can create an access control boundary at the subscription level by applying different access management policies to different subscriptions to reflect different organizational structures.
How Do Accounts, Tenants and Azure Active Directory Relate to Subscriptions?
Azure charges for the services it offers to organizations. Each organization is given an Azure AD Tenant, can create Azure Accounts, and can create different subscriptions for the use of different services. These terms are defined below:
- Organization: Any business entity or individual that plans to use Azure resources. An organization is identified by one or more domain names.
- Tenant: A specific instance of Azure AD, identified and authorized using a Tenant ID. After Azure registration, organizations are given an Azure AD Tenant. Azure AD is a single platform that allows you to manage accounts, users, groups and permissions.
- Accounts: The Azure AD Tenant stores all accounts created to utilize Azure’s offerings.
Now that you understand the terminology, you can learn the relation between accounts, tenants and subscriptions:
- An organization can have many tenants.
- Each tenant can have many subscriptions.
- Each tenant can have many accounts.
- Accounts can use multiple subscriptions.
- The Azure AD Tenant determines which account can use which subscription.
- Azure resources must be tied to a subscription for billing purposes.
How Can You Use Azure Subscriptions to Scale the Environment?
To avoid per-subscription limits, organizations often use multiple Azure subscriptions. There are several strategies that you can adopt to ensure that your Azure subscription scales the environment and manages Azure resources effectively.
Once you create your initial subscriptions, depending on the model of your organization, you can create additional subscriptions to scale your environment. Before you scale your subscriptions:
- Consider the subscription limits imposed on some resource types. You might need to create additional subscriptions if some resources are limited in a particular subscription.
- Consider the data ingress and egress costs between subscriptions.
- Consider business priorities like governance, migration, operations, innovation and security.
- Consider that some resources fit better on other subscriptions, and you can move resources between subscriptions depending on where they fit best.
There are multiple strategies that can help you decide on how to purchase and design additional Azure subscriptions. A few are listed here:
- Workload separation: In accordance with the workload separation strategy, you can separate subscriptions depending on production and non-production management groups as new workloads are added to the cloud.
- Application category: Subscriptions can also be categorized depending on the differences in access controls, business needs, data protection needs or compliance needs. You can also categorize subscriptions based on whether your applications are mission-critical, are subject to regulatory requirements or are part of the cost of goods sold.
- Functional line: Subscriptions can also be categorized along functional lines such as IT support, finance or sales.
- Business unit: By utilizing a management hierarchy, subscriptions can also be grouped by business division or even based on profit and loss.
- Geographic region: If your organization has global operations, you can also categorize subscriptions and accounts based on geographic regions.
Azure Subscription: Transferring to a Different Azure Active Directory
Each Azure subscription is associated with an Azure AD. If you have a huge number of subscriptions, you might want to transfer some into a different Azure AD. Transferring a subscription can lead to potential downtime, so you can consider alternate approaches like re-creating the resources and copying data to the target subscription or adopting a multi-directory architecture. This is because there are significant impacts of transferring subscriptions to a different Azure AD for the following services:
- Role assignments
- Custom roles
- System-assigned managed identities
- User-assigned managed identities
- Azure Key Vault
- Azure SQL databases
- Azure Storage
- Azure Files
- Azure File Sync
- Azure Managed Disks
- Azure Kubernetes Service
- Azure Policy
- Azure AD Domain Services
- App registrations
If you still want to move forward with the transfer, follow the steps mentioned below:
- Sign in to the source directory as an administrator.
- Install the Azure Resource Graph extension to query the resources managed by Azure Resource Manager.
- Save all the role assignments in JSON, TSV or table format.
- Save all the custom roles.
- Determine the mappings for your users, groups and services.
- List the role assignments for the managed identities.
- List all the Key Vaults, Azure SQL databases with Azure AD authentication, Access Control Lists (ACLs) and other known resources.
- Transfer the subscription, and then re-create the custom roles and role assignments.
- Update system-assigned managed identities, user-assigned managed identities, Key Vaults, ACLs and review other security methods.
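The saved role assignments, custom roles and principal mappings from the steps above can be cross-checked before the transfer so that no access is silently lost. The following Python sketch is an added example, not part of the original guide or any Microsoft tooling; the sample JSON, the object IDs, the `PRINCIPAL_MAP` table and the `MANAGED_IDENTITY_IDS` set are constructed placeholders, and the field names assume role assignments saved as JSON from the Azure CLI.

```python
import json

# Constructed sample in the shape of role assignments saved as JSON.
ASSIGNMENTS_JSON = """[
 {"principalId": "aaaa-1", "principalType": "User",
  "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-app"},
 {"principalId": "bbbb-2", "principalType": "Group",
  "roleDefinitionName": "VM Restart Operator",
  "scope": "/subscriptions/SUB-PLACEHOLDER"},
 {"principalId": "cccc-3", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Reader",
  "scope": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-data"},
 {"principalId": "dddd-4", "principalType": "User",
  "roleDefinitionName": "Owner",
  "scope": "/subscriptions/SUB-PLACEHOLDER"}
]"""
# Constructed sample of the saved custom roles.
CUSTOM_ROLES_JSON = '[{"roleName": "VM Restart Operator", "roleType": "CustomRole"}]'
# Hypothetical inputs: source-to-target object IDs, and managed identity principals.
PRINCIPAL_MAP = {"aaaa-1": "target-user-1", "bbbb-2": "target-group-2"}
MANAGED_IDENTITY_IDS = {"cccc-3"}

def build_plan(assignments, custom_roles, principal_map, managed_ids):
    """Sort saved assignments into work to redo after the transfer and gaps to fix first."""
    custom = {r["roleName"] for r in custom_roles}
    plan = {"custom_roles": set(), "assign": [], "managed_identity": [], "unmapped": []}
    for a in assignments:
        pid, role, scope = a["principalId"], a["roleDefinitionName"], a["scope"]
        if role in custom:
            plan["custom_roles"].add(role)  # re-create in the target before assigning
        if pid in managed_ids:
            plan["managed_identity"].append((pid, role, scope))  # redo after identity update
        elif pid in principal_map:
            plan["assign"].append((principal_map[pid], role, scope))
        else:
            plan["unmapped"].append((pid, role, scope))  # access that would be lost
    return plan

def sample_plan():
    return build_plan(json.loads(ASSIGNMENTS_JSON), json.loads(CUSTOM_ROLES_JSON),
                      PRINCIPAL_MAP, MANAGED_IDENTITY_IDS)

if __name__ == "__main__":
    for key, items in sample_plan().items():
        print(key, sorted(items))
```

An empty `unmapped` list is the condition to reach before transferring; every entry left there is a principal whose access has no counterpart in the target directory.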
Parallels RAS Supports Azure as a VDI Provider
Parallels® Remote Application Server (RAS) is a virtualization tool that delivers desktops and applications to end users effectively. Parallels RAS supports Microsoft Azure Hypervisor as a virtual desktop infrastructure (VDI) provider. This allows organizations to provision and scale VDI workloads on-demand directly on Microsoft Azure, rendering faster deployments and simplifying management. Moreover, by integrating with Windows Virtual Desktop, Parallels RAS unifies all virtual workloads and resources into one.
Enhance the flexibility of VDI and Remote Desktop Session Host (RDSH) deployments by mixing and matching on-premises, hybrid and public cloud environments. The built-in automation capabilities of Parallels RAS simplify its deployment and configuration in the Azure cloud. It includes prebuilt Azure virtual machine (VM) templates and configuration wizards, enabling a Parallels RAS appliance to be fully configured in under 30 minutes.