Skip to content



  • Using Azure requires an Azure subscription which provides you with authenticated and authorized access to Azure products
  • An Azure subscription is an identity in Azure Active Directory (Azure AD) or in a directory that an Azure AD trusts

Resource Levels

Level Notes ~AWS
Management groups
  • These are containers that allows to order Azure resources (hierarchically into collections) for multiple subscriptions
  • All subscriptions in a management group automatically inherit the conditions applied to the management group
  • The root management group's display name is Tenant root group (the ID is the Azure AD ID)
  • A subscription groups together user accounts and the resources that have been created by those user accounts
AWS Account
Resource groups
  • A resource group is a logical container for resources deployed on Azure
  • Resource groups are also a scope for applying RBAC permissions
  • Cannot be nested


Azure AD

Source: Azure Active Directory – Security Overview

Identity Types

  • Something that can be authenticated (users and apps)
  • An identity acting with certain roles or claims
  • Groups are often also considered principals because they can have rights assigned
Service principal
  • An identity that is used by a service or application
Managed identity for a service
  • An account on the organization's Azure AD tenant
  • The Azure infrastructure will automatically take care of authenticating the service and managing the account

Identity Management

  • Azure AD Connect integrates on-premises directories with Azure AD, providing both synchronization and sign in
  • On Azure, users, groups, and roles are all stored in Azure Active Directory (Azure AD)
  • The Azure Resource Manager API uses RBAC to secure all resource access management within Azure