Azure Fundamentals: Terminology, Hierarchy, and Resources

The first step in building an MSP cloud practice with Microsoft Azure is deeply familiarizing yourself with Microsoft Azure’s fundamentals: its terminology, elements, and hierarchy.  Here we will list and define the most critical Azure elements and discuss how they interrelate with each other.   

In this section, we will focus exclusively on Azure Resource Manager (ARM), which is Microsoft’s latest and more current implementation of Azure.  Prior to ARM, Azure used a “Classic” model, which had significantly different terminology associated with it and is not relevant to the MSP community today. 

Microsoft Azure is a diverse cloud platform that contains hundreds of products (also known as SKUs).  Azure to Cloud is like Apple to devices–each has many products within multiple categories. 

Azure Categories 

These products fall into many categories.  For instance: 

  • Infrastructure-as-a-Service (user-managed, raw resources that can be used to build IT environments)   
    For example: 
    • Virtual Machines
    • Storage 
    • Networking 
  • Platform-as-a-Service (Microsoft-managed, use-specific, packaged offers designed to be the building blocks of applications)   
    For example: 
    • Azure SQL – Microsoft managed SQL service without a “server running SQL” that can be used as the database back-end for a new or existing application 
    • Azure Files – Microsoft managed SMB (CIFS) file share service that behaves just like a Windows file server but without a server to manage 
  • Data Services – things like machine learning, analytics, and cognitive services 
  • Software-as-service– fully usable, end-user applications written, hosted, and managed by Microsoft
    • Office 365 
    • Dynamics 365 

We will focus on IaaS, SaaS, and somewhat on PaaS — as those are the most fundamental building blocks an MSP needs to build a cloud practice in Azure.

Accounts, Tenants, and Subscriptions 

At the highest level is an Azure account, also known as a tenant or directory (these terms will be used interchangeably).  An Azure account is uniquely associated with an Azure Active Directory (AAD), where user objects that access the Azure Portal exist.  An Azure tenant is free to create, and by itself is simply a container for subscriptions and AAD objects.  You cannot run anything in an Azure account without a subscription.  Azure tenant names must be globally unique (i.e. no one else in the world can use the same name) and each one has a domain associated with it.   


It is possible to use a single Azure tenant for all your customers’ infrastructure.  We will discuss below the advantages of doing so for flexibility of compute reservations.

Inside an Azure tenant there are subscriptions.  A single Azure tenant can contain multiple subscriptions, but each subscription must be contained within a single tenant.  A subscription is the “billing container”.  You obtain a subscription directly from Microsoft or through an Azure reseller and you can create resources inside of that subscription.  The monthly Azure invoice will contain the consumption of every resource you run inside of a subscription.  If you don’t run any resources and therefore have no consumption–-your bill is $0. 

Subscriptions come in many flavors, but the easiest way to think about them is an agreement between you and Microsoft that you will use any of the available Azure products under the terms of your subscription and you agree to pay for them after you’ve used them.  A good comparison is electrical power service in your home.  You open an account with the electricity provider (subscription), agree on a rate for electricity and delivery, use the electricity during a month, and then pay the bill once the power company tells you how much you have used or consumed. 

Subscriptions obtained directly from Microsoft will typically be Pay-as-you-go, Free, EA, CSP, or Sponsored. 

Most MSPs, however, purchase Azure through a CSP Provider(like Pax8, Sherweb, Ingram, Techdata, etc.).  The MSP in this scenario is known as a “CSP Reseller”.  Using the CSP Provider’s own portal, the MSP will be able to create a subscription to consume resources inside this subscription.  The CSP Provider will get a bill from Microsoft for the consumption and will in turn bill the MSP.  The MSP will then bill its customer for the Azure consumption. 

  • Pay-as-you-go (PAYG) – if you sign up to use Azure on you will be required to put in a credit card.  This will be the agreed upon payment method for any resources consumed inside of your subscription and it be billed automatically on a monthly basis – at Azure’s list prices. 
  • Free – this is limited subscription that you can obtain directly from to play around with Azure for a limited time and to consume up to $200 in resources usage.  This type of subscription is too limited to use for anything but a simple VM or two and is not recommended for MSPs looking to build cloud practices in Azure. 
  • EA (Enterprise Agreement) – if your customer is a larger organization, they will likely have a direct volume licensing agreement with Microsoft that gets negotiated every few years with annual “True Ups”.  As part of this EA, the customer will have prepaid for a certain amount of Azure consumption (monetary commitment) and will be able to use resources in the subscription up to this amount.  Any overages will be reconciled at the time of the customer’s True Up with Microsoft. 
  • CSP(Cloud Solution Provider)– if you are a Direct CSP with Microsoft, you can provision a CSP subscription for Azure inside of your customer’s tenant or your own tenant.  Microsoft will bill you for the usage (i.e. consumption) inside of this subscription – at your discounted reseller rate – and you will in turn bill your customer.  This is one of the most flexible and powerful types of subscription.   
  • Sponsored – if you are part of the Microsoft Partner Network (MPN) and have Silver or Gold competencies, Microsoft may provide you with a sponsored Azure subscription that you can use to hone your Azure skills, do demos for customers, and use internally.  Each subscription will have a preset monetary limit and you’ll be required to add a credit card to be used once you exceed the preset limits.  The details on your sponsored subscriptions, if you have any, can be obtained in your Partner Center under MPN or your Partner Development Manager (PDM).  A word of caution: do not use sponsored subscriptions for customer workloads.  Once you exceed your sponsored subscription limit, you will be billed at list rates on your credit card and there is no easy way to convert this subscription to CSP.  You will be forced to migrate actual resources to another subscription, which is a disruptive process. 
Subscriptions have globally unique IDs (GUID) associated with them.  They also have a friendly name that you can set to anything you want, and this name does not have to be unique.  As a matter of fact, you can have subscriptions with the same friendly name inside of the same tenant.  However, try to assign logical, unique names to each of your subscriptions to make things easier to manage. 
  • Click here to know more about Azure Enterprise enrolment hierarchy
  • Click here to know more about AzureAD Accounts/Tenants/Subscriptions

Resource Groups and Resources 

Below the subscription are resource groups (RG).  These are logical groupings of resources in Azure that allow you to easily view and manage sets of resources associated with a single function.  For example, if you have two complex, multi-component applications A and B, you will want to split them up into resource groups (e.g. RG-A and RG-B) to logically group all the compute, storage, and networking for each application with other related components.   

Resource groups are not billing units.  You won’t be able to easily answer the question of “how much are the resources in resource group RG-A costing me” by looking at your Azure invoice.  These RGs are there for ease of management, resource organization, and isolation.  There are lots of resources in every Azure deployment so keeping things nice, tidy, and logical is very important. 

There could be multiple resource groups within a single subscription, but any one resource group can only be part of only one subscription.  Resource group names do not have to be globally unique, but must be unique within a single subscription. 

Finally, resources are created inside of a resource group, which is inside a subscription, which is inside a tenant.  What are resources?  It’s everything that does something in Azure.  Examples are virtual machines, virtual networks, disks, network cards, VPN gateways, IP addresses, etc.   

Usage and Billing 

There are many categories of resources and each one has different configuration, usage and billing characteristics.  We will explore the most important elements in this and future write-ups.  For now, let’s focus on billing. 

Some resources will be billable while others won’t.  For example, a virtual machine (compute resource) will be billable while a virtual network interface (network resource) attached to a virtual machine will not be billable.   

Billing in Azure typically has a unit and frequency.  The easiest way to think about this is to go back to our electricity at home example.  Electric power is a resource, the unit is kWatt and frequency is hour.  We therefore have a pre-defined cost per kWatt-hour.  As we use electricity, there is a meter running that measures how many kWatt-hours we’ve used up and then the electric company sends us a bill for what we used.  Azure works the same way. For instance, a virtual machine (VM) is billed for compute capacity (unit) on a per-second basis (frequency).  Every time we start up (provision) a VM, a meter starts up and keeps track of how long this VM is running.  At the end of the month our invoice will show how many hours we used a particular type of VM and that’s what we owe either Microsoft directly or via a CSP.   

The key takeaway here is that each billable resource has a virtual “meter” that’s running any time the resource in “used” (this is defined differently for each type of resource).  If we stop the resource, we stop the meter and we are no longer billed.  

Azure Object Hierarchy Overview   

Familiarizing yourself with this set of core building blocks including Accounts, Tenants, Subscriptions, Resource Groups, Resources, and Billing options is the first step an MSP should take in determining the most efficient and cost-effective way to build a cloud IT practice in Microsoft Azure. 

Now, let’s dive deeper in Azure Resource

Azure Resources  

As we stated above, the building blocks of an Azure IT environment are Resources.  These resources are organized into Resource Groups inside of an Azure subscription.  There are billable and non-billable resources.  Billable resources have a Meter attached to them that runs while the resource is provisioned.   

In this section, we will explore the three most common types of Azure resources used by MSPs when deploying IT environments: Compute (virtual machines), Storage, and Network. 

Every resource used in Azure must be deployed in a geographical location known as a Region.  An Azure region is a grouping of data centers located in a specific geographic location.  Microsoft is constantly growing its global footprint and adding data centers and regions.  At the time of this article, there are 54 regions available in 140 countries and the list is growing.  The most up-to-date map of regions can be viewed here

Resources deployed in the same region are interconnected with high speed connectivity (think LAN speeds).  Resources in different regions can still communicate with each other but are subject to additional WAN latency.  The latency depends on how far the regions are from each other.

You can also download our complete guide to Azure resources here

Associate or add an Azure subscription to your Azure Active Directory tenant

An Azure subscription has a trust relationship with Azure Active Directory (Azure AD). A subscription trusts Azure AD to authenticate users, services, and devices.

Multiple subscriptions can trust the same Azure AD directory. Each subscription can only trust a single directory.

If your subscription expires, you lose access to all the other resources associated with the subscription. However, the Azure AD directory remains in Azure. You can associate and manage the directory using a different Azure subscription.

All of your users have a single home directory for authentication. Your users can also be guests in other directories. You can see both the home and guest directories for each user in Azure AD.


Understand scope

Azure provides four levels of scope: management groups, subscriptions, resource groups, and resources. The following image shows an example of these layers.

Management levels

You apply management settings at any of these levels of scope. The level you select determines how widely the setting is applied. Lower levels inherit settings from higher levels. For example, when you apply a policy to the subscription, the policy is applied to all resource groups and resources in your subscription. When you apply a policy on the resource group, that policy is applied the resource group and all its resources. However, another resource group doesn’t have that policy assignment.

You can deploy templates to tenants, management groups, subscriptions, or resource groups