Azure Subscriptions Best Practices: A comprehensive guide to effective cloud governance

Because every organization is different, Azure management groups are designed to be flexible. While subscriptions can be moved between different management groups, it is helpful to design an initial management group hierarchy that reflects your anticipated organizational needs.

Below are Azure subscriptions patterns and several more advanced hierarchies that can align with your organization.

Single Subscription

A single subscription per account may suffice for organizations that need to deploy a small number of cloud-hosted assets. This is the first subscription pattern when you choose Azure migration services to explore more capabilities of the cloud.

Production-and-Preproduction Pattern

Once you’re ready to deploy a workload to a production environment, you should add an additional subscription. This helps you keep your production data and other assets out of your dev/test environments. You can also easily apply two different sets of policies across the resources in the two subscriptions.

Workload Separation Pattern

As an organization adds new workloads to the cloud, different ownership of subscriptions or basic separation of responsibility may result in multiple subscriptions in both the production and preproduction management groups. While this approach does provide basic workload separation, it doesn’t take significant advantage of the inheritance model to automatically apply policies across a subset of your Azure subscriptions.

Application Category Pattern

As an organization’s cloud footprint grows, additional subscriptions are typically created to support applications with fundamental differences in business criticality, compliance requirements, access controls, or data protection needs.

Each organization will categorize their applications differently, often separating subscriptions based on specific applications or services or along the lines of application archetypes. Some workloads that might justify a separate subscription under this pattern include:

• Mission-critical workloads.
• Applications with protected data.
• Experimental applications.
• Applications subject to regulatory requirements (such as HIPAA or FedRAMP).
• Batch workloads.
• Big data workloads such as Hadoop.
• Containerized workloads using deployment orchestrators such as Kubernetes.
• Analytics workloads.

Functional pattern

The functional pattern organizes subscriptions and accounts along functional lines, such as finance, sales, or IT support, using a management group hierarchy.

Business Unit pattern

The business unit pattern groups Azure subscriptions and accounts based on profit and loss category, business unit, division, profit center, or similar business structure using a management group hierarchy.

Geographic pattern

For organizations with global operations, the geographic pattern groups subscriptions and accounts based on geographic regions using a management group hierarchy.

Design Considerations

One of the most critical items in the process of designing a subscription is assessing your current environment and needs.

Understanding how each component is limited and how each impacts the others is critical to a solution that can scale and be flexible enough to support the needs of the business.

Specifically, it is important to have a thorough understanding of the following aspects:

• Business requirements such as availability, recoverability, performance, cost Centers and chargebacks.
• Technical requirements like network connectivity, AD requirement, and considerations around management tools.
• Security considerations like policies, subscription administrators, and implementation of a least privilege administrative model among others.
• Additional considerations include Scalability plans, subscription owner, Office 365 AAD tenant set up, trial Power BI evaluation, trust issues between owners of a subscription and the owner of resources to be deployed.
• Rigid financial or geopolitical controls might require separate financial arrangements for specific subscriptions.

Speaking of security concerns in Azure, read the part-3 of this article series for to know how to put together an effective operational security plan to safeguard your data, applications, and other assets in Azure.

Subscription Naming Conventions – Best Recommendation(s)

When naming Azure subscriptions, verbose names make understanding the context and purpose of each subscription clear. When working in an environment with many subscriptions, following a shared naming convention can improve clarity.

A recommended pattern for naming subscriptions is:

<Company>-<Department (optional)>-<Product Line (optional)>-<Environment>

Company would usually be the same for each subscription. However, some companies may have child companies within the organizational structure. These companies may be managed by a central IT group.

Department is a name within the organization that contains a group of individuals. This item within the namespace is optional.

Product line is a specific name for a product or function that is performed from within the department. This is typically optional for internal-facing services and applications. However, it is highly recommended to use for public-facing services that require easy separation and identification (such as for clear separation of billing records).

Environment is the name that describes the deployment lifecycle of the applications or services, such as Dev, QA, or Prod.

Nancy Bonhomme

Program Manager, Motifworks

Nancy comes with over a decade’s experience in project management and client engagement. In her past experience, she partnered cross-functionally to successfully lead the migration to a new, more modern architecture for the business.