Equivalent to Sub-accounts in AWS?

Nick Yost 0 Reputation points
2024-05-01T21:50:29.2366667+00:00

What is the functional equivalent to "Subaccounts" in AWS? We utilize Azure but my background is primarily in AWS and I'd like to separate the resources completely by using a setup similar to the conventional setup in AWS where the root account just handles billing and there is a subaccount for each type of environment (i.e. dev, prod, etc). My intent is not to segment billing (which will likely happen anyways) but instead to ensure firm boundary isolation between accounts.

AWS has broad support for this within the organization, and I am sure that Azure has this as well, but I am having a hard time figuring out which approach to take to achieve this. Is a different subscription equivalent to isolation (meaning I can create the same subnet in each subscription, for example) or is Management Groups the way to go? Maybe something else entirely?

Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.

2 answers

  1. Marcin Policht 13,175 Reputation points MVP
    2024-05-01T23:22:32.7933333+00:00

    Use subscriptions.

    You can create the same subnet even in each subscription, as long as that subnet is in a different virtual network. However, if your intention is to provide full isolation from the management standpoint, then subscriptions should work for you. You can consolidate billing at the management group level.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin


  2. Sumarigo-MSFT 44,081 Reputation points Microsoft Employee
    2024-05-02T04:34:36.3933333+00:00

    @Nick Yost In Azure, the functional equivalent to AWS’s “Subaccounts” for resource separation and management is achieved through a combination of Azure Subscriptions, Management Groups, and Azure Active Directory (AAD) Tenants.

    • Azure Subscriptions act as containers for resources and provide isolation from one another, similar to AWS subaccounts. You can create separate subscriptions for different environments like dev, prod, etc., and each subscription can have its own set of resources, policies, and access controls.
    • Management Groups provide a level of scope above subscriptions. You can organize subscriptions into containers called management groups and apply governance policies to management groups. All subscriptions within a management group automatically inherit the policies applied to the management group.
    • Azure Active Directory (AAD) Tenants are dedicated instances of Azure AD that an organization receives and owns when it signs up for a Microsoft cloud service such as Azure, Microsoft 365, or Dynamics 365. AAD tenants can be used to manage users, groups, and access to applications and subscriptions.

    Using these tools, you can achieve a setup in Azure that is functionally equivalent to the AWS setup you’re familiar with, where the root account handles billing, and subaccounts are used for different types of environments with firm boundary isolation between them.

    For billing segmentation, Azure Cost Management + Billing provides tools to monitor, allocate, and optimize costs across Azure subscriptions and management groups, which can help you achieve the billing separation you mentioned as a likely outcome.

    You can create a separate subscription for each type of environment and use resource groups to organize your resources within each subscription. If you need to manage access, policy, and compliance across multiple subscriptions, you can use Management Groups to provide a hierarchical structure for organizing your subscriptions.

    Please let us know if you have any further queries. I’m happy to assist you further.    


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

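Added example, not part of either answer above: a check for the "firm boundary isolation" the question asks about, listing principals whose role assignments reach both a dev and a prod subscription, either directly or through a management group above them. It assumes role assignments exported as (principal, role, scope) tuples and relies on Azure RBAC assignments at a management group being inherited by the subscriptions beneath it; every name and ID is constructed.

```python
# Constructed sample data: every name below is a placeholder, not from the thread.
MG_PREFIX = "/providers/microsoft.management/managementgroups/"
MG_PARENT = {"mg-root": None, "mg-workloads": "mg-root"}  # group -> parent group
SUB_PARENT = {"sub-dev": "mg-workloads", "sub-prod": "mg-workloads"}  # sub -> group
ASSIGNMENTS = [  # (principal, role, scope), shaped like exported role assignments
    ("alice", "Contributor", "/subscriptions/sub-dev"),
    ("bob", "Contributor", "/subscriptions/sub-prod/resourceGroups/rg-app"),
    ("ci-pipeline", "Owner",
     "/providers/Microsoft.Management/managementGroups/mg-workloads"),
    ("carol", "Reader", "/subscriptions/sub-dev"),
    ("carol", "Reader", "/subscriptions/sub-prod"),
]


def ancestors(sub):
    """Management groups above a subscription, nearest first."""
    chain, mg = [], SUB_PARENT.get(sub)
    while mg is not None:
        chain.append(mg)
        mg = MG_PARENT.get(mg)
    return chain


def reaches(scope, sub):
    """True if an assignment at `scope` applies inside subscription `sub`."""
    s = scope.lower().rstrip("/")
    if s.startswith(MG_PREFIX):
        # Management-group assignments flow down to every subscription below.
        return s[len(MG_PREFIX):] in [m.lower() for m in ancestors(sub)]
    parts = s.strip("/").split("/")
    # Subscription scope, or a resource group / resource inside it.
    return len(parts) >= 2 and parts[0] == "subscriptions" and parts[1] == sub.lower()


def cross_boundary(assignments, sub_a, sub_b):
    """Principals holding access in both subscriptions, with the granting scopes."""
    found = {}
    for principal, role, scope in assignments:
        for sub in (sub_a, sub_b):
            if reaches(scope, sub):
                found.setdefault(principal, {}).setdefault(sub, []).append((role, scope))
    return {p: s for p, s in found.items() if sub_a in s and sub_b in s}


if __name__ == "__main__":
    for who, subs in cross_boundary(ASSIGNMENTS, "sub-dev", "sub-prod").items():
        print(who, subs)
```

In the sample, `ci-pipeline` crosses the boundary only through its management-group assignment, which a per-subscription review would not show.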