Manage resource groups – Manage Azure identities and governance – AZ-104 Study Guide

Manage resource groups

When creating resource groups, consider the following factors in your resource group design:

  • A resource can be a member of only one resource group.
  • A resource group cannot be nested in another resource group.
  • You can move a resource from one resource group to another.
  • A resource group can be used to scope access control.
  • A resource group can be used to scope policy.
  • A resource in a resource group can interact with resources in another resource group.
  • A resource group is created in a location, also known as an Azure region. The location of a resource group specifies where the metadata for the resource group is stored. If you have compliance or geography constraints, this is an important consideration.
  • Microsoft recommends that all resources in a resource group share the same lifecycle.
  • It is not mandatory to have all Azure resources belong to a resource group.
  • Creating a resource group through the Azure portal can be an easier task. You just need region or location details along with a valid resource group name (see Figure 1-42).

FIGURE 1-42 Create A Resource Group blade

Move resources across resource groups

Some resources in Azure can be moved between resource groups and even across subscriptions, but support for move operations varies based on the service. A reference of services that can be moved can be found at https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources. In Figure 1-43, the VM in Resource Group 2 can be moved into Resource Group 1, and it can also be moved across subscriptions into the resource group in Subscription 2.

IMPORTANT MOVE OPERATIONS

Even if a resource states that it supports move operations, there can be other factors that prevent the resource from moving. To find out move operation support for Azure resources, see https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-support-resources.

FIGURE 1-43 Moving resources diagram

During a move operation, your resources will be locked. Both write and delete operations to the Azure resource will be blocked, but the underlying service will continue to function. For example, if you move a web app in Azure App Service, the app will continue to serve web requests to visitors. It can take up to four hours for a move operation to complete. If the move operation fails within the four-hour window, Resource Manager will reattempt the move operation.

To move resources between subscriptions, both subscriptions must be associated with the same Entra tenant. If the subscriptions do not belong to the same tenant, you can update the target subscription to use the source Entra tenant by transferring ownership of the subscription to another account. Note that this operation can have unexpected effects because the Entra tenant associated with a subscription is used for RBAC to any currently deployed Azure services.
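The same-tenant requirement above can be checked before a cross-subscription move is attempted. The following Azure CLI wrapper is an added example, not part of the study guide; the function names and the subscription, group and resource ID arguments are placeholders chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check before a cross-subscription resource move.
# Function names and all arguments are illustrative placeholders.

# Print the Entra tenant ID that a subscription is associated with.
tenant_of() {
  az account show --subscription "$1" --query tenantId --output tsv
}

# Succeed only when both subscriptions resolve to the same, non-empty tenant.
# Returns 2 if either lookup fails, 1 if the tenants differ.
same_tenant() {
  local src dst
  src="$(tenant_of "$1")" || return 2
  dst="$(tenant_of "$2")" || return 2
  [ -n "$src" ] && [ "$src" = "$dst" ]
}

# Move resources into a destination group, refusing if the tenants differ.
# usage: guarded_move SRC_SUB DST_SUB DST_GROUP RESOURCE_ID...
guarded_move() {
  local src_sub="$1" dst_sub="$2" dst_group="$3"
  shift 3
  if ! same_tenant "$src_sub" "$dst_sub"; then
    echo "refusing move: subscriptions are not in the same Entra tenant" >&2
    return 1
  fi
  az resource move \
    --subscription "$src_sub" \
    --destination-subscription-id "$dst_sub" \
    --destination-group "$dst_group" \
    --ids "$@"
}
```

Because a resource group can scope access control and policy, review the role assignments and policies on the destination group before calling `guarded_move`; the moved resource inherits them.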

NEED MORE REVIEW? TRANSFER SUBSCRIPTION OR POINT TO A NEW ENTRA TENANT

To transfer ownership of an Azure subscription to another account, see https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/billing-subscription-transfer.

Also, to add an Azure subscription to a new Entra tenant, see https://learn.microsoft.com/en-us/entra/fundamentals/how-subscriptions-associated-directory.