Link between Azure subscription and Azure AD
I wanted to improve on a diagram I found in the docs for Azure RBAC which provides a really clear illustration of how Azure administrative components are connected. You can see my version here/above, or click through for a larger version. The original was a bit hidden away in an unexpected place on the MS site and it deserves more of a surface for discovery.
Key points
The rules to take away from this are:
- Each subscription in Azure belongs to only one directory (but each directory can control access for more than one subscription)
- Each resource group belongs to only one subscription
- Each resource belongs to only one resource group
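
The three rules can be checked against an inventory export. The sketch below is an added example, not code from the original post or from Microsoft: it assumes account records carrying the `id` and `tenantId` fields that `az account list` returns, plus standard Azure resource IDs, and all GUIDs and resource names in it are constructed placeholders.

```python
import re
from collections import defaultdict

# Resource IDs encode the chain: subscription -> resource group -> resource.
RESOURCE_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<res>.+)$", re.IGNORECASE)

def build_hierarchy(accounts, resource_ids):
    """Return {directory: {subscription: {resource_group: [resources]}}}."""
    sub_to_dir = {}
    for acct in accounts:  # 'id' and 'tenantId' as in `az account list` output
        sub, tenant = acct["id"].lower(), acct["tenantId"].lower()
        # Rule 1: a subscription belongs to exactly one directory.
        if sub_to_dir.setdefault(sub, tenant) != tenant:
            raise ValueError(f"subscription {sub} listed under two directories")
    tree = defaultdict(dict)
    for sub, tenant in sub_to_dir.items():
        tree[tenant][sub] = defaultdict(list)  # keep empty subscriptions visible
    for rid in resource_ids:
        m = RESOURCE_ID.match(rid)
        if not m or m["sub"].lower() not in sub_to_dir:
            raise ValueError(f"cannot place resource: {rid}")
        sub = m["sub"].lower()
        # Rules 2 and 3: the ID itself names one subscription and one group.
        tree[sub_to_dir[sub]][sub][m["rg"].lower()].append(m["res"])
    return tree

def subscriptions_outside(accounts, trusted_directory):
    """Subscriptions whose access is controlled by a directory other than ours."""
    return sorted(a["id"] for a in accounts
                  if a["tenantId"].lower() != trusted_directory.lower())

# Constructed sample inventory (placeholder GUIDs, not real tenants).
DIR_A, DIR_B = (f"{n}-0000-0000-0000-000000000000" for n in ("aaaaaaaa", "bbbbbbbb"))
SUB_1, SUB_2, SUB_3 = (f"{n}-0000-0000-0000-000000000000" for n in ("11111111", "22222222", "33333333"))
ACCOUNTS = [{"id": SUB_1, "tenantId": DIR_A}, {"id": SUB_2, "tenantId": DIR_A},
            {"id": SUB_3, "tenantId": DIR_B}]
RESOURCES = [
    f"/subscriptions/{SUB_1}/resourceGroups/web-rg/providers/Microsoft.Web/sites/shop",
    f"/subscriptions/{SUB_1}/resourceGroups/web-rg/providers/Microsoft.Storage/storageAccounts/shopdata",
    f"/subscriptions/{SUB_2}/resourceGroups/Data-RG/providers/Microsoft.Sql/servers/db1",
]

if __name__ == "__main__":
    tree = build_hierarchy(ACCOUNTS, RESOURCES)
    for directory, subs in tree.items():
        print(directory, {s: dict(groups) for s, groups in subs.items()})
    print("outside trusted directory:", subscriptions_outside(ACCOUNTS, DIR_A))
```

A subscription reported by `subscriptions_outside` has its role assignments governed by a different directory, which is worth confirming as intentional during an access review.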