Should I create a resource group or subscription?

Question

We are a software company so we setup solutions for the other companies. I guess we are not unique in this regards :) so I would like to know if we should create a new subscription each time or just a resource group.

Requirements:

• We should be able to bill each customer/project separably
• They should be able to take control of their resources easily and move to another company
• Managing them should not be a headache

What we have tried

We've tried adding a subscription for each customer. This way, we could just change the admin profile and they could completely move away from us. The billing is also OK, since we receive a different email for each subscription, but managing them is becoming a real headache.

What I guess could work

From what I read, I guess we could work with resource groups instead of subscriptions and handle the billing part with tags (haven't tried it yet. can we?) but then I'm afraid of not being able to move it to another subscription when they've asked us.

Is it even possible? How easy is that? Does it envolve contacting support?

Has anyone tried it?

Answer 1

I would advise against billing using resource groups and tags. The reports are a real mess and 100% unusable. Also, its a lot of extra work for nothing (seriously, do you care if you have 1 subscription or 10?) and adds no real benefit.

Also, you can move resources across subscriptions of different tenants. Best way of handling this is doing a subscription move. That way you dont have to do anything else. They just link your subscription to another tenant and you are good.

I'm talking from a perspective of administering dozens of subscriptions, and believe me, if you move away from subscriptions to resource groups (as a billing\security boundary) you will get completely devastated by the increased complexity of what you are doing.

Answer 2

In my experience working with organisations that provide similar hosting services to customers, I'd say resource groups is the way to go to avoid too much segregation. It's easier for you to keep control of the resources as well as keeping the cost low if you decide to use shared compute resources such as Application Gateway, DDOS protection, etc.

Bear in mind that depending on what level of permission you're giving to your clients, they might have access to information from other clients, so it's important to come up with a good security and governance plan for the Azure environment and strictly limit what they can access.

Moving things from one subscription to another is easy as long as you're using resources within the supported move list. Check the list below:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources

You don't have to open a ticket with Microsoft to move these resources and the move can be easily done through the portal interface as long as you select all the resources and it's dependencies and you have access to both subscriptions. If your client decides to move their stuff to their own Azure subscription, they will have to give you permission on that. If the resource you're trying to move is not in the supported list, not even Microsoft can move that.

From a billing perspective, I'd say separating by RG and using tags is the way to go as that can be easily filtered in your exported Azure consumption usage report.