A well-structured Azure account prevents billing surprises, simplifies access management, and scales with your organization. This guide covers account creation, subscription design, CLI configuration, automation credentials, and cost controls.

Create an Azure Account

  1. Visit azure.microsoft.com/free and sign in with a Microsoft account or work account
  2. Complete identity verification (phone and credit card — free tier does not charge unless you upgrade)
  3. New accounts receive $200 credit for 30 days plus 12 months of popular free services
  4. Enable multi-factor authentication on the account immediately

Azure Resource Hierarchy

  Tenant (Entra ID directory)
  └── Management Group (optional, for enterprise governance)
        └── Subscription (billing and access boundary)
              └── Resource Group (logical container for a project/environment)
                    └── Resources (VMs, databases, storage accounts, etc.)

Concept | Purpose | Example
Tenant | Identity boundary (Entra ID) | contoso.onmicrosoft.com
Subscription | Billing unit, RBAC scope | Production, Development
Resource Group | Lifecycle container for related resources | rg-webapp-prod
Resource | Individual service instance | vm-web-01, sql-main

Subscription Strategy

Pattern | Subscriptions | Best For
Simple | 1 subscription, multiple RGs | Learning, small teams
Environment-based | dev, staging, prod | Most production workloads
Team-based | per team + shared services | Large organizations
Enterprise | Management Groups → many subscriptions | Governance at scale

# List subscriptions
az account list --output table

# Set active subscription
az account set --subscription "Production"

# Create resource group
az group create \
  --name rg-webapp-prod \
  --location eastus \
  --tags environment=production project=webapp owner=platform-team

Install Azure CLI

# macOS
brew install azure-cli

# Linux
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

# Verify
az --version
# azure-cli 2.x.x

# Sign in (opens browser)
az login

# Sign in with specific tenant
az login --tenant contoso.onmicrosoft.com

# Verify current context
az account show --output table

Configure Defaults

# Set default resource group and location
az configure --defaults group=rg-learning-dev location=eastus

# Now commands omit --resource-group and --location
az vm list --output table

Azure PowerShell (Alternative)

# Install (cross-platform)
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

# Connect
Connect-AzAccount
Get-AzSubscription
Set-AzContext -Subscription "Production"

# Create resource group
New-AzResourceGroup -Name rg-webapp-prod -Location eastus -Tag @{environment="production"}

Use CLI for cross-platform scripting; PowerShell if your team is Windows-centric.

Service Principals for Automation

Never use personal credentials in CI/CD pipelines:

# Create service principal with Contributor role on resource group
# (scope it to the resource group, not the whole subscription, so a leaked
# secret cannot touch other environments)
az ad sp create-for-rbac \
  --name "sp-cicd-webapp" \
  --role contributor \
  --scopes /subscriptions/SUBSCRIPTION_ID/resourceGroups/rg-webapp-prod \
  --output json

# Output (store securely — shown once):
# {
#   "appId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
#   "displayName": "sp-cicd-webapp",
#   "password": "secret-value",
#   "tenant": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
# }

Use in GitHub Actions or Azure DevOps:

# GitHub Actions example
# AZURE_CREDENTIALS is a repository secret holding a JSON object with
# clientId (appId), clientSecret (password), tenantId (tenant) and
# subscriptionId; it is never committed to the repository.
- uses: azure/login@v2
  with:
    creds: ${{ secrets.AZURE_CREDENTIALS }}

Prefer Managed Identities when running on Azure resources (VMs, App Service, Functions) — no secrets to manage.

Billing and Cost Controls

# Create a monthly cost budget scoped to the resource group
# (--category is required; alert thresholds are configured in the Portal below)
az consumption budget create \
  --budget-name monthly-dev-budget \
  --category cost \
  --amount 100 \
  --time-grain monthly \
  --start-date 2024-06-01 \
  --end-date 2025-06-01 \
  --resource-group rg-learning-dev

Configure in Portal: Cost Management + Billing → Budgets → Add

Alert Threshold | Action
50% of budget | Email notification
80% of budget | Email + review resources
100% of budget | Email + consider auto-shutdown scripts

Enable Microsoft Defender for Cloud

Free tier provides security recommendations and Secure Score:

# Set the Defender for Cloud plan for virtual machines on the active
# subscription to the Free tier (recommendations and Secure Score only)
az security pricing create \
  --name VirtualMachines \
  --tier Free

# Check secure score
az security secure-scores list --output table

Portal vs CLI vs Bicep

Tool | Best For | Learning Curve
Azure Portal | Visual exploration, one-off changes | Low
Azure CLI | Scripting, automation, daily ops | Medium
Bicep/ARM templates | Repeatable, version-controlled IaC | Medium-High
Terraform | Multi-cloud IaC | Medium-High

Start with Portal to learn services, adopt CLI for daily work, and Bicep/Terraform for production deployments.

Real-World Scenario: Team Onboarding

A startup with 5 developers:

  1. One Entra ID tenant with MFA enforced
  2. Three subscriptions: Development, Staging, Production
  3. RBAC roles: Owner (CTO), Contributor (developers on dev), Reader (developers on prod)
  4. Service principal for CI/CD with Contributor on staging/prod resource groups
  5. Budget alerts at $50, $100, $200 per subscription
  6. Azure Policy enforcing required tags on all resources

Common Mistakes

  1. Everything in one subscription — no billing isolation between environments
  2. Personal account for production — use work accounts with proper governance
  3. Service principal secrets in Git — use Key Vault or Managed Identities
  4. No default location set — resources scattered across regions unintentionally
  5. Ignoring naming conventions — adopt {type}-{project}-{environment}-{region} early
  6. No budget alerts — configure on day one

Troubleshooting

Error | Cause | Fix
Please run 'az login' | Session expired | Run az login again
SubscriptionNotFound | Wrong subscription ID | az account list and az account set
AuthorizationFailed | Insufficient RBAC | Request Contributor or specific role
LocationNotAvailable | Service not in region | Choose supported region or request feature
InvalidResourceGroupName | Invalid characters | Use alphanumeric, underscores, hyphens, parentheses

Best Practices Summary

  • Separate subscriptions for production and non-production
  • Apply tags to every resource from the first deployment
  • Use service principals or Managed Identities for automation — never personal credentials
  • Configure budget alerts before deploying any resources
  • Enable Defender for Cloud for security posture visibility
  • Adopt naming conventions and enforce with Azure Policy
  • Store infrastructure as Bicep or Terraform from the start
