Some quick thoughts on using many Azure subscriptions vs many resource groups in one subscription
- Limits are applied at the subscription (+ sometimes region) level. If one RG uses 500 cores, other business units may be blocked until you open a support request.
- Preview features are applied at the subscription level, so other RGs can't opt in or out. Example: if you want to use the AKS + VMSS preview, you need to be sure that all teams want (and can support) the feature
- This is really hit & miss, but some actions can't be performed because of other resources present in the same subscription. Example from https://docs.microsoft.com/bs-latn-ba/azure/storage/common/storage-auth-aad-rbac-portal:
  "If your subscription includes an Azure Databricks namespace, roles assigned at the subscription scope will be blocked from granting access to blob and queue data."
- Azure Cost Management works across both Subscriptions & Resource Groups (and Management Groups!)
- You can apply RBAC across subscriptions (if they are in the same AAD tenant) to grant read-only, "attach to VNET", etc. So it's not an either/or scenario
- The management challenge is present in both approaches - you still want to figure out how to define & manage N groups. Your scripts/tools might change, but the concepts are the same
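
For the cross-subscription RBAC point above ("attach to VNET"), a least-privilege custom role definition is sketched here as an added example, not something from the original notes. The role name and the `<network-subscription-id>` placeholder are assumptions; the three actions are standard Microsoft.Network operations.

```json
{
  "Name": "Example - Subnet Join Only",
  "IsCustom": true,
  "Description": "Illustrative role (assumed name): lets a principal from another subscription in the same AAD tenant attach NICs to a subnet, without any other network rights.",
  "Actions": [
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<network-subscription-id>"
  ]
}
```

Create it with `az role definition create --role-definition @role.json`, then assign it at the scope of the single subnet rather than the whole subscription, so the other team's principal can join that subnet and nothing else.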