To check your Azure subscription and its entire hierarchy, you'll want to start by accessing the Azure portal. The Azure portal is the primary interface for managing your Azure resources, and it's where you'll find the information you need to check your subscription and its hierarchy.
You can access the Azure portal by going to the Azure website and signing in with your Azure account credentials. Once you're signed in, you'll see a dashboard that displays an overview of your Azure resources, including your subscription and its hierarchy.
Your Azure subscription is the top-level entity in your Azure hierarchy, and it contains all of your Azure resources, including virtual machines, storage accounts, and databases. To view your subscription, click on the "Subscriptions" link in the navigation menu.
Azure Subscription Management
Azure Subscription Management is a crucial aspect of working with Azure. An Azure subscription is a logical unit of Azure services linked to an Azure account, serving as a single billing unit for Azure resources used in that account.
You can have more than one subscription, often for billing purposes, since each subscription generates its own set of billing reports and invoices. The person who creates an Azure subscription becomes the global administrator for that subscription and has full access to every aspect of that subscription.
To manage your Azure subscriptions, you can use the Azure CLI. You can specify which subscription to work in by using the `--subscription` parameter in your command. If you don't specify a subscription, the command uses your current, active subscription.
To see the subscription you're currently using or to get a list of available subscriptions, run the `az account show` or `az account list` command. You can also store subscription information in a variable for use within a script.
Here are the steps to list Azure subscriptions:
- Run the `az account list` command to see a list of all the Azure subscriptions you have access to.
- The command will list out the details for all the Azure subscriptions you have access to, including the tenantId of Azure AD, the user you're logged in with, and the cloudName for which type of Azure cloud that Azure subscription resides in.
To set the Azure CLI to use a specific subscription, you can run the `az account set` command with the `--subscription` parameter. Be sure to replace the placeholders with the actual id or name for the Azure subscription you want to target.
Azure Subscription Hierarchy
Azure's hierarchy is a key concept to understand when working with subscriptions. Resources like virtual machines and databases are grouped within resource groups, which are then part of a subscription that defines quotas and limits.
Subscriptions are further grouped into management groups, which provide centralized management for access, policies, or compliance. This hierarchy creates a problem when trying to monitor subscription creations, as it requires prior knowledge of the subscription.
Global administrators cannot view all subscriptions by default, and must first elevate access through Azure Active Directory properties and uncheck the global subscription filter.
List Azure Subscriptions
To list Azure Subscriptions, you can run the `az account list` command in the Azure CLI. This command will return a JSON response with information about all the Azure Subscriptions your current login has access to.
The JSON output will contain the details for each Azure Subscription, including the tenantId of Azure AD, the user you're logged in with, and the cloudName for which type of Azure cloud that Azure Subscription resides in. However, only the name and id are necessary for verifying and setting which Azure Subscription you want to run Azure CLI commands against.
By running the `az account list` command, you can easily view a list of all the Azure Subscriptions you have access to, and use the name or id to set the correct subscription for your Azure CLI commands.
Azure's Hierarchy
Azure's hierarchy is complex, but understanding it is key to navigating subscription creations and monitoring. Resources like virtual machines and databases are grouped within resource groups, which serve as logical containers for similar resources.
Resource groups are part of a subscription, which defines quotas and limits. This hierarchy implies that monitoring and logging are often scoped to a specific set of subscriptions.
Subscriptions are part of management groups, which provide centralized management for access, policies, or compliance. Most Azure components are resources, including monitoring solutions like Azure Sentinel.
Creating an Azure Sentinel instance requires prior creation of a subscription, highlighting the chicken or the egg problem of monitoring subscription creations. You need prior knowledge of the subscription to monitor it.
Even global administrators can't view all subscriptions by default. To view all subscriptions, you need to elevate access through Azure Active Directory properties and uncheck the global subscription filter.
Subscription Information and Settings
To get subscription information, you can use the `az account show` command. This command displays the subscription you're currently using.
The `az account list` command is another way to get subscription information: it returns a JSON response with information about all the subscriptions your current login has access to.
You can store subscription information in a variable for use within a script. This can be helpful when automating tasks or workflows that require specific subscriptions.
To view which Azure Subscription the Azure CLI's context is currently set to target, run the `az account show` command. This will display a JSON response with information about the specific subscription the Azure CLI is currently set to work with.
The `az account list` command will list out the details for all the Azure Subscriptions you have access to. This includes the tenantId of Azure AD, the user you're logged in with, and the cloudName for which type of Azure cloud that subscription resides in.
To set the Azure CLI to use a specific subscription, you'll need to run the `az account set` command. Be sure to replace the placeholders in the command with the actual id or name of the subscription you want to target.
If the `az account set` command is executed successfully, the terminal will not return a response. However, if there's an error setting the Azure CLI to a specific subscription, an error message will be returned.
Subscription Security and Monitoring
Detecting and preventing rogue Azure subscriptions is crucial for maintaining the security of your enterprise accounts. NVISO Labs has published guidance on detecting and preventing rogue subscriptions.
Monitoring new subscriptions in enterprise accounts is also essential. ITSec365 recommends monitoring new subscriptions to prevent unauthorized access.
Subscription Collection and Logging
To collect and log Azure subscriptions, start by creating a new empty logic app with system-assigned identity enabled. This managed identity is what the logic app will use to read the list of subscriptions.
Ensure the Reader role is assigned to the logic app's managed identity, which will allow it to read the list of subscriptions.
You can then proceed to build the logic to collect the subscriptions by selecting a Recurrence trigger in the logic app's designer, which will trigger the collection at a set interval. We recommend lowering the original hourly recurrence to 5 minutes or less for faster alerting.
With the trigger defined, click the New step button to add an operation, and search for and select the Azure Resource Manager List Subscriptions action. This action will retrieve the list of subscriptions.
Once you've retrieved the list of subscriptions, you can add another operation to send them into a Log Analytics workspace by searching for and selecting the Azure Log Analytics Data Collector Send Data operation. This requires the target Log Analytics workspace's ID and primary key.
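The same collect-and-compare cycle can be sketched with the Azure CLI. This is an added example, not the logic app described above and not code from any of the listed sources; the function names and the baseline file are hypothetical, and the snapshot contains only subscriptions the signed-in identity can read.

```shell
#!/bin/sh
# Added example: report subscription ids that were not seen in earlier runs.
# Function names and the baseline file are assumptions made for this example.

# List every subscription id the signed-in identity can read, one per line.
# --refresh bypasses the CLI's local cache so newly created subscriptions appear.
snapshot_subscription_ids() {
    az account list --refresh --query "[].id" --output tsv
}

# Print ids that are in snapshot file $2 but not in baseline file $1.
new_subscription_ids() {
    base_sorted=$(mktemp) || return 1
    cur_sorted=$(mktemp) || return 1
    LC_ALL=C sort -u "$1" > "$base_sorted"
    LC_ALL=C sort -u "$2" > "$cur_sorted"
    LC_ALL=C comm -13 "$base_sorted" "$cur_sorted"
    rm -f "$base_sorted" "$cur_sorted"
}

# One collection cycle against baseline file $1: print unseen ids, then record
# them so each new subscription is reported exactly once.
check_once() {
    baseline=$1
    current=$(mktemp) || return 1
    if ! snapshot_subscription_ids > "$current"; then
        rm -f "$current"
        return 1    # a failed listing must not be read as "nothing new"
    fi
    [ -f "$baseline" ] || : > "$baseline"
    unseen=$(new_subscription_ids "$baseline" "$current")
    rm -f "$current"
    if [ -n "$unseen" ]; then
        printf '%s\n' "$unseen"
        printf '%s\n' "$unseen" >> "$baseline"
    fi
}
```

Run `check_once` on the same interval as the recurrence trigger and alert on any output; on the first run with an empty baseline every existing subscription is reported once.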
Subscription Configuration and Testing
To set the Azure CLI to target a specific subscription, you will run the `az account set` command with the id or name of the subscription. Be sure to replace the placeholders with the actual id or name of the subscription returned from the `az account list` command.
If the `az account set` command executed successfully, the terminal will not return a response, so it's essential to run the `az account show` command afterwards to verify the correct subscription is set.
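Because a successful `az account set` prints nothing, a script should confirm the switch before running anything else. The following is an added example, not taken from the sources listed below; the function names are hypothetical, and it assumes subscription names contain no single quote.

```shell
#!/bin/sh
# Added example: select a subscription by name or id and verify the result.
# Function names are assumptions made for this example.

# Print the id of the subscription whose name matches $1 exactly.
# Assumes the name contains no single quote (it is embedded in the query).
sub_id_by_name() {
    az account list --query "[?name=='$1'].id" --output tsv
}

# Select subscription $1 (name or id) and confirm the active context changed.
# Prints the active subscription id and returns 0 on success, 1 otherwise.
use_subscription() {
    target=$1
    # Resolve a name to its id first so the check below compares id with id.
    resolved=$(sub_id_by_name "$target")
    case $resolved in
        *"
"*) echo "subscription name '$target' is ambiguous" >&2; return 1 ;;
    esac
    if [ -n "$resolved" ]; then
        target=$resolved
    fi

    az account set --subscription "$target" || return 1

    # az account set is silent on success, so read the context back.
    active=$(az account show --query id --output tsv) || return 1
    if [ "$active" != "$target" ]; then
        echo "active subscription is $active, expected $target" >&2
        return 1
    fi
    echo "$active"
}
```

Calling `use_subscription` at the top of a script and aborting on a non-zero status keeps later commands from running against whichever subscription happened to be active.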
Frequently Asked Questions
How do I check my free Azure subscription balance?
To check your free Azure subscription balance, sign in to the Azure portal and navigate to "Cost Management + Billing" > "Cost analysis" or "Budgets". Here, you'll find your free credit balance and usage details.
How to check the subscription owner in Azure?
To find the subscription owner in Azure, visit the Subscriptions page in the Azure portal and select the subscription's Properties under Settings. The account administrator will be listed in the Account Admin box.
Sources
- https://k21academy.com/microsoft-azure/az-900-azure-subscriptions/
- https://blog.nviso.eu/2022/05/18/detecting-preventing-rogue-azure-subscriptions/
- https://learn.microsoft.com/en-us/cli/azure/manage-azure-subscriptions-azure-cli
- https://build5nines.com/azure-cli-2-list-set-azure-subscription/
- https://octopus.com/docs/infrastructure/accounts/azure