Organize Your Azure Resources with Management Groups
Organize Your Azure Resources with Management Groups
If your organization has many Azure subscriptions, you may need a way to efficiently manage access, policies, and compliance across those subscriptions. Azure management groups provide a governance scope above subscriptions, allowing you to organize your subscriptions into a hierarchical structure for unified policy and access management.
Hierarchy of Management Groups and Subscriptions
You can build a flexible hierarchy of management groups and subscriptions to organize your Azure resources. Management groups allow you to apply policies and access controls that cascade down to all associated subscriptions and resources.
For example, you could create a hierarchy that applies a policy to limit virtual machine (VM) locations to the West US region within a specific management group called “Corp”. This policy would then be inherited by all subscriptions and resources under that management group, ensuring consistent governance across your environment.
Another common use case for management groups is to provide user access to multiple subscriptions. By grouping subscriptions under a single management group, you can assign Azure roles at the management group level, granting users access to everything they need in one assignment, rather than scripting access controls across individual subscriptions.
The Root Management Group
Each Azure Active Directory (Azure AD) tenant is given a single top-level management group called the “root” management group. The root management group serves as the entry point for the hierarchy, with all management groups and subscriptions folding up to it. This allows global policies and Azure role assignments to be applied at the directory level.
The Azure AD Global Administrator must initially elevate themselves to the User Access Administrator role on the root management group before they can assign any other roles to manage the hierarchy. As an administrator, you can then assign your account as the owner of the root management group.
Management Group Access and Custom Roles
Azure management groups support Azure role-based access control (Azure RBAC) for defining permissions and roles. Roles assigned at the management group level will inherit down to all child resources. You can also define custom Azure roles that can be assigned at the management group scope.
There are some important limitations to be aware of when working with custom roles and management groups. For example, you can only define one management group in the assignable scopes of a custom role, and custom roles with data actions cannot be assigned at the management group level.
Moving Management Groups and Subscriptions
When moving management groups or subscriptions within the hierarchy, you need the appropriate permissions on both the child and parent management groups. This includes management group write and role assignment write permissions on the item being moved, as well as management group write access on the target parent management group.
There are some exceptions to these permission requirements if the target or existing parent is the root management group, as the root group is the default landing spot for new items.
Auditing Management Groups
Azure Activity Log provides visibility into all events and operations performed on your management groups, including role assignments, policy changes, and more. You can query the activity log to see detailed information about what’s happening within your management group hierarchy.
Next Steps
To learn more about managing your Azure resources with management groups, check out these resources:
- Create management groups to organize Azure resources
- How to change, delete, or manage your management groups
- How to protect your resource hierarchy
Source: Azure Management Groups Overview