What should IT leaders know about Azure management groups?

February 27 2019

In my journeys learning and using Microsoft Azure, I have tried to keep things simple by creating only as many subscriptions as needed to accomplish any given organizational work. In the early days, subscriptions had limits and those limits helped decide whether your subscriptions needed to sprawl. This was mostly based on whether or not you were supporting customers or breaking up your subscriptions across different departments. The biggest issue with this sprawl was how to manage it, from both a security and a policy standpoint. Then Azure management groups entered the picture.

Azure management groups give an organization a way to control and manage access, compliance, and policies for the subscriptions within its tenant. These containers provide a scope above subscriptions, so whatever is applied to a management group, or to any of its parent groups, is inherited by everything beneath it. This gives you a single mechanism for applying RBAC (role-based access control) across your subscriptions rather than assigning roles to each subscription individually.

Now some quick rules to remember before using Azure management groups with your subscriptions:

  • A subscription can belong to one management group
  • Management groups can only be six levels deep
  • You are allowed 10,000 management groups in a single tenant
  • There is a single top-level root management group that cannot be deleted
  • New subscriptions are automatically placed under the root
  • Any user access assigned to a management group is applied to all resources and child management groups

Let's take a quick look at the hierarchy for building out management groups. Remember that you can create any structure that makes sense for you and helps your organization with subscription management.
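The rules listed above can be modelled in a few lines to show what a subscription inherits from the groups above it. This is an added example, not code from the original post or from Azure tooling; the group, subscription and principal names are constructed, and it assumes the six-level limit is counted below the root group.

```python
# Added illustration: an in-memory model of a management group tree.
# All group, subscription and principal names are constructed sample data.
MAX_DEPTH = 6  # assumption: the six-level limit is counted below the root group

class Hierarchy:
    def __init__(self, root="root"):
        self.root = root
        self.parent = {root: None}   # management group -> parent group
        self.sub_parent = {}         # subscription -> its one management group
        self.assignments = {}        # scope -> set of (principal, role)

    def depth(self, group):
        """Number of levels between the root group and `group`."""
        d = 0
        while self.parent[group] is not None:
            group, d = self.parent[group], d + 1
        return d

    def add_group(self, name, parent):
        if self.depth(parent) + 1 > MAX_DEPTH:
            raise ValueError(f"{name} would exceed {MAX_DEPTH} levels")
        self.parent[name] = parent

    def place_subscription(self, sub, group=None):
        # New subscriptions land under the root; placing one again moves it,
        # so it never has more than one parent group.
        self.sub_parent[sub] = group or self.root

    def assign(self, scope, principal, role):
        self.assignments.setdefault(scope, set()).add((principal, role))

    def effective_access(self, sub):
        """Assignments on the subscription plus everything inherited from above."""
        result = {(p, r, sub) for p, r in self.assignments.get(sub, set())}
        group = self.sub_parent[sub]
        while group is not None:
            result |= {(p, r, group) for p, r in self.assignments.get(group, set())}
            group = self.parent[group]
        return result

def build_sample():
    h = Hierarchy()
    h.add_group("corp", "root")
    h.add_group("corp-prod", "corp")
    h.place_subscription("sub-new")               # defaults to root
    h.place_subscription("sub-payments", "corp-prod")
    h.assign("root", "alice", "Owner")            # reaches every subscription
    h.assign("corp-prod", "ops-team", "Contributor")
    h.assign("sub-payments", "auditor", "Reader")
    return h
```

Each tuple returned by `effective_access` names the scope the assignment came from, so an assignment made at the root shows up against every subscription in the tenant.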

About Greg Leonardo

I currently am a Cloud Architect and Azure MVP, helping organizations with cloud adoption and innovation. I'm a father, developer, teacher, speaker, and an early adopter. I'm president of TampaDev, a community meetup, that runs #TampaCC, Azure User Group, Azure Medics, and various technology events throughout Tampa.

Since my time in the military, I have become a technically savvy cloud technology professional with proven leadership ability and diverse knowledge across a wide range of organizations, programming languages, and technology while utilizing both traditional and agile methodologies. I have a demonstrated ability to work with all levels of management, with a unique ability to provide solutions to meet a variety of business goals, infrastructure needs, and budget requirements with a focus on on-time delivery, security, performance, and quality. I am a decisive leader capable of architecting innovations and cutting-edge solutions while building or training results-oriented organizations that achieve success with all facets of the development life-cycle. I am an accomplished Microsoft community leader and speaker who has presented at various regional code camps, bar camps, user groups, and Microsoft Tech Events on a variety of development and soft skill topics.

Main Technical Expertise: Enterprise solution delivery, cloud architecture, Azure MVP, software architecture, security, development, and automated testing around mobile and web development platforms.

Business Specialties: Executive Leadership and Communications, Visionary Architect, Team Development, Mentoring and Instruction, Strategic Planning and Assessment, R&D and Full Development Life-cycle, Infrastructure Management, and Proven Entrepreneur
