What should IT leaders know about Azure management groups?

February 27 2019

In my journeys learning and using Microsoft Azure, I have tried to keep things simple by creating only as many subscriptions as needed to accomplish any given organizational work. In the early days, subscriptions had limits, and those limits helped decide whether your subscriptions needed to sprawl. This was mostly based on whether or not you were supporting customers, or breaking up your subscriptions across different departments. The biggest issue with this sprawl was how to manage it, both from a security and a policy standpoint. Then Azure management groups entered the picture.

Azure management groups provide a way for an organization to control and manage access, compliance, and policies for the subscriptions within its tenant. These containers provide a scope above subscriptions: anything applied to a management group is inherited by every child management group and subscription beneath it. This gives you a single mechanism for applying RBAC (role-based access control) to your subscriptions rather than assigning roles to each one individually.

Now some quick rules to remember before using Azure management groups with your subscriptions:

  • A subscription can belong to only one management group
  • Management groups can be nested at most six levels deep
  • You are allowed 10,000 management groups in a single tenant
  • There is a single top-level root management group that cannot be deleted
  • New subscriptions are automatically placed under the root
  • Any user access assigned to a management group applies to all child management groups, their subscriptions, and the resources in them

Let's take a quick look at the hierarchy for building out management groups. Remember that you can create any structure that makes sense for you and helps your organization with subscription management.

Now, as you can see, Azure management groups provide a simple yet powerful way to help manage access within your Azure environment. While this alone is extremely helpful, Azure management groups also work with Blueprints, which, as the name suggests, provide a way to create your environment automatically. While this isn't a replacement for Azure DevOps, it is a great way for an organization to initially set up environments by simply placing a subscription in the right management group.

Azure management groups also allow you to create policies and compliance rules for each group. For instance, I can create a policy that requires a VM to have a security agent installed and apply it to production but not to non-production. Or I can create a policy that all App Services be connected to App Insights, which I could apply globally by attaching it to the root. At the end of the day, Azure management groups are very helpful when it comes to managing your subscriptions' base access, while providing a way to apply policies and compliance rules and to leverage blueprints to align environment resources.
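As an added illustration (not code from the article, and not Azure's own API), this Python model of a management group tree shows the inheritance behaviour described above: a policy assigned at the root reaches every subscription, the security-agent policy assigned to prod stays out of nonprod, and the nesting and single-parent rules from the list are checked. Group, subscription, policy and role names are made up.

```python
from dataclasses import dataclass, field

MAX_DEPTH = 6  # management groups nest at most six levels below the root

@dataclass
class Scope:
    """A management group or subscription and the assignments made directly here."""
    name: str
    parent: "Scope | None" = None
    is_subscription: bool = False
    assignments: list = field(default_factory=list)  # ("role", "Reader", "who") etc.
    children: list = field(default_factory=list)

    def __post_init__(self):
        if self.parent is not None:  # a scope has exactly one parent
            self.parent.children.append(self)

    def depth(self) -> int:
        return 0 if self.parent is None else 1 + self.parent.depth()

def effective_assignments(scope: Scope) -> list:
    """Everything in force at `scope`: its own assignments plus every ancestor's."""
    chain, node = [], scope
    while node is not None:
        chain, node = node.assignments + chain, node.parent
    return chain

def validate(root: Scope) -> list:
    """Rule violations under `root`; an empty list means the tree is valid."""
    problems, stack = [], [root]
    while stack:
        node = stack.pop()
        if node.is_subscription and node.children:
            problems.append(f"{node.name}: a subscription cannot contain scopes")
        elif not node.is_subscription and node.depth() > MAX_DEPTH:
            problems.append(f"{node.name}: nested deeper than {MAX_DEPTH} levels")
        stack.extend(node.children)
    return problems

def build_example() -> dict:
    """The article's scenario with made-up names: App Insights policy at the root,
    security-agent policy on prod only, one RBAC grant at the company level."""
    root = Scope("Tenant Root Group")
    corp = Scope("contoso", root)
    prod, nonprod = Scope("prod", corp), Scope("nonprod", corp)
    subs = [Scope("prod-web-sub", prod, True), Scope("dev-sub", nonprod, True)]  # subscriptions
    root.assignments.append(("policy", "app-services-use-app-insights"))
    prod.assignments.append(("policy", "vm-requires-security-agent"))
    corp.assignments.append(("role", "Reader", "cloud-ops-group"))
    return {s.name: s for s in [root, corp, prod, nonprod, *subs]}
```

Calling `effective_assignments(build_example()["dev-sub"])` returns the root policy and the Reader grant but not the prod-only policy, which is exactly the split the article describes.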

Now, you may wonder, how much will all this cost me? It's free. So, what's the next step?

I always tell people to Visio it out and discuss. The reason for this is that the root cannot be deleted, and while you are able to change the name of a management group, you can't change its ID. You will also need to clean up your ownership, because as you add a management group level you will be added as an owner even if you are already the owner of the parent. Always remember, once you assign a subscription to a management group, you can't take it out of management groups altogether; you can only move it to another group. You also can't add individuals or groups to individual subscriptions; rather, create groups aligned with your management groups and add people there. Management groups also can't manage RBAC for resource groups, although this can be managed through an ARM (Azure Resource Manager) template; that isn't applied by the management group directly and will need an Azure DevOps deployment.

If you're trying to simplify your subscription management, Azure management groups offer a way forward.

About Greg Leonardo

I currently am a Cloud Architect and Azure MVP, helping organizations with cloud adoption and innovation. I'm a father, developer, teacher, speaker, and an early adopter. I'm president of TampaDev, a community meetup, that runs #TampaCC, Azure User Group, Azure Medics, and various technology events throughout Tampa.

Since my time in the Military, I have become a technically savvy cloud technology professional with proven leadership ability and a diverse knowledge of a wide range of organizations, programming languages, and technology, utilizing both traditional and agile methodologies. I have a demonstrated ability to work with all levels of management, with a unique ability to provide solutions to meet a variety of business goals, infrastructure needs, and budget requirements with a focus on on-time delivery, security, performance, and quality. I am a decisive leader capable of architecting innovations and cutting-edge solutions while building or training results-oriented organizations that achieve success with all facets of the development life-cycle. I am an accomplished Microsoft community leader and speaker who has presented at various regional code camps, bar camps, user groups, and Microsoft Tech Events on a variety of development and soft skill topics.

Main Technical Expertise: Enterprise solution delivery, cloud architecture, Azure MVP, software architecture, security, development, and automated testing around mobile and web development platforms.

Business Specialties: Executive Leadership and Communications, Visionary Architect, Team Development, Mentoring and Instruction, Strategic Planning and Assessment, R&D and Full Development Life-cycle, Infrastructure Management, and Proven Entrepreneur
