Setting Up & Managing Azure Management Groups

This article has not been completed yet. However, it may already contain helpful Information and therefore it has been published at this stage.

Common RBAC - Roles:

Owner: Has full access to all resources, including the ability to delegate access to other users.
Contributor: Can create and manage Azure resources.
Reader: Can view only existing Azure resources.

Roles to manage Management groups:

Therefore we now fetch the User Access Admin - Permissions \ Global Admin - Permissions to be allowed to create Management groups.

By default, Subscription will always be directly under the root management group.

Management groups can mirror your billing hierarchy.
You use Management groups to model your organization.
Azure Subscriptions can be grouped based on a need for common roles assigned along with Azure Policies and Initiatives.
You can actively control access, policies, and compliance for more than one subscriptions with ease. All subscription objects within a Management group receive a copy of the role-based access control and policy settings applied to the Management group.
Management group can contain other Management groups or subscriptions, but it cannot contain an Azure Resource.
Management groups and subscriptions can only support one parent.
Management group trees can support up to six levels of depth, not including the root level or the subscription level.
All subscriptions and Management groups within a hierarchy share a common directory.
Management groups reside within a tenant and cannot contain subscriptions of different tenants.
A single directory can have up to 10,000 Management groups.

Root Management group

Create separate Subscriptions/Management groups for each Customer.
Create separate Subscriptions/Management groups for each Project.
Create separate Subscriptions for different Environments (e.g. Dev, Stage, Prod).
Create separate Subscriptions for all the various Departments with independent roles and access to all the users.