This article has not been completed yet. However, it may already contain helpful Information and therefore it has been published at this stage.
Obtain the right permissions:
Common RBAC - Roles:
- Owner: Has full access to all resources, including the ability to delegate access to other users.
- Contributor: Can create and manage Azure resources.
- Reader: Can view only existing Azure resources.
Roles to manage Management groups:
- User Access Administrator: Can manage access to Azure resources.
- Global Admin
Therefore we now fetch the User Access Admin - Permissions \ Global Admin - Permissions to be allowed to create Management groups.
Creating a Management group:
Moving a subscription to a Management group:
By default, Subscription will always be directly under the root management group.
Azure Resource Management Hierarchy:
Azure Management group design principles and capabilities:
- Management groups can mirror your billing hierarchy.
- You use Management groups to model your organization.
- Azure Subscriptions can be grouped based on a need for common roles assigned along with Azure Policies and Initiatives.
- You can actively control access, policies, and compliance for more than one subscriptions with ease. All subscription objects within a Management group receive a copy of the role-based access control and policy settings applied to the Management group.
- Management group can contain other Management groups or subscriptions, but it cannot contain an Azure Resource.
- Management groups and subscriptions can only support one parent.
- Management group trees can support up to six levels of depth, not including the root level or the subscription level.
- All subscriptions and Management groups within a hierarchy share a common directory.
- Management groups reside within a tenant and cannot contain subscriptions of different tenants.
- A single directory can have up to 10,000 Management groups.
Root Management group
- All Management groups in the Azure AD are under the root Management group.
- Root Management group cannot be moved or deleted.
- You can only have one root Management group.
- Create separate Subscriptions/Management groups for each Customer.
- Create separate Subscriptions/Management groups for each Project.
- Create separate Subscriptions for different Environments (e.g. Dev, Stage, Prod).
- Create separate Subscriptions for all the various Departments with independent roles and access to all the users.
Varun Saklani - Azure Role based access control (RBAC) - Link