Setting Up & Managing Azure Management Groups

This article has not been completed yet. However, it may already contain helpful information and has therefore been published at this stage.

Obtain the right permissions:

Common RBAC - Roles:

  • Owner: Has full access to all resources, including the right to assign roles to others.
  • Contributor: Can create and manage all types of Azure resources, but cannot grant access to others.
  • Reader: Can view existing Azure resources, but cannot change them.

Roles to manage Management groups:

  • User Access Administrator: Can manage access to Azure resources. Assigned at the root Management group it allows role assignments across the whole hierarchy.
  • Global Administrator: A Microsoft Entra ID (Azure AD) directory role, not an Azure RBAC role. It has no rights on Azure resources by default, but can "elevate access" and is then granted User Access Administrator at the root scope (/).

Therefore we first obtain the User Access Administrator role at the root Management group (or, as Global Administrator, elevate access to get it) so that we can create Management groups, move subscriptions into them and assign roles at Management group scope. Note that, unless the hierarchy setting "Require permissions for creating new management groups" is enabled, any user in the directory can create a Management group under the root; enable that setting so the hierarchy can only be changed by intended administrators. Elevated access should be removed again once the work is done.

Creating a Management group:

Moving a subscription to a Management group:

By default, a new Subscription is placed directly under the root Management group (unless a different default Management group has been configured in the hierarchy settings). It has to be moved explicitly into the Management group whose role assignments and policies it should inherit.
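
The following Azure PowerShell (Az module) script is an added example and not part of the original article; it performs the procedure described above (create Management groups, move a Subscription, assign a role at Management group scope) from the command line instead of the portal. All identifiers in it (the Management group names "mg-platform" and "mg-identity", the Subscription ID and the group object ID) are hypothetical placeholders that must be replaced with your own values.

```powershell
# Added example (not from the original article): Az PowerShell version of the
# portal procedure. Requires the Az.Accounts and Az.Resources modules and an
# account that holds User Access Administrator at the root Management group.
# All names and GUIDs below are placeholders (assumptions), not real values.

Connect-AzAccount

# Optional, Global Administrator only: elevate access to obtain User Access
# Administrator at root scope (/). This is the documented elevateAccess REST
# call; remove the resulting assignment at scope "/" again after the work.
# Invoke-AzRestMethod -Method POST -Path '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01'

# The root Management group's name is always the tenant (directory) ID.
$tenantId = (Get-AzContext).Tenant.Id
$rootMgId = "/providers/Microsoft.Management/managementGroups/$tenantId"

# 1. Create a Management group directly under the root, then a child below it.
#    (A Management group can have exactly one parent.)
$platformMg = New-AzManagementGroup -GroupName 'mg-platform' -DisplayName 'Platform' -ParentId $rootMgId
$identityMg = New-AzManagementGroup -GroupName 'mg-identity' -DisplayName 'Identity' -ParentId $platformMg.Id

# 2. Move a Subscription out of the root Management group into the child.
#    This needs write permission on the target Management group and
#    role-assignment write permission (e.g. Owner) on the Subscription itself.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
New-AzManagementGroupSubscription -GroupName $identityMg.Name -SubscriptionId $subscriptionId

# 3. Assign a role once at Management group scope; every Subscription below
#    inherits it, so the assignment is made to a group, not to individual users.
$readersGroupObjectId = '11111111-1111-1111-1111-111111111111'   # placeholder Entra ID group
New-AzRoleAssignment -ObjectId $readersGroupObjectId `
    -RoleDefinitionName 'Reader' `
    -Scope $identityMg.Id

# 4. Verify: show the resulting hierarchy and the assignments the Subscription
#    now inherits from Management group scope.
Get-AzManagementGroup -GroupName 'mg-platform' -Expand -Recurse |
    Select-Object -ExpandProperty Children

Get-AzRoleAssignment -Scope "/subscriptions/$subscriptionId" |
    Where-Object { $_.Scope -like '/providers/Microsoft.Management/managementGroups/*' } |
    Format-Table DisplayName, RoleDefinitionName, Scope
```

The verification step at the end is the part worth keeping around: because role assignments and policies flow down the tree, anyone who can write to a Management group can effectively grant access to every Subscription below it, so both the hierarchy and the assignments made at Management group scope should be reviewed after every change.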

Azure Resource Management Hierarchy:

Example design:

Azure Management group design principles and capabilities:

  • Management groups can mirror your billing hierarchy.
  • You use Management groups to model your organization.
  • Azure Subscriptions can be grouped based on a need for common roles assigned along with Azure Policies and Initiatives.
  • You can control access, policies, and compliance for more than one subscription at once. Every subscription within a Management group inherits the role-based access control and policy settings applied to the Management group (and to all Management groups above it).
  • A Management group can contain other Management groups or subscriptions, but it cannot directly contain an Azure resource.
  • A Management group or subscription can have only one parent.
  • Management group trees can support up to six levels of depth, not including the root level or the subscription level.
  • All subscriptions and Management groups within a hierarchy share a common directory.
  • Management groups reside within a tenant and cannot contain subscriptions of different tenants.
  • A single directory can have up to 10,000 Management groups.

Root Management group

  • All Management groups in a directory (tenant) are under the root Management group.
  • The root Management group cannot be moved or deleted.
  • A directory has exactly one root Management group.

Best Practices

  • Create separate Subscriptions/Management groups for each customer.
  • Create separate Subscriptions/Management groups for each project.
  • Create separate Subscriptions for different environments (e.g. Dev, Stage, Prod).
  • Create separate Subscriptions for departments that need their own roles and access, so that each department's users only get access within their own Subscription.
