100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cloud

Azure Management Groups

By Microsoft

IntermediateService4.8K learners

Azure Management Groups are containers that Azure administrators use to organize multiple subscriptions into a hierarchy so that access, policy, and compliance controls can be applied consistently across them.

Definition

Azure Management Groups are containers that Azure administrators use to organize multiple subscriptions into a hierarchy so that access, policy, and compliance controls can be applied consistently across them.

Overview

Azure's resource hierarchy has four levels: management groups sit above subscriptions, which contain resource groups, which in turn contain individual resources. Management Groups exist specifically to solve the governance problem that arises once an organization has more than a handful of subscriptions — rather than assigning Azure Policy definitions or role-based access control (RBAC) individually to each subscription, administrators can group subscriptions into a tree of management groups and apply policies or role assignments once, at whatever level makes sense, and have them inherit down to every subscription and resource beneath it. Every Azure tenant is created with a single root management group at the top of the hierarchy, and organizations typically build a small number of levels beneath it — commonly separating groups by business unit, environment (production versus non-production), or compliance requirement. Azure Policy assignments, RBAC role assignments, and Azure Blueprints can all be scoped to a management group, which is what makes them useful as an enforcement point rather than just an organizational label; a policy that requires encryption at rest, for instance, can be applied once at a management group and automatically govern every subscription created underneath it, including ones created later. Management Groups are central to the Azure Cloud Adoption Framework's landing zone design, where they are used to separate platform subscriptions (identity, management, connectivity) from landing zone subscriptions (the actual application workloads), giving enterprises a consistent governance backbone as they scale to dozens or hundreds of subscriptions. The concept mirrors AWS Organizations' organizational units and Google Cloud's Resource Manager folders.

Key Features

  • Hierarchical grouping of Azure subscriptions, up to six levels deep beneath the root
  • Azure Policy assignments that inherit down from a management group to all subscriptions and resources within it
  • RBAC role assignments scoped at the management group level for centralized access control
  • A single root management group automatically present in every Azure Active Directory tenant
  • Support for Azure Blueprints to deploy consistent resource sets across a management group
  • Central to the Azure Cloud Adoption Framework's landing zone architecture
  • Ability to move subscriptions between management groups as organizational needs change

Use Cases

Applying compliance policies, such as required tags or encryption, across many subscriptions at once
Separating production, non-production, and sandbox subscriptions under distinct governance rules
Structuring a landing zone that distinguishes platform subscriptions from workload subscriptions
Delegating administrative access at a business-unit level without managing each subscription individually
Enforcing regional or cost-control restrictions organization-wide
Providing a consistent RBAC and policy baseline for newly created subscriptions

Alternatives

Frequently Asked Questions

From the Blog