Organize your resources with management groups - Azure Governance - Azure governance (2023)


If your organization has many Azure subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Management groups provide a governance scope above subscriptions. You organize subscriptions into management groups; the governance conditions you apply cascade by inheritance to all associated subscriptions.

Management groups give you enterprise-grade management at scale no matter what type of subscriptions you might have. However, all subscriptions within a single management group must trust the same Azure Active Directory (Azure AD) tenant.

For example, you can apply a policy to a management group that limits the regions available for virtual machine (VM) creation. This policy applies to all nested management groups, subscriptions, and resources, and allows VM creation only in authorized regions.

Hierarchy of management groups and subscriptions

You can build a flexible structure of management groups and subscriptions to organize your resources into a hierarchy for unified policy and access management. The following diagram shows an example of creating a hierarchy for governance using management groups.


Diagram of a root management group holding both management groups and subscriptions. Some child management groups hold management groups, some hold subscriptions, and some hold both. One of the examples in the sample hierarchy is four levels of management groups with the child level being all subscriptions.

You can create a hierarchy that applies a policy, for example, which limits VM locations to the West US region in the management group called "Production". This policy is inherited by all the Enterprise Agreement (EA) subscriptions that are descendants of that management group and applies to all VMs under those subscriptions. This security policy can't be altered by the resource or subscription owner, allowing for improved governance.

Note

Management groups aren't currently supported in Cost Management features for Microsoft Customer Agreement (MCA) subscriptions.

Another scenario where you would use management groups is to provide user access to multiple subscriptions. By moving multiple subscriptions under that management group, you can create one Azure role assignment on the management group, which inherits that access to all the subscriptions. One assignment on the management group can enable users to have access to everything they need instead of scripting Azure RBAC over different subscriptions.

Important facts about management groups

  • 10,000 management groups can be supported in a single directory.
  • A management group tree can support up to six levels of depth.
    • This limit doesn't include the Root level or the subscription level.
  • Each management group and subscription can only support one parent.
  • Each management group can have many children.
  • All subscriptions and management groups are within a single hierarchy in each directory. See Important facts about the root management group.
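A small model of these rules, as an added example that is not Microsoft's code: it enforces the single-parent and six-level limits listed above, lands new items in the root by default, formats the scope string of a node, and computes the policy and role assignments a subscription inherits, as in the earlier Production/West US scenario. The tenant ID, group names, and assignment labels are made up.

```python
"""Toy model of a management-group hierarchy and assignment inheritance.

Added example, not Microsoft's code. Tenant ID, group names, and the
assignment labels are made up; the limits are the ones the page states.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_DEPTH = 6  # management-group levels below the root (subscriptions not counted)
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"


@dataclass
class Node:
    kind: str                                   # "mg" or "subscription"
    parent: Optional[str] = None                # exactly one parent; None only for the root
    role_assignments: Set[str] = field(default_factory=set)
    policy_assignments: Set[str] = field(default_factory=set)


class Hierarchy:
    def __init__(self, tenant_id: str) -> None:
        self.root = tenant_id                   # the root MG's ID is the tenant ID
        self.nodes: Dict[str, Node] = {tenant_id: Node("mg")}

    def ancestors(self, node_id: str) -> List[str]:
        """Path from node_id up to the root, inclusive."""
        path = [node_id]
        while self.nodes[path[-1]].parent is not None:
            path.append(self.nodes[path[-1]].parent)
        return path

    def mg_depth(self, mg_id: str) -> int:
        """Number of MG levels below the root (the root itself is depth 0)."""
        return len(self.ancestors(mg_id)) - 1

    def _check_parent(self, node_id: str, parent: str) -> None:
        if node_id in self.nodes:
            raise ValueError(f"{node_id} already exists; a node has exactly one parent")
        if self.nodes[parent].kind != "mg":
            raise ValueError("parent must be a management group")

    def add_mg(self, mg_id: str, parent: Optional[str] = None) -> None:
        parent = parent or self.root            # new MGs default to the root
        self._check_parent(mg_id, parent)
        if self.mg_depth(parent) + 1 > MAX_DEPTH:
            raise ValueError(f"{mg_id} would exceed {MAX_DEPTH} levels below the root")
        self.nodes[mg_id] = Node("mg", parent)

    def add_subscription(self, sub_id: str, parent: Optional[str] = None) -> None:
        parent = parent or self.root            # new subscriptions land in the root
        self._check_parent(sub_id, parent)
        self.nodes[sub_id] = Node("subscription", parent)

    def scope_id(self, node_id: str) -> str:
        """ARM scope string used for assignments and Activity Log queries."""
        if self.nodes[node_id].kind == "subscription":
            return f"/subscriptions/{node_id}"
        return MG_PREFIX + node_id

    def assign_role(self, scope: str, assignment: str) -> None:
        self.nodes[scope].role_assignments.add(assignment)

    def assign_policy(self, scope: str, assignment: str) -> None:
        self.nodes[scope].policy_assignments.add(assignment)

    def effective_roles(self, node_id: str) -> Set[str]:
        """Union of role assignments on the node and on every ancestor."""
        return set().union(*(self.nodes[a].role_assignments for a in self.ancestors(node_id)))

    def effective_policies(self, node_id: str) -> Set[str]:
        """Union of policy assignments on the node and on every ancestor."""
        return set().union(*(self.nodes[a].policy_assignments for a in self.ancestors(node_id)))


def build_example() -> Hierarchy:
    h = Hierarchy("00000000-0000-0000-0000-000000000000")   # made-up tenant ID
    h.add_mg("Contoso")
    h.add_mg("Production", parent="Contoso")
    h.add_subscription("sub-prod-1", parent="Production")
    h.add_subscription("sub-new")                           # no parent given: lands in the root
    h.assign_policy("Production", "allowed-locations:westus")
    h.assign_role(h.root, "Reader:security-auditors")       # root-scope assignment reaches everything
    h.assign_role("Production", "Owner:platform-team")
    return h


if __name__ == "__main__":
    h = build_example()
    for sub in ("sub-prod-1", "sub-new"):
        print(sub, h.effective_policies(sub), h.effective_roles(sub))
```

The root-scope Reader assignment reaches both subscriptions while the Production policy reaches only the one under Production, which is the point of the Important note later on: anything placed on the root is effective everywhere.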

Root management group for each directory

Each directory is given a single top-level management group called the root management group. The root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level. The Azure AD Global Administrator needs to elevate themselves to the User Access Administrator role of this root group initially. After elevating access, the administrator can assign any Azure role to other directory users or groups to manage the hierarchy. As administrator, you can assign your own account as owner of the root management group.

Important facts about the root management group

  • By default, the root management group's display name is Tenant root group and operates itself as a management group. The ID is the same value as the Azure Active Directory (Azure AD) tenant ID.
  • To change the display name, your account must be assigned the Owner or Contributor role on the root management group. See Change the name of a management group to update the name of a management group.
  • The root management group can't be moved or deleted, unlike other management groups.
  • All subscriptions and management groups fold up to the one root management group within the directory.
    • All resources in the directory fold up to the root management group for global management.
    • New subscriptions are automatically defaulted to the root management group when created.
  • All Azure customers can see the root management group, but not all customers have access to managethat root management group.
    • Everyone who has access to a subscription can see the context of where that subscription is in the hierarchy.
    • No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage it.

Important

Any assignment of user access or policy on the root management group applies to all resources within the directory. Because of this, all customers should evaluate the need to have items defined on this scope. User access and policy assignments should be "Must Have" only at this scope.

Initial setup of management groups

When any user starts using management groups, there's an initial setup process that happens. The first step is the root management group is created in the directory. Once this group is created, all existing subscriptions that exist in the directory are made children of the root management group. The reason for this process is to make sure there's only one management group hierarchy within a directory. The single hierarchy within the directory allows administrative customers to apply global access and policies that other customers within the directory can't bypass. Anything assigned on the root will apply to the entire hierarchy, which includes all management groups, subscriptions, resource groups, and resources within that Azure AD tenant.

Trouble seeing all subscriptions

A few directories that started using management groups early in the preview, before June 25, 2018, could see an issue where not all the subscriptions were within the hierarchy. The process to have all subscriptions in the hierarchy was put in place after a role or policy assignment was done on the root management group in the directory.

How to resolve the issue

There are two options to resolve this issue.

  • Remove all role and policy assignments from the root management group
    • By removing any policy and role assignments from the root management group, the service backfills all subscriptions into the hierarchy in the next overnight cycle. This process ensures there's no accidental access given or policy assignment to all of the tenant's subscriptions.
    • The best way to do this process without impacting your services is to apply the role or policy assignments one level below the root management group. Then you can remove all assignments from the root scope.
  • Call the API directly to start the backfill process
    • Any customer in the directory can call the TenantBackfillStatusRequest or StartTenantBackfillRequest APIs. When the StartTenantBackfillRequest API is called, it kicks off the initial setup process of moving all the subscriptions into the hierarchy. This process also starts the enforcement of all new subscriptions being a child of the root management group. This process can be done without changing any assignments on the root level. By calling the API, you're saying it's okay that any policy or access assignment on the root can be applied to all subscriptions.

If you have questions on this backfill process, contact: managementgroups@microsoft.com

Management group access

Azure management groups support Azure role-based access control (Azure RBAC) for all resource accesses and role definitions. These permissions are inherited to child resources that exist in the hierarchy. Any Azure role can be assigned to a management group and will inherit down the hierarchy to the resources. For example, the Azure role Virtual Machine Contributor can be assigned to a management group. This role has no action on the management group itself, but will inherit to all VMs under that management group.

The following chart shows the list of roles and the supported actions on management groups.

| Azure Role Name             | Create | Rename | Move** | Delete | Assign Access | Assign Policy | Read |
|-----------------------------|--------|--------|--------|--------|---------------|---------------|------|
| Owner                       | X      | X      | X      | X      | X             | X             | X    |
| Contributor                 | X      | X      | X      | X      |               |               | X    |
| MG Contributor*             | X      | X      | X      | X      |               |               | X    |
| Reader                      |        |        |        |        |               |               | X    |
| MG Reader*                  |        |        |        |        |               |               | X    |
| Resource Policy Contributor |        |        |        |        |               | X             |      |
| User Access Administrator   |        |        |        |        | X             |               | X    |

*: The Management Group Contributor and Management Group Reader roles allow users to perform those actions only on the management group scope.

**: Role assignments on the root management group aren't required to move a subscription or management group to and from it.

See Manage your resources with management groups for details on moving items within the hierarchy.

Azure custom role definition and assignment

Azure custom role support for management groups is currently in preview with some limitations. You can define the management group scope in the role definition's assignable scope. That Azure custom role will then be available for assignment on that management group and any management group, subscription, resource group, or resource under it. This custom role will inherit down the hierarchy like any built-in role.

Example definition

Defining and creating a custom role doesn't change with the inclusion of management groups. Use the full path to identify the management group: /providers/Microsoft.Management/managementGroups/{groupId}.

Use the management group's ID and not the management group's display name. This common error happens since both are custom-defined fields when creating a management group.

The sample definition below grants the management-group, policy, and RBAC operations needed to administer a branch of the hierarchy. The operation names use the plural managementGroups resource type, which is the form the Microsoft.Management provider publishes; the singular "managementgroup" spelling that appears in some copies of this sample doesn't match any provider operation and would grant nothing.

```json
{
  "Name": "MG Test Custom Role",
  "Id": "id",
  "IsCustom": true,
  "Description": "This role helps members understand custom roles on management groups.",
  "Actions": [
    "Microsoft.Management/managementGroups/delete",
    "Microsoft.Management/managementGroups/read",
    "Microsoft.Management/managementGroups/write",
    "Microsoft.Management/managementGroups/subscriptions/delete",
    "Microsoft.Management/managementGroups/subscriptions/write",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Authorization/policyAssignments/*",
    "Microsoft.Authorization/policyDefinitions/*",
    "Microsoft.Authorization/policySetDefinitions/*",
    "Microsoft.PolicyInsights/*",
    "Microsoft.Authorization/roleAssignments/*",
    "Microsoft.Authorization/roleDefinitions/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/ContosoCorporate"
  ]
}
```

Note that Microsoft.Authorization/roleAssignments/* and roleDefinitions/* let a holder of this role grant further access anywhere under ContosoCorporate, so this is a privileged role that should be assigned as sparingly as Owner.

Issues with breaking the role definition and assignment hierarchy path

Role definitions can be given an assignable scope anywhere within the management group hierarchy. A role definition can be defined on a parent management group while the actual role assignment exists on the child subscription. Since there's a relationship between the two items, you'll receive an error when trying to separate the assignment from its definition.

For example, let's look at a small section of a hierarchy for a visual.


The diagram focuses on the root management group with child IT and Marketing management groups. The IT management group has a single child management group named Production, while the Marketing management group has two Free Trial child subscriptions.

Let's say there's a custom role defined on the Marketing management group. That custom role is then assigned on the two free trial subscriptions.

If we try to move one of those subscriptions to be a child of the Production management group, this move would break the path from the subscription role assignment to the Marketing management group role definition. In this scenario, you'll receive an error saying the move isn't allowed since it will break this relationship.

There are a couple different options to fix this scenario:

  • Remove the role assignment from the subscription before moving the subscription to a new parent management group.
  • Add the subscription to the role definition's assignable scope.
  • Change the assignable scope within the role definition. In the above example, you can update the assignable scopes from Marketing to the root management group so that the definition can be reached by both branches of the hierarchy.
  • Create another custom role that is defined in the other branch. This new role requires the role assignment to be changed on the subscription also.

Limitations

There are limitations that exist when using custom roles on management groups.

  • You can only define one management group in the assignable scopes of a new role. This limitation is in place to reduce the number of situations where role definitions and role assignments are disconnected. This situation happens when a subscription or management group with a role assignment moves to a different parent that doesn't have the role definition.
  • Resource provider data plane actions can't be defined in management group custom roles. This restriction is in place as there's a latency issue with updating the data plane resource providers. This latency issue is being worked on, and these actions will be disabled from the role definition to reduce any risks.
  • Azure Resource Manager doesn't validate the management group's existence in the role definition's assignable scope. If there's a typo or an incorrect management group ID listed, the role definition is still created, so check the scope string before relying on the role.

Important

Adding a management group to AssignableScopes is currently in preview. This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

Moving management groups and subscriptions

To move a management group or subscription to be a child of another management group, three rules need to be evaluated as true.

If you're doing the move action, you need:

  • Management group write and role assignment write permissions on the child subscription or management group.
    • Built-in role example: Owner
  • Management group write access on the target parent management group.
    • Built-in role example: Owner, Contributor, Management Group Contributor
  • Management group write access on the existing parent management group.
    • Built-in role example: Owner, Contributor, Management Group Contributor

Exception: If the target or the existing parent management group is the root management group, the permissions requirements don't apply. Since the root management group is the default landing spot for all new management groups and subscriptions, you don't need permissions on it to move an item.

If the Owner role on the subscription is inherited from the current management group, your move targets are limited. You can only move the subscription to another management group where you have the Owner role. You can't move it to a management group where you're a Contributor because you would lose ownership of the subscription. If you're directly assigned to the Owner role for the subscription (not inherited from the management group), you can move it to any management group where you're assigned the Contributor role.
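A pre-flight check that applies the three rules above, the root exception, the inherited-Owner restriction, and the assignable-scope check from the earlier Marketing/Production example, as an added example that is not Microsoft's code. The principals, the "tenant-root" ID standing in for the tenant ID, and the mapping of built-in roles to the two permissions the page cites are made-up simplifications.

```python
"""Pre-flight checks for moving a subscription or management group.

Added example, not Microsoft's code. Principals, the root ID, and the
role-to-permission map are made up; the rules are the ones the page states.
"""
from typing import Dict, List, Optional, Set, Tuple

ROOT = "tenant-root"   # stands in for the tenant ID that names the root MG

# Simplified: which of the two permissions the page cites each built-in role carries.
ROLE_PERMISSIONS = {
    "Owner": {"mg_write", "role_assignment_write"},
    "Contributor": {"mg_write"},
    "Management Group Contributor": {"mg_write"},
    "Reader": set(),
}


class Tenant:
    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {ROOT: None}
        self.role_assignments: Dict[str, List[Tuple[str, str]]] = {}  # scope -> (principal, role)
        self.custom_role_scopes: Dict[str, Set[str]] = {}             # custom role -> AssignableScopes

    def add(self, node: str, parent: str = ROOT) -> None:
        self.parent[node] = parent                # new items land in the root by default

    def ancestors(self, node: str) -> List[str]:
        path = [node]
        while self.parent[path[-1]] is not None:
            path.append(self.parent[path[-1]])
        return path

    def assign(self, scope: str, principal: str, role: str) -> None:
        self.role_assignments.setdefault(scope, []).append((principal, role))

    def roles_at(self, principal: str, scope: str, inherited: bool = True) -> Set[str]:
        scopes = self.ancestors(scope) if inherited else [scope]
        return {r for s in scopes for p, r in self.role_assignments.get(s, []) if p == principal}

    def permissions_at(self, principal: str, scope: str) -> Set[str]:
        perms: Set[str] = set()
        for role in self.roles_at(principal, scope):
            perms |= ROLE_PERMISSIONS.get(role, set())   # custom roles grant nothing in this model
        return perms


def move_blockers(t: Tenant, item: str, target: str, caller: str) -> List[str]:
    """Reasons the move would be refused; an empty list means it is allowed."""
    problems: List[str] = []
    current = t.parent[item]
    if not {"mg_write", "role_assignment_write"} <= t.permissions_at(caller, item):
        problems.append(f"need management group write and role assignment write on {item}")
    if target != ROOT and "mg_write" not in t.permissions_at(caller, target):
        problems.append(f"need management group write on target parent {target}")
    if current != ROOT and "mg_write" not in t.permissions_at(caller, current):
        problems.append(f"need management group write on current parent {current}")
    # Owner inherited from the current branch disappears after the move, so the
    # target branch must grant Owner; a directly assigned Owner travels with the item.
    owner_direct = "Owner" in t.roles_at(caller, item, inherited=False)
    if not owner_direct and "Owner" in t.roles_at(caller, item) \
            and "Owner" not in t.roles_at(caller, target):
        problems.append(f"Owner on {item} is inherited and {target} doesn't grant Owner")
    # Custom-role assignments on the item must still sit on or under one of the
    # definition's assignable scopes once the item hangs below the new parent.
    new_path = set(t.ancestors(target)) | {item}
    for _, role in t.role_assignments.get(item, []):
        scopes = t.custom_role_scopes.get(role)
        if scopes is not None and not (scopes & new_path):
            problems.append(f"assignment of '{role}' on {item} would lose its definition at {sorted(scopes)}")
    return problems


def build_example() -> Tenant:
    t = Tenant()
    t.add("IT")
    t.add("Marketing")
    t.add("Production", parent="IT")
    t.add("trial-sub-1", parent="Marketing")
    t.add("trial-sub-2", parent="Marketing")
    t.custom_role_scopes["MG Test Custom Role"] = {"Marketing"}
    t.assign("trial-sub-1", "campaign-app", "MG Test Custom Role")
    t.assign("trial-sub-2", "campaign-app", "MG Test Custom Role")
    t.assign("Marketing", "alice", "Owner")          # alice owns the trial subs only by inheritance
    t.assign("Production", "alice", "Contributor")
    t.assign("trial-sub-1", "bob", "Owner")          # bob owns trial-sub-1 directly
    t.assign("Marketing", "bob", "Contributor")
    t.assign("IT", "bob", "Contributor")
    return t


if __name__ == "__main__":
    t = build_example()
    for who in ("alice", "bob"):
        print(who, "->", move_blockers(t, "trial-sub-1", "Production", who) or "move allowed")
```

Alice is refused twice (inherited Owner, and the custom role's definition would be out of reach); Bob, who holds Owner directly, is refused only for the role definition, and the move goes through once the definition's assignable scope is widened to the root or the assignment is removed first.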

Important

Azure Resource Manager caches management group hierarchy details for up to 30 minutes. As a result, moving a management group may not immediately be reflected in the Azure portal.

Audit management groups using activity logs

Management groups are supported within Azure Activity log. You can search all events that happen to a management group in the same central location as other Azure resources. For example, you can see all role assignments or policy assignment changes made to a particular management group.


When looking to query on management groups outside the Azure portal, the target scope for management groups looks like "/providers/Microsoft.Management/managementGroups/{management-group-id}".

Note

Using the Azure Resource Manager REST API, you can enable diagnostic settings on a management group to send related Azure Activity log entries to a Log Analytics workspace, Azure Storage, or Azure Event Hub. For more information, see Management Group Diagnostic Settings - Create Or Update.
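A triage routine over exported Activity Log records, as an added example that is not Microsoft's code: it picks out the role, policy, and hierarchy changes made at management-group scope using the scope format above, and rates changes on the root group highest because they apply to every subscription in the directory. The records are constructed and carry only a subset of the export fields; the tenant ID, callers, and GUIDs are made up.

```python
"""Flag Activity Log records that change access, policy, or structure at MG scope.

Added example, not Microsoft's code. SAMPLE_RECORDS is constructed and uses a
subset of the Activity Log export fields; the tenant ID and names are made up.
"""
import re
from typing import Dict, List, Optional

TENANT_ID = "11111111-2222-3333-4444-555555555555"        # root MG ID == tenant ID (made up)
MG_SCOPE = re.compile(r"^/providers/microsoft\.management/managementgroups/([^/]+)", re.IGNORECASE)

WATCHED_OPS = {   # lower-cased operation name -> what it changes
    "microsoft.authorization/roleassignments/write": "role assignment added",
    "microsoft.authorization/roleassignments/delete": "role assignment removed",
    "microsoft.authorization/policyassignments/write": "policy assignment written",
    "microsoft.management/managementgroups/subscriptions/write": "subscription moved",
    "microsoft.management/managementgroups/write": "management group created or renamed",
}

SAMPLE_RECORDS = [   # constructed; field names follow the Activity Log export schema
    {"time": "2023-02-20T09:12:01Z", "caller": "admin@contoso.example", "resultType": "Success",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "resourceId": f"/providers/Microsoft.Management/managementGroups/{TENANT_ID}"
                   "/providers/Microsoft.Authorization/roleAssignments/aaaa0000-0000-0000-0000-000000000001"},
    {"time": "2023-02-20T09:15:44Z", "caller": "platform@contoso.example", "resultType": "Success",
     "operationName": "Microsoft.Authorization/policyAssignments/write",
     "resourceId": "/providers/Microsoft.Management/managementGroups/Production"
                   "/providers/Microsoft.Authorization/policyAssignments/allowed-locations"},
    {"time": "2023-02-20T10:02:10Z", "caller": "platform@contoso.example", "resultType": "Success",
     "operationName": "Microsoft.Management/managementGroups/subscriptions/write",
     "resourceId": "/providers/Microsoft.Management/managementGroups/Contoso"
                   "/subscriptions/bbbb0000-0000-0000-0000-000000000002"},
    {"time": "2023-02-20T10:30:00Z", "caller": "intern@contoso.example", "resultType": "Failure",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "resourceId": f"/providers/Microsoft.Management/managementGroups/{TENANT_ID}"
                   "/providers/Microsoft.Authorization/roleAssignments/cccc0000-0000-0000-0000-000000000003"},
    {"time": "2023-02-20T11:00:00Z", "caller": "dev@contoso.example", "resultType": "Success",
     "operationName": "Microsoft.Compute/virtualMachines/write",
     "resourceId": "/subscriptions/bbbb0000-0000-0000-0000-000000000002"
                   "/resourceGroups/app/providers/Microsoft.Compute/virtualMachines/vm1"},
]


def management_group_of(resource_id: str) -> Optional[str]:
    """Return the MG ID when the resource ID sits at management-group scope, else None."""
    m = MG_SCOPE.match(resource_id)
    return m.group(1) if m else None


def triage(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per watched operation at MG scope; root-scope changes are 'high'."""
    findings: List[Dict[str, str]] = []
    for r in records:
        what = WATCHED_OPS.get(r["operationName"].lower())
        mg = management_group_of(r["resourceId"])
        if what is None or mg is None:
            continue                                   # not a hierarchy-level change
        severity = "high" if mg.lower() == TENANT_ID.lower() else "medium"
        if r.get("resultType") != "Success":
            severity, what = "low", "failed attempt: " + what   # still worth a look
        findings.append({"time": r["time"], "caller": r["caller"], "mg": mg,
                         "what": what, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f["severity"].upper(), f["time"], f["caller"], f["mg"], f["what"])
```

The VM write at subscription scope is ignored because its resourceId never passes through the management-group scope prefix; the failed root-scope role assignment is kept at low severity so that repeated attempts against the root are still visible.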

Next steps

To learn more about management groups, see:

  • Create management groups to organize Azure resources
  • How to change, delete, or manage your management groups
  • How to protect your resource hierarchy