If you are responsible for managing multiple Azure subscriptions, you will have noticed how hard it is to keep resource deployment, organization and management consistent across them. This is primarily because different subscriptions target different needs, such as products or departments, so their Azure resources end up being used by different sets of people. To bring consistency across subscriptions, one can use the recently launched Azure Management Groups. Azure Management Groups help apply governance controls such as access control (RBAC), Azure Policy and compliance settings across many subscriptions at once.
How do Azure Management Groups Work?
Azure management groups are scoped one level above subscriptions. A management group is a logical container for one or more Azure subscriptions that need to be managed together. Once subscriptions are grouped, you create and apply your governance conditions to the management group. All subscriptions within a management group, whatever their type (pay-as-you-go, Enterprise Agreement and so on), automatically inherit the conditions applied to the management group. The only caveat is that all subscriptions within a single management group must trust the same Azure Active Directory tenant, i.e. they must share the same tenant ID.
Charges for using Management Groups
There is no additional cost for using Azure Management Groups themselves, so they will not affect your organization's bill at all. You can, however, save costs by managing your resources more effectively through them.
Hierarchy of Management Groups and Subscriptions
You can build a flexible structure of management groups and subscriptions to organize resources for your organization and arrange them in whatever hierarchy is required. For example, consider the hierarchy below:
Subscriptions can be moved between management groups freely and can also remain independent if needed. A management group hierarchy can be up to six levels deep; this limit does not include the root management group or the subscription level.
Concept of Root Management Group
As you can deduce from the picture shared above, the hierarchy begins at the root management group, which is displayed as “Tenant Root Group” (its ID is the Azure AD tenant ID). The root management group is simply the single top-level management group and is created first. All other management groups are children of the root management group, and any existing subscriptions in the directory become part of it. Note that the root management group cannot be deleted or removed once created.
You can choose to apply governance controls at the root management group as well, and they flow down to every management group and subscription below it. It can therefore be used for global policies and RBAC assignments that should apply at directory level in the organization. However, one needs to analyze carefully the effect of any access control or policy assignment at this level: anything assigned on the root applies to the entire hierarchy, which includes all management groups, subscriptions, resource groups and resources within that Azure AD tenant. By default nobody has permissions on the root management group; a Global Administrator must explicitly elevate their access before roles or policies can be assigned there, and that elevated access should be removed again once the assignment is done.
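As an added example, not taken from the original post, the following PowerShell scopes a role assignment and a policy assignment to the management group “mohitgoyal-co” rather than to the Tenant Root Group, then checks what a subscription underneath inherits and who holds assignments at the root scope. It assumes the Az PowerShell module (Az.Accounts, Az.Resources) and an already authenticated session; the subscription ID and the Azure AD group object ID are placeholders, and the policy definition ID is the standard built-in “Allowed locations” definition.

```powershell
# Added example (not from the original post). Assumes Connect-AzAccount has
# already been run with an identity that has Owner/User Access Administrator
# on the management group "mohitgoyal-co".
$mgId    = 'mohitgoyal-co'
$mgScope = "/providers/Microsoft.Management/managementGroups/$mgId"

# Placeholder values: replace with a real subscription id and the object id of
# an Azure AD security group that should get read-only access everywhere below.
$subId     = '00000000-0000-0000-0000-000000000000'
$readersId = '11111111-1111-1111-1111-111111111111'

# 1. RBAC at management-group scope. Every subscription, resource group and
#    resource under $mgId inherits this assignment; nothing outside $mgId does.
New-AzRoleAssignment -ObjectId $readersId -RoleDefinitionName 'Reader' -Scope $mgScope

# 2. Azure Policy at the same scope: built-in "Allowed locations"
#    (definition id e56962a6-4747-49cd-b67b-bf8b01975c4c), limited to two regions.
$allowedLocations = Get-AzPolicyDefinition `
    -Id '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'
New-AzPolicyAssignment -Name 'allowed-locations' -DisplayName 'Restrict regions' `
    -Scope $mgScope -PolicyDefinition $allowedLocations `
    -PolicyParameterObject @{ listOfAllowedLocations = @('eastus', 'westeurope') }

# 3. Verify inheritance from the subscription's point of view. Get-AzRoleAssignment
#    at a scope returns assignments made at that scope and at every ancestor,
#    so the Reader assignment above shows up with its management-group scope.
Get-AzRoleAssignment -Scope "/subscriptions/$subId" |
    Where-Object { $_.Scope -like '/providers/Microsoft.Management/managementGroups/*' } |
    Select-Object DisplayName, RoleDefinitionName, Scope

# Policy assignments that apply at the subscription, including inherited ones;
# 'allowed-locations' should be listed here.
Get-AzPolicyAssignment -Scope "/subscriptions/$subId" | Select-Object Name

# 4. Blast-radius check for the root. Anything assigned at scope "/" applies to the
#    whole tenant. Nobody has this by default (a Global Administrator has to
#    elevate access first), so this list should normally be empty or very short.
Get-AzRoleAssignment -Scope '/' |
    Where-Object { $_.Scope -eq '/' } |
    Select-Object DisplayName, SignInName, RoleDefinitionName
```

The point of step 3 is that the assignment's Scope column still reads as the management group, not the subscription: inherited assignments cannot be edited or removed from the subscription, only at the scope where they were made. Step 4 is the check to run periodically in any tenant where someone has ever elevated access; a lingering User Access Administrator at “/” can grant themselves any role on any subscription.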
Create Management Groups using Azure Portal
To create a management group in the portal, go to ‘All Services’ -> Everything -> Management Groups:
Then click ‘Start using management groups’:
After this, you just need to provide an ID and a display name for the management group:
Note that the ID of a management group cannot be changed later; the display name can be changed as often as needed. You can also choose whether the new management group is a child of an existing management group (if you do not choose one, it is created under the root management group).
Create and Manage Management Groups Using PowerShell
Create Management Group
We can use the New-AzManagementGroup cmdlet to create a new management group:
New-AzManagementGroup -GroupName "mohitgoyal-co"
where GroupName is the unique identifier of the group being created. This ID is used by other commands to reference the group and, as mentioned above, cannot be changed later.
You can also use the DisplayName parameter to set a different name for display purposes. For example, to create a management group with the GroupName mohitgoyal-co and the display name “mohitgoyal-co group”, use the following cmdlet:
New-AzManagementGroup -GroupName "mohitgoyal-co" -DisplayName "mohitgoyal-co group"
In the preceding examples the new management group is created under the root management group. To specify a different parent, use the ParentId parameter, which takes the full resource ID of the parent group (/providers/Microsoft.Management/managementGroups/<id>). For example, to create a sub-level management group named “azpolicy-demo-group” as a child of “mohitgoyal-co”, use the following commands:
$parentGroup = Get-AzManagementGroup -GroupName mohitgoyal-co
New-AzManagementGroup -GroupName "azpolicy-demo-group" -DisplayName "azure policies demo group" -ParentId $parentGroup.Id
Update Management Group
You can also update the display name of an existing group with the ‘Update-AzManagementGroup’ cmdlet (the same cmdlet accepts ParentId to move a management group under a different parent):
Update-AzManagementGroup -GroupName "mohitgoyal-co" -DisplayName "mohitgoyal-co group"
View Existing Management Group
To view all existing management groups, use the ‘Get-AzManagementGroup’ cmdlet without parameters; with GroupName it returns a single group:
Get-AzManagementGroup
Delete Management Group
To delete group, one can use the “Remove-AzManagementGroup” cmdlet:
Remove-AzManagementGroup -GroupName "azpolicy-demo-group"
If the command returns without error, the group has been removed. Note that a management group that still has child management groups or subscriptions cannot be deleted; move them out first.
There are many more variations of these commands depending on the operation you need, such as moving subscriptions in or out of management groups (New-AzManagementGroupSubscription and Remove-AzManagementGroupSubscription); more details are covered here.
Azure CLI can also be used to create, update and manage management groups, and those commands are covered at the above link as well.
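As an added example that is not part of the original post, the following PowerShell puts the whole procedure above together: it builds the two-level hierarchy from the post under the Tenant Root Group, moves a subscription into the child group, prints the resulting tree, and then tears the child group down in the order Azure requires. It assumes the Az PowerShell module and an authenticated session; the subscription ID is a placeholder, and the Show-MgTree helper is written here for the example.

```powershell
# Added example (not from the original post). Assumes Connect-AzAccount has been
# run with an identity that can write management groups and the subscription.
$parentId = 'mohitgoyal-co'
$childId  = 'azpolicy-demo-group'
$subId    = '00000000-0000-0000-0000-000000000000'   # placeholder subscription id

# 1. Create the parent (no -ParentId, so it lands under the Tenant Root Group)
#    and the child. -GroupName is the immutable id; -DisplayName can change later.
$parent = New-AzManagementGroup -GroupName $parentId -DisplayName 'mohitgoyal-co group'
$child  = New-AzManagementGroup -GroupName $childId -DisplayName 'azure policies demo group' `
              -ParentId $parent.Id

# 2. Move the subscription under the child group. A subscription has exactly one
#    parent management group, so this also removes it from wherever it was
#    (the Tenant Root Group for a subscription that was never placed anywhere).
#    The caller needs write access on both the subscription and the target group.
New-AzManagementGroupSubscription -GroupName $childId -SubscriptionId $subId

# 3. Walk the tree from the parent downward. -Expand returns the direct children,
#    -Recurse descends through all levels (up to the six supported below root).
#    Helper written for this example: child objects expose Type, Name,
#    DisplayName and Children; subscriptions have Type "/subscriptions".
function Show-MgTree {
    param(
        [Parameter(Mandatory)] $Node,
        [int] $Depth = 0
    )
    $kind = if ($Node.Type -like '*/subscriptions') { 'sub' } else { 'mg' }
    '{0}{1} [{2}] {3}' -f ('  ' * $Depth), $Node.DisplayName, $kind, $Node.Name
    foreach ($c in $Node.Children) {
        Show-MgTree -Node $c -Depth ($Depth + 1)
    }
}
$tree = Get-AzManagementGroup -GroupName $parentId -Expand -Recurse
Show-MgTree -Node $tree
# Expected shape:
#   mohitgoyal-co group [mg] mohitgoyal-co
#     azure policies demo group [mg] azpolicy-demo-group
#       <subscription display name> [sub] 00000000-0000-0000-0000-000000000000

# 4. Tear-down. A management group that still has children cannot be deleted,
#    so move the subscription out first; it returns to the Tenant Root Group
#    and from that moment only inherits what is assigned at the root.
Remove-AzManagementGroupSubscription -GroupName $childId -SubscriptionId $subId
Remove-AzManagementGroup -GroupName $childId

# Confirm: the parent should now have no children.
Get-AzManagementGroup -GroupName $parentId -Expand | Select-Object -ExpandProperty Children
```

Step 2 is the security-relevant one: moving a subscription changes which role assignments and policies apply to every resource in it, in both directions. Anything assigned at the old parent stops applying, and anything assigned at the new parent (and its ancestors) starts applying immediately, so review what is assigned on the target group before moving a production subscription under it.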
Summary and Notes
Azure Management Groups are definitely a good way to manage Azure resources for your organization across subscriptions, as well as at the subscription level. They are flexible and support multiple levels of depth. However, one needs to analyze carefully the effect of applying access controls and policies at each level, especially at the root, and evaluate the scope of every assignment in depth before proceeding.