Organizations and individuals often utilize multiple Subscriptions across their Azure environment. Depending on the needs of an organization, these may be split up by department, life-cycle, business unit, etc., and result in one or hundreds of Azure Subscriptions. The more Azure Subscriptions we have, the more difficult it becomes to manage each Subscriptions access controls and Azure Policy, often resulting in Subscription sprawl. With the introduction of Azure Management Groups, we can now more effectively manage our Azure Subscriptions by grouping them into containers, similar to the way we group like Azure Resources into Resource Groups.
Azure Management Groups Scenario
To demonstrate Azure Management Groups, we will create the below hierarchy for our 3 Azure Subscriptions, which are segmented by life-cycle, Prod, Test, and Dev. In this case, we’ll create 2 Management Groups for “Prod” and “Testing”. We want to ensure that our Dev and Test Subscriptions have similar levels of access for our Developers, but we need to restrict Prod access.
Azure Management Group Details
- Azure Management Groups can be assigned Access Controls and Azure Policies
- Azure Policy and access controls assigned to a Management Group are inherited by child Subscriptions and Management Groups
- A Subscription can be assigned to 1 Management Group
- Management Groups can be renamed
- Management Groups can contain multiple Subscriptions and/or Management Groups
- Management Groups can be moved to other Management Groups
- New Subscriptions are assigned to the Tenant Root Group
Creating Our Azure Management Group Hierarchy
To start building our Management Group hierarchy, we’ll begin by navigating to the “Management Groups” blade.
We’ll start by enabling Azure Management Groups which will also create our “Tenant Root Group”, the root or highest level Management Group.
Create Azure Management Groups
Now we can create our child Management Groups. We’ll create 2 Management Groups per our above hierarchy, “Prod” and “Testing”.
Our Management Groups are made up of a name and ID. We will correlate these names and IDs to our “Prod” and “Testing” environments.
Assign Subscriptions to Azure Management Groups
With both of our Management Groups created, we need to assign our Subscriptions to our Management Groups. Under our “Testing” Management Group, we’ll click on the “(details)” link.
Within our “Testing” Management Group, we can assign access control, Azure Policy and assign any child Management Groups or Subscriptions. We’ll click on the “+ Add subscription” button to assign our “Dev” and “Test” Subscriptions.
A drop-down will allow us to choose from our list of available Subscriptions.
IMPORTANT NOTE: Existing access controls assigned to our Subscription will be removed once assigned to the new Management Group. Therefore, if we are migrating any subscriptions to this new model, we want to first assign their existing permissions set at the Subscription level, to the Management Group level. When migrating to Azure Management Groups, we want to ensure that we don’t lose any permissions.
We’ll copy this same process with our remaining Subscriptions and we’ve now successfully created our defined Management Group hierarchy.