So, you have your subscriptions and your resources are neatly bundled together within resource groups but now, as you’re growing you find yourself having to repeat the configuration of you IAM, Security Centre policies and compliance as the number of subscriptions etc. is increased. Microsoft has thought of this and introduced Management groups a while ago.
Management groups sit over your subscriptions as another layer in the architecture. A subscription can be associated with a management group, a subscription can only be associated with a single management group but a management group can be associated with another management group (as you’ll see from the Microsoft Docs diagram below).
You can then assign policies, access and compliance to these management groups and those policies roll down the tree (a little like Group Policies roll down an organisational unit although you can’t block inheritance etc. like you could with a GPO being applied).
Taken from the Docs website but the key facts are:
- 10,000 management groups can be supported in a single directory. That will be more than enough for the majority of environments!
- A management group tree can support up to six levels of depth.
- This limit doesn’t include the Root level or the subscription level.
- Each management group and subscription can only support one parent.
- Each management group can have many children.
- All subscriptions and management groups are within a single hierarchy in each directory.
On that last point – in every environment, there is a root level management group that all management groups eventually roll up into. Anything you set on this root group will roll down. It’s worth noting though that even if you have global admin permissions within the environment you will still to be able to manage your root management group. If you want/need to manage this root group you’ll need to elevate your permissions – https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin.
Also, The root management group can’t be moved or deleted, unlike other management groups which if you have the necessary permissions you can.
How do I get started?
Setup is incredibly simple. First, go to the ‘All Services’ blade and search for (obviously) “Management Groups”.
Once you have run through the quick setup a root group is created, all existing subscriptions that exist in the directory are made children of the root management group. Again bear in mind that and policies and access rights assigned on the root will apply to the entire hierarchy!
I would highly recommend building Management Groups into your basic Azure architecture, it’s a simple concept with the possibility for a big impact on your management your environement grows.