Configuring Management Groups
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Configuring Management Groups in Microsoft Azure
Introduction: The Foundation of Azure Governance
When you start working with Microsoft Azure, it is common to begin by deploying a few resources into a single subscription. However, as your organization grows, the number of subscriptions, resource groups, and individual resources expands rapidly. Without a structured approach to organization, you quickly lose visibility over who is doing what, where your costs are coming from, and whether your resources comply with internal security policies. This is where Management Groups become essential.
Management Groups provide a level of scope above subscriptions. They allow you to organize your subscriptions into a hierarchy, enabling you to apply governance, compliance, and access control policies across multiple subscriptions simultaneously. Instead of configuring settings for each subscription individually, you can define them at a higher level in the hierarchy, and they will automatically inherit down to all child subscriptions. This ensures consistency and reduces the administrative burden of managing large-scale cloud environments.
In this lesson, we will explore the architecture of Management Groups, how to design an effective hierarchy, how to implement policies at scale, and the best practices for maintaining a clean and secure Azure environment. Understanding these concepts is a prerequisite for anyone tasked with managing cloud infrastructure at scale.
Understanding the Management Group Hierarchy
The Azure resource hierarchy is structured as a tree. At the very top, we have the Root Management Group. Below this, you can create various levels of Management Groups, which then contain your Azure subscriptions. Within those subscriptions, you have resource groups, and finally, the actual resources like virtual machines, storage accounts, or databases.
The Root Management Group
The Root Management Group is a special entity that exists by default in every Azure Active Directory (now Microsoft Entra ID) tenant. All other Management Groups and subscriptions within that directory roll up into this root group. It is important to know that you cannot move or delete the root management group, but you can control who has access to it. It serves as the ultimate container for all policies and role-based access control (RBAC) assignments that should apply to the entire organization.
Designing Your Hierarchy
Designing your Management Group hierarchy requires careful planning. There is no one-size-fits-all approach, but most successful organizations structure their hierarchy based on one of the following criteria:
- Business Unit or Department: This is the most common approach. You might have a "Finance" management group, a "Marketing" management group, and an "Engineering" management group. This allows for clear cost center alignment.
- Environment-Based: Some organizations prefer to separate "Production," "Staging," and "Development" environments. This ensures that policies for production environments (which are often stricter) do not accidentally interfere with development workflows.
- Geography: If your organization operates in multiple countries, you may need to comply with specific data sovereignty laws. A geography-based hierarchy allows you to apply regional policies easily.
Callout: Management Groups vs. Resource Groups It is a common point of confusion to mistake Management Groups for Resource Groups. A Resource Group is a container for individual resources like VMs or web apps and exists inside a subscription. A Management Group is a container for subscriptions and exists outside of them. Think of Management Groups as the administrative "umbrella" for your subscriptions, whereas Resource Groups are the "folders" for your actual project assets.
Setting Up and Configuring Management Groups
Configuring Management Groups can be done through the Azure Portal, Azure PowerShell, or the Azure CLI. For most administrators, the Azure Portal provides the most intuitive interface for visualizing the hierarchy, while CLI tools are better for automation and infrastructure-as-code (IaC) workflows.
Creating a Management Group via the Azure Portal
- Navigate to the "Management groups" blade in the Azure Portal.
- Click on "+ Add management group."
- Provide a unique "Management group ID." This ID is permanent and cannot be changed later, so choose it wisely.
- Provide a "Management group display name," which is what you will see in the interface.
- Click "Save."
Once created, you can begin moving subscriptions into this group. You can move a subscription from the root or from another management group by selecting the subscription in the list and choosing the "Move" option.
Using Azure CLI for Management Group Operations
For teams that prefer automation, Azure CLI is a powerful tool. Here is how you might create a new management group and move a subscription into it using the CLI:
# Create a new management group
az account management-group create --name "Engineering-Dept" --display-name "Engineering Department"
# Move a subscription into the new management group
az account management-group subscription add --management-group "Engineering-Dept" --subscription "your-subscription-id-here"
Tip: Always use descriptive, standardized naming conventions for your Management Group IDs. Avoid using IDs like "MG1" or "GroupA." Instead, use "Corp-Prod-West" or "Dept-Finance-Global." This helps in scripting and identifying resources when looking at logs or audit trails.
Implementing Governance with Policies
The primary power of Management Groups lies in the ability to apply Azure Policy at scale. Azure Policy allows you to enforce rules on your resources, such as restricting the regions where resources can be deployed or requiring specific tags for cost tracking.
Applying a Policy at the Management Group Level
When you assign a policy to a Management Group, that policy automatically applies to every subscription beneath it. If you have a requirement that all storage accounts must be encrypted, you can apply this policy once at the top level of your hierarchy.
- Navigate to the "Policy" service in the Azure Portal.
- Select "Assignments" and click "Assign policy."
- Under "Scope," click the ellipsis (...) and select your Management Group.
- Select the policy definition (e.g., "Storage accounts should have encryption enabled").
- Configure the parameters and click "Review + create."
The Inheritance Model
Policies are inherited by default. If you have a policy at the Root Management Group that mandates all resources must have a "CostCenter" tag, you cannot override this at a child management group or subscription level. This "enforcement" capability is what makes Management Groups a cornerstone of enterprise security.
Warning: Be extremely cautious when applying "Deny" policies at the Root Management Group. If you accidentally deny a resource type that is required for core infrastructure (like virtual networks or key vaults), you can effectively break your entire cloud environment. Always test policies in a sandbox or development management group before promoting them to the root level.
Role-Based Access Control (RBAC) at Scale
Management Groups are not just for policies; they are also for access control. If you have a team of cloud platform engineers who need to manage infrastructure across ten different subscriptions, you don't want to assign them permissions in each subscription one by one.
Instead, you assign the "Contributor" or "Owner" role to the Management Group. By doing this, the user automatically gains those permissions across all subscriptions contained within that group. If you later add an eleventh subscription to that group, the team automatically receives access to it without any extra configuration.
Best Practices for RBAC
- Principle of Least Privilege: Only assign the minimum level of access required. If a team only needs to read resource status, assign "Reader" rather than "Contributor."
- Use Groups, Not Individuals: Always assign roles to Microsoft Entra ID groups rather than individual user accounts. This makes onboarding and offboarding much easier.
- Audit Regularly: Use the "Access control (IAM)" tab on your Management Group to periodically review who has access to your environment.
Comparison: Governance Methods
| Feature | Resource Group | Subscription | Management Group |
|---|---|---|---|
| Primary Purpose | Logical grouping of resources | Billing and limit boundary | Governance and hierarchy |
| Scope | Single project/app | Collection of resource groups | Collection of subscriptions |
| Policy Enforcement | Possible, but hard to scale | Common, but repetitive | Best for large scale |
| Access Control | Fine-grained for specific resources | Broad access to project | Broad access to many projects |
Common Pitfalls and How to Avoid Them
1. The "Too-Flat" Hierarchy
Many organizations start with a single management group under the root and dump all subscriptions there. While this works initially, it prevents you from applying different governance rules to different business units.
- The Fix: Spend time designing a hierarchy that reflects your business structure. Use the "Business Unit" approach to allow for granular policy application.
2. Over-Reliance on "Deny" Policies
As mentioned earlier, "Deny" policies are powerful but dangerous. A common mistake is creating a policy that denies resource creation in certain regions, only to realize later that a new global service requires those regions.
- The Fix: Use "Audit" policies first. An audit policy will flag non-compliant resources without actually blocking them. Once you are confident that the policy works as expected, you can switch it to "Deny."
3. Ignoring the Root Management Group
Some administrators treat the Root Management Group as a "black box" and never touch it. However, the root is the best place for organization-wide security baselines, such as enforcing multi-factor authentication (MFA) or mandating specific logging configurations.
- The Fix: Treat the Root Management Group as your "Enterprise Policy Center." Keep it clean and focused on high-level security standards that apply to everyone.
4. Lack of Documentation
Because Management Groups allow you to change settings for hundreds of subscriptions with a single click, it is very easy to lose track of why a policy was created.
- The Fix: Use the "Description" field in your policy assignments to document the purpose of the policy and the contact person for the initiative.
Practical Example: Implementing a Cost-Tracking Governance Strategy
Imagine you work for a large retail company. You have 50 subscriptions across three regions (US, Europe, Asia). Your management wants to ensure that every single resource has a "Department" tag for chargeback purposes.
Step 1: Create the Hierarchy
You create three Management Groups: Retail-US, Retail-Europe, and Retail-Asia. You move the relevant subscriptions into these groups.
Step 2: Create a Policy Definition
You create a custom policy definition that requires the "Department" tag.
{
"policyRule": {
"if": {
"field": "tags['Department']",
"exists": "false"
},
"then": {
"effect": "deny"
}
}
}
Step 3: Apply at the Top Level
You assign this policy to the Root Management Group. Now, across all 50 subscriptions, no one can create a resource unless they provide a "Department" tag. If they try, the deployment will fail, and they will receive an error message explaining that the tag is missing.
Step 4: Exception Handling
A specific project in the US region needs an exception for a legacy database that doesn't support tags. You can apply an "Exemption" at the subscription level. This allows you to maintain strict governance globally while still providing flexibility where it is genuinely needed.
Advanced Topics: Governance as Code
In modern DevOps environments, you should not be clicking through the Azure Portal to manage your governance. Instead, you should manage your Management Groups and Policies as code using tools like Terraform or Bicep.
Using Bicep for Management Groups
Bicep is a domain-specific language for deploying Azure resources. It is highly readable and perfect for managing governance structures.
targetScope = 'managementGroup'
resource engineeringMG 'Microsoft.Management/managementGroups@2021-04-01' = {
name: 'Engineering-Dept'
properties: {
displayName: 'Engineering Department'
}
}
By keeping your hierarchy defined in a Bicep file, you can version control your governance structure. If you need to add a new Management Group, you simply update the file and trigger a deployment pipeline. This ensures that your environment remains consistent and provides an audit log of every change made to your governance structure.
Note: When using Infrastructure-as-Code (IaC) to manage Management Groups, ensure that your service principal (or the identity running the pipeline) has the "User Access Administrator" role at the root level. This is required for the service to create and manage the hierarchy.
Monitoring and Compliance
Governance is not a "set it and forget it" task. You must continuously monitor the state of your environment. Azure provides the "Azure Policy Compliance" dashboard, which gives you a bird's-eye view of how well your organization is adhering to your governance rules.
Key Metrics to Watch
- Compliance Score: This is a high-level percentage of how many resources are compliant with your policies.
- Non-Compliant Resources: Drill down into this list to identify specific subscriptions or resource groups that are violating your policies.
- Policy Exemption Trends: Monitor how many exemptions are being requested. If you see a high number of exemptions, it might indicate that your policies are too rigid or that your teams need more training.
The Role of Management Groups in Security
Security is arguably the most critical reason for implementing a robust Management Group structure. By using Management Groups, you can enforce security baselines that are impossible to bypass. For example, you can ensure that all network traffic is routed through a central firewall by applying a policy that denies the creation of public IP addresses on virtual machines.
Furthermore, Management Groups allow you to integrate with Microsoft Defender for Cloud more effectively. You can enable security recommendations for an entire management group, ensuring that all subscriptions within that group are protected by the same security standards. This provides a unified security posture across the entire organization.
Industry Standards and Compliance Frameworks
Many industries, such as healthcare (HIPAA) or finance (PCI-DSS), require strict adherence to regulatory standards. Management Groups make this significantly easier. Instead of manually auditing every subscription to ensure compliance, you can assign pre-built compliance policy initiatives to a Management Group.
Azure provides "Policy Initiatives," which are collections of policies grouped together to achieve a specific goal. For example, you can assign the "ISO 27001" initiative to your production management group. Azure will then automatically audit all resources in those subscriptions against the ISO 27001 requirements and flag any deviations. This turns a months-long manual audit process into a continuous, automated check.
Common Questions (FAQ)
Q: Can a subscription belong to more than one management group? A: No. A subscription can only have one parent management group at any given time.
Q: What happens if I delete a management group? A: You cannot delete a management group if it contains active subscriptions. You must first move the subscriptions to another management group (or the root) before the management group can be deleted.
Q: Does moving a subscription to a different management group change the subscription ID? A: No. Moving a subscription only changes its location in the hierarchy. All your resources, billing data, and access configurations remain intact.
Q: Can I automate the movement of subscriptions? A: Yes, you can use Azure CLI or PowerShell to automate the movement of subscriptions, which is useful when re-organizing your environment or onboarding new business units.
Q: Are there limits on how many management groups I can have? A: Yes, there are limits on the depth of the hierarchy (up to 6 levels, excluding the root) and the total number of management groups. Always check the official Azure subscription limits documentation for the most current numbers.
Summary and Key Takeaways
Configuring Management Groups is one of the most impactful actions you can take to bring order to a sprawling Azure environment. By moving away from a flat, subscription-centric management style and adopting a hierarchical approach, you gain the ability to govern your cloud resources at scale.
Here are the key takeaways from this lesson:
- Hierarchy is Essential: Organize your Management Groups based on business needs, such as department, environment, or geography, to create a clear and manageable structure.
- Inheritance is Your Best Friend: Use the inheritance model of policies to apply security and compliance rules once at the top level, ensuring they propagate automatically to all child subscriptions.
- Start with Audit, Move to Deny: Always test your policies in "Audit" mode before switching to "Deny" to avoid accidentally breaking production applications.
- Use Infrastructure-as-Code: Manage your Management Group hierarchy and policy assignments using tools like Bicep or Terraform to ensure version control and repeatability.
- Focus on the Root: The Root Management Group is your enterprise governance center. Use it to enforce organization-wide standards that should never be bypassed.
- Monitor Constantly: Governance is a continuous process. Use the Azure Policy compliance dashboard to identify gaps and adjust your policies as your business evolves.
- Least Privilege: Use Management Groups to assign roles at scale, but always adhere to the principle of least privilege, ensuring teams have only the access they need to perform their jobs.
By mastering Management Groups, you move from being a reactive administrator to a proactive governor of your cloud environment. This structured approach not only makes your job easier but also significantly lowers the risk profile of your organization, ensuring that your cloud journey is both secure and scalable.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons