top of page
  • Writer's picturevP

Azure management groups

We talked a little bit about management groups in the previous post. Management groups are nothing but a logical entity and it give a grouping of subscriptions and even other management groups. This is helpful if your company has numerous subscriptions and you want to apply and manage policies, access, and compliance on scope outside of the subscription.


In this post, lets discuss more about the Management Groups.


For unified policy and access control, you can design a flexible structure of management groups and subscriptions to arrange your resources into a hierarchy. A management group-based hierarchy for governance is demonstrated in the diagram below.

Image Courtesy - Microsoft

The Root Management Group created by default for each directory. All of your other management groups and subscriptions are formed here and are located here in order to give the structure a correct hierarchy. All newly created subscriptions initially sit here alone and may later be transferred to the appropriate Management Group.


You can create upto 10,000 management groups in a single directory. A management group tree can support up to six levels of depth excluding root level.


Also, Each management group and subscription can only support one parent but can have multiple children.


Important facts about the root management group -

- By default, the root management group's display name is Tenant root group and operates itself as a management group. The ID is the same value as the Azure Active Directory (Azure AD) tenant ID.


- To change the display name, your account must be assigned the Owner or Contributor role on the root management group.


- Unlike other management groups, the root management group can't be moved or deleted.


- All Azure customers can see the root management group, but not all customers have access to manage that root management group.


Management group access -

Azure management groups support Azure role-based access control (Azure RBAC) for all resource accesses and role definitions. These permissions are inherited to child resources that exist in the hierarchy.


The set of roles and the supported actions for management groups are displayed in the chart below.

Image Courtesy - Microsoft

I hope this has helped to clarify the ideas behind management groups a little bit.


Thank you for reading!


*** Explore | Share | Grow ***

6 views0 comments

Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page