Subscription And Management

Azure management groups

For your subscriptions, Azure management groups help you efficiently manage:

  • Access

  • Policies

  • Compliance

Each management group contains one or more subscriptions.

Azure arranges management groups in a single hierarchy. You define this hierarchy in your Azure Active Directory (Azure AD) tenant to align with your organization's structure and needs. The top level is called the root management group. You can define up to six levels of management groups in your hierarchy. A subscription will be a direct member of only one management group.

Azure provides four levels of management scope:

  • Management groups

  • Subscriptions

  • Resource groups

  • Resources

If you apply any access or policy at one level in the hierarchy, it propagates down to the lower levels. A resource owner or subscription owner can't alter an inherited policy. This limitation helps improve governance.

This inheritance model lets you arrange the subscriptions in your hierarchy, so each subscription follows appropriate policies and security controls.

Any access or policy assignment on the root management group applies to all resources in the directory. Carefully consider which items you define at this scope. Include only the assignments you must have.

Create your management group hierarchy

When you define your management group hierarchy, first create the root management group. Then move all existing subscriptions in the directory into the root management group. New subscriptions always go into the root management group initially. Later, you can move them to another management group.

What happens when you move a subscription to an existing management group? The subscription inherits the policies and role assignments from the management group hierarchy above it. Create separate subscriptions for your Azure workloads, and additional subscriptions to hold the Azure services that several workload subscriptions share.
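The inheritance and placement rules above (assignments flow down the tree, inherited assignments cannot be altered at a lower scope, at most six levels of management groups below the root, a subscription has exactly one parent, and new subscriptions start in the root before being moved) are easy to get wrong when planning a hierarchy. The following is an added example, not code from this post or from Microsoft: a small in-memory model of the hierarchy in which the Scope class, the sample group names and the sample assignments are all assumptions made for the illustration.

```python
"""Model of management-group inheritance (added example; not Microsoft tooling or the post's own code).

Scopes form one tree under the root management group. An assignment made at a scope
applies to every scope beneath it, and an owner lower in the tree cannot remove what
was inherited. The tree is constrained: at most six levels of management groups below
the root, and every subscription is a direct member of exactly one management group.
The Scope class, the names and the sample hierarchy are assumptions made for this example.
"""

MAX_MG_DEPTH = 6  # management-group levels allowed below the root


class Scope:
    """A node in the resource hierarchy: a management group ("mg") or a subscription ("subscription")."""

    def __init__(self, name, kind, parent=None):
        self.name = name
        self.kind = kind
        self.parent = None
        self.children = []
        self.assignments = []  # (kind, name, scope_name) tuples made directly at this scope
        if parent is not None:
            parent.add_child(self)

    def mg_depth(self):
        """Levels below the root management group (the root itself is 0)."""
        depth, node = 0, self
        while node.parent is not None:
            depth, node = depth + 1, node.parent
        return depth

    def validate_child(self, child):
        """Reason why child cannot be placed under this scope, or None if it can."""
        if child.parent is not None:
            return f"{child.name} already belongs to {child.parent.name}; a scope has one parent only"
        if self.kind != "mg":
            return "only a management group can contain management groups or subscriptions"
        if child.kind == "mg" and self.mg_depth() + 1 > MAX_MG_DEPTH:
            return f"placing {child.name} here would exceed {MAX_MG_DEPTH} levels below the root"
        return None

    def add_child(self, child):
        problem = self.validate_child(child)
        if problem:
            raise ValueError(problem)
        child.parent = self
        self.children.append(child)

    def move_to(self, new_parent):
        """Re-parent a subscription (or management group); the root itself cannot move."""
        if self.parent is None:
            raise ValueError("the root management group cannot be moved")
        self.parent.children.remove(self)
        self.parent = None
        new_parent.add_child(self)

    def assign(self, kind, name):
        """Make a policy or role assignment directly at this scope."""
        self.assignments.append((kind, name, self.name))

    def effective_assignments(self):
        """Assignments in force here: inherited ones first (root downward), then this scope's own."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return [a for scope in reversed(chain) for a in scope.assignments]

    def can_alter(self, kind, name):
        """True only if the assignment was made at this scope; inherited ones are read-only here."""
        return any(a[0] == kind and a[1] == name for a in self.assignments)


def build_sample_hierarchy():
    """Constructed sample: production and nonproduction groups with different developer roles."""
    root = Scope("Tenant Root Group", "mg")
    root.assign("policy", "Allowed locations")             # applies to everything in the directory
    nonprod = Scope("NonProd", "mg", root)
    nonprod.assign("role", "Contributor:developers")
    prod = Scope("Prod", "mg", root)
    prod.assign("role", "Reader:developers")
    sub = Scope("sub-payments-dev", "subscription", root)  # new subscriptions start in the root
    sub.move_to(nonprod)                                   # then get moved under the right group
    return root, nonprod, prod, sub


if __name__ == "__main__":
    _, _, _, sub = build_sample_hierarchy()
    for kind, name, origin in sub.effective_assignments():
        print(f"{sub.name}: {kind} '{name}' in force, assigned at {origin}")
```

Running the module shows that the moved subscription picks up the root's policy and the NonProd role assignment while `can_alter` refuses to treat the inherited policy as editable at the subscription, which is exactly the governance property the inheritance model is meant to guarantee.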

Example use cases

Some basic examples of using management groups to separate different workloads include:

Production versus nonproduction workloads: Use management groups to more easily manage different roles and policies between production and nonproduction subscriptions. For example, developers might have contributor access in nonproduction subscriptions, but only reader access in production subscriptions.

Internal services versus external services: Enterprises often have different requirements, policies, and roles for internal services versus external customer-facing services.

How to protect your resource hierarchy

Your resources, resource groups, subscriptions, management groups, and tenants collectively make up your resource hierarchy. Settings at the root management group, such as Azure custom roles or Azure Policy policy assignments, can impact every resource in your resource hierarchy. It's important to protect the resource hierarchy from changes that could negatively impact all resources.

Management groups now have hierarchy settings that enable the tenant administrator to control these behaviors. This article covers each of the available hierarchy settings and how to set them.

Azure RBAC permissions for hierarchy settings

Configuring any of the hierarchy settings requires the following two resource provider operations on the root management group:

  • Microsoft.Management/managementGroups/settings/write

  • Microsoft.Management/managementGroups/settings/read

These operations only allow a user to read and update the hierarchy settings. The operations don't provide any other access to the management group hierarchy or resources in the hierarchy. Both of these operations are available in the Azure built-in role Hierarchy Settings Administrator.

Set default management group in portal

To configure this setting in the Azure portal, follow these steps:

  1. Use the search bar to search for and select 'Management groups'.

  2. On the root management group, select details next to the name of the management group.

  3. Under Settings, select Hierarchy settings.

  4. Select the Change default management group button.

  5. Select a management group from your hierarchy and use the Select button.

Setting - Require authorization

By default, any user can create new management groups within a tenant. Tenant admins may wish to grant this permission only to specific users, to maintain consistency and conformity in the management group hierarchy. When this setting is enabled, a user needs the Microsoft.Management/managementGroups/write operation on the root management group to create new child management groups.

Set require authorization in the portal

To configure this setting in the Azure portal, follow these steps:

  1. Use the search bar to search for and select 'Management groups'.

  2. On the root management group, select details next to the name of the management group.

  3. Under Settings, select Hierarchy settings.

  4. Toggle the Required permissions for creating new management groups option to on.
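The two portal procedures above (default management group and require authorization) and the RBAC section before them describe settings that a defender also wants to verify programmatically, for example from a periodic audit job. The following is an added example, not code from this post, from Microsoft's SDKs or from the Azure CLI: it builds the REST request that configures both hierarchy settings on the root, audits a settings document for the weak default state, and checks whether a role definition grants the two settings operations. The REST route and body shape are assumed to follow the public Management Groups API at api-version 2020-05-01, and every sample document in the block is constructed for the illustration rather than captured from a tenant.

```python
"""Hierarchy-settings helpers (added example; not Microsoft's SDK or the post's own code).

Covers the two settings described above: the default management group for new
subscriptions and "require authorization" for creating management groups. It builds
the REST request that configures them, audits a settings document for the weak
(default) state, and checks whether a role definition grants the two operations
needed to change the settings. Assumptions: the route and body shape follow the
public Management Groups REST API (api-version 2020-05-01); every sample document
below is constructed for this example, not captured from a tenant.
"""
import json
from fnmatch import fnmatch

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
SETTINGS_OPERATIONS = (
    "Microsoft.Management/managementGroups/settings/write",
    "Microsoft.Management/managementGroups/settings/read",
)


def hierarchy_settings_request(root_mg_id, default_mg_id, require_authorization=True):
    """Return (method, url, body) for the PUT that sets both hierarchy settings on the root."""
    url = (f"https://management.azure.com{MG_PREFIX}{root_mg_id}"
           "/settings/default?api-version=2020-05-01")
    body = {"properties": {
        "defaultManagementGroup": MG_PREFIX + default_mg_id,
        "requireAuthorizationForGroupCreation": require_authorization,
    }}
    return "PUT", url, json.dumps(body)


def audit_hierarchy_settings(settings, root_mg_id):
    """Findings for a hierarchy-settings document; an empty list means both settings are hardened."""
    props = settings.get("properties", {})
    findings = []
    if not props.get("requireAuthorizationForGroupCreation", False):
        findings.append("any user can create management groups "
                        "(requireAuthorizationForGroupCreation is off or absent)")
    default_mg = props.get("defaultManagementGroup") or ""
    if default_mg.rstrip("/").rsplit("/", 1)[-1].lower() in ("", root_mg_id.lower()):
        findings.append("new subscriptions land in the root management group "
                        "(defaultManagementGroup is absent or is the root)")
    return findings


def role_allows(actions, not_actions, operation):
    """Azure RBAC evaluation for one permission block: an Actions pattern must match
    and no NotActions pattern may match; '*' in a pattern matches any characters."""
    op = operation.lower()

    def hit(patterns):
        return any(fnmatch(op, p.lower()) for p in patterns)

    return hit(actions) and not hit(not_actions)


def can_configure_hierarchy_settings(role_definition):
    """True if every settings operation is granted by some permission block of the role."""
    blocks = role_definition["properties"]["permissions"]
    return all(
        any(role_allows(b.get("actions", []), b.get("notActions", []), op) for b in blocks)
        for op in SETTINGS_OPERATIONS
    )


# Constructed samples shaped like the REST documents (not captured from a real tenant).
SAMPLE_UNCONFIGURED_SETTINGS = {"properties": {}}  # a tenant that never touched the settings
SAMPLE_HARDENED_SETTINGS = {"properties": {
    "defaultManagementGroup": MG_PREFIX + "Landing-Zones",
    "requireAuthorizationForGroupCreation": True,
}}
SAMPLE_SETTINGS_ADMIN_ROLE = {"properties": {
    "roleName": "Hierarchy Settings Administrator",
    "permissions": [{"actions": list(SETTINGS_OPERATIONS), "notActions": []}],
}}
SAMPLE_READER_ROLE = {"properties": {
    "roleName": "Reader",
    "permissions": [{"actions": ["*/read"], "notActions": []}],
}}


if __name__ == "__main__":
    method, url, body = hierarchy_settings_request("TENANT-ROOT-ID", "Landing-Zones")
    print(method, url, body)
    for label, doc in (("unconfigured", SAMPLE_UNCONFIGURED_SETTINGS),
                       ("hardened", SAMPLE_HARDENED_SETTINGS)):
        print(label, audit_hierarchy_settings(doc, "TENANT-ROOT-ID") or ["no findings"])
    for role in (SAMPLE_SETTINGS_ADMIN_ROLE, SAMPLE_READER_ROLE):
        print(role["properties"]["roleName"], can_configure_hierarchy_settings(role))
```

The audit treats a missing setting the same as the weak value, because a tenant that has never opened Hierarchy settings has neither property set and is therefore in the state the post warns about: anyone can create groups, and new subscriptions land in the root. The role check models the Actions/NotActions matching so that a broad `*` grant is recognised as sufficient while `*/read` (Reader) correctly is not.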
