Microsoft Announces General Availability of Azure Management Groups

Microsoft has announced the general availability of Azure management groups, which provide the ability to organize and apply governance to all subscriptions in a management group. Azure management groups do this by implementing centralized management of Azure policies, role-based access control and more.

All three major cloud providers now offer a way to group subscriptions. Amazon does this with AWS Organizations, Google uses the Resource Manager hierarchy, and Microsoft has now introduced Azure management groups. In all cases, the vendors claim that these grouping services help implement overall access control, improve security and compliance through organization-wide policies, and give better visibility and maintainability of cloud consumption. This release of Azure management groups gives the option to group all kinds of subscriptions, including Enterprise Agreement, Pay-As-You-Go, and Certified Solution Partner.


Organizations can now apply governance and compliance rules at all levels within the management group, which consequently get inherited by all subscriptions in the hierarchy under the specific group. One of these is setting Azure policies, which enforce rules and effects on Azure resources, like permitting only a subset of SKUs for virtual machines or conforming to a naming standard. Another option of Azure management groups is implementing access management over multiple subscriptions using role-based access control (RBAC).

Policies and rules defined in a management group cannot be overridden at a lower level in the hierarchy, therefore giving strict guidance over the subscriptions. Some essential restrictions should be adhered to when working with Azure management groups:

  • A single directory supports a maximum of 10000 management groups.
  • The management group tree can support up to eight levels of depth, which includes the root level and subscriptions level.
  • A management group can have multiple children; however, subscriptions and management groups can only have a single parent.
  • The subscriptions and management groups are all part of a single hierarchy in each directory.
  • Custom RBAC roles are currently not supported on management groups.

Implementation of Azure management groups starts with creating a management group, for which Benoit Hamet created a step-by-step overview. The implementation process will construct the root management group and then move all existing subscriptions here. After creation of a management group, the directory administrator must elevate themselves as the owner of the group. Subsequently, additional management groups can be added to build up the complete hierarchy tree. To place a group on another level in the hierarchy it needs to be made a child of another management group. The same goes for subscriptions, by moving these between the groups. Accordingly, repositioning subscriptions or management groups within the hierarchy allows the re-use of governance controls, as these will then inherit rules and policies of the parent management group.
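The inheritance and hierarchy restrictions described above, modeled offline as an added example (not code from the article or from Microsoft). Class, method and policy names are hypothetical, and the depth check simply rejects any node that would sit below level eight.

```python
# Added example: offline model of a management group tree, no Azure API calls.
MAX_GROUPS = 10000  # management groups per directory (from the list above)
MAX_LEVELS = 8      # depth, counting the root level and the subscriptions level

class Hierarchy:
    def __init__(self, root="root"):
        self.parent = {root: None}     # every node has exactly one parent
        self.kind = {root: "group"}    # "group" or "subscription"
        self.assigned = {root: set()}  # policies assigned directly on a node

    def path(self, node):
        """Nodes from the root down to node, inclusive."""
        up = self.parent[node]
        return (self.path(up) if up is not None else []) + [node]

    def place(self, node, parent, kind="group"):
        """Create node under parent, or move it (with its subtree) there."""
        if self.kind.get(parent) != "group":
            raise ValueError(f"{parent!r} is not an existing management group")
        exists = node in self.parent
        moved = [n for n in self.parent if node in self.path(n)] if exists else []
        if parent in moved:
            raise ValueError("cannot move a group under itself or a descendant")
        groups = sum(k == "group" for k in self.kind.values())
        if not exists and kind == "group" and groups >= MAX_GROUPS:
            raise ValueError("directory already holds the maximum number of groups")
        # Levels the moved subtree occupies, counted from node itself (1 if new).
        base = len(self.path(node)) if exists else 1
        height = max([len(self.path(n)) - base + 1 for n in moved] or [1])
        if len(self.path(parent)) + height > MAX_LEVELS:
            raise ValueError(f"placement would exceed {MAX_LEVELS} levels")
        self.parent[node] = parent
        self.kind.setdefault(node, kind)
        self.assigned.setdefault(node, set())

    def effective(self, node):
        """Policies in force at node: its own plus everything inherited."""
        return sorted(set().union(*(self.assigned[n] for n in self.path(node))))

def demo():
    """Constructed tenant: move a subscription and watch its policies change."""
    h = Hierarchy()
    h.assigned["root"].add("naming-standard")
    h.place("prod", "root")
    h.assigned["prod"].add("allowed-vm-skus")
    h.place("sub-a", "root", kind="subscription")
    before = h.effective("sub-a")
    h.place("sub-a", "prod")  # reposition: now inherits prod's policy as well
    return before, h.effective("sub-a")
```

Running a planned hierarchy through a model like this before deployment shows which subscriptions pick up which policies after a move, and flags placements that would break the depth or parent rules.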

According to Aidan Finn, Azure expert and Microsoft MVP, Azure management groups will help improve governance and compliance for organizations with many subscriptions.

If you have a complex organisation with lots of subscriptions in a single tenant, then management groups will be of huge value for setting up your RBAC model and Azure Policy governance at the organisational and subscription levels.
