If your organization has many Azure subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Management groups provide a governance scope above subscriptions. You organize subscriptions into management groups the governance conditions you apply cascade by inheritance to all associated subscriptions.
Management groups give you enterprise-grade management at scale no matter what type of subscriptions you might have. However, all subscriptions within a single management group must trust the same Azure Active Directory (Azure AD) tenant.
Hierarchy of management groups and subscriptions
You can build a flexible structure of management groups and subscriptions to organize your resources into a hierarchy for unified policy and access management. The following diagram shows an example of creating a hierarchy for governance using management groups.
Diagram of a root management group holding both management groups and subscriptions. Some child management groups hold management groups, some hold subscriptions, and some hold both. One of the examples in the sample hierarchy is four levels of management groups with the child level being all subscriptions.
You can create a hierarchy that applies a policy, for example, which limits VM locations to the West US region in the management group called "Production". This policy will inherit onto all the Enterprise Agreement (EA) subscriptions that are descendants of that management group and will apply to all VMs under those subscriptions. This security policy cannot be altered by the resource or subscription owner allowing for improved governance.
Important facts about management Groups
10,000 management groups can be supported in a single directory.
A management group tree can support up to six levels of depth.
o This limit doesn't include the Root level or the subscription level.
Each management group and subscription can only support one parent.
Each management group can have many children.
All subscriptions and management groups are within a single hierarchy in each directory.
Root management group for each directory
Each directory is given a single top-level management group called the root management group. The root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level. The Azure AD Global Administrator needs to elevate themselves to the User Access Administrator role of this root group initially. After elevating access, the administrator can assign any Azure role to other directory users or groups to manage the hierarchy. As administrator, you can assign your own account as owner of the root management group.
Important facts about the root management Group
By default, the root management group's display name is Tenant root group and operates itself as a management group. The ID is the same value as the Azure Active Directory (Azure AD) tenant ID.
To change the display name, your account must be assigned the Owner or Contributor role on the root management group.
The root management group can't be moved or deleted, unlike other management groups.
All subscriptions and management groups fold up to the one root management group within the directory.
o All resources in the directory fold up to the root management group for global management.
o new subscriptions are automatically defaulted to the root management group when created.
All Azure customers can see the root management group, but not all customers have access to manage that root management group.
o Everyone who has access to a subscription can see the context of where that subscription is in the hierarchy.
o No one is given default access to the root management group. Azure AD Global Administrators are the only users that can elevate themselves to gain access. Once they have access to the root management group, the global administrators can assign any Azure role to other users to manage it.
Limitations
There are limitations that exist when using custom roles on management groups.
You can only define one management group in the assignable scopes of a new role. This limitation is in place to reduce the number of situations where role definitions and role assignments are disconnected. This situation happens when a subscription or management group with a role assignment moves to a different parent that doesn't have the role definition.
Resource provider data plane actions can't be defined in management group custom roles. This restriction is in place as there's a latency issue with updating the data plane resource providers. This latency issue is being worked on and these actions will be disabled from the role definition to reduce any risks.
The Azure Resource Manager doesn't validate the management group's existence in the role definition's assignable scope. If there's a typo or an incorrect management group ID listed, the role definition is still created.
Role assignment of a role with dataActions isn't supported. Create the role assignment at the subscription scope instead.
Moving management groups and subscriptions
To move a management group or subscription to be a child of another management group, three rules need to be evaluated as true.
If you're doing the move action, you need:
Management group write and role assignment write permissions on the child subscription or management group.
o Built-in role example: Owner
Management group write access on the target parent management group.
o Built-in role example: Owner, Contributor, Management Group Contributor
Management group write access on the existing parent management group.
o Built-in role example: Owner, Contributor, Management Group Contributor