Azure Management Group

Author: Sakaldeep

February 18, 2019

The Azure management group is one more good step towards azure resource governance. It creates a hierarchical structure based on business division, geographic location, or function which gives more control in applying policy and compliance. It is very helpful in multiple subscriptions environment. It is very similar to the organizational unit (OU) in Microsoft Active Directory. We create OU structure to apply group policy based on the department or based on any other required structure. Azure management group gives us the same experience for the Azure subscription to apply policy and compliance. Applied group policy for the OU gets reflected on Active Directory’s objects such as user and computer account where applied policy for the management group get reflected on the resources of the subscription under that management group.

Let’s understand the need of management group by this example. Suppose, we don’t want to allow anyone to provision resource without a tag. In this case, create management group hierarchy and apply the policy at the root level. All the subscription will inherit the policy from the root management group. Another example, we want all the VMs for the Dev&Test environment should be provisioned on the West Europe region only. In this case, apply the policy to the management group which contains all the Dev&Test subscriptions.  The policy will be inherited by the subscriptions under the Dev&Test management group only. If anyone creates any resource in other than West Europe for Dev&Test then it will fail. One more example, we want the VM size for Dev&Test environment should be DS3_V2 only then it can be achieved easily by applying the policy to the Dev&Test management group.

Another use case of management group is to assign role-based access control (RBAC). The subscription will inherit the user access according to the management group. Here, we are going to have a quick look at how to create a management group and assign subscriptions to it. We will create two management group Production Environment and Dev&Test for this demonstration. Root level management will be created automatically once we create the first management group in the directory.

Creating Management Groups

  1. Click All Services and search for Management groups, and click on it. In the new window click on Add management group.

2. Select Create new and specify the following parameters and click on Save.

  • Management group ID: ProductionEnvironment
  • Management group display name: Production Environment

Repeat the above step to create Dev&Test management group.

3. After that, we need to move the subscription to the desired management group. Here, I am moving the Microsoft Azure Sponsorship subscription to the Production Environment management group.  Click on Move as highlighted.

4. Select Production Environment from the drop-down list and click on Save.

Repeat the above step to move other subscription to the desired management group.

5. Click on Production Environment management group and we can see all the subscription under it. We can also find all the applied policies for the management group by clicking on Policies if there is any.

For enterprise scaffold and best practices refer to Microsoft Documentation. Implementation of the Azure management group and policy will help in mitigating security risk and achieving the organization’s mission.

Total visits : 585