Management groups are the primary way to organize Azure subscriptions for governance and policy.
Here’s a quick look at how they work in practice. Imagine you have a few subscriptions: one for "Production," another for "Development," and a third for "Shared Services."
Root (Tenant Root Group)
├── Production (Management Group)
│   ├── App A (Subscription)
│   └── App B (Subscription)
├── Development (Management Group)
│   ├── Dev Env (Subscription)
│   └── Test Env (Subscription)
└── Shared Services (Management Group)
    └── Networking (Subscription)
This hierarchy allows you to apply policies and access controls at a higher level, and have them automatically inherit down to the subscriptions. For instance, you could enforce a policy that all virtual machines must have disk encryption enabled. Apply this policy to the "Production" management group, and it will apply to both "App A" and "App B" subscriptions without you needing to configure it individually for each.
The core problem management groups solve is the administrative overhead of managing policies, access, and compliance across a growing number of Azure subscriptions. Without them, you’d be repeating configuration tasks endlessly. They provide a structured, hierarchical way to group subscriptions, enabling consistent governance at scale.
Internally, Azure management groups are part of the Azure Resource Manager (ARM) control plane. When you assign a policy or role-based access control (RBAC) role to a management group, ARM traverses the hierarchy. It identifies all the subscriptions that are descendants of that management group and applies the assignment to them. The inheritance is additive; a policy assigned at the root level applies to all management groups and subscriptions beneath it. You can also assign policies or RBAC at lower levels to override or refine inherited settings for specific groups of subscriptions.
The primary levers you control are:
- Hierarchy: How you structure your management groups. This is crucial for reflecting your organizational structure or compliance boundaries.
- Assignments: Applying policies, RBAC roles, and resource locks to management groups.
- Scope: Understanding that assignments at a higher level flow down to lower levels.
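The traversal described above can be modelled in a few dozen lines, which makes it easy to reason about what is actually in force at a given subscription. The following is an added example, not Azure's or Microsoft's code: a toy resolver that walks a child-to-parent map mirroring the diagram, collects every assignment made at a scope or one of its ancestors, honours a policy assignment's excluded sub-scopes, and then audits which subscriptions are missing a policy you expected to be inherited. The hierarchy, subscription IDs, assignment names and the "TenantRoot" group name are constructed samples (the real tenant root group is named after the tenant ID); the scope strings follow the resource-ID forms the article quotes.

```python
"""Toy model of how ARM resolves management-group inheritance.

Added example; not Azure's or Microsoft's code. Scope strings follow the
resource-ID forms the article quotes. The hierarchy, subscription IDs,
assignment names and the "TenantRoot" group name are constructed samples
(the real tenant root group's name is the tenant ID).
"""
from dataclasses import dataclass
from typing import Iterator, List, Tuple

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
SUB_PREFIX = "/subscriptions/"
ROOT = MG_PREFIX + "TenantRoot"  # placeholder name for the tenant root group

# Constructed child -> parent map mirroring the article's diagram.
PARENT = {
    MG_PREFIX + "Production": ROOT,
    MG_PREFIX + "Development": ROOT,
    MG_PREFIX + "SharedServices": ROOT,
    SUB_PREFIX + "app-a-0001": MG_PREFIX + "Production",
    SUB_PREFIX + "app-b-0002": MG_PREFIX + "Production",
    SUB_PREFIX + "dev-env-0003": MG_PREFIX + "Development",
    SUB_PREFIX + "test-env-0004": MG_PREFIX + "Development",
    SUB_PREFIX + "networking-0005": MG_PREFIX + "SharedServices",
}


@dataclass(frozen=True)
class Assignment:
    name: str
    kind: str                         # "policy" or "role"
    scope: str                        # scope the assignment was created at
    not_scopes: Tuple[str, ...] = ()  # policy assignments only: excluded sub-scopes


def ancestors(scope: str) -> Iterator[str]:
    """Yield `scope` itself, then each parent up to the tenant root."""
    while scope is not None:
        yield scope
        scope = PARENT.get(scope)


def descendant_subscriptions(scope: str) -> List[str]:
    """Subscriptions under `scope`: the set ARM enumerates when an assignment is created there."""
    return sorted(s for s in PARENT
                  if s.startswith(SUB_PREFIX) and scope in list(ancestors(s))[1:])


def effective_assignments(scope: str, assignments: List[Assignment]) -> List[Assignment]:
    """Assignments in force at `scope`: made at it or any ancestor, minus excluded sub-scopes.

    Inheritance is additive: nothing a child does removes a parent's assignment;
    only an exclusion recorded on the assignment itself carves a branch out.
    """
    chain = list(ancestors(scope))
    in_force = []
    for a in assignments:
        if a.scope not in chain:
            continue  # created elsewhere in the tree; does not reach this scope
        if any(ns in chain for ns in a.not_scopes):
            continue  # this scope, or one of its ancestors, is excluded
        in_force.append(a)
    return in_force


def uncovered_subscriptions(policy_name: str, assignments: List[Assignment]) -> List[str]:
    """Audit helper: subscriptions where a policy we expect to be in force is not."""
    return [s for s in descendant_subscriptions(ROOT)
            if not any(a.kind == "policy" and a.name == policy_name
                       for a in effective_assignments(s, assignments))]


# Constructed sample assignments: the article's disk-encryption policy on
# Production, a tagging policy at the root that excludes Shared Services,
# and a Reader role at the root.
SAMPLE = [
    Assignment("Require-Disk-Encryption", "policy", MG_PREFIX + "Production"),
    Assignment("Append-Tags", "policy", ROOT, not_scopes=(MG_PREFIX + "SharedServices",)),
    Assignment("Reader", "role", ROOT),
]

if __name__ == "__main__":
    for sub in descendant_subscriptions(ROOT):
        names = [a.name for a in effective_assignments(sub, SAMPLE)]
        print(f"{sub}: {names}")
    print("missing disk-encryption policy:",
          uncovered_subscriptions("Require-Disk-Encryption", SAMPLE))
```

Running it shows the disk-encryption policy reaching only App A and App B, the tagging policy reaching every subscription except Networking (the excluded Shared Services branch), and the audit listing the three subscriptions the disk-encryption policy never reaches. The same resolver works for any depth of nesting, since it only walks parent links; what it deliberately does not model is the precedence between overlapping policy effects, which the article defers to a later discussion.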
The Azure CLI (az) can be used to manage management groups. To create a new management group named "Marketing" under the tenant root group:
az account management-group create --name Marketing
When --parent is omitted, the new group is placed directly under the tenant root group; pass --parent with an existing group's name to nest it elsewhere.
To assign a built-in policy, like "Append tags to resources," to the "Marketing" management group:
# First, find the policy definition ID (the display name must match exactly)
POLICY_ID=$(az policy definition list --query "[?displayName=='Append tags to resources'].id" -o tsv)
[ -n "$POLICY_ID" ] || { echo "policy definition not found" >&2; exit 1; }
# Then, assign it at the management-group scope
az policy assignment create --name "Append-Tags-Marketing" --display-name "Append tags to marketing resources" \
  --scope "/providers/Microsoft.Management/managementGroups/Marketing" --policy "$POLICY_ID" \
  --params '{"tagName":{"value":"CostCenter"}, "tagValue":{"value":"Marketing"}}'
This command assigns the policy to the "Marketing" management group, and all subscriptions within it will inherit this policy. The --params argument provides the specific values for the policy’s parameters, in this case, ensuring that resources within the "Marketing" management group get a CostCenter tag with the value Marketing.
The most surprising thing about management groups is how deeply the hierarchy can be nested, and how granularly you can apply assignments. You can have dozens of levels, and while it’s generally advised to keep it flatter for manageability, the technical capability allows for very intricate governance models. This often leads people to over-simplify their initial structure. Later, as their needs grow, they find that a specific policy must apply to a narrowly defined subset of subscriptions that aren’t conveniently grouped, and they have to refactor the hierarchy.
Understanding the nuances of exclusion and precedence in policy assignments across different levels is the next crucial step.