Once you have set up your first subscription, you can set up your Management Group.
In Azure, management groups are a way to group your subscriptions. When you apply policies and governance to your management group, all of the subscriptions within a management group automatically inherit the conditions applied. Enterprises want management groups as a way to scale your operations no matter how many subscriptions you may have.
For example, you may want to restrict the regions available for your resources to those within a particular region. A policy that reflects that can be applied to a management group and will automatically be applied to all management groups, all subscriptions, and all resources under that management group.
IMPORTANT: All subscriptions within a single management group must trust the same Azure Active Directory tenant.
Managing Policies and Role Base Access Controls at scale
As an enterprise admin, you will need to manage multiple subscriptions. And you will want to be able to show how each subscription meets the goals of your compliance. There are two tools that help you manage these in Azure.
- Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Use Policies to impplement governance for resource consistency, regulatory compliance, security, cost, and management.
- Azure role-based access control is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.
Each of these can be deployed in management group and automatically inherited by the subscriptions and resources.
In addition, you can apply resource templates to management groups.
Each Azure Active Directory directory is given a single top-level management group called the “Root” management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it.
You can create a heirarchy that you can apply a policy, for example the regions in available for resources. This policy will inherit onto all the subscriptions that are descendants of that management group and will apply to all VMs under those subscriptions.
You can slso use management groups is to provide user access to multiple subscriptions. By moving multiple subscriptions under that management group, you can create one role-based access control (RBAC) assignment on the management group.
The following illustration shows a simple heirarchy with policies applied to the Root Management Group and others.
Create a management group
The Azure AD Global Administrator needs to elevate themselves to the User Access Administrator role of this root group initially. After elevating access, the administrator can assign any RBAC role to other directory users or groups to manage the hierarchy. As administrator, you can assign your own account as owner of the root management group.
The documentation shows how you can set up a Management Group using the portal, PowerShell, and the Azure CLI.
Sample PowerShell cmdlet to set up your Azure management groups
You may want to use scripts so you can support subscriptions and resources using your management groups at scale that support a consistent naming convention. The following code creates a root management group.
Next, use the root management group to create a new sub group for developers. The following code shows how you can create a subgroup.
Finally, use the following code to set the subscription to your subgroup.
You have now created a management group, a sub-management group and and assigned the subscription to the sub-management group.
In our next post, you will learn how to create policies that you want to apply to all the subscriptions in your management group using Azure Blueprints.
You will want to learn more about:
- Azure Policy built-in policy that you can apply to your management group
- Azure built-in roles that provide a good starting point to assign to users, groups, service principals, and managed identities.
- Azure Blueprints that provide sets of pre-built policies, role based access controls, and Rsource Manager templates that you can apply to a management group to support specific compliance initiatives, such as ISO, PCI, NIST and many others.