Monday , January 30 2023

Azure Management Group

Azure Management Group, which was made publicly available by Microsoft in July 2018, helps you manage your Azure subscriptions by grouping them together.

if you have a large number of subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions.

Azure management groups provide a level of coverage above subscriptions.

All subscriptions within a management group automatically inherit the controls applied to the management group.

Whether you have an Enterprise Agreement, Certified Solution Partner, Pay as you Go, or other subscription, this service provides enterprise-level management at scale to all Azure customers at no additional cost.

Management groups not only allow you to group subscriptions, but also group other management groups to create a hierarchy.

The following diagram shows an example of creating a hierarchy for management using management groups.

Because the Policy you apply is inherited from the subscriptions from the management group, this security policy cannot be changed by the resource or subscription owner to allow for enhanced management.

By using management groups, you can reduce your workload and reduce the risk of errors by avoiding duplicate assignments.

Instead of applying multiple assignments across multiple resources and subscriptions, you can apply a single assignment to a single management group containing target resources.

This will save time in the implementation of assignments, create a point for maintenance, and allow better controls over who can control the assignment.

Another scenario where you would use administrative groups is to provide user access to multiple subscriptions.

By moving multiple subscriptions under this management group, you have the ability to create an RBAC assignment that will inherit this access to all subscriptions in the management group.

Without the need to script RBAC assignments across multiple subscriptions, an assignment in the management group can give users access to everything they need.

I recommend keeping the management group hierarchy reasonably simple.

Ideally you should not create more than three or four levels.

Managing a hierarchy with many levels will be difficult.

However, 10,000 management groups can be supported in a single directory.

A management group tree can support up to six depth levels.

Management groups, all subscriptions within a single management group must trust the same Azure Active Directory (Azure AD) tenant.

About Çağlar Özenç

Leave a Reply

Your email address will not be published. Required fields are marked *