I am very excited about the new management groups feature in Azure and thought I’d do a post to talk about it.

Management groups – finally – address a common limitation around Azure Governance. So far we were only able to assign policies and role based access at three levels:

  • Subscriptions
  • Resource Groups
  • Resources

Management groups introduce an additional multi layer element on top of subscriptions. They can receive RBAC assignments and policy assignments.

This means that you can get a setup like this:

  • Organisation
    • Department
      • Subscription A
      • Subscription B
    • Department
      • Another Team
        • Subscription E
      • Subscription C
      • Subscription D

This might seem familiar to the Enterprise Agreement model, but there is a couple of key differences.

  • Everyone can use them (not just people with EAs)
  • You are not limited to the Org > Department > Subscription structure, additional layers are supported

There are a few limitations that apply to the root management group, which are worth reviewing. Find them here along with additional information about Management Groups->

Management groups enable some key scenarios like:

  • Policy assignment across several subscriptions
  • Central permission management

They are managed at the directory level and the root needs to be created by the directory admin. (similar but not the same as EA)

You can start using Azure Management Groups by going to the relevant resource section in the portal. Then simply choose the option to “Add a management group”

Once your group is created you can add other management groups or subscriptions into it.

Below you can see my management group with two different subscriptions in.

As mentioned you can then apply role based access management and policies at the group level. This also supports exceptions for particular parts of the group.