Diving into Azure Management Groups
What are Management Groups and how to configure
When I first heard of Management Groups I thought it was just a way to group subscriptions in Azure. After in depth research on the feature, I found there was more you can do with them so in this post I will cover what are Management Groups and what can you do with them.
What are Management Groups
Management Groups is a feature of Azure used to control RBAC (Role Based Access Control), apply governance via policies and implement cost management to subscriptions that are organised within these groups. You might be familiar with these features already within subscriptions but being able to duplicate configurations from one subscription to another can be a headache to manage. What Management Groups allows us to do is add these subscriptions to one group and then apply these configurations to the group which then populates to the subscriptions and its resources. You can also add a Management Group within a Management Group which will also inherit the configurations set.
Where and how to create
To create a Management Group is straight forward, first we need to locate where to find this feature. Within the Azure Portal search for Management Groups and select the result as per the below image.
On the page you will notice there is already a Management Group called Tenant Root Group. This will contain all your subscriptions. When you create a group it will appear under the Tenant Root. To create a Management Group, select Add from the top menu.
Here you enter the ID and display name for the group you want to create.
Once fields are completed, select Submit. Once created, you can select it to start configuring.
If you create multiple Management Groups and want to move them inside of each other, select the Move option while in one of these groups and select the location.
Within the group you created, select Subscriptions from the side menu. Here you can select the Add option from the top menu to add the subscriptions you want within this group.
A subscription can only be in one management group at one time.
Select IAM from the side menu within the Management Group. Here you can configure RBAC in the same way as you would do within a subscription. This will populate down to other Management Groups under this one, subscriptions and their resource groups.
Click here for more information assigning roles in IAM.
Within the Security option, you can review all subscriptions and resource groups security recommendations. You will also see an overall security score rating for the Management Group with a summary of the lowest rated subscriptions.
Click here for more information on using the Security blade to enable Security Center.
The Policy side menu option allows you to apply governance policies, either pre-built or custom. This will populate down to your subscriptions.
Click here for more information on implementing policies.
To analyse what the costs of resources within a Management Group, select Cost Analysis within the side menu. Here you will get an overview of resource costs and cost breakdown based on each subscription within the group.
Click here for more information on using Cost Analysis.
You can set budgets to the top level of a Management Group to monitor and control costs. Select Budgets from the side menu, here you can create a budget for the group.
Click here for more information on how to create budgets.