Configure management groups

Manage Azure subscriptions and governance

📘 Microsoft Certified: Azure Administrator Associate (AZ-104)


1. What Are Azure Management Groups?

Management Groups are containers in Azure that allow you to organize and manage multiple Azure subscriptions at scale.

They help you:

  • Apply Azure Policies across many subscriptions
  • Assign RBAC roles at a higher level
  • Maintain consistent governance
  • Set compliance requirements
  • Group subscriptions logically (e.g., Production, Development)

All subscriptions inside a management group inherit the rules (policies, RBAC assignments) applied at the management group level.

Hierarchy Concept

Azure uses a tree-like structure:

Root Management Group
   ├── Department MG
   │       ├── Subscription A
   │       └── Subscription B
   └── Environment MG
           ├── Production Subscription
           └── Development Subscription

Because policies and role assignments inherit down this tree, one assignment near the top governs every subscription beneath it, which makes governance much easier.


2. The Root Management Group

When you create your first management group, Azure automatically creates a Root Management Group.

Important points:

  • It sits at the top of the hierarchy.
  • All management groups and subscriptions fall underneath it.
  • Only Azure AD Global Administrators or User Access Administrators can assign permissions on it initially.
  • You can use it to apply organization-wide policies, such as:
    • Enforce security standards
    • Allow only specific Azure regions
    • Require tags on all resources

Exam tip:
You cannot delete the Root Management Group.


3. Why Use Management Groups? (Governance Benefits)

1. Centralized Policy Enforcement

For example:

  • Your organization wants to ensure all resources use a specific naming convention.
  • You apply an Azure Policy at the management group level.
  • Every subscription under that management group inherits the policy automatically.

2. Role-Based Access Control (RBAC) at Scale

You can assign roles at the management group level, such as:

  • Security Administrator
  • Cost Management Reader
  • Policy Contributor

This ensures consistent access across all subscriptions.

3. Subscription Organization

You can group subscriptions by:

  • Department (IT, HR, Finance)
  • Workload (Application A, Application B)
  • Environment (Production, Test, Development)

4. Consistency Across All Teams

Management groups make it easier for IT operations and cloud governance teams to:

  • Enforce standards
  • Maintain compliance
  • Prevent misconfiguration

4. Creating and Configuring Management Groups

You can create and manage management groups using:

  • Azure Portal
  • Azure PowerShell
  • Azure CLI
  • ARM templates
  • Bicep
  • Terraform

Below are the key AZ-104 points.


5. Creating Management Groups (Portal)

Steps

  1. Go to Azure Portal
  2. Search for Management Groups
  3. Select Create management group
  4. Provide:
    • Management Group ID (must be unique)
    • Display Name
  5. Click Create

Exam Notes:

  • The Management Group ID is immutable once created.
  • You can change the Display Name later.
  • You can nest management groups up to 6 levels deep (excluding the Root MG).

6. Moving Subscriptions Between Management Groups

You can move a subscription:

  • From one management group to another
  • From root to a child management group
  • Between child management groups

Requirements:

  • You need Owner or Management Group Contributor permissions on the target management group.
  • You need Owner permissions on the subscription being moved.

Scenarios:

  • You reorganize IT workloads
  • A project is moved to a different department
  • Production and Development subscriptions are separated for governance
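Sections 5 and 6 scripted with the Azure CLI. This is an added example, not part of the original notes: it creates a small hierarchy, moves a subscription into the Production group, renames a display name (the ID itself cannot change) and prints the tree. The management group IDs (corp, corp-prod, corp-dev), the display names and the SUBSCRIPTION_ID value are made up; DRY_RUN is a variable of this script, not an az option. By default the script only prints the az commands it would run, so it can be read and executed offline; DRY_RUN=0 runs them against the tenant you are logged into with az login.

```shell
#!/usr/bin/env bash
# Added example: build a management-group hierarchy with Azure CLI and move a
# subscription into it. IDs, display names and SUBSCRIPTION_ID are constructed.
set -eu

ROOT_ID="${ROOT_ID:-corp}"                     # immutable once created: choose carefully
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print commands only, 0 = execute

# Run a command, or just echo it in dry-run mode (so the script works without a login).
run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Fully qualified ID of a management group: the --scope/--parent form used by RBAC and Policy.
mg_scope() { printf '/providers/Microsoft.Management/managementGroups/%s' "$1"; }

# Create a management group. --name is the immutable Management Group ID; the display
# name can be changed later with "az account management-group update".
create_mg() {
  local id="$1" display="$2" parent="${3:-}"
  if [ -n "$parent" ]; then
    run az account management-group create --name "$id" --display-name "$display" \
        --parent "$(mg_scope "$parent")"
  else
    run az account management-group create --name "$id" --display-name "$display"
  fi
}

# Move a subscription into a management group. A subscription belongs to exactly one
# group, so adding it to the target also removes it from its current parent.
move_subscription() {
  local sub="$1" target="$2"
  run az account management-group subscription add --name "$target" --subscription "$sub"
}

main() {
  create_mg "$ROOT_ID" "Contoso" ""                      # directly under the tenant root
  create_mg "${ROOT_ID}-prod" "Production" "$ROOT_ID"
  create_mg "${ROOT_ID}-dev" "Development" "$ROOT_ID"
  move_subscription "$SUBSCRIPTION_ID" "${ROOT_ID}-prod"

  # Only the display name changes here; the ID "corp-dev" stays the same.
  run az account management-group update --name "${ROOT_ID}-dev" --display-name "Dev/Test"

  # Show the whole tree, including nested groups and the subscriptions inside them.
  run az account management-group show --name "$ROOT_ID" --expand --recurse --output table
}

main
```

Moving the subscription needs the permissions listed above on both the subscription and the target group; if the add command is rejected, check those role assignments before anything else.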

7. Assigning RBAC Roles to Management Groups

Instead of assigning permissions subscription by subscription, you can assign a role once at the management group level.

Example (IT-Specific):

Your Security Team needs read-only access to all resources in your organization.

You assign the Reader role at the Root Management Group.

This gives them:

  • Read access to all management groups
  • Read access to all subscriptions
  • Read access to all resources under them

Role Inheritance:

Roles assigned at a management group:

  • Apply to child management groups
  • Apply to all subscriptions inside them
  • Apply to all resources in the subscriptions
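The Security Team example above as an Azure CLI script. This is an added example, not code from the original notes: it grants Reader once at the root management group, grants Contributor only on the Dev group (not at the root), and then lists the assignments a child subscription sees, including the inherited ones. The group IDs, SUBSCRIPTION_ID and the two *_OID object IDs are made-up placeholders; DRY_RUN is a variable of this script that makes it print the az commands instead of running them (DRY_RUN=0 executes them).

```shell
#!/usr/bin/env bash
# Added example: assign a role once at management-group scope and confirm that a
# child subscription inherits it. All IDs below are constructed placeholders.
set -eu

ROOT_ID="${ROOT_ID:-corp}"
DEV_ID="${DEV_ID:-corp-dev}"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"     # placeholder
SECURITY_TEAM_OID="${SECURITY_TEAM_OID:-11111111-1111-1111-1111-111111111111}" # placeholder group object ID
DEV_TEAM_OID="${DEV_TEAM_OID:-22222222-2222-2222-2222-222222222222}"           # placeholder group object ID
DRY_RUN="${DRY_RUN:-1}"                                                         # 1 = print only, 0 = execute

run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }
mg_scope() { printf '/providers/Microsoft.Management/managementGroups/%s' "$1"; }
sub_scope() { printf '/subscriptions/%s' "$1"; }

# Grant a role to a group at a management group. Assigning to a group object ID rather
# than to individual users keeps the assignment stable as team membership changes.
assign_mg_role() {
  local oid="$1" role="$2" mg="$3"
  run az role assignment create --assignee-object-id "$oid" --assignee-principal-type Group \
      --role "$role" --scope "$(mg_scope "$mg")"
}

main() {
  # Read-only visibility for the security team across every subscription in the tenant.
  assign_mg_role "$SECURITY_TEAM_OID" Reader "$ROOT_ID"

  # Write access only where it is needed: Contributor on the Dev group, never at the root.
  assign_mg_role "$DEV_TEAM_OID" Contributor "$DEV_ID"

  # Inheritance check from the subscription's point of view: --include-inherited shows
  # assignments made at the management groups above it, with the scope they came from.
  run az role assignment list --scope "$(sub_scope "$SUBSCRIPTION_ID")" --include-inherited \
      --query "[].{principal:principalName,role:roleDefinitionName,scope:scope}" --output table
}

main
```

In the listing, the Reader row carries the root management group as its scope even though you queried the subscription; that scope column is the quickest way to see where an unexpected permission was inherited from.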


8. Assigning Azure Policies to Management Groups

This is one of the most important exam points.

Policies applied at the management group level enforce compliance across all child subscriptions.

Example IT use cases:

  • Restrict resource deployment to specific regions
  • Enforce tagging requirements across all subscriptions
  • Require virtual machines to use managed disks
  • Audit unencrypted storage accounts

Important:

  • Policy Assignments at the management group propagate to all subscriptions below.
  • You can apply:
    • Policy Definitions
    • Policy Initiatives (group of policies)
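The region restriction and initiative points above as an Azure CLI script. This is an added example and not code from the original notes: it assigns the built-in "Allowed locations" definition at the root management group (built-in definitions are addressed by their GUID name; the one used here is the real Allowed locations definition), optionally assigns an initiative whose name you supply, and then pulls the compliance summary for the whole group. The management group ID and the two regions are made up, INITIATIVE_NAME is left empty so nothing is guessed, and DRY_RUN is a variable of this script that prints the commands instead of running them (DRY_RUN=0 executes them).

```shell
#!/usr/bin/env bash
# Added example: assign an Azure Policy definition (and optionally an initiative) at
# management-group scope, then check compliance. Group ID and regions are constructed.
set -eu

ROOT_ID="${ROOT_ID:-corp}"
DRY_RUN="${DRY_RUN:-1}"                          # 1 = print commands only, 0 = execute
# Built-in "Allowed locations" definition (built-ins are named by GUID).
ALLOWED_LOCATIONS_DEF="e56962a6-4747-49cd-b67b-bf8b01975c4c"
# Optional: name of a built-in initiative to assign; list candidates with
# "az policy set-definition list --query '[].{name:name,displayName:displayName}'".
INITIATIVE_NAME="${INITIATIVE_NAME:-}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }
mg_scope() { printf '/providers/Microsoft.Management/managementGroups/%s' "$1"; }

# Build the --params JSON for "Allowed locations" from a list of region names.
allowed_locations_params() {
  local list="" loc
  for loc in "$@"; do
    list="${list:+$list,}\"$loc\""
  done
  printf '{"listOfAllowedLocations":{"value":[%s]}}' "$list"
}

main() {
  local scope
  scope="$(mg_scope "$ROOT_ID")"

  # Restrict deployments to two regions for every subscription under the root group.
  # DoNotEnforce reports existing non-compliant resources without blocking deployments;
  # switch the assignment to Default enforcement once the compliance report is clean.
  run az policy assignment create --name allowed-locations --display-name "Allowed locations" \
      --scope "$scope" --policy "$ALLOWED_LOCATIONS_DEF" \
      --params "$(allowed_locations_params eastus westeurope)" --enforcement-mode DoNotEnforce

  # An initiative (policy set) is assigned the same way, using --policy-set-definition.
  if [ -n "$INITIATIVE_NAME" ]; then
    run az policy assignment create --name baseline --scope "$scope" \
        --policy-set-definition "$INITIATIVE_NAME"
  fi

  # Compliance summary for everything below the management group.
  run az policy state summarize --management-group "$ROOT_ID"
}

main
```

Because the assignment sits at the management group, a subscription moved under it later is covered automatically; a subscription moved out of it stops being evaluated, so policy state is worth re-checking after any of the moves described in section 6.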

9. Management Group Best Practices (Exam-Relevant)

✔ Use management groups before creating subscriptions

This ensures subscriptions inherit governance from the beginning.

✔ Separate Production vs Non-Production

Useful for policies like:

  • Stricter security for Production
  • Relaxed requirements for Dev/Test environments

✔ Apply policies at the highest level possible

This reduces administrative overhead.

✔ Use dedicated management groups for departments

E.g., create Finance MG, IT MG, HR MG, etc.

✔ Assign roles at the appropriate level

This avoids granting excessive permissions.


10. Limitations You Must Know for the Exam

Azure Management Groups have certain rules:

1. 6-Level Limit

  • Maximum 6 levels of management groups
  • Does not include the Root MG

2. Subscriptions can only belong to ONE management group

3. Only Azure AD tenant-level admins can manage the Root Management Group

4. You cannot rename a Management Group ID, and you cannot delete the Root Management Group

5. Moving subscriptions may take a few minutes due to backend validation


11. Common AZ-104 Exam Questions on Management Groups

Below are typical exam-style concepts:

Question: Where should you assign policy to affect all subscriptions in the organization?

Answer: Root Management Group

Question: What happens when you assign a role at a management group level?

Answer:
All subscriptions and resources below inherit the role.

Question: Can a subscription belong to multiple management groups?

Answer:
No. Only one.

Question: Can you apply Azure Policy at the management group level?

Answer:
Yes. It is one of its main purposes.

Question: Who can manage the Root Management Group?

Answer:
Azure AD Global Administrator or User Access Administrator (initially).


Conclusion

Azure Management Groups are essential for centralized governance when working with multiple subscriptions. They help you:

  • Organize subscriptions
  • Apply policies and RBAC consistently
  • Maintain compliance
  • Build a scalable governance structure
