Management Groups are a key aspect of Azure management and governance, yet not many people know about them, even though Microsoft released the feature many months ago.
Management Groups let us organize our subscriptions into groups and subgroups, and everything we do at a group level applies to all the subscriptions and subgroups beneath it.
This is very useful in many respects:
- We can manage RBAC and policies from one place across multiple subscriptions;
- We can monitor cost usage across multiple subscriptions very easily;
- We can organize our departments and business much better.
How can you manage Azure and save money without them? Management Groups are a must!
Below is a diagram of how we need to look at and define our Azure governance strategy:
Think about a simple scenario like the one below:
Let's add some more interesting aspects, like a base subscription holding our shared appliances:
And now using management groups for much better governance:
How do we use them?
As usual, simply search for Management Groups in the Azure portal:
- Create a new management group and assign your subscription to it; it is extremely simple.
- To move a subscription, click on the right
Now let's focus on the important things you need to know:
- At the top you see
- Click on the details link to manage the management group: RBAC, etc.
The tenant group is the root of the hierarchy and it is tied to your Azure tenant (this is very important to understand).
Everything you do at the root level affects all the subscriptions and all Azure EA enrollments in that tenant.
The same goes for policies: if you disable a policy at the root level, it affects all the subscriptions and Azure EA enrollments in that tenant.
Maybe in the future this design will change and tenant and management groups will be kept more separate; I am sure they will do that.
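The same steps from the command line, as an added example that is not part of the original post: it creates a small hierarchy under the tenant root group, moves a subscription into it, and lists what is assigned at the root, because anything assigned there reaches every subscription in the tenant. It assumes the Azure CLI (`az`) is installed and logged in with rights on the root group; the group names and the subscription id are placeholders.

```shell
# Added example, not from the original post. Assumes the Azure CLI (`az`) is
# installed and logged in with rights on the tenant root group. Group names
# ("corp", "platform", "workloads") and the subscription id are placeholders.
set -eu

# Resource id of a management group. The tenant root group is named after the tenant id.
mg_scope() {
    printf '/providers/Microsoft.Management/managementGroups/%s' "$1"
}

# Resource id of a subscription.
sub_scope() {
    printf '/subscriptions/%s' "$1"
}

# The root group's name is the tenant id of the logged-in context.
root_group() {
    az account show --query tenantId -o tsv
}

# Create one child group under a parent (parent may be a group name or full id).
create_group() {    # create_group <name> <display-name> <parent>
    az account management-group create --name "$1" --display-name "$2" --parent "$3"
}

# Build: tenant root -> corp -> { platform (shared appliances), workloads }.
create_hierarchy() {
    root="$(root_group)"
    create_group corp      "Corp"              "$root"
    create_group platform  "Platform (shared)" corp
    create_group workloads "Workloads"         corp
}

# Same as the portal's "move": put a subscription under a management group.
move_subscription() {    # move_subscription <subscription-id> <group-name>
    az account management-group subscription add --name "$2" --subscription "$1"
}

# Defender's check: role and policy assignments at the root group apply to every
# subscription in the tenant, so this list should be short and deliberate.
audit_root() {
    root="$(root_group)"
    echo "== Role assignments at tenant root group ($root) =="
    az role assignment list --scope "$(mg_scope "$root")" \
        --query "[].{principal:principalName, role:roleDefinitionName}" -o table
    echo "== Policy assignments at tenant root group ($root) =="
    az policy assignment list --scope "$(mg_scope "$root")" \
        --query "[].{name:name, policy:policyDefinitionId}" -o table
}

# Usage (run by hand after sourcing this file):
#   create_hierarchy
#   move_subscription "<subscription-id placeholder>" workloads
#   audit_root
```

The functions are defined but not invoked, so the file can be sourced and each step run individually; `audit_root` is the one worth scheduling, since an extra Owner or a broad policy at the root is the single change that silently touches every subscription.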
Earlier I mentioned policies because they are another must-know, and we manage policies from management groups.
I will write something about policies in a future blog post; there is so much to say, but for now let's stay focused on the important things: how do Azure policies work?
The rule is very simple: the disabling one wins over the enabling one.
In fact, if we want to disable a policy we first need to disable it at the top and then enable it at the bottom.
So… we need to disable it at the root and enable it in the bottom group; it is in fact a top-down approach where disabling wins.
As I said, maybe this design will change soon…
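What that inheritance looks like from the command line, as an added example that is not part of the original post: it assigns a policy at a management group, lists everything a subscription inherits from the groups above it, shows the Azure CLI way to carve a child scope out of a parent assignment, and models the "disabling wins" rule offline. It assumes the `az` CLI is logged in with rights on the groups; the group names, assignment name and policy definition name are placeholders.

```shell
# Added example, not from the original post. Assumes `az` is logged in with
# rights on the management groups. Group names, the assignment name, the
# subscription id and the policy definition name are placeholders.
set -eu

mg_scope() { printf '/providers/Microsoft.Management/managementGroups/%s' "$1"; }

# Assign a policy definition at a management group; every subscription and
# subgroup below that group inherits the assignment.
assign_policy_at_group() {    # <group-name> <assignment-name> <policy-definition-name-or-id>
    az policy assignment create --name "$2" --scope "$(mg_scope "$1")" --policy "$3"
}

# The exclusion for a child group lives on the parent's assignment (--not-scopes);
# it cannot be undone by a more permissive assignment lower in the tree.
assign_policy_excluding_group() {    # <group-name> <assignment-name> <policy> <excluded-group-name>
    az policy assignment create --name "$2" --scope "$(mg_scope "$1")" --policy "$3" \
        --not-scopes "$(mg_scope "$4")"
}

# Everything that applies to a subscription, including assignments inherited from
# each ancestor group (the default listing shows only the subscription's own).
list_effective_assignments() {    # <subscription-id>
    az policy assignment list --scope "/subscriptions/$1" --disable-scope-strict-match \
        --query "[].{name:name, scope:scope, policy:policyDefinitionId}" -o table
}

# Offline model of the rule above: given the effects of the assignments found
# along the chain root -> ... -> subscription (lowercase words: deny, audit,
# disabled), the strictest one is what the subscription ends up with; a
# permissive assignment lower down never overrides a deny above it.
effective_effect() {
    strongest="disabled"
    for e in "$@"; do
        case "$e" in
            deny)     strongest="deny" ;;
            audit)    [ "$strongest" = "deny" ] || strongest="audit" ;;
            disabled) ;;
        esac
    done
    printf '%s' "$strongest"
}

# Usage (run by hand after sourcing this file):
#   assign_policy_at_group corp deny-public-ip "<policy-definition-name placeholder>"
#   assign_policy_excluding_group corp deny-public-ip-exc "<policy-definition-name placeholder>" platform
#   list_effective_assignments "<subscription-id placeholder>"
#   effective_effect audit deny disabled    # prints: deny
```

`list_effective_assignments` is the check to run before assuming a lower-level change took effect: if a deny assignment shows up with a parent group's scope, the only place it can be relaxed is on that parent assignment.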