Management groups are a key part of Azure management and governance, yet not many people know about them, even though Microsoft released this feature many months ago.
Management groups let us organise our subscriptions into subgroups; everything we do on a group affects all the subscriptions and subgroups beneath it.
This is useful in many ways.
- We can manage RBAC and policies from one place across multiple subscriptions.
- We can monitor cost usage for multiple subscriptions very easily.
- We can organize our departments and business much better.
How can you manage Azure and save money without them?
Management groups are a must!
Below is how we need to look at our Azure governance.
Think about a simple scenario like the one below.
Let's add some more interesting aspects, like a base subscription with our shared appliances.
And now, using management groups for much better governance.
How to use them?
As usual, simply search for management groups in the Azure portal.
Create a new management group and assign your subscription to it; it is extremely simple.
To move a subscription, click on the right.
Let's focus on the important things to know.
On top you see
Click the details link to manage the management group (RBAC, etc.).
The tenant group is the root group and it is associated with your Azure tenant (this is very important to understand).
Everything you do at root level will affect all the subscriptions and all Azure EA in that tenant.
The same goes for policies: if you disable a policy at root level, it will affect all the subscriptions and Azure EA in that tenant.
Maybe in the future this design will change and keep tenant and management groups more separated; I am sure they will do it.
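Because an assignment made at the root or at any management group is inherited by everything beneath it, it is worth listing which subscriptions each role assignment actually reaches before granting it. The following is an added example, not code from the original post: the group names, subscription IDs and assignments are constructed, and the node shape is assumed to match the expanded output of `az account management-group show`.

```python
# Constructed sample data. The node shape (id, displayName, type, children) is
# assumed to follow `az account management-group show --expand --recurse`.
MG = "Microsoft.Management/managementGroups"
PREFIX = "/providers/" + MG + "/"

def mg(name, *children):
    return {"id": PREFIX + name, "displayName": name, "type": MG,
            "children": list(children)}

def sub(name, n):
    sid = "/subscriptions/00000000-0000-0000-0000-%012d" % n
    return {"id": sid, "displayName": name, "type": "/subscriptions"}

TREE = mg("tenant-root",
          mg("shared", sub("base-appliances", 1)),
          mg("departments",
             mg("finance", sub("fin-prod", 2), sub("fin-dev", 3)),
             mg("engineering", sub("eng-prod", 4))))

ASSIGNMENTS = [  # constructed: (principal, role, scope)
    ("ops-admins", "Owner", PREFIX + "tenant-root"),
    ("fin-team", "Contributor", PREFIX + "finance"),
    ("auditor", "Reader", sub("eng-prod", 4)["id"]),
]

def find(node, scope):
    """Return the node whose id equals scope (case-insensitive), or None."""
    if node["id"].lower() == scope.lower():
        return node
    hits = (find(c, scope) for c in node.get("children") or [])
    return next((h for h in hits if h), None)

def subscriptions_under(node):
    """Display names of every subscription at or below node."""
    if node["type"] == "/subscriptions":
        return [node["displayName"]]
    return [n for c in node.get("children") or [] for n in subscriptions_under(c)]

def blast_radius(tree, assignments):
    """Map each (principal, role) to the subscriptions that inherit it."""
    report = {}
    for who, role, scope in assignments:
        node = find(tree, scope)
        report[(who, role)] = sorted(subscriptions_under(node)) if node else []
    return report

if __name__ == "__main__":
    for (who, role), subs in blast_radius(TREE, ASSIGNMENTS).items():
        print(f"{who:12} {role:12} -> {len(subs)} subscription(s): {subs}")
```

In this sample the single Owner assignment at the root reaches all four subscriptions, while the Contributor assignment on the finance group reaches only two.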
I mention policies because they are another must-know, and we manage policies from management groups.
I will write something about policies, as there is so much to say, but let's stay focused on the important thing: how do Azure policies work?
The rule is very simple: disable wins over enable.
Actually, if we want to disable a policy we need to first disable from the top and enable the bottom one.
So… we need to disable from root and enable in the bottom group; it is actually a top-down approach where disable wins.
As I said, maybe this design will change soon…