When we were discussing accounts and subscriptions, you saw that an account can have multiple subscriptions. If you think of it from an organizational perspective, there will be multiple accounts, and there will be multiple subscriptions meant for different environments and workloads. Using management groups, you can logically group subscriptions. This way, management groups offer a new scope above the subscriptions, which can be used for granting access, assigning policies, and analyzing costs.

FIGURE 2.7 Managing resource groups using the Azure CLI
All access or policies assigned to the management group will be inherited by the subscriptions that are part of the management group. We will cover how access and policy management is performed later in this chapter. Figure 2.8 shows a sample hierarchy where management groups are used.
Management groups enable administrators to do the following:
- They can logically group subscriptions into different containers.
- They can apply policies and access to a set of subscriptions easily.
- Cost management can be scoped at the management group level for tracking the costs of multiple subscriptions in a single shot.
- Budgets can be created at the management group level, which is ideal for teams and projects having multiple subscriptions.
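The inheritance rule described above, as an added example that is not part of the original text: a small Python model that resolves which access and policy assignments a subscription inherits, and which subscriptions an assignment made at a given management group reaches. The hierarchy, identifiers, and assignment names are constructed for illustration.

```python
# Constructed sample hierarchy (child -> parent); all IDs are hypothetical.
PARENT = {
    "mg-platform": "root",
    "mg-workloads": "root",
    "mg-prod": "mg-workloads",
    "mg-dev": "mg-workloads",
    "sub-identity": "mg-platform",
    "sub-shop-prod": "mg-prod",
    "sub-shop-dev": "mg-dev",
    "sub-sandbox": "root",  # a subscription sitting directly under the root group
}
SUBSCRIPTIONS = {"sub-identity", "sub-shop-prod", "sub-shop-dev", "sub-sandbox"}

# Constructed assignments: scope -> [(kind, name)]
ASSIGNMENTS = {
    "root": [("policy", "allowed-locations")],
    "mg-workloads": [("access", "ops-team: Reader")],
    "mg-prod": [("policy", "deny-public-ip"), ("access", "sre-team: Contributor")],
    "sub-shop-dev": [("access", "dev-team: Owner")],
}


def ancestors(scope):
    """Return the scope followed by each parent up to the root group."""
    chain, seen = [scope], {scope}
    while scope in PARENT:
        scope = PARENT[scope]
        if scope in seen:  # guard against a malformed (cyclic) hierarchy
            raise ValueError(f"cycle detected at {scope}")
        chain.append(scope)
        seen.add(scope)
    return chain


def effective_assignments(subscription):
    """List (kind, name, source_scope) for everything that applies, root first."""
    return [
        (kind, name, scope)
        for scope in reversed(ancestors(subscription))
        for kind, name in ASSIGNMENTS.get(scope, [])
    ]


def affected_subscriptions(scope):
    """Subscriptions that inherit anything assigned at the given scope."""
    return sorted(s for s in SUBSCRIPTIONS if scope in ancestors(s))
```

Reviewing `affected_subscriptions("root")` before assigning anything at the root management group shows that the assignment reaches every subscription in the tenant.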
Management groups can be created from the Azure portal, PowerShell, and the CLI. A default management group, called the root management group, is provisioned along with your tenant. All new management groups will be created as children of this root management group.
Creating a management group is a straightforward process you can perform by searching for and navigating to management groups in the Azure portal. You can click Add (refer to Figure 2.9) to add a new management group. In Figure 2.9, you can also see a couple of management groups created for demonstration purposes.

FIGURE 2.8 Understanding management groups

FIGURE 2.9 Creating management groups
Two parameters are required while you create a management group. The first one is Management Group ID; this identifier is used to denote the management group when you want to run commands against the management group. Second, you need to add a display name, which will act like a friendly name for your management group. Whenever you are making PowerShell, Azure CLI, or REST API calls, you will be using the identifier to point to the management group. Management Group ID cannot be modified once the management group is created.
While discussing management groups, you read that they can be leveraged to apply policies and grant access easily on a larger scope. Now, we will see what these policies are and what role they play in governance.