Azure Management Groups: A quick guide for planning your Azure Management Group structure

Updated: Aug 3



Firstly, you may ask, what is an Azure Management Group?

Azure Management Groups allow you to group subscriptions together and then take actions in bulk at the Management Group level. This enables you to reduce management and complexity in your Azure environment.

A well designed structure will also improve governance, administration, and enable efficiencies.


The three key areas that Management Groups are used for:

  1. Azure Policies

  2. Cost Management

  3. Role Assignment (RBAC)


Management Groups are the highest level where these key areas can be administered.





Azure Policies

Azure Policies are particularly useful to enforce security, compliance and standards across your Azure environment.

You can enforce policies on your resources to set guardrails and make sure future configurations will be compliant with organisational or external standards and regulations.

Utilizing Management Groups enable you to apply an Azure Policy (or a PolicySet) once and then the policy will be applied to multiple Azure subscriptions (and underlying resources) that are hosted underneath the Management Group.

Without the use of Management Groups you would need to apply an Azure Policy individually to each Azure subscription.





Cost Management

Track resource usage and manage costs across multiple subscriptions with a single, unified view, and access rich operational and financial insights to make informed decisions.

Without the use of Management Groups you would only be able to see the cost up to the Azure subscription level. If you have a particular Business Unit with multiple subscriptions, in most cases you would like to see an single, unified view for the Business Unit, and then have the ability to further drill down on the underlying subscriptions, resource groups, and resources.





Role Assignment (RBAC)

Having an Azure Management Group structure in place will enable you to assign access and grant roles to multiple subscriptions with a single assignment at the Management Group level.

Without the use of Management Groups, the highest level of RBAC assignment would be the Azure subscription level and you would need to assign access to each subscription individually.





There are a number of factors that should be considered when planning the structure for your Azure Management Groups. They all tie in with the three key focus areas listed above.

Below we have listed a few questions that you want to ask to help determine your most ideal structure:

  1. Where do I have subscriptions that share common factors based on the key focus areas?

  2. Are there subscriptions that can be grouped together that need the same security policies and controls?

  3. Are there subscriptions that can be grouped together that would simplify cost management?

  4. Are there subscriptions that can be grouped together that would simplify role assignments?


If you are unsure and do not have clearly defined requirements, a good starting point would be to use Microsoft’s guidelines for an Azure Management Group structure.

More information can be found here:

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions


You are welcome to reach out to us for a free consultation on planning and designing your Azure Management Group structure.

7 views0 comments