If your enterprise cloud environment has started to sprawl out beyond one or two Azure subscriptions, chances are you’ll need to implement some form of management and policy enforcement across your Enterprise Agreement to control costs and ensure compliance. Enter Azure Management Groups.
Management Groups can be used to apply conditions to subscriptions based on Azure regions, SKU sizes, server versions, resource type, and more. They work in conjunction with Azure Policy and Azure role-based access control (RBAC) and are similar to Active Directory in their setup and administration.
When many departments or individuals each require different Azure subscriptions and they have the ability to deploy their own services and servers within their subscriptions, you need some way to enforce corporate Azure policy. A management group hierarchy spans from a root group down through branches for each relevant department or user.
Each group placed under another inherits the policies of those above it. A higher-level Management Group can set policies for those below it, and those below it cannot change those policies. Each of these Management Group “trees” can run up to six levels beyond the Root level.
The Root group is built into the directory hierarchy and enables all global policies and RBAC assignments. New subscriptions are placed under the Root group when they are created and must be moved within the hierarchy.
Image sourced from Microsoft, Organize Your Resources with Azure Management Groups
Azure Management Groups work in concert with Role Based Access Controls to assign resource access and role definitions according to the group directory.
You can assign the default RBAC roles of Owner, Contributor, Reader, and so forth to a Management Group. All Virtual Machines under that Management Group will inherit the abilities of that Role. Custom RBAC is not currently supported within Management Groups.
This helps you control which subscriptions and users within your organization have which level of control over their infrastructure. A Management Group can be given any combination of rights over the creation, naming, movement, deletion, access control, policy assignment, and reading of Virtual Machines within that Group.
For more on what RBAC can do, read What is role-based access control?
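To make the hierarchy and the RBAC inheritance concrete, here is an added example (not from the original article or from Microsoft) using the Az PowerShell module. It builds a small tree under the tenant root, moves a subscription into a department group, and assigns the built-in Reader role at the top of that tree so every subscription beneath inherits it. The group names, the department structure, the “Cloud Auditors” Azure AD group, and the subscription ID are all assumptions for illustration; you need Az.Resources installed and an active `Connect-AzAccount` session.

```powershell
# Added example, not part of the original article. Assumes Az.Resources and an
# authenticated Az session; all names and IDs below are illustrative.

# Management Group scopes are always written as full resource IDs.
$mgPrefix = '/providers/Microsoft.Management/managementGroups/'

# The tenant Root group uses the Azure AD tenant ID as its group ID.
$tenantId = (Get-AzContext).Tenant.Id

# Assumed structure: contoso (top) -> contoso-eng, contoso-fin (departments).
New-AzManagementGroup -GroupName 'contoso'     -DisplayName 'Contoso'     -ParentId "${mgPrefix}${tenantId}"
New-AzManagementGroup -GroupName 'contoso-eng' -DisplayName 'Engineering' -ParentId "${mgPrefix}contoso"
New-AzManagementGroup -GroupName 'contoso-fin' -DisplayName 'Finance'     -ParentId "${mgPrefix}contoso"

# New subscriptions land under the Root group, so move this one (placeholder ID)
# under the Engineering branch where Engineering's policies will apply to it.
$subId = '00000000-0000-0000-0000-000000000000'   # placeholder subscription ID
New-AzManagementGroupSubscription -GroupName 'contoso-eng' -SubscriptionId $subId

# Assign the built-in Reader role once, at the 'contoso' group. Every subscription
# and resource beneath it inherits the assignment; lower groups cannot remove it.
$auditors = Get-AzADGroup -DisplayName 'Cloud Auditors'   # assumed Azure AD group
New-AzRoleAssignment -ObjectId $auditors.Id -RoleDefinitionName 'Reader' -Scope "${mgPrefix}contoso"

# Verify: show the tree (with subscriptions) and the assignments at the top scope.
(Get-AzManagementGroup -GroupName 'contoso' -Expand -Recurse).Children
Get-AzRoleAssignment -Scope "${mgPrefix}contoso"
```

Two things worth checking after running something like this: `Get-AzRoleAssignment` run against a subscription under `contoso-eng` will list the Reader assignment with its scope still pointing at the `contoso` group, which is how you tell an inherited assignment from a local one, and moving a subscription between branches changes which policies and roles apply to it immediately, so it should be treated as a change-controlled operation.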
Azure Policy can be configured to audit VMs based on disk type, size, naming convention, tags with or without default values, location, VM image source, encryption, diagnostics, network interfaces, network security groups, and much more.
When you create a policy, you select the Management Group you wish to assign it to under the Policy definition page.
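The same policy setup can be scripted rather than clicked through in the portal. The following is an added example (not the article's or Microsoft's own code): it defines a custom policy at Management Group scope that audits any VM whose SKU is not on an allowed list, assigns it to the assumed `contoso` group so every subscription below is evaluated, assigns the built-in “Allowed locations” definition alongside it, and then pulls the non-compliant results. The `contoso` group name, the policy names, and the SKU and region lists are assumptions; the built-in definition ID shown is Microsoft's real “Allowed locations” policy. Requires Az.Resources and Az.PolicyInsights.

```powershell
# Added example, not part of the original article. Assumes an authenticated Az
# session and an existing Management Group named 'contoso' (illustrative name).

$mgPrefix = '/providers/Microsoft.Management/managementGroups/'
$scope    = "${mgPrefix}contoso"

# Custom policy rule: flag any VM whose SKU is not in the allowedSkus parameter.
# 'audit' only records non-compliance; switch to 'deny' to block deployments.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      { "not": { "field": "Microsoft.Compute/virtualMachines/sku.name",
                 "in": "[parameters('allowedSkus')]" } }
    ]
  },
  "then": { "effect": "audit" }
}
'@

$params = @'
{
  "allowedSkus": {
    "type": "Array",
    "metadata": { "displayName": "Allowed VM SKUs",
                  "description": "VM sizes permitted under this Management Group" }
  }
}
'@

# Define the policy at Management Group scope so any subscription below can use it.
New-AzPolicyDefinition -Name 'audit-vm-sku' -DisplayName 'Audit VMs outside the approved SKU list' `
    -Policy $rule -Parameter $params -Mode 'All' -ManagementGroupName 'contoso'

# Assign it at the group; the SKU list is an assumption for illustration.
$skuDef = Get-AzPolicyDefinition -Name 'audit-vm-sku' -ManagementGroupName 'contoso'
New-AzPolicyAssignment -Name 'audit-vm-sku' -PolicyDefinition $skuDef -Scope $scope `
    -PolicyParameterObject @{ allowedSkus = @('Standard_B2s', 'Standard_D2s_v3') }

# Built-in "Allowed locations" definition (Microsoft's real definition ID), assigned
# at the same scope so region restrictions are inherited by every child subscription.
$locDef = Get-AzPolicyDefinition -Id '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'
New-AzPolicyAssignment -Name 'allowed-locations' -PolicyDefinition $locDef -Scope $scope `
    -PolicyParameterObject @{ listOfAllowedLocations = @('eastus', 'westus2') }

# After the next evaluation cycle, list what is out of bounds across the whole tree.
Get-AzPolicyState -ManagementGroupName 'contoso' -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object SubscriptionId, ResourceId, PolicyAssignmentName
```

Note that an `audit` assignment does not stop anyone from building the wrong VM; it only makes the drift visible in the compliance view and in `Get-AzPolicyState`. That is the right first step when you are not yet sure what existing workloads would break, and the `deny` effect can be switched on per assignment once the exceptions are understood.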
For large scale Azure use across a variety of users and departments, Management Groups are an essential tool for administrators, enabling an easy way to implement a policy-based hierarchy for access control, security requirements, VM configuration compliance, and more. Consider implementing them if your subscription users have started to create VMs that are out-of-bounds in relation to your Azure use policies.