8.30.2018
3.1.2023

Azure Management Groups Simplify Subscription Administration

Last updated:
9.16.2020
3.1.2023

If your enterprise cloud environment has started to sprawl out beyond one or two Azure subscriptions, chances are you’ll need to implement some form of management and policy enforcement across your Enterprise Agreement to control costs and ensure compliance. Enter Azure Management Groups.

Management Groups can be used to apply conditions to subscriptions based on Azure regions, SKU sizes, server versions, resource type, and more. They work in conjunction with Azure Policy and Azure Role Based Access Controls (RBAC) and are similar to Active Directory in their setup and administration.

 

Management Group Hierarchies

When many departments or individuals each require their own Azure subscriptions and can deploy their own services and servers within them, you need some way to enforce corporate Azure policy. A management group hierarchy spans from a root group down through branches for each relevant department or user.

Each group placed under another inherits the policies of the groups above it. A higher-level Management Group can set policies for those below it, and the groups below cannot change those policies. Each of these Management Group “trees” can run up to six levels beyond the Root level.

The Root group is built into the directory hierarchy and enables all global policies and RBAC assignments. New subscriptions are placed under the Root group when they are created and must be moved within the hierarchy.

Image sourced from Microsoft, Organize Your Resources with Azure Management Groups

 

Management Groups and RBAC

Azure Management Groups work in concert with Role Based Access Controls to assign resource access and role definitions according to the group directory.

You can assign the default RBAC roles of Owner, Contributor, Reader, and so forth to a Management Group. All Virtual Machines under that Management Group will inherit the abilities of that Role. Custom RBAC is not currently supported within Management Groups.

This helps you control which subscriptions and users within your organization have which levels of control over their infrastructure. You can set Management Groups to have any combination of control over the creation, naming, movement, deletion, access control, policy assignments, and reading of Virtual Machines within a given Group.

For more on what RBAC can do, read What is role-based access control? 

 

Management Groups and Azure Policies

Azure Policies are configured to audit VMs based on disk type, size, name convention, tags with or without default values, locations, VM image source, encryption, diagnostics, network interfaces, network security groups, and much more.

When you create a policy, you select the Management Group you wish to assign it to under the Policy definition page.
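The inheritance rules described above can be checked offline against a model of your hierarchy. The following is an added example, not code from Microsoft or from the original post: the `Group` class, the group, subscription, policy and principal names, and the sample tree are all constructed for illustration. It computes the policies and role assignments each subscription inherits, and flags subscriptions still sitting directly under Root as well as groups nested deeper than six levels.

```python
from dataclasses import dataclass, field

MAX_DEPTH = 6  # levels allowed below the Root group, as stated in the article


@dataclass
class Group:
    """Hypothetical in-memory model of one Management Group (not an Azure SDK type)."""
    name: str
    policies: list = field(default_factory=list)       # policy names assigned at this group
    roles: list = field(default_factory=list)          # (principal, role) pairs assigned here
    children: list = field(default_factory=list)       # child Group objects
    subscriptions: list = field(default_factory=list)  # subscriptions placed directly here


def audit(root):
    """Return (effective assignments per subscription, list of findings)."""
    effective, findings = {}, []

    def walk(group, depth, policies, roles):
        # A group's effective set is everything inherited from above plus its own.
        policies = policies + group.policies
        roles = roles + group.roles
        if depth > MAX_DEPTH:
            findings.append(f"{group.name}: depth {depth} exceeds {MAX_DEPTH} levels below Root")
        for sub in group.subscriptions:
            effective[sub] = {"policies": policies, "roles": roles}
            if depth == 0:
                # New subscriptions land under Root and only get the global policies.
                findings.append(f"{sub}: still directly under Root, not yet moved into the hierarchy")
        for child in group.children:
            walk(child, depth + 1, policies, roles)

    walk(root, 0, [], [])
    return effective, findings


def build_sample():
    """Constructed sample tree: Root -> IT -> Dev."""
    dev = Group("Dev", policies=["allowed-vm-skus"], roles=[("dev-team", "Contributor")],
                subscriptions=["sub-dev-01"])
    it = Group("IT", policies=["require-cost-center-tag"], children=[dev],
               subscriptions=["sub-it-shared"])
    return Group("Root", policies=["allowed-locations"], roles=[("cloud-admins", "Owner")],
                 children=[it], subscriptions=["sub-new-unsorted"])


if __name__ == "__main__":
    effective, findings = audit(build_sample())
    for sub, eff in effective.items():
        print(sub, eff)
    for finding in findings:
        print("FINDING:", finding)
```

Note that the Owner role assigned at Root reaches every subscription in the tree, which is why assignments at the top of the hierarchy deserve the closest review.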

 

For large-scale Azure use across a variety of users and departments, Management Groups are an essential tool for administrators, enabling an easy way to implement a policy-based hierarchy for access control, security requirements, VM configuration compliance, and more. Consider implementing them if your subscription users have started to create VMs that are out-of-bounds in relation to your Azure use policies.
