Tutorial / Cram Notes

Understanding Azure Management Groups

Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called “management groups” and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.

Management groups are arranged in a hierarchical structure, like a tree, where each node in the tree represents a management group. At the top of this hierarchy is the “Root” management group which is built into every Azure tenant.

Benefits of Using Azure Management Groups

  • Hierarchy Management: Subscriptions can be grouped (and later regrouped) under management groups to mirror how the organization is run, without changing the subscriptions themselves.
  • Inheritance: Policies and access permissions are inherited from parent management group to child management groups and subscriptions, providing consistency.
  • Access Control: Grant or restrict user actions at any level of the hierarchy, enabling fine-grained access management.
  • Policy Assignment: Apply Azure policies to a group of subscriptions instead of individually.

Steps to Configure Management Groups in Azure

Here’s a brief outline of the steps involved in setting up Azure Management Groups.

  1. Plan Your Hierarchy

    Before creating management groups, devise a hierarchy that makes sense for your organization. Consider separation of duties, organizational structure, and specific governance requirements. Each Azure tenant supports up to six levels of depth in this hierarchy, not counting the Root level or the subscription level.

  2. Create a Management Group
    • Navigate to the Azure portal and select “Management Groups”.
    • Click on “+ Add management group” to create a new group.
    • Enter a unique management group ID and display name.
    • Select a parent management group if necessary (otherwise, it will be a child of the Root management group).
    • Click “Save”.
  3. Move Subscriptions into the Management Group
    • Within the Management Groups interface, navigate to the created management group.
    • Select “Details” and then “+ Add subscription” to move subscriptions to the management group.
    • Select the subscriptions you wish to move into the management group.
  4. Assign Governance Conditions

    Assign policies and role-based access controls at the management group level.

    • For policies, go to the Azure Policy service within the Azure portal, select the management group as the scope, and assign a built-in policy or create a custom one.
    • For role assignments, navigate to the management group and use the “Access control (IAM)” blade to set roles.

Example Hierarchy

Here’s a simple example of a management group hierarchy for an organization:

– Root
  – Infrastructure
    – Prod-Infra
    – Test-Infra
  – Applications
    – Prod-Apps
    – Test-Apps
  – Security
    – SecurityPolicies

Each management group can contain zero or more management groups and subscriptions. You can apply different policies at each level, depending on your organizational needs. For instance, the security team can manage policies in the “Security” management group that apply to all subscriptions beneath it. Note that an assignment made there does not reach “Infrastructure” or “Applications”; a control that must apply tenant-wide belongs at the Root (or at an intermediate group that every subscription sits under).
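The following is a local model of the hierarchy above, written for this page as an added example; it is not Azure's SDK or CLI and not code from the original tutorial. It uses the real Azure scope-ID formats for management groups and subscriptions, but the tenant ID, the principals “secops-readers” and “platform-team”, and the policy and role assignments are constructed. It shows how policy and RBAC assignments accumulate down the tree, what changes when a subscription is moved, and why a Root-scope role assignment deserves the closest review; it also enforces the six-level depth limit and the no-children rule for deletion described on this page.

```python
"""Local model of an Azure management group tree and how Azure Policy and RBAC assignments
inherit down to subscriptions. Added example, not the Azure SDK or CLI: scope strings follow
the real Azure resource-ID format; tenant ID, groups, principals and assignments are made up."""
from dataclasses import dataclass, field
from typing import Iterator, Optional

MAX_DEPTH = 6  # management-group levels below Root; Root and subscriptions don't count
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
SUB_PREFIX = "/subscriptions/"


@dataclass
class Scope:
    scope_id: str  # full Azure scope ID; a management group's ID is immutable once created
    parent: Optional["Scope"]
    roles: dict = field(default_factory=dict)    # principal -> set of role names
    policies: set = field(default_factory=set)   # policy assignments made at this scope
    children: list = field(default_factory=list)

    def chain(self) -> Iterator["Scope"]:
        """This scope, then each parent up to Root: the path inheritance follows."""
        node = self
        while node is not None:
            yield node
            node = node.parent


class Hierarchy:
    def __init__(self, tenant_id: str):
        # Every tenant has exactly one Root management group; its ID is the tenant ID.
        self.root = Scope(MG_PREFIX + tenant_id, None)
        self.scopes = {self.root.scope_id: self.root}

    def _attach(self, scope_id: str, parent: Scope) -> Scope:
        if scope_id in self.scopes:
            raise ValueError(f"scope already exists: {scope_id}")
        node = Scope(scope_id, parent)
        parent.children.append(node)
        self.scopes[scope_id] = node
        return node

    def add_group(self, group_id: str, parent_id: Optional[str] = None) -> Scope:
        parent = self.scopes[MG_PREFIX + parent_id] if parent_id else self.root
        if sum(1 for _ in parent.chain()) > MAX_DEPTH:  # chain() has parent depth + 1 entries
            raise ValueError(f"depth limit of {MAX_DEPTH} exceeded below {parent.scope_id}")
        return self._attach(MG_PREFIX + group_id, parent)

    def add_subscription(self, sub_id: str, parent_id: str) -> Scope:
        return self._attach(SUB_PREFIX + sub_id, self.scopes[MG_PREFIX + parent_id])

    def move_subscription(self, sub_id: str, new_parent_id: str) -> None:
        sub, new_parent = self.scopes[SUB_PREFIX + sub_id], self.scopes[MG_PREFIX + new_parent_id]
        sub.parent.children.remove(sub)
        sub.parent = new_parent  # what the subscription inherits now follows the new ancestry
        new_parent.children.append(sub)

    def delete_group(self, group_id: str) -> None:
        group = self.scopes[MG_PREFIX + group_id]
        if group is self.root or group.children:  # Root and non-empty groups cannot be deleted
            raise ValueError(f"cannot delete {group_id}: Root or still has child scopes")
        group.parent.children.remove(group)
        del self.scopes[group.scope_id]

    def assign_role(self, scope_id: str, principal: str, role: str) -> None:
        self.scopes[scope_id].roles.setdefault(principal, set()).add(role)
    def assign_policy(self, scope_id: str, policy: str) -> None:
        self.scopes[scope_id].policies.add(policy)

    def effective_policies(self, sub_id: str) -> set:
        """Union of policy assignments on the subscription and every ancestor."""
        return set().union(*(s.policies for s in self.scopes[SUB_PREFIX + sub_id].chain()))

    def effective_roles(self, sub_id: str) -> dict:
        """Principal -> roles merged up the chain: who can actually act on the subscription."""
        merged: dict = {}
        for scope in self.scopes[SUB_PREFIX + sub_id].chain():
            for principal, roles in scope.roles.items():
                merged.setdefault(principal, set()).update(roles)
        return merged

    def root_assignments(self) -> dict:
        """Roles granted on Root reach every subscription in the tenant; review these first."""
        return {p: set(r) for p, r in self.root.roles.items()}


def build_example() -> Hierarchy:
    h = Hierarchy("00000000-0000-0000-0000-000000000000")  # constructed: placeholder tenant ID
    for group, parent in [("Infrastructure", None), ("Prod-Infra", "Infrastructure"),
                          ("Test-Infra", "Infrastructure"), ("Applications", None),
                          ("Prod-Apps", "Applications"), ("Test-Apps", "Applications"),
                          ("Security", None), ("SecurityPolicies", "Security")]:
        h.add_group(group, parent)
    h.add_subscription("11111111-1111-1111-1111-111111111111", "Prod-Infra")
    h.assign_policy(h.root.scope_id, "Allowed locations")           # tenant-wide
    h.assign_policy(MG_PREFIX + "Infrastructure", "Require a tag on resources")
    h.assign_role(h.root.scope_id, "secops-readers", "Reader")      # inherited everywhere
    h.assign_role(MG_PREFIX + "Infrastructure", "platform-team", "Owner")
    return h
```

Calling `build_example()` and then `effective_roles()` on the Prod-Infra subscription returns both the Root-level Reader grant and the Infrastructure-level Owner grant; after `move_subscription()` to Test-Apps, the Owner grant disappears while the Root-level Reader remains. That is the inheritance behaviour to reason about before moving a subscription, and `root_assignments()` is the first list to check when reviewing who can reach everything in the tenant.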

Best Practices while using Management Groups

  • Start small: Begin with a simple structure and evolve as necessary.
  • Limit hierarchy depth: Avoid going too deep with many levels to minimize complexity.
  • Use descriptive names: Clear names for management groups are essential for understanding and managing the hierarchy.
  • Delegate responsibility: Assign management permissions at different levels of the hierarchy to distribute governance.
  • Regularly review and adapt: Business needs and compliance requirements change, so review the management group hierarchy and its policy and role assignments periodically and adjust them as needed.

By carefully setting up management groups and considering their implications on governance, you can effectively organize your Azure resources, streamline administration processes, and enforce policies consistently across your Azure environment. As you prepare for the AZ-104 Microsoft Azure Administrator exam, understanding management groups will be vital to demonstrate your ability to manage Azure resources and their hierarchies effectively.

Practice Test with Explanation

True or False: Management groups can be used to apply governance conditions such as Azure policies and Azure role-based access control (RBAC) across multiple subscriptions.

  • A) True
  • B) False

Answer: A) True

Explanation: Management groups allow for the application of governance policies across multiple subscriptions, providing a level of scope above subscriptions.

How many levels of management groups can be created in a single hierarchy in Azure?

  • A) 2
  • B) 6
  • C) 10
  • D) No limit

Answer: B) 6

Explanation: A management group hierarchy supports up to six levels of depth. This limit does not include the Root management group or the subscription level.

What is the maximum number of management groups that an Azure environment can have?

  • A) 10,000
  • B) 1,000
  • C) 100
  • D) No limit

Answer: A) 10,000

Explanation: An Azure environment can have a maximum of 10,000 management groups.

True or False: You must have an Azure subscription to create a management group.

  • A) True
  • B) False

Answer: B) False

Explanation: A management group can be created in a tenant that has no subscriptions at all. By default any user in the tenant can create one; only when the tenant’s hierarchy settings require permissions for creating new management groups does the user need management group write permission.

Which Azure role does a Global Administrator receive at the root scope after elevating access, in order to manage the Root management group?

  • A) Owner
  • B) Contributor
  • C) User Access Administrator
  • D) Global Administrator

Answer: C) User Access Administrator

Explanation: Global Administrator is a Microsoft Entra ID (Azure AD) directory role, not an Azure RBAC role, and by itself grants no rights over management groups. A Global Administrator can temporarily elevate access to become User Access Administrator at the root scope (“/”), which covers the Root management group, and from there assign roles such as Owner or Management Group Contributor to others. Creating a new management group needs no particular role by default; managing an existing one requires a role with Microsoft.Management/managementGroups/write at that scope, such as Owner or Management Group Contributor.

True or False: Management groups can only be used to manage policies within a single Azure Active Directory tenant.

  • A) True
  • B) False

Answer: A) True

Explanation: Management groups are tenant-scoped, meaning they can only be used to manage policies within a single Azure Active Directory tenant.

What is the purpose of the “Root” management group in Azure?

  • A) To contain all other management groups and subscriptions
  • B) To provide a starting point for RBAC
  • C) To hold retired subscriptions
  • D) To separate test environments from production environments

Answer: A) To contain all other management groups and subscriptions

Explanation: The “Root” management group is the top-level management group that contains all other management groups and subscriptions in the directory.

Management groups in Azure are organized in a hierarchy. How is access control managed in this hierarchy by default?

  • A) Access is uniquely set at each level and does not inherit.
  • B) Access granted on a parent management group is inherited by the children.
  • C) Access is randomized for security purposes.
  • D) Access must be configured manually at each level.

Answer: B) Access granted on a parent management group is inherited by the children.

Explanation: By default, any access granted to a management group is inherited by all the child resources, including child management groups and subscriptions.

True or False: Subscriptions can be moved from one management group to another without any restrictions.

  • A) True
  • B) False

Answer: B) False

Explanation: A subscription can only be moved within its own tenant, and the caller needs sufficient permissions on the subscription being moved as well as management group write access on both the current parent and the target parent. Policies do not block a move, but the policy and role assignments inherited from the new parent chain take effect as soon as the subscription lands there, so check the target’s assignments before moving.

What Azure service can be integrated with management groups for an enhanced security posture?

  • A) Azure Monitor
  • B) Azure Logic Apps
  • C) Azure Security Center (now Microsoft Defender for Cloud)
  • D) Azure Automation

Answer: C) Azure Security Center

Explanation: Azure Security Center (now Microsoft Defender for Cloud) can be enabled at the management group scope to provide security management and threat protection across all subscriptions beneath it.

True or False: Once created, an Azure management group’s ID cannot be changed.

  • A) True
  • B) False

Answer: A) True

Explanation: The management group ID is immutable and cannot be changed once the management group has been created.

What must be done before a management group can be deleted?

  • A) Remove all Azure policies from the management group
  • B) Ensure there are no child resources, such as other management groups or subscriptions
  • C) Move it to another tenant
  • D) Convert it to a subscription

Answer: B) Ensure there are no child resources, such as other management groups or subscriptions

Explanation: Before deleting a management group, you must ensure that there are no child resources within it. All subscriptions and other management groups must be moved or deleted before the management group itself can be removed.

Interview Questions

What are management groups in Azure?

Management groups in Azure are containers that help you organize and manage access, policies, and compliance for multiple subscriptions.

How do I create a new management group in Azure?

To create a new management group in Azure, you can use the Azure portal, Azure PowerShell, Azure CLI, or Azure REST API.

What are the benefits of using management groups in Azure?

Management groups provide a hierarchical structure for organizing resources, policies, and permissions across multiple subscriptions. They allow you to manage access, policies, and compliance at scale for your Azure environment. They simplify the process of applying policies and permissions to multiple subscriptions and resources at once.

How do I manage management groups in Azure?

You can manage management groups in Azure using the Azure portal, Azure PowerShell, Azure CLI, or Azure REST API. You can view and modify management group properties, assign policies and role-based access control (RBAC) roles, and move subscriptions and management groups within the hierarchy.

How do I assign policies to a management group?

To assign policies to a management group, you can use the Azure portal, Azure PowerShell, Azure CLI, or Azure REST API. You can assign built-in or custom policies to a management group to ensure compliance and governance across all subscriptions and resources in the hierarchy.

How do I assign role-based access control (RBAC) roles to a management group?

To assign RBAC roles to a management group, you can use the Azure portal, Azure PowerShell, Azure CLI, or Azure REST API. You can assign built-in or custom RBAC roles to a management group to manage access and permissions for users and groups across all subscriptions and resources in the hierarchy.

Can I move a subscription from one management group to another?

Yes, you can move a subscription from one management group to another by using the Azure portal, Azure PowerShell, Azure CLI, or Azure REST API.

How many management groups can I create in Azure?

You can create up to 10,000 management groups in an Azure AD tenant.

How can I manage access to management groups in Azure?

You can manage access to management groups in Azure by using role-based access control (RBAC) and Azure AD groups. You can assign RBAC roles and permissions to users and groups to control access to management groups and their resources.

Can I create nested management groups in Azure?

Yes, you can create nested management groups in Azure to create a more complex hierarchy for managing resources and policies. However, it’s important to keep in mind that there is a limit of six levels of nesting for management groups.

How can I view the hierarchy of management groups in Azure?

You can view the hierarchy of management groups in Azure by using the Azure portal or Azure PowerShell. The hierarchy is displayed as a tree view, with the top-level management group at the root and its child management groups below it.

Can I delete a management group in Azure?

Yes, you can delete a management group in Azure by using the Azure portal, Azure PowerShell, Azure CLI, or Azure REST API. However, you cannot delete a management group that has one or more child management groups or subscriptions.

How can I add a subscription to a management group in Azure?

You can add a subscription to a management group in Azure by using the Azure portal, Azure PowerShell, Azure CLI, or Azure REST API. You can move an existing subscription to a management group, or you can create a new subscription and add it directly to a management group.

John Hart
1 year ago

I’ve been trying to set up management groups in Azure and it’s a bit confusing. Any tips?

Raquel Sáez
1 year ago

Does creating management groups improve Azure policy enforcement?

Salvador Jackson
1 year ago

I’m struggling to assign roles at the management group level. Any pointers?

Jimi Eskola
1 year ago

Thanks, this blog post on configuring management groups was very helpful!

Dobrodum Shpirka
1 year ago

I don’t see much practical use for management groups in a small organization.

Piper Walker
1 year ago

How often do you review and adjust your management group structure?

Nicoline Christensen

This helped me pass my AZ-104 exam, much appreciated!

Alessandro Fernandez

What is the best way to structure management groups for a multi-region deployment?
