A new capability has been released on Azure: Azure Management Groups.

This new capability will help you manage and organize your Azure subscriptions while ensuring compliance and governance are properly applied.

By using Azure Management Groups, you can reduce the workload and risks associated with user assignments, such as granting a user access to multiple subscriptions or ensuring users have appropriate permissions, while reducing management complexity.

The diagram below (courtesy of Microsoft) explains how Azure Management Groups can work:

To start using it, log on to your Azure administration portal (https://portal.azure.com) and search for Management Groups (or go directly to https://aka.ms/azuremg).

As a first step, you may need to self-elevate your global administrator privileges.

This is done in the Azure AD\Properties configuration blade by turning on the option “Global admin can manage Azure Subscriptions and Management Groups” (once the initial setup is completed, you can switch back to your previous configuration if you want).

If you do not have the proper permissions, you will see the blue ribbon below; in that case, apply the action above.

“You are registered as a directory admin but do not have the necessary permissions to access the root management group”

Then you can start creating your Azure management groups.

You can now create your first management group. The management group ID cannot be changed after creation.

You can define whatever you want for the management group ID.

Once the management group is successfully created, the Tenant Root Group list is refreshed and displays your new group.

Once you have created your first/root management group, you can create child groups by creating a new group and then choosing the Move option from the contextual menu. The UI should be updated soon to let you select a parent group when creating the management group.

NOTE: you cannot delete a management group if the group has child groups.

Then, once your group(s) are created, click on a group's name to access its child group list (if any) and, more importantly, its details.

From this details link, you will then be able to associate Azure subscription(s), define the access control list (IAM), that is, who can do what on resources associated with the group, as well as the associated policies.
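
How access assigned on a management group reaches the subscriptions beneath it, as an added example that is not part of the original post: a small Python model in which role assignments are inherited down the hierarchy, plus a check for a User Access Administrator assignment left at the root scope `/` after the self-elevation step described earlier. All group IDs, subscription names, principals and assignments are constructed, and treating `/` as the parent of the tenant root group is a modeling assumption.

```python
# Added example: models inheritance of role assignments through a
# management group hierarchy. All IDs, names and assignments are constructed.
MG = "/providers/Microsoft.Management/managementGroups/"
SUB = "/subscriptions/"

# child scope -> parent scope (constructed hierarchy; "/" is the root scope)
PARENT = {
    MG + "tenant-root": "/",
    MG + "corp": MG + "tenant-root",
    MG + "corp-prod": MG + "corp",
    SUB + "sub-prod-01": MG + "corp-prod",
    SUB + "sub-sandbox": MG + "tenant-root",
}

# (principal, role, scope where the assignment was made), all constructed
ASSIGNMENTS = [
    ("admin@example.com", "User Access Administrator", "/"),
    ("ops-team", "Contributor", MG + "corp"),
    ("auditors", "Reader", MG + "tenant-root"),
    ("dev-alice", "Owner", SUB + "sub-sandbox"),
]

def scope_chain(scope, parent=PARENT):
    """Return the scope followed by every ancestor up to the root '/'."""
    chain, seen = [scope], {scope}
    while scope in parent:
        scope = parent[scope]
        if scope in seen:  # guard against a malformed hierarchy
            raise ValueError("cycle in hierarchy at " + scope)
        chain.append(scope)
        seen.add(scope)
    return chain

def effective_access(scope, assignments=ASSIGNMENTS, parent=PARENT):
    """Assignments that apply at `scope`: its own plus all inherited ones."""
    chain = scope_chain(scope, parent)
    return [(p, r, s) for (p, r, s) in assignments if s in chain]

def leftover_elevations(assignments=ASSIGNMENTS):
    """Principals still holding User Access Administrator at root scope '/'."""
    return [p for (p, r, s) in assignments
            if s == "/" and r == "User Access Administrator"]

if __name__ == "__main__":
    for who, role, where in effective_access(SUB + "sub-prod-01"):
        print(f"{who:20} {role:28} assigned at {where}")
    print("root elevations:", leftover_elevations())
```

The output for `sub-prod-01` lists principals who were never assigned on the subscription itself, which is the reason to review assignments at every ancestor group before moving a subscription under it.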
