Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called “management groups” and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.
Management groups are arranged in a hierarchical structure, like a tree, where each node in the tree represents a management group. At the top of this hierarchy is the “Root” management group which is built into every Azure tenant.
Here’s a brief outline of the steps involved in setting up Azure Management Groups.
Before creating management groups, devise a hierarchy that makes the most sense for your organization. Consider the separation of duties, organizational structures, and specific governance requirements. Each Azure tenant can support up to six levels of depth in this hierarchy, not including the Root level.
Assign policies and role-based access controls at the management group level.
Here’s a simple example of a management group hierarchy for an organization:
– Root
  – Infrastructure
    – Prod-Infra
    – Test-Infra
  – Applications
    – Prod-Apps
    – Test-Apps
  – Security
    – SecurityPolicies
Each management group can contain zero or more management groups and subscriptions. You can apply different policies at each level, depending on your organizational needs. For instance, the security team can manage policies in the “Security” management group that applies to all underlying subscriptions.
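The setup steps above, applied to the sample hierarchy with Azure CLI, as an added example that is not from the original page. The policy definition, principal and subscription values are placeholders, and giving the security team the built-in Resource Policy Contributor role is an assumption chosen for illustration.

```shell
# Added example: prints the az commands by default; set DRY_RUN=0 to run them.
MAX_DEPTH=6   # levels below Root, the limit stated above
# group:parent pairs from the sample outline, parents listed before children.
HIERARCHY="Infrastructure:root Prod-Infra:Infrastructure Test-Infra:Infrastructure
Applications:root Prod-Apps:Applications Test-Apps:Applications
Security:root SecurityPolicies:Security"
# Placeholders (assumptions): supply real values before running with DRY_RUN=0.
POLICY_DEF="${POLICY_DEF:-<policy-definition-name-or-id>}"
SEC_TEAM_ID="${SEC_TEAM_ID:-<security-team-object-id>}"
SUB_ID="${SUB_ID:-<subscription-id>}"

run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "az $*"; else az "$@"; fi; }
mg_scope() { echo "/providers/Microsoft.Management/managementGroups/$1"; }

parent_of() {   # print the declared parent of group $1
  for _p in $HIERARCHY; do
    if [ "${_p%%:*}" = "$1" ]; then echo "${_p#*:}"; return 0; fi
  done
  return 1
}
depth_of() {    # print how many levels below Root group $1 sits
  _g=$1; _d=0
  while [ "$_g" != root ] && [ "$_d" -le "$MAX_DEPTH" ]; do
    _g=$(parent_of "$_g") || return 1   # parent not declared in HIERARCHY
    _d=$((_d + 1))
  done
  echo "$_d"
}

# Create groups parent-first; refuse a plan that is too deep or has a missing parent.
build_hierarchy() {
  for pair in $HIERARCHY; do
    grp=${pair%%:*}; parent=${pair#*:}
    depth=$(depth_of "$grp") || { echo "undeclared parent above $grp" >&2; return 1; }
    [ "$depth" -le "$MAX_DEPTH" ] || { echo "$grp is deeper than $MAX_DEPTH levels" >&2; return 1; }
    set -- account management-group create --name "$grp" --display-name "$grp"
    [ "$parent" = root ] || set -- "$@" --parent "$parent"   # no --parent: created under Root
    run "$@"
  done
}

# Assign at the Security group; its child groups and subscriptions inherit both.
apply_governance() {
  run policy assignment create --name security-baseline --policy "$POLICY_DEF" --scope "$(mg_scope Security)"
  run role assignment create --assignee "$SEC_TEAM_ID" --role "Resource Policy Contributor" --scope "$(mg_scope Security)"
  run account management-group subscription add --name SecurityPolicies --subscription "$SUB_ID"
}

build_hierarchy && apply_governance
```

Review the printed commands before setting `DRY_RUN=0`: anything assigned at a management group scope reaches every subscription beneath it.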
By carefully setting up management groups and considering their implications on governance, you can effectively organize your Azure resources, streamline administration processes, and enforce policies consistently across your Azure environment. As you prepare for the AZ-104 Microsoft Azure Administrator exam, understanding management groups will be vital to demonstrate your ability to manage Azure resources and their hierarchies effectively.
Answer: A) True
Explanation: Management groups allow for the application of governance policies across multiple subscriptions, providing a level of scope above subscriptions.
Answer: C) 10
Explanation: Azure allows a hierarchy of management groups up to 10 levels deep.
Answer: A) 10,000
Explanation: An Azure environment can have a maximum of 10,000 management groups.
Answer: B) False
Explanation: It is not necessary to have an Azure subscription to create a management group. You just need the appropriate permissions.
Answer: D) Global Administrator
Explanation: To create or manage management groups, you must be assigned the Global Administrator role or User Access Administrator role. The Global Administrator role is required for certain management group actions.
Answer: A) True
Explanation: Management groups are tenant-scoped, meaning they can only be used to manage policies within a single Azure Active Directory tenant.
Answer: A) To contain all other management groups and subscriptions
Explanation: The “Root” management group is the top-level management group that contains all other management groups and subscriptions in the directory.
Answer: B) Access granted on a parent management group is inherited by the children.
Explanation: By default, any access granted to a management group is inherited by all the child resources, including child management groups and subscriptions.
Answer: B) False
Explanation: There can be some restrictions and prerequisites that need to be met before moving subscriptions between management groups, such as the need for sufficient permissions and no conflicting policies.
Answer: C) Azure Security Center
Explanation: Azure Security Center can be integrated with management groups to provide security management and threat protection across multiple subscriptions.
Answer: A) True
Explanation: The management group ID is immutable and cannot be changed once the management group has been created.
Answer: B) Ensure there are no child resources, such as other management groups or subscriptions
Explanation: Before deleting a management group, you must ensure that there are no child resources within it. All subscriptions and other management groups must be moved or deleted before the management group itself can be removed.
Management groups in Azure are containers that help you organize and manage access, policies, and compliance for multiple subscriptions.
To create a new management group in Azure, you can use the Azure portal, Azure PowerShell, Azure CLI, or Azure REST API.
Management groups provide a hierarchical structure for organizing resources, policies, and permissions across multiple subscriptions. They allow you to manage access, policies, and compliance at scale for your Azure environment. They simplify the process of applying policies and permissions to multiple subscriptions and resources at once.
You can manage management groups in Azure using the Azure portal, Azure PowerShell, Azure CLI, or Azure REST API. You can view and modify management group properties, assign policies and role-based access control (RBAC) roles, and move subscriptions and management groups within the hierarchy.
To assign policies to a management group, you can use the Azure portal, Azure PowerShell, Azure CLI, or Azure REST API. You can assign built-in or custom policies to a management group to ensure compliance and governance across all subscriptions and resources in the hierarchy.
To assign RBAC roles to a management group, you can use the Azure portal, Azure PowerShell, Azure CLI, or Azure REST API. You can assign built-in or custom RBAC roles to a management group to manage access and permissions for users and groups across all subscriptions and resources in the hierarchy.
Yes, you can move a subscription from one management group to another by using the Azure portal, Azure PowerShell, Azure CLI, or Azure REST API.
You can create up to 10,000 management groups in an Azure AD tenant.
You can manage access to management groups in Azure by using role-based access control (RBAC) and Azure AD groups. You can assign RBAC roles and permissions to users and groups to control access to management groups and their resources.
Yes, you can create nested management groups in Azure to create a more complex hierarchy for managing resources and policies. However, it’s important to keep in mind that there is a limit of six levels of nesting for management groups.
You can view the hierarchy of management groups in Azure by using the Azure portal or Azure PowerShell. The hierarchy is displayed as a tree view, with the top-level management group at the root and its child management groups below it.
Yes, you can delete a management group in Azure by using the Azure portal, Azure PowerShell, Azure CLI, or Azure REST API. However, you cannot delete a management group that has one or more child management groups or subscriptions.
You can add a subscription to a management group in Azure by using the Azure portal, Azure PowerShell, Azure CLI, or Azure REST API. You can move an existing subscription to a management group, or you can create a new subscription and add it directly to a management group.