Azure Management Groups: Organize Subscriptions at Scale
As cloud estates grow, a single Azure subscription quickly becomes dozens. Azure Management Groups give you an enterprise-grade governance scope above subscriptions, so policy and RBAC flow downward automatically.
Why management groups exist
- Policy at scale - assign an Initiative once; every child subscription inherits it.
- Consistent RBAC - grant Reader at the root and the security team sees the whole estate.
- Clear billing lenses - split subs by BU or environment for cleaner reports.
Important facts
- One Tenant root group is created automatically; it can’t be deleted or moved.
- Up to 10 000 management groups per tenant.
- Six-level depth beneath the root (root and subscription levels don’t count).
- Each node has one parent and many children; all subs in a group must share the same Microsoft Entra tenant.
Anatomy of the hierarchy
Tenant root group
├─ Corp
│  ├─ Prod-Apps
│  └─ NonProd-Apps
└─ Shared
   ├─ Networking
   └─ Security
Creating your first management group
- Portal → Management Groups → + Create.
- Give it a unique ID and friendly Display Name.
- (Optional) move existing subscriptions under it.
Assigning Policy & RBAC
Policy - Azure Policy service
- Search for Policy and open Azure Policy.
- Left nav → Authoring → Assignments.
- Click + Assign initiative (or Assign policy).
- In Scope, choose your management group.
- Select a built-in initiative like “Audit VMs that aren’t using approved SKUs”, adjust parameters, then Create.
RBAC
- Still on the management group, open Access control (IAM).
- + Add → Add role assignment, choose a role (e.g., Reader) and principal, then Save.
- Both the policy and role inherit automatically to every child subscription and resource.
Design tips & gotchas
- Root lock-down - treat the Tenant root group like Domain Admins; only break-glass accounts should own it.
- Environment split - separate Prod and NonProd branches so test SKUs don’t touch production.
- Depth sanity - most orgs need two or three MG levels, not all six.
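The inheritance described above (policy and RBAC assigned on a management group reaching every child subscription), together with the six-level depth limit and the root lock-down tip, can be checked offline with a small model of the hierarchy. This is an added example, not code from the original article or from any Azure tooling; the tree mirrors the article's diagram, while the principal names and the subscription name are constructed for illustration.

```python
from dataclasses import dataclass, field

MAX_DEPTH = 6  # Azure allows six management-group levels beneath the Tenant root group

@dataclass
class Node:
    """One scope in the hierarchy: a management group or, as a leaf, a subscription."""
    name: str
    parent: "Node | None" = None
    kind: str = "mg"                               # "mg" or "subscription"
    policies: set = field(default_factory=set)     # initiatives/policies assigned at this scope
    roles: set = field(default_factory=set)        # (principal, role) pairs assigned at this scope
    children: list = field(default_factory=list)

def add_child(parent: Node, name: str, kind: str = "mg") -> Node:
    child = Node(name, parent, kind)
    parent.children.append(child)
    return child

def effective(node: Node) -> tuple[set, set]:
    """Walk up to the Tenant root, collecting every assignment this scope inherits."""
    policies, roles = set(), set()
    while node is not None:
        policies, roles, node = policies | node.policies, roles | node.roles, node.parent
    return policies, roles

def validate(root: Node, break_glass: set) -> list[str]:
    """Checks from the design tips: Owner at the root only for break-glass; depth within the limit."""
    findings = [f"Owner at Tenant root held by non-break-glass principal {p}"
                for p, role in sorted(root.roles) if role == "Owner" and p not in break_glass]
    stack = [(root, 0)]                            # (node, levels beneath the root)
    while stack:
        n, d = stack.pop()
        if n.kind == "mg" and d > MAX_DEPTH:       # the subscription level does not count
            findings.append(f"{n.name} is {d} levels deep (limit {MAX_DEPTH})")
        stack.extend((c, d + 1) for c in n.children)
    return findings

def build_demo() -> tuple[Node, Node]:
    """Constructed hierarchy mirroring the article's tree, with sample assignments."""
    root = Node("Tenant root group")
    corp = add_child(root, "Corp")
    prod = add_child(corp, "Prod-Apps"); add_child(corp, "NonProd-Apps")
    shared = add_child(root, "Shared")
    add_child(shared, "Networking"); add_child(shared, "Security")
    sub = add_child(prod, "sub-prod-01", kind="subscription")  # hypothetical subscription
    root.roles.update({("secops-readers", "Reader"), ("breakglass-1", "Owner")})
    corp.policies.add("Audit VMs that aren't using approved SKUs")
    return root, sub
```

Calling `effective(sub)` shows the subscription under Prod-Apps picking up both the Reader grant from the root and the initiative assigned on Corp, while `validate` flags a non-break-glass Owner at the root or a branch nested deeper than six levels.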
Terraform snippet
variable "prod_subscription_id" {
  description = "Resource ID of the Prod subscription, e.g. /subscriptions/<guid>"
  type        = string
}

resource "azurerm_management_group" "corp" {
  name         = "corp"   # the unique management-group ID; omit it and the provider generates a UUID
  display_name = "Corp"
  # no parent_management_group_id, so Corp sits directly under the Tenant root group
}

# Moves the Prod subscription under Corp; policy and RBAC assigned on Corp now flow to it
resource "azurerm_management_group_subscription_association" "prod" {
  management_group_id = azurerm_management_group.corp.id
  subscription_id     = var.prod_subscription_id
}
Key takeaways
Start early, keep the hierarchy flat, and let governance flow downward so you spend more time delivering value and less time babysitting subscriptions.
Happy organizing! 🚀