8.30.2018
3.1.2023

Azure Management Groups Simplify Subscription Administration

Last updated:
9.16.2020
3.1.2023

If your enterprise cloud environment has started to sprawl out beyond one or two Azure subscriptions, chances are you’ll need to implement some form of management and policy enforcement across your Enterprise Agreement to control costs and ensure compliance. Enter Azure Management Groups.

Management Groups can be used to apply conditions to subscriptions based on Azure regions, SKU sizes, server versions, resource type, and more. They work in conjunction with Azure Policy and Azure Role Based Access Controls (RBAC) and are similar to Active Directory in their setup and administration.

 

Management Group Hierarchies

When many departments or individuals each require different Azure subscriptions and they have the ability to deploy their own services and servers within their subscriptions, you need some way to enforce corporate Azure policy. A management group hierarchy spans from a root group down through branches for each relevant department or user.

Each group placed under another inherits the policies of the groups above it. A higher-level Management Group can set policies for the groups below it, and those lower groups cannot change them. Each of these Management Group “trees” can run up to six levels beyond the Root level.

The Root group is built into the directory hierarchy and enables all global policies and RBAC assignments. New subscriptions are placed under the Root group when they are created and must be moved within the hierarchy.

Image sourced from Microsoft, Organize Your Resources with Azure Management Groups
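The inheritance rules above can be checked mechanically. The following is an added example, not code from the original post: it walks a constructed hierarchy, lists the effective (inherited plus direct) assignments for each subscription, and flags subscriptions still sitting directly under Root and groups nested deeper than six levels. The node layout, names, and assignment labels are assumptions made for illustration.

```python
# Constructed sample hierarchy (not real tenant data). Each node carries its
# name, kind ("mg" = management group, "sub" = subscription), the assignments
# made directly at that scope, and its children.
ROOT = {
    "name": "root", "kind": "mg",
    "assignments": ["policy:allowed-locations"],
    "children": [
        # A new subscription lands under Root until someone moves it.
        {"name": "sub-new", "kind": "sub", "assignments": [], "children": []},
        {"name": "it", "kind": "mg",
         "assignments": ["rbac:Reader->helpdesk"],
         "children": [
             {"name": "it-prod", "kind": "mg",
              "assignments": ["policy:audit-disk-encryption"],
              "children": [
                  {"name": "sub-it-prod", "kind": "sub",
                   "assignments": ["rbac:Contributor->app-team"],
                   "children": []},
              ]},
         ]},
    ],
}

MAX_DEPTH = 6  # management group levels allowed below Root, per the article


def walk(node, inherited=(), depth=0):
    """Yield (name, kind, depth, inherited, own) for every node, top down."""
    own = tuple(node["assignments"])
    yield node["name"], node["kind"], depth, tuple(inherited), own
    for child in node["children"]:
        # Children inherit everything assigned at or above this node.
        yield from walk(child, tuple(inherited) + own, depth + 1)


def audit(root):
    """Return effective assignments per subscription plus hierarchy findings."""
    report = {"effective": {}, "unplaced": [], "too_deep": []}
    for name, kind, depth, inherited, own in walk(root):
        if kind == "sub":
            report["effective"][name] = list(inherited) + list(own)
            if depth == 1:  # directly under Root: only global policy applies
                report["unplaced"].append(name)
        elif depth > MAX_DEPTH:
            report["too_deep"].append(name)
    return report


if __name__ == "__main__":
    for key, value in audit(ROOT).items():
        print(key, value)
```

A subscription listed under "unplaced" receives only the Root group's assignments, so none of the departmental policies or role assignments apply to it yet.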

 

Management Groups and RBAC

Azure Management Groups work in concert with Role Based Access Controls to assign resource access and role definitions according to the group directory.

You can assign the default RBAC roles of Owner, Contributor, Reader, and so forth to a Management Group. All Virtual Machines under that Management Group will inherit the abilities of that Role. Custom RBAC is not currently supported within Management Groups.

This helps you control which subscriptions and users within your organization have which levels of control over their infrastructure. You can give a Management Group any combination of permissions over the creation, naming, movement, deletion, access control, policy assignments, and reading of Virtual Machines within a given Group.

For more on what RBAC can do, read What is role-based access control? 

 

Management Groups and Azure Policies

Azure Policies are configured to audit VMs based on disk type, size, name convention, tags with or without default values, locations, VM image source, encryption, diagnostics, network interfaces, network security groups, and much more.

When you create a policy, you select the Management Group you wish to assign it to under the Policy definition page.

 

For large-scale Azure use across a variety of users and departments, Management Groups are an essential tool for administrators, providing an easy way to implement a policy-based hierarchy for access control, security requirements, VM configuration compliance, and more. Consider implementing them if your subscription users have started to create VMs that are out-of-bounds in relation to your Azure use policies.
