Azure Management Groups
By Microsoft
Azure Management Groups are containers that Azure administrators use to organize multiple subscriptions into a hierarchy so that access, policy, and compliance controls can be applied consistently across them.
Definition
Azure Management Groups are containers that Azure administrators use to organize multiple subscriptions into a hierarchy so that access, policy, and compliance controls can be applied consistently across them.
Overview
Azure's resource hierarchy has four levels: management groups sit above subscriptions, which contain resource groups, which in turn contain individual resources. Management Groups exist specifically to solve the governance problem that arises once an organization has more than a handful of subscriptions — rather than assigning Azure Policy definitions or role-based access control (RBAC) individually to each subscription, administrators can group subscriptions into a tree of management groups and apply policies or role assignments once, at whatever level makes sense, and have them inherit down to every subscription and resource beneath it. Every Azure tenant is created with a single root management group at the top of the hierarchy, and organizations typically build a small number of levels beneath it — commonly separating groups by business unit, environment (production versus non-production), or compliance requirement. Azure Policy assignments, RBAC role assignments, and Azure Blueprints can all be scoped to a management group, which is what makes them useful as an enforcement point rather than just an organizational label; a policy that requires encryption at rest, for instance, can be applied once at a management group and automatically govern every subscription created underneath it, including ones created later. Management Groups are central to the Azure Cloud Adoption Framework's landing zone design, where they are used to separate platform subscriptions (identity, management, connectivity) from landing zone subscriptions (the actual application workloads), giving enterprises a consistent governance backbone as they scale to dozens or hundreds of subscriptions. The concept mirrors AWS Organizations' organizational units and Google Cloud's Resource Manager folders.
Key Features
- Hierarchical grouping of Azure subscriptions, up to six levels deep beneath the root
- Azure Policy assignments that inherit down from a management group to all subscriptions and resources within it
- RBAC role assignments scoped at the management group level for centralized access control
- A single root management group automatically present in every Azure Active Directory tenant
- Support for Azure Blueprints to deploy consistent resource sets across a management group
- Central to the Azure Cloud Adoption Framework's landing zone architecture
- Ability to move subscriptions between management groups as organizational needs change
Use Cases
Alternatives
Frequently Asked Questions
From the Blog
AWS vs Azure vs Google Cloud: Which to Learn?
A comprehensive guide to aws vs azure vs google cloud: which to learn? — written for learners at every level.
Read More Cloud & CybersecurityTerraform Basics: Infrastructure as Code on AWS
Terraform lets you define cloud infrastructure in code, version it in Git, and deploy it repeatably. This guide covers providers, resources, variables, outputs, state management, and real AWS examples — from a simple S3 bucket to a complete web server setup.
Read More Learn Through HobbiesLearn React Through Game Development: Build a Chess Clock
A chess clock is the perfect React project — it's small enough to finish in an afternoon but teaches useState, useEffect, timer management, and conditional rendering in a context that makes every concept feel purposeful. No boring counter apps.
Read More