Management groups in Azure provide a level of scope in the Azure hierarchy that is above subscriptions. They provide a way to aggregate and manage access, policies, and compliance across multiple Azure subscriptions. When preparing for the AZ-104 Microsoft Azure Administrator Exam, understanding how to configure these is essential.
Configuring Management Groups in Azure
Management Groups are organizational units intended to structure the resources in your organization hierarchically, based on your business needs. They offer a way to apply access control to your resources at a particular scope.
Here are a few steps to get started:
- Sign in to the Azure portal and navigate to “Management Groups”. Here you can create or manage your management groups.
- Click “+ Add management group” to add a new group. Enter a unique ID and a display name for your management group.
These steps create a top-level management group. You can add other management groups or subscriptions to this group. Any Azure Policy assignment or Azure role assignment applied to this group is inherited by its child management groups and subscriptions.
Note: Your Azure account must have the ‘Owner’ or ‘Contributor’ permissions for the subscription you want to add to a management group, and once a subscription is associated with a management group, only users with access to that group can manage that subscription.
Examples of Policies Implemented at Management Groups
Consider an example where your organization has several Azure subscriptions. You may want to implement a consistent policy across all subscriptions, such as “Only allow virtual machine (VM) creation in certain regions”. Instead of applying this policy to each subscription individually (which is time-consuming and error-prone), apply it once at the management group scope.
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "field": "location",
        "notIn": [
          "westus",
          "eastus",
          "centralus"
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
In the above Azure Policy, if a user tries to create a VM in a region other than those mentioned (‘westus’, ‘eastus’, ‘centralus’), the request will be denied.
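As an added example (not part of the original article, and not Azure's policy engine), the following Python script evaluates the rule above against constructed VM and storage-account requests. It implements only the allOf/field/equals/in/notIn constructs used on this page and writes the location condition with notIn, which is what yields the deny-outside-the-listed-regions behaviour the text describes; the real engine's case handling and other operators are not modelled.

```python
"""Minimal evaluator for the Azure Policy rule on this page (added example,
not Azure's engine). Only 'allOf', 'anyOf', 'not', 'field'/'equals', 'in'
and 'notIn' are supported; everything else raises ValueError."""
import json

# The page's rule with "notIn": VMs OUTSIDE the listed regions are denied.
# With "in" instead, the listed regions themselves would be the ones denied.
ALLOWED_REGIONS_RULE = json.loads("""
{
  "if": {
    "allOf": [
      {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
      {"field": "location", "notIn": ["westus", "eastus", "centralus"]}
    ]
  },
  "then": {"effect": "deny"}
}
""")


def condition_matches(cond: dict, resource: dict) -> bool:
    """Evaluate one condition block against a flat resource description."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource)
    value = resource.get(cond["field"])  # e.g. "type" or "location"
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(rule: dict, resource: dict) -> str:
    """Return the rule's effect (here 'deny') when 'if' matches, else 'allow'."""
    if condition_matches(rule["if"], resource):
        return rule["then"]["effect"]
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests: an allowed-region VM, an out-of-region VM,
    # and a non-VM resource in a region that is not on the list.
    for res in ({"type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
                {"type": "Microsoft.Compute/virtualMachines", "location": "northeurope"},
                {"type": "Microsoft.Storage/storageAccounts", "location": "northeurope"}):
        print(res["type"], res["location"], "->", evaluate(ALLOWED_REGIONS_RULE, res))
```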
Structuring Management Groups
An effective structure helps the organization manage access, policies, and compliance. A possible structure could be:
- Root Management Group: All subscriptions
- Management Group: Environment (Prod, Test)
- Management Group: Division (Finance, HR)
- Management Group: Department (Accounts, Payroll)
The Root management group contains every resource within the directory, subdivided into environment-based (Production, Testing) groups. Then, each environment group is further divided into division groups (Finance, HR), and finally, into department groups.
Note: It is recommended that the top-level management group contain only other management groups, not resources.
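The governance rules this page describes (a root group that exists automatically, a single parent per group or subscription, inheritance of assignments down the tree, at most six group levels below the root, and deletion only of empty groups) as a small Python model. This is an added example, not Azure's implementation; the group and subscription IDs are constructed and follow the Root > Environment > Division layout above.

```python
# Toy model of a management-group tree (added example, not Azure's code). It
# enforces what this page states: the root exists automatically, each node has
# one parent, at most six group levels sit below the root, only empty groups
# can be deleted, and assignments on a parent flow down to its children.
MAX_DEPTH = 6  # management-group levels allowed below the root

class Hierarchy:
    def __init__(self, root_id="tenant-root-mg"):
        # node_id -> [kind, parent_id, assignments]; the root has no parent
        self.nodes = {root_id: ["group", None, []]}

    def depth(self, node_id):
        d, parent = 0, self.nodes[node_id][1]
        while parent is not None:
            d, parent = d + 1, self.nodes[parent][1]
        return d

    def add(self, node_id, kind, parent, assignments=None):
        if node_id in self.nodes:
            raise ValueError(f"{node_id} exists already; only one parent allowed")
        if self.nodes[parent][0] != "group":
            raise ValueError("only a management group can hold children")
        if kind == "group" and self.depth(parent) + 1 > MAX_DEPTH:
            raise ValueError(f"more than {MAX_DEPTH} levels below the root")
        self.nodes[node_id] = [kind, parent, assignments or []]

    def delete(self, node_id):
        if any(p == node_id for _, p, _ in self.nodes.values()):
            raise ValueError("move or delete the children first")
        del self.nodes[node_id]

    def move_subscription(self, sub_id, new_parent):
        if self.nodes[new_parent][0] != "group":
            raise ValueError("a subscription's parent must be a management group")
        self.nodes[sub_id][1] = new_parent  # assignments on the subscription stay

    def effective(self, node_id):
        """Assignments made here plus those inherited from every ancestor."""
        out, cur = [], node_id
        while cur is not None:
            out = self.nodes[cur][2] + out
            cur = self.nodes[cur][1]
        return out

def build_sample():
    """Constructed tree: root > env-prod > div-finance > sub-payroll."""
    h = Hierarchy()
    h.add("env-prod", "group", "tenant-root-mg", ["policy:allowed-vm-regions"])
    h.add("div-finance", "group", "env-prod", ["role:Reader->auditors"])
    h.add("sub-payroll", "subscription", "div-finance")
    return h
```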
To conclude, understanding and configuring Azure Management Groups is a critical skill for anyone preparing for the AZ-104 Microsoft Azure Administrator exam. It provides a way of organizing your resources and enables you to implement governance on your Azure subscriptions effectively.
Practice Test
True/False: Management groups in Azure are used for managing access, policies, and compliance across multiple Azure subscriptions.
- True
- False
Answer: True
Explanation: Management groups provide a level of scope above subscriptions. You organize subscriptions into containers called “management groups” and apply your governance conditions to the management groups.
True/False: We cannot move subscriptions from one management group to another.
- True
- False
Answer: False
Explanation: You can move subscriptions from one management group to another. This provides the flexibility to adjust your management group tree structure as your business needs change.
How many levels of management groups can be created in an Azure tenant?
- a) 5
- b) 6
- c) 7
- d) 8
Answer: b) 6
Explanation: You can have up to six levels of management groups in Azure to implement a flexible structure for your business needs.
True/False: A single Azure Management Group can have multiple parent groups.
- True
- False
Answer: False
Explanation: A single Azure Management Group can only have one parent group to maintain a clear hierarchy of control.
What type of conditions can you apply to Azure management groups?
- a) Access management
- b) Policy assignments
- c) Compliance details
- d) All of the above
Answer: d) All of the above
Explanation: Azure management groups allow the management of access, policy, and compliance across multiple Azure subscriptions.
True/False: Management groups must have a Subscription as a child.
- True
- False
Answer: False
Explanation: A Management group can have another Management group or a Subscription as a child. It is not mandatory to have a Subscription as a child.
Is there a limit on how many subscriptions can be created in an individual management group?
- a) Yes
- b) No
Answer: b) No
Explanation: Azure does not specify a limit on how many subscriptions can exist within one management group.
True/False: A ‘Root’ management group is automatically created in each directory.
- True
- False
Answer: True
Explanation: A ‘Root’ management group is automatically created in each directory for all the direct child management groups to inherit.
Can the same Group ID be reused once it has been deleted?
- a) Yes
- b) No
Answer: b) No
Explanation: The Group ID of a deleted management group cannot be reused for 30 days after deletion.
True/False: Azure Management Group capabilities are available for free.
- True
- False
Answer: True
Explanation: Azure management group capabilities are not billed. They are available at no additional cost.
Which of the following is not a role for an Azure management group?
- a) Owner
- b) Contributor
- c) Reader
- d) Manager
Answer: d) Manager
Explanation: Owner, contributor, and reader are roles for an Azure management group, but manager is not.
True/False: You can assign Azure roles and Azure policies to a management group.
- True
- False
Answer: True
Explanation: You can assign Azure roles at the subscription, resource group, and resource levels. You can also assign Azure policies at the management group level to enforce organization standards.
In Azure Management Groups, how long does it take for permissions to propagate?
- a) 1 hour
- b) 2 hours
- c) 14-16 hours
- d) It’s instantaneous
Answer: c) 14-16 hours
Explanation: Permissions in Azure Management Groups can take from 14 up to 16 hours to propagate.
True/False: Management groups can manage applications in Azure Active Directory.
- True
- False
Answer: False
Explanation: Management groups only provide management capabilities at Azure subscription level. They cannot manage applications in Azure Active Directory.
What maximum number of management groups can be created in a single directory?
- a) 5,000
- b) 10,000
- c) 15,000
- d) 20,000
Answer: d) 20,000
Explanation: In a single directory, you can create up to 20,000 management groups.
Interview Questions
What is a management group in Azure?
Management groups in Azure are containers that help you manage access, policy, and compliance across multiple subscriptions.
How many levels of depth can you have in your management group tree structure?
You can have up to six levels of depth in your management group tree structure not including the Root level or the subscription level.
What is the maximum number of management groups that can be created in a single directory?
A single directory can support up to 10,000 management groups.
What is the purpose of Azure Policy in the context of management groups?
Azure Policy helps in applying and enforcing rules on your resources at the management group level, which makes it easier to govern your resources within your organization.
What is the purpose of the ‘Root’ management group in Azure?
The ‘Root’ management group is the top-level management group in the hierarchy. Every directory gets a single Root group that is built in the hierarchy to have all groups and subscriptions fold up to it. This Root group allows global policies and Azure role assignments to be applied at the directory level.
Which Azure service is used to provide access control (IAM) in management groups?
Azure Active Directory (Azure AD) is used to provide access control (IAM) in management groups.
Can the Management Group ID and Name be different?
Yes, the Management Group ID and Name can be different. The Management Group ID is the permanent, immutable identifier, whereas the Name can be changed.
Can you move a subscription from one management group to another?
Yes, a subscription can be moved from one management group to another. However, you need to have the appropriate permissions to perform this operation.
Can each subscription in Azure be assigned to only one management group?
Yes, each subscription in Azure can only be assigned to a single management group at a time.
How are Azure role assignments propagated through a hierarchy in management groups?
Provisioned Azure role assignments automatically flow down the hierarchy through inheritance. A role assignment on a parent management group means that all child subscriptions inherit that role assignment.
How to create a new management group in Azure?
A new management group in Azure can be created using Azure portal, Azure CLI, or PowerShell. The specific command or action may vary depending on the tool you are using.
How can you remove a management group?
Management groups can be deleted using Azure portal, Azure CLI, or PowerShell. However, the group must have no children (sub-groups or subscriptions) before it can be deleted.
How can you rename a management group?
To rename a management group, you can use the Azure portal, Azure CLI, or PowerShell. The specific command or action may vary depending on the tool you are using.
Are there any costs associated with using Management Groups in Azure?
No, there are no additional fees for using Management Groups in Azure.
Are Management Groups region-specific in Azure?
No, Management Groups are not region-specific, so they can manage subscriptions globally from any region.