Organize and manage multiple Azure subscriptions
If you have only a few subscriptions, then managing them independently is relatively simple. However, if you have many subscriptions, create a management group hierarchy to help manage your subscriptions and resources.
Azure management groups
Azure management groups help you efficiently manage access, policies, and compliance for your subscriptions. Each management group is a container for one or more subscriptions.
Management groups are arranged in a single hierarchy. You define this hierarchy in your Azure Active Directory (Azure AD) tenant to align with your organization's structure and needs. The top level is called the root management group. You can define up to six levels of management groups in your hierarchy. Each subscription is contained by only one management group.
Azure provides four levels of management scope:
- Management groups
- Resource groups
Any access or policy applied at one level in the hierarchy is inherited by the levels below it. A resource owner or subscription owner can't alter an inherited policy. This limitation helps improve governance.
Tag inheritance is not yet supported but will be available soon.
This inheritance model lets you arrange the subscriptions in your hierarchy so that each subscription follows appropriate policies and security controls.
Figure 1: The four scope levels for organizing your Azure resources.
Any access or policy assignment on the root management group applies to all resources in the directory. Carefully consider which items you define at this scope. Include only the assignments you must have.
Create your management group hierarchy
When you define your management group hierarchy, first create the root management group. Then move all existing subscriptions in the directory into the root management group. New subscriptions are always created in the root management group. Later, you can move them to another management group.
When you move a subscription to an existing management group, it inherits the policies and role assignments from the management group hierarchy above it. Once you have established multiple subscriptions for your Azure workloads, you can create additional subscriptions to contain Azure services that other subscriptions share.
If you expect your Azure environment to grow, you should create management groups for production and nonproduction now, and apply appropriate policies and access controls at the management group level. New subscriptions will inherit the appropriate controls as they're added to each management group.
Figure 2: An example of a management group hierarchy.
Example use cases
Some basic examples of using management groups to separate different workloads include:
Production versus nonproduction workloads: Use management groups to more easily manage different roles and policies between production and nonproduction subscriptions. For example, developers might have contributor access in nonproduction subscriptions but only reader access in production subscriptions.
Internal services versus external services: Enterprises often have different requirements, policies, and roles for internal services versus external customer-facing services.
Review the following resources to learn more about organizing and managing your Azure resources.
- Organize your resources with Azure management groups
- Elevate access to manage all Azure subscriptions and management groups
- Move Azure resources to another resource group or subscription
Review recommended naming and tagging conventions to follow when deploying your Azure resources.