Create management groups for resource organization and management

Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. Create these containers to build an effective and efficient hierarchy that can be used with Azure Policy and Azure role-based access control (RBAC). For more information on management groups, see Organize your resources with Azure management groups.

The first management group created in the directory could take up to 15 minutes to complete. There are processes that run the first time to set up the management groups service within Azure for your directory. You receive a notification when the process is complete.

Create a management group

You can create the management group by using the portal, PowerShell, or Azure CLI. Currently, you can't use Resource Manager templates to create management groups.

Create in portal

  1. Log in to the Azure portal.

  2. Select All services > Management groups.

  3. On the main page, select New Management group.

  4. Fill in the management group ID field.

    • The Management Group ID is the directory-unique identifier that is used to submit commands on this management group. This identifier isn't editable after creation because it is used throughout the Azure system to identify this group. The root management group is automatically created with an ID that is the Azure Active Directory ID. For all other management groups, assign a unique ID.
    • The display name field is the name that is displayed within the Azure portal. A separate display name is an optional field when creating the management group and can be changed at any time.

  5. Select Save.

Create in PowerShell

For PowerShell, use the New-AzManagementGroup cmdlet to create a new management group.

New-AzManagementGroup -GroupName 'Contoso'

The GroupName is a unique identifier being created. This ID is used by other commands to reference this group and it can't be changed later.

If you want the management group to show a different name within the Azure portal, add the DisplayName parameter. For example, to create a management group with the GroupName of Contoso and the display name of "Contoso Group", use the following cmdlet:

New-AzManagementGroup -GroupName 'Contoso' -DisplayName 'Contoso Group'

In the preceding examples, the new management group is created under the root management group. To specify a different management group as the parent, use the ParentId parameter.

$parentGroup = Get-AzManagementGroup -GroupName Contoso
New-AzManagementGroup -GroupName 'ContosoSubGroup' -ParentId $parentGroup.id

Create in Azure CLI

For Azure CLI, use the az account management-group create command to create a new management group.

az account management-group create --name Contoso

The name is a unique identifier being created. This ID is used by other commands to reference this group and it can't be changed later.

If you want the management group to show a different name within the Azure portal, add the display-name parameter. For example, to create a management group with the name of Contoso and the display name of "Contoso Group", use the following command:

az account management-group create --name Contoso --display-name 'Contoso Group'

In the preceding examples, the new management group is created under the root management group. To specify a different management group as the parent, use the parent parameter and provide the name of the parent group.

az account management-group create --name ContosoSubGroup --parent Contoso
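
The parent ordering behind the last command, as an added example (not from the original page or the Azure documentation): a POSIX shell sketch that orders a small hierarchy parent-first and prints the az account management-group create commands shown above, running them only when MG_APPLY=1. The pipe-separated spec format, the MG_APPLY variable, the function names and the sample group names are assumptions of this example.

```shell
# Added example. Spec format (an assumption of this sketch): one group per line,
# "name|display name|parent"; an empty parent means the root management group.
# Constructed sample values, listed child-first on purpose.
MG_SPEC='ContosoSubGroup|Contoso Sub Group|Contoso
Contoso|Contoso Group|'

# True when the group named $1 was already planned in this run.
is_known() { case "$created" in *" $1 "*) return 0 ;; *) return 1 ;; esac; }

# Print the create command, or run it when MG_APPLY=1 (needs a signed-in az).
create_group() { # arguments: name, display name, parent
  if [ "${MG_APPLY:-0}" != 1 ]; then
    printf "az account management-group create --name %s --display-name '%s'%s\n" \
      "$1" "$2" "${3:+ --parent $3}"
  elif [ -n "$3" ]; then
    az account management-group create --name "$1" --display-name "$2" --parent "$3" </dev/null
  else
    az account management-group create --name "$1" --display-name "$2" </dev/null
  fi
}

# Emit groups parent-first. A parent that is not in the spec is an error, so a
# group is never placed somewhere the spec does not describe.
plan_management_groups() {
  pending=$1 created=' '
  while [ -n "$pending" ]; do
    deferred='' progressed=0
    while IFS='|' read -r name display parent; do
      [ -n "$name" ] || continue
      if [ -z "$parent" ] || is_known "$parent"; then
        create_group "$name" "$display" "$parent" || return 1
        created="$created$name "
        progressed=1
      else
        deferred="$deferred$name|$display|$parent
"
      fi
    done <<EOF
$pending
EOF
    if [ "$progressed" = 0 ]; then
      echo "unresolved parent in: $deferred" >&2
      return 1
    fi
    pending=$deferred
  done
}
plan_management_groups "$MG_SPEC"
```

Reviewing the printed plan before applying it is worthwhile because the name can't be changed after the group is created.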

Next steps

To learn more about management groups, see: