Quickstart: Create a management group with JavaScript

Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. Create these containers to build an effective and efficient hierarchy that can be used with Azure Policy and Azure Role Based Access Controls. For more information on management groups, see Organize your resources with Azure management groups.

The first management group created in the directory could take up to 15 minutes to complete. There are processes that run the first time to set up the management groups service within Azure for your directory. You receive a notification when the process is complete. For more information, see initial setup of management groups.

Prerequisites

  • If you don't have an Azure subscription, create a free account before you begin.

  • Before you start, make sure that at least version 12 of Node.js is installed.

  • Any Azure AD user in the tenant can create a management group without the management group write permission assigned to that user if hierarchy protection isn't enabled. This new management group becomes a child of the Root Management Group or the default management group and the creator is given an "Owner" role assignment. Management group service allows this ability so that role assignments aren't needed at the root level. No users have access to the Root Management Group when it's created. To avoid the hurdle of finding the Azure AD Global Admins to start using management groups, we allow the creation of the initial management groups at the root level.

Use Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article without having to install anything on your local environment.

To start Azure Cloud Shell:

Option Example/Link
Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell. Example of Try It for Azure Cloud Shell
Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser. Launch Cloud Shell in a new window
Select the Cloud Shell button on the menu bar at the upper right in the Azure portal. Cloud Shell button in the Azure portal

To run the code in this article in Azure Cloud Shell:

  1. Start Cloud Shell.

  2. Select the Copy button on a code block to copy the code.

  3. Paste the code into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux or by selecting Cmd+Shift+V on macOS.

  4. Select Enter to run the code.

Application setup

To enable JavaScript to manage management groups, the environment must be set up. This setup works wherever JavaScript can be used, including bash on Windows 10.

  1. Set up a new Node.js project by running the following command.

    npm init -y
    
  2. Add a reference to the yargs module.

    npm install yargs
    
  3. Add a reference to the Azure Resource Graph module.

    npm install @azure/arm-managementgroups
    
  4. Add a reference to the Azure authentication library.

    npm install @azure/ms-rest-nodeauth
    

    Note

    Verify in package.json @azure/arm-managementgroups is version 1.1.0 or higher and @azure/ms-rest-nodeauth is version 3.0.5 or higher.

Create the management group

  1. Create a new file named index.js and enter the following code.

    const argv = require("yargs").argv;
    const authenticator = require("@azure/ms-rest-nodeauth");
    const managementGroups = require("@azure/arm-managementgroups");
    
    if (argv.groupID && argv.displayName) {
        const createMG = async () => {
           const credentials = await authenticator.interactiveLogin();
           const client = new managementGroups.ManagementGroupsAPI(credentials);
           const result = await client.managementGroups.createOrUpdate(
              groupId: argv.groupID,
              {
                  displayName: argv.displayName
              }
           );
           console.log(result);
        };
    
        createMG();
    }
    
  2. Enter the following command in the terminal:

    node index.js --groupID "<NEW_MG_GROUP_ID>" --displayName "<NEW_MG_FRIENDLY_NAME>"
    

    Make sure to replace each token <> placeholder with your management group ID and management group friendly name, respectively.

    As the script attempts to authenticate, a message similar to the following message is displayed in the terminal:

    To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code FGB56WJUGK to authenticate.

    Once you authenticate in the browser, then the script continues to run.

The result of creating the management group is output to the console.

Clean up resources

If you wish to remove the installed libraries from your application, run the following command.

npm uninstall @azure/arm-managementgroups @azure/ms-rest-nodeauth yargs

Next steps

In this quickstart, you created a management group to organize your resource hierarchy. The management group can hold subscriptions or other management groups.

To learn more about management groups and how to manage your resource hierarchy, continue to: