Create management groups for resource organization and management
Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. Create these containers to build an effective and efficient hierarchy that can be used with Azure Policy and Azure Role Based Access Controls. For more information on management groups, see Organize your resources with Azure management groups.
The first management group created in the directory could take up to 15 minutes to complete. There are processes that run the first time to set up the management groups service within Azure for your directory. You receive a notification when the process is complete. For more information, see initial setup of management groups.
Create a management group
Any Azure AD user in the tenant can create a management group without the management group write permission assigned to that user. This new management group will be a child of the Root Management Group and the creator will be given an "Owner" role assignment. The management group service allows this so that role assignments aren't needed at the root level. No users have access to the Root Management Group when it's created. To avoid the hurdle of finding the Azure AD Global Admins to start using management groups, we allow the creation of the initial management groups at the root
You can create the management group by using the portal, an Azure Resource Manager template, PowerShell, or Azure CLI.
Create in portal
Log into the Azure portal.
Select All services > Management + governance.
Select Management Groups.
Select + Add management group.
Fill in the management group ID field.
- The Management Group ID is the directory unique identifier that is used to submit commands on this management group. This identifier isn't editable after creation as it is used throughout the Azure system to identify this group. The root management group is automatically created with an ID that is the Azure Active Directory ID. For all other management groups, assign a unique ID.
- The display name field is the name that is displayed within the Azure portal. A separate display name is an optional field when creating the management group and can be changed at any
Create in PowerShell
For PowerShell, use the New-AzManagementGroup cmdlet to create a new management group.
New-AzManagementGroup -GroupName 'Contoso'
The GroupName is a unique identifier being created. This ID is used by other commands to reference this group and it can't be changed later.
If you want the management group to show a different name within the Azure portal, add the DisplayName parameter. For example, to create a management group with the GroupName of Contoso and the display name of "Contoso Group", use the following cmdlet:
New-AzManagementGroup -GroupName 'Contoso' -DisplayName 'Contoso Group'
In the preceding examples, the new management group is created under the root management group. To specify a different management group as the parent, use the ParentId parameter.
$parentGroup = Get-AzManagementGroup -GroupName Contoso
New-AzManagementGroup -GroupName 'ContosoSubGroup' -ParentId $parentGroup.id
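The following added example, which is not from the original documentation, creates the parent and child groups from the preceding commands only if they are missing, then lists the Owner role assignments made directly on each group so the creator's automatic "Owner" assignment described earlier can be reviewed. The display name 'Contoso Sub Group' is a constructed value, and an authenticated Az PowerShell session with the Az.Resources module is assumed.

```powershell
# Added example; group IDs and display names below are sample values.
# Assumes Az.Resources is installed and Connect-AzAccount has been run.

# Parent entries must appear before their children.
$groups = @(
    @{ Id = 'Contoso';         DisplayName = 'Contoso Group';     Parent = $null }
    @{ Id = 'ContosoSubGroup'; DisplayName = 'Contoso Sub Group'; Parent = 'Contoso' }
)

foreach ($g in $groups) {
    # Skip creation when the group already exists, so the script can be re-run safely.
    $existing = Get-AzManagementGroup -GroupName $g.Id -ErrorAction SilentlyContinue
    if (-not $existing) {
        $params = @{ GroupName = $g.Id; DisplayName = $g.DisplayName }
        if ($g.Parent) {
            # ParentId takes the parent's full resource ID, not its short name.
            $params.ParentId = (Get-AzManagementGroup -GroupName $g.Parent -ErrorAction Stop).Id
        }
        $existing = New-AzManagementGroup @params
    }

    # Get-AzRoleAssignment also returns assignments inherited from parent scopes.
    # Keep only those made directly on this group, which includes the creator's Owner role.
    Get-AzRoleAssignment -Scope $existing.Id -RoleDefinitionName 'Owner' |
        Where-Object { $_.Scope -eq $existing.Id } |
        Select-Object @{ n = 'ManagementGroup'; e = { $g.Id } },
                      DisplayName, SignInName, ObjectType, ObjectId
}
```

A newly created role assignment can take a short time to appear, so an empty result immediately after creation is worth re-checking.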
Create in Azure CLI
For Azure CLI, use the az account management-group create command to create a new management group.
az account management-group create --name Contoso
The name is a unique identifier being created. This ID is used by other commands to reference this group and it can't be changed later.
If you want the management group to show a different name within the Azure portal, add the display-name parameter. For example, to create a management group with the name of Contoso and the display name of "Contoso Group", use the following command:
az account management-group create --name Contoso --display-name 'Contoso Group'
In the preceding examples, the new management group is created under the root management group. To specify a different management group as the parent, use the parent parameter and provide the name of the parent group.
az account management-group create --name ContosoSubGroup --parent Contoso