Manage your resources with management groups

If your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called "management groups" and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.

Management groups give you enterprise-grade management at a large scale no matter what type of subscriptions you might have. To learn more about management groups, see Organize your resources with Azure management groups.

Note

This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Change the name of a management group

You can change the name of the management group by using the portal, PowerShell, or Azure CLI.

Change the name in the portal

  1. Log into the Azure portal.

  2. Select All services > Management groups.

  3. Select the management group you would like to rename.

  4. Select details.

  5. Select the Rename group option at the top of the page.

    Rename Group option on management group page

  6. When the menu opens, enter the new name you would like to have displayed.

    Rename Group pane to rename management group

  7. Select Save.

Change the name in PowerShell

To update the display name, use Update-AzManagementGroup. For example, to change a management group's display name from "Contoso IT" to "Contoso Group", run the following command:

Update-AzManagementGroup -GroupName 'ContosoIt' -DisplayName 'Contoso Group'

Change the name in Azure CLI

For Azure CLI, use the update command.

az account management-group update --name 'Contoso' --display-name 'Contoso Group'

Delete a management group

To delete a management group, the following requirements must be met:

  1. There are no child management groups or subscriptions under the management group.

  2. You have write permissions on the management group ("Owner", "Contributor", or "Management Group Contributor"). To see what permissions you have, select the management group and then select IAM. To learn more on RBAC Roles, see Manage access and permissions with RBAC.

Delete in the portal

  1. Log into the Azure portal.

  2. Select All services > Management groups.

  3. Select the management group you would like to delete.

  4. Select details.

  5. Select Delete.

    Tip

    If the icon is disabled, hovering your mouse selector over the icon shows you the reason.

    Delete group option

  6. There's a window that opens confirming you want to delete the management group.

    Delete group confirmation window

  7. Select Yes.

Delete in PowerShell

Use the Remove-AzManagementGroup command within PowerShell to delete management groups.

Remove-AzManagementGroup -GroupName 'Contoso'

Delete in Azure CLI

With Azure CLI, use the command az account management-group delete.

az account management-group delete --name 'Contoso'

View management groups

You can view any management group you have a direct or inherited RBAC role on.

View in the portal

  1. Log into the Azure portal.

  2. Select All services > Management groups.

  3. The management group hierarchy page will load. This page is where you can explore all the management groups and subscriptions you have access to. Selecting the group name takes you down a level in the hierarchy. The navigation works the same as a file explorer does.

  4. To see the details of the management group, select the (details) link next to the title of the management group. If this link isn't available, you don't have permissions to view that management group.

View in PowerShell

Use the Get-AzManagementGroup command to retrieve all groups. See Az.Resources modules for the full list of management group GET PowerShell commands.

Get-AzManagementGroup

For a single management group's information, use the -GroupName parameter:

Get-AzManagementGroup -GroupName 'Contoso'

To return a specific management group and all the levels of the hierarchy under it, use -Expand and -Recurse parameters.

PS C:\> $response = Get-AzManagementGroup -GroupName TestGroupParent -Expand -Recurse
PS C:\> $response

Id                : /providers/Microsoft.Management/managementGroups/TestGroupParent
Type              : /providers/Microsoft.Management/managementGroups
Name              : TestGroupParent
TenantId          : 00000000-0000-0000-0000-000000000000
DisplayName       : TestGroupParent
UpdatedTime       : 2/1/2018 11:15:46 AM
UpdatedBy         : 00000000-0000-0000-0000-000000000000
ParentId          : /providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000
ParentName        : 00000000-0000-0000-0000-000000000000
ParentDisplayName : 00000000-0000-0000-0000-000000000000
Children          : {TestGroup1DisplayName, TestGroup2DisplayName}

PS C:\> $response.Children[0]

Type        : /managementGroup
Id          : /providers/Microsoft.Management/managementGroups/TestGroup1
Name        : TestGroup1
DisplayName : TestGroup1DisplayName
Children    : {TestRecurseChild}

PS C:\> $response.Children[0].Children[0]

Type        : /managementGroup
Id          : /providers/Microsoft.Management/managementGroups/TestRecurseChild
Name        : TestRecurseChild
DisplayName : TestRecurseChild
Children    :
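
The nested Children shown above can be walked to inventory which principals hold roles granted directly at each level of the hierarchy. This is an added example, not part of the original article; it assumes the Az.Resources module and a signed-in session, and the function names Get-HierarchyNode and Get-DirectAssignmentReport are hypothetical.

```powershell
# Added example (not from the original article). Function names are hypothetical.
function Get-HierarchyNode {
    # Flatten the nested Children returned by -Expand -Recurse into one list.
    param([Parameter(Mandatory)] $Node, [int] $Depth = 0)
    [pscustomobject]@{ Depth = $Depth; Id = $Node.Id; DisplayName = $Node.DisplayName }
    foreach ($child in $Node.Children) {
        Get-HierarchyNode -Node $child -Depth ($Depth + 1)
    }
}

function Get-DirectAssignmentReport {
    param([Parameter(Mandatory)] [string] $GroupName)
    $root = Get-AzManagementGroup -GroupName $GroupName -Expand -Recurse
    foreach ($node in (Get-HierarchyNode -Node $root)) {
        # -Scope returns direct and inherited assignments; keep only the ones
        # granted at this exact scope so each grant is reported once, at the
        # level where it was made.
        Get-AzRoleAssignment -Scope $node.Id |
            Where-Object { $_.Scope -eq $node.Id } |
            Select-Object @{ n = 'Depth'; e = { $node.Depth } },
                          @{ n = 'Node';  e = { $node.DisplayName } },
                          DisplayName, ObjectType, RoleDefinitionName
    }
}

# 'TestGroupParent' is the group name used in the output above.
Get-DirectAssignmentReport -GroupName 'TestGroupParent' | Format-Table -AutoSize
```

Every row at a management group level is access that all subscriptions beneath it inherit, so Owner or Contributor grants near the top of the tree are the ones to review first.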

View in Azure CLI

You use the list command to retrieve all groups.

az account management-group list

For a single management group's information, use the show command:

az account management-group show --name 'Contoso'

To return a specific management group and all the levels of the hierarchy under it, use the --expand (-e) and --recurse (-r) parameters.

az account management-group show --name 'Contoso' -e -r

Move subscriptions in the hierarchy

One reason to create a management group is to bundle subscriptions together. Only management groups and subscriptions can be made children of another management group. A subscription that moves to a management group inherits all user access and policies from the parent management group.

To move the subscription, all of the following RBAC permissions need to be true:

  • "Owner" role on the child subscription.
  • "Owner", "Contributor", or "Management Group Contributor" role on the target parent management group.
  • "Owner", "Contributor", or "Management Group Contributor" role on the existing parent management group.

If the target or the existing parent management group is the Root management group, the permissions requirements don't apply. Since the Root management group is the default landing spot for all new management groups and subscriptions, you don't need permissions on it to move an item.

If the Owner role on the subscription is inherited from the current management group, your move targets are limited. You can only move the subscription to another management group where you have the Owner role. You can't move it to a management group where you're a contributor because you would lose ownership of the subscription. If you're directly assigned to the Owner role for the subscription (not inherited from the management group), you can move it to any management group where you're a contributor.

To see what permissions you have in the Azure portal, select the management group and then select IAM. To learn more on RBAC Roles, see Manage access and permissions with RBAC.

Move subscriptions in the portal

Add an existing Subscription to a management group

  1. Log into the Azure portal.

  2. Select All services > Management groups.

  3. Select the management group you're planning to be the parent.

  4. At the top of the page, select Add subscription.

  5. Select the subscription in the list with the correct ID.

    Available subscriptions to add to a management group

  6. Select "Save".

Remove a subscription from a management group

  1. Log into the Azure portal.

  2. Select All services > Management groups.

  3. Select the management group that is the current parent.

  4. Select the ellipsis at the end of the row for the subscription in the list you want to move.

    Move option on a management group

  5. Select Move.

  6. On the menu that opens, select the Parent management group.

    Move pane to change parent group

  7. Select Save.

Move subscriptions in PowerShell

To move a subscription in PowerShell, you use the New-AzManagementGroupSubscription command.

New-AzManagementGroupSubscription -GroupName 'Contoso' -SubscriptionId '12345678-1234-1234-1234-123456789012'

To remove the link between the subscription and the management group, use the Remove-AzManagementGroupSubscription command.

Remove-AzManagementGroupSubscription -GroupName 'Contoso' -SubscriptionId '12345678-1234-1234-1234-123456789012'
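
Because a moved subscription inherits all user access from its new parent, it helps to preview the RBAC change before running the move. This is an added example, not part of the original article; it assumes the Az.Resources module and a signed-in session, and the function name Get-SubscriptionMovePreview and its parameters are hypothetical.

```powershell
# Added example (not from the original article). Names are hypothetical.
function Get-SubscriptionMovePreview {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $TargetGroupName
    )
    $mgPrefix    = '/providers/Microsoft.Management/managementGroups/'
    $subScope    = "/subscriptions/$SubscriptionId"
    $targetScope = "$mgPrefix$TargetGroupName"

    # -Scope returns assignments effective at that scope: direct plus inherited.
    $current = @(Get-AzRoleAssignment -Scope $subScope)
    $target  = @(Get-AzRoleAssignment -Scope $targetScope)
    $currentIds = $current.RoleAssignmentId
    $targetIds  = $target.RoleAssignmentId

    # On the target group's chain, but not reaching the subscription today.
    $gained = @($target | Where-Object { $_.RoleAssignmentId -notin $currentIds })

    # Inherited today from a management group that is not on the target chain.
    $lost = @($current | Where-Object {
        $_.Scope -like "$mgPrefix*" -and $_.RoleAssignmentId -notin $targetIds
    })

    $gained | Select-Object @{ n = 'Change'; e = { 'Gained' } },
                            DisplayName, ObjectType, RoleDefinitionName, Scope
    $lost   | Select-Object @{ n = 'Change'; e = { 'Lost' } },
                            DisplayName, ObjectType, RoleDefinitionName, Scope
}

# Placeholder values taken from the commands above.
Get-SubscriptionMovePreview -SubscriptionId '12345678-1234-1234-1234-123456789012' `
    -TargetGroupName 'Contoso' | Format-Table -AutoSize
```

The preview covers role assignments only; policy assignments inherited from the target management group need a separate review. A "Lost" row for your own Owner assignment is the inherited-ownership case described earlier.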

Move subscriptions in Azure CLI

To move a subscription in CLI, you use the add command.

az account management-group subscription add --name 'Contoso' --subscription '12345678-1234-1234-1234-123456789012'

To remove the subscription from the management group, use the subscription remove command.

az account management-group subscription remove --name 'Contoso' --subscription '12345678-1234-1234-1234-123456789012'

Move management groups in the hierarchy

When you move a parent management group, the hierarchy under that group moves with it. For the access you need to move management groups, see Management group access.

Move management groups in the portal

  1. Log into the Azure portal.

  2. Select All services > Management groups.

  3. Select the management group you're planning to be the parent.

  4. At the top of the page, select Add management group.

  5. In the menu that opens, select whether you want to create a new management group or use an existing one.

    • Selecting new will create a new management group.
    • Selecting an existing will present you with a drop-down of all the management groups you can move to this management group.

    Move a management group to new or existing group

  6. Select Save.

Move management groups in PowerShell

Use the Update-AzManagementGroup command in PowerShell to move a management group under a different group.

$parentGroup = Get-AzManagementGroup -GroupName ContosoIT
Update-AzManagementGroup -GroupName 'Contoso' -ParentId $parentGroup.id

Move management groups in Azure CLI

Use the update command to move a management group with Azure CLI.

az account management-group update --name 'Contoso' --parent ContosoIT

Audit management groups using activity logs

Management groups are supported within Azure Activity Log. You can query all events that happen to a management group in the same central location as other Azure resources. For example, you can see all Role Assignments or Policy Assignment changes made to a particular management group.

Activity Logs with management groups

When looking to query on Management Groups outside of the Azure portal, the target scope for management groups looks like "/providers/Microsoft.Management/managementGroups/{yourMgID}".

Referencing management groups from other Resource Providers

When referencing management groups from other Resource Provider's actions, use the following path as the scope. This path is used when using PowerShell, Azure CLI, and REST APIs.

"/providers/Microsoft.Management/managementGroups/{yourMgID}"

An example of using this path is when assigning a new role assignment to a management group in PowerShell:

New-AzRoleAssignment -Scope "/providers/Microsoft.Management/managementGroups/Contoso"

The same scope path is used when retrieving a policy definition at a management group.

GET https://management.azure.com/providers/Microsoft.Management/managementgroups/MyManagementGroup/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming?api-version=2018-05-01
