- Azure has four management levels that help you organize, secure, manage, and monitor costs.
- So, this image shows the four levels of management scope and the relationship.
- The management group is at the top of the hierarchy. All subscriptions in a management group automatically inherit the conditions or settings specified at a management group level. So, a management group is like a container for all your subscriptions.
- As subscriptions, there can also be multiple management groups in an organization.
- For example, if an organization wants to allow Azure resources to be created only in the South India Azure region.
- To achieve this, Create a policy at the Management Group Level.
- This policy is then automatically applied to all management groups and subscriptions that come from the IT management group.
- The security policy is applicable to all resources under those subscriptions and cannot be modified in any way by the inheritance.
- So, obviously, governance becomes much easier.
Create a management group
- Open the Azure Portal
- You can create the Management Group from the More Service, or you could search the resource
- Click on the Management Groups then click on Create.
- Fill the Managment Group Id and Managment group display name and click on submit.
- Note. Management group ID Cannot be updated after creation.
- You can see that the management group is now created.
Add the Subscription to Management Group
- Open the Management group and add the subscription to it by clicking on the Add Subscription button.
- Add the Subscription to the management group and click on the save button.
- Now you can see that the Subscription is added to the management group.
Add the Policy to the Management Group
- Navigate to the Governance Blade and click on the Policy.
- We will create the policy by clicking on the Assign Policy button.
- Fill in the mandatory fields.
- The scope is your management group.
- You can provide the Exclusions, to which policies need to be excluded ex: resource group, resources.
- Policy Definition: To validate the resource group and resources.
- I will select the Allowed location policy, for which the resource groups and resources under the subscription will follow the validation.
- To select the Policy Definition, click on the 3 dots and search for the Allowed locations, then click the Add button.
- Click on Next, In the Paraments Tab select the Allowed Locations, to which the user can create the resources or resource groups in the specific location only.
- Click on Review + Create > Create
- Now you can see that the Policy has been added to the management group.
- Now the resources created under the management policy could be created in the South India location, if you try to create in another location, then it will show you the validation error.
Create a Storage Account
- Now Let us try to create the storage account in the other region rather than South India, you can see that we are not able to create the storage account with the East US location.
- Now Let us try to create the storage account in the South India Region, you can see that we are able to create the storage account with the South India location.
Conclusion
Azure Management Groups provide a scalable way to manage multiple subscriptions, and policies can be applied at the group level for consistent governance.