During the last Microsoft Ignite event, two new Azure governance services were announced: Azure Management Group and Azure BluePrint. In this article we will see why Azure Management Group makes Azure subscription administration easier and how it is linked with Azure BluePrint.


What is Azure Management Group?

A management group is a logical container for Azure subscriptions. Its goal is to organize Azure subscriptions in a hierarchical tree. All subscription types (Enterprise Agreement, Pay-as-you-go…) can be gathered in a management group. RBAC roles and Azure Policy can be defined at the management group level and are then applied to the subscriptions it contains. Management groups can currently be fully managed using Azure PowerShell and the Azure Portal.


The « root » management group

A root management group named “Tenant root group (AzureTenantId)” contains all subscriptions. It is the base management group: it can’t be deleted or moved, and every new subscription is placed in it by default. The interesting point is that Global Administrators can define RBAC roles and policies at the root group level.


Why is it useful?

Working with a lot of Azure subscriptions every day can be a pain. Usually some subscriptions share the same configuration (users, RBAC roles, policies). Each time an Azure administrator has to apply a new policy or a new RBAC role, he has to do it on several subscriptions; it’s a repetitive and boring task in the Azure Portal. Even with scripts it can take quite long!

Management groups are valuable in two main ways:

  • We can pre-configure RBAC roles and Azure Policy at the management group level. Each new subscription added to the group inherits those roles and policies.
  • A cost overview is available at the group level (in preview, and only for EA subscriptions)


A concrete example

I’m used to working with Azure subscriptions that contain a “code” name, which helps me identify them easily. For example, I’m working with 5 subscriptions containing the word “box”:

  • ***box 1 (data)
  • ***box 2 (web)
  • ***box 3 (search)
  • ***box 4 (auth data)
  • ***box 5 (mail, build)


All of my subscriptions share the same users with RBAC roles. In addition, some policies are defined to limit Azure resource deployment to specific types of resources (web or data, for example).

Let’s write a script that gets all subscriptions whose name contains “box” and groups them in a management group.

The AzureRM.ManagementGroups PowerShell module is currently in preview; we can install it with this command:

Install-Module -Name AzureRM.ManagementGroups -AllowPrerelease


The following script performs these steps:

  • Authentication to Azure
  • List all Azure subscriptions
  • Search for subscriptions containing the word “box”
  • Create a management group
  • Add each filtered subscription to the management group


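# Authenticate to Azure
Login-AzureRmAccount

$nameKey = "box"
$groupKey = "box"

# List all subscriptions visible to the signed-in account
$subscriptions = Get-AzureRmSubscription

# Keep only the subscriptions whose name contains the key word
# (@() keeps the result an array even when a single subscription matches)
$subscriptionsToGather = @($subscriptions | Where-Object {$_.Name -like "*" + $nameKey + "*"})

if ($subscriptionsToGather.Count -gt 0){

  Write-Host $($subscriptionsToGather.Count) "subscriptions are going to be moved in a management group named " $nameKey
  Write-Host " "

  # Create the management group: GroupName is its identifier, DisplayName its label
  $azRmMG = New-AzureRmManagementGroup -GroupName $groupKey -DisplayName $nameKey

  # Attach each filtered subscription to the new management group
  foreach($sub in $subscriptionsToGather){
    Write-Host $($sub.Name) " is being moved..."
    New-AzureRmManagementGroupSubscription -GroupName $azRmMG.Name -SubscriptionId $sub.Id
    Write-Host " "
  }
}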


In this script we can see that the management group is defined by a “GroupName” and a “DisplayName”. The “GroupName” is the identifier of the management group: it is unique, immutable and can’t contain spaces. We are using two cmdlets from the AzureRM.ManagementGroups module:

  • New-AzureRmManagementGroup : Create a new MG using a group name (id) and display name
  • New-AzureRmManagementGroupSubscription : Attach a subscription to a management group using the MG name and the subscription identifier
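
Because roles assigned at a management group (and at the root group) apply to every subscription placed under it, it is worth listing them before moving subscriptions in. The read-only review below is an added example, not part of the original script; it assumes an authenticated AzureRM session, the “box” group created above, and a root group that still has its default ID (the tenant ID). Get-InheritedAssignment and $privileged are names chosen for this example.

```powershell
# Added example (not from the original post): read-only review of the RBAC
# assignments that subscriptions inherit from their management groups.
# Assumes Login-AzureRmAccount has been run and the "box" group exists.
$groupKey   = "box"   # GroupName used in the article's script
$privileged = "Owner", "Contributor", "User Access Administrator"

function Get-InheritedAssignment {
    param([string]$GroupId)

    # Resource ID form of a management group scope
    $scope = "/providers/Microsoft.Management/managementGroups/$GroupId"

    Get-AzureRmRoleAssignment -Scope $scope |
        # Keep only the assignments made at this level of the tree
        Where-Object { $_.Scope -eq $scope } |
        Select-Object @{n = "Level"; e = { $GroupId } },
                      DisplayName, ObjectType, RoleDefinitionName,
                      @{n = "Privileged"; e = { $privileged -contains $_.RoleDefinitionName } }
}

# Same name filter as the article's script
$subs = @(Get-AzureRmSubscription | Where-Object { $_.Name -like "*$groupKey*" })
if ($subs.Count -eq 0) {
    Write-Host "No subscription matches '$groupKey'"
    return
}

# Assumption: the root management group keeps its default ID, the tenant ID
$rootId = $subs[0].TenantId

# Assignments made at the root group and at the "box" group
$inherited = @(Get-InheritedAssignment -GroupId $rootId) +
             @(Get-InheritedAssignment -GroupId $groupKey)

Write-Host "Role assignments every '$groupKey' subscription inherits:"
$inherited | Sort-Object Privileged -Descending | Format-Table -AutoSize

Write-Host "Subscriptions affected:"
$subs | Select-Object Name, Id | Format-Table -AutoSize
```

Rows with Privileged set to True are the ones to check first: an Owner or User Access Administrator assignment at the root group reaches every subscription in the tenant.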


Here is a screenshot of the management group created:

Going further in subscription management with Azure BluePrint

Azure Management Groups are really nice for defining RBAC roles and policies on top of Azure subscriptions. But we can’t use them to create Azure resources in subscriptions. To do that, we can use Azure BluePrint. A blueprint is a package of artifacts stored at the management group level that can be applied to the subscriptions in that management group.

A blueprint package can contain the following artifacts:

  • RBAC roles
  • Azure Policies
  • Resource Groups
  • ARM templates

Azure Management Groups (AMG) and Azure BluePrint (AB) are linked services: AMG can work without AB packages, but the reverse is not true, because AB packages are stored at the management group level!

There is no Azure BluePrint PowerShell module to play with yet; I hope to play with one soon!


Happy coding 🙂
