In my journeys learning and using Microsoft Azure, I have tried to keep things simple by creating only as many subscriptions as needed to accomplish any given organizational work. In the early days, subscriptions had limits, and those limits helped decide whether your subscriptions needed to sprawl. This was mostly based on whether you were supporting customers or breaking up your subscriptions across different departments. The biggest issue with this sprawl was how to manage it, from both a security and a policy standpoint. Then Azure management groups entered the picture.

Azure management groups provide a way for an organization to control and manage access, compliance, and policies for its subscriptions within its tenant. These containers provide a scope above subscriptions: access and policy settings applied to a management group, or to any of its parent groups, are inherited by everything beneath it. This gives you a single place to apply RBAC (role-based access control) to a set of subscriptions rather than assigning roles to each subscription individually.

Now some quick rules to remember before using Azure management groups with your subscriptions:

  • A subscription can belong to only one management group
  • Management groups can be nested only six levels deep
  • You are allowed 10,000 management groups in a single tenant
  • There is a single top-level root management group that cannot be deleted
  • New subscriptions are automatically placed under the root
  • Any user access assigned to a management group is applied to all resources and child management groups beneath it

Let's take a quick look at the hierarchy for building out management groups. Remember that you can create any structure that makes sense for you and helps your organization with subscription management.
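Before building a hierarchy in the portal or CLI, it helps to check a planned tree against the rules above and to see exactly which role assignments each subscription would inherit. The script below is an added example written for this post, not Microsoft's code or an Azure SDK call; the group names, subscription ids, principals and role assignments are constructed sample data. It models one parent per subscription, the six-level depth limit, the 10,000-group limit, and top-down inheritance, then reports the effective management-group-scoped access for a subscription. The security point it makes visible is that a grant at the root reaches every subscription in the tenant, including new ones that land under the root by default, so root-level assignments deserve the most scrutiny.

```python
"""Validate a planned Azure management-group hierarchy and show the
role assignments each subscription inherits from the groups above it.

Hypothetical example for this post, not Microsoft's code. All names,
subscription ids and role assignments below are constructed sample data.
"""

MAX_DEPTH = 6          # management-group levels allowed below the root
MAX_GROUPS = 10_000    # management groups allowed in one tenant
ROOT = "Tenant Root Group"   # cannot be deleted; new subscriptions land here

# Constructed hierarchy: management group -> its parent (root has no entry).
GROUPS = {
    "Corp": ROOT,
    "Platform": "Corp",
    "Landing-Zones": "Corp",
    "Prod": "Landing-Zones",
    "Dev": "Landing-Zones",
}

# Constructed subscriptions: id -> the single management group it belongs to.
# A dict key can map to only one value, which models the one-group rule.
SUBSCRIPTIONS = {
    "sub-payments-prod": "Prod",
    "sub-payments-dev": "Dev",
    "sub-identity": "Platform",
    "sub-sandbox-new": ROOT,   # freshly created, never moved out of the root
}

# Constructed role assignments at management-group scope:
# group -> [(principal, role), ...]
ASSIGNMENTS = {
    ROOT: [("sec-ops@example.com", "Reader")],
    "Corp": [("cloud-platform-team", "Contributor")],
    "Prod": [("prod-sre", "Owner")],
}


def depth(group, parents):
    """Levels between `group` and the root; None if the parent chain is
    broken (missing parent) or cyclic."""
    seen = set()
    levels = 0
    while group != ROOT:
        if group in seen or group not in parents:
            return None
        seen.add(group)
        group = parents[group]
        levels += 1
    return levels


def validate(parents, subs):
    """Return the list of rule violations; an empty list means the plan is allowed."""
    problems = []
    total = len(parents) + 1   # +1 for the root group itself
    if total > MAX_GROUPS:
        problems.append(f"{total} management groups exceeds the {MAX_GROUPS} limit")
    for group in parents:
        levels = depth(group, parents)
        if levels is None:
            problems.append(f"{group}: parent chain is broken or cyclic")
        elif levels > MAX_DEPTH:
            problems.append(f"{group}: depth {levels} exceeds {MAX_DEPTH} levels")
    for sub, group in subs.items():
        if group != ROOT and group not in parents:
            problems.append(f"{sub}: management group {group} does not exist")
    return problems


def effective_access(sub, subs, parents, assignments):
    """Role assignments `sub` inherits from every management group above it,
    nearest scope first, as (principal, role, scope) tuples."""
    inherited = []
    group = subs[sub]
    while True:
        for principal, role in assignments.get(group, []):
            inherited.append((principal, role, group))
        if group == ROOT:
            return inherited
        group = parents[group]


if __name__ == "__main__":
    for problem in validate(GROUPS, SUBSCRIPTIONS):
        print("VIOLATION:", problem)
    for sub in SUBSCRIPTIONS:
        print(sub)
        for principal, role, scope in effective_access(sub, SUBSCRIPTIONS, GROUPS, ASSIGNMENTS):
            print(f"  {principal:<28} {role:<12} inherited from {scope}")
```

Running it prints, for each constructed subscription, the principals and roles it inherits and from which group. Feed it your own exported hierarchy (for instance a child-to-parent map built from `az account management-group list` output) to review a planned restructure before making changes.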
