In this blog post, we discuss the Azure resource hierarchy and how you can organize and manage resources effectively from the point of view of security, management, and cost tracking.
As you know, you need an active Azure subscription before you can create any resource in Azure. Once you have one, you create a Resource Group (RG) and then create all other resources inside RGs.
Now think from the perspective of an organization with multiple subscriptions. That is where you need a scope above the subscription to manage them efficiently, and that is where Azure Management Groups come in. Here you can manage access, policy, and compliance for these subscriptions as a single entity, and whatever access, policy, or compliance you configure at the management group is inherited top-down by every subscription and resource beneath it.
How the four management-scope levels relate to each other
· Management groups: These groups are containers that help you manage access, policy, and compliance for multiple subscriptions. All subscriptions in a management group automatically inherit the conditions applied to the management group.
· Subscriptions: A subscription logically associates user accounts and the resources that were created by those user accounts. Each subscription has limits or quotas on the amount of resources you can create and use. Organizations can use subscriptions to manage costs and the resources that are created by users, teams, or projects.
· Resource groups: A resource group is a logical container into which Azure resources like web apps, databases, and storage accounts are deployed and managed.
· Resources: Resources are instances of services that you create, like virtual machines, storage, or SQL databases.
Note: All subscriptions within a single management group must trust the same Azure AD tenant.
That is the basic management group hierarchy; you can create multiple management groups under the Root Management Group of your Azure Active Directory tenant. Creating additional management groups should be part of your resource management planning, to achieve one or more of the following:
· Group your subscriptions: Easily manage your Azure subscriptions by grouping them together and taking actions in bulk
· Mirror your organization’s structure: Create a hierarchy of Azure management groups tailored to your organization to efficiently manage your subscriptions and resources
· Apply policies or access control to any service: Use full platform integration to apply governance conditions such as policies, access controls, or full-fledged blueprints to any Azure service
Each directory (Azure AD tenant) is given a single top-level management group called the Root Management Group. This root management group is built into the hierarchy so that all subscriptions in that directory fold into it. It is used to assign global policies and Azure role assignments at the directory level. Nobody has access to this scope by default, not even the Azure AD Global Administrator: to manage access here, the Global Administrator must first elevate their access, which grants them the User Access Administrator role at the root scope ("/"), and with it the root management group. Once you have that permission, you can assign any Azure role to other directory users or groups to manage access, compliance, and related aspects; remove the elevated access again once that delegation is done, since it is a standing permission over every subscription in the tenant.
A management group tree can support up to six levels of depth; this limit does not include the root or the subscription level. Keep in mind that each management group or subscription can have only one parent, and all of them sit within a single hierarchy in each directory.
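As an added example (not part of the original post), here is the whole procedure above in Azure PowerShell: elevate the Global Administrator to the root scope, build a two-level hierarchy that mirrors an organization, attach subscriptions, assign a role and a policy once at management group scope, and then check at a subscription that both were inherited. The management group names, the subscription IDs, and the security team's group object ID are placeholders I have made up; the cmdlets and the elevateAccess REST call are the documented Az module ones, and the policy definition ID is the built-in "Allowed locations" definition.

```powershell
# Added example, not from the original post. Requires the Az PowerShell module
# and an interactive sign-in as an Azure AD Global Administrator.
# All IDs below are placeholders: replace the subscription IDs and the group
# object ID with your own.

Connect-AzAccount | Out-Null
$tenantId = (Get-AzContext).Tenant.Id

# The root management group's ID is always the tenant ID.
$rootMg = "/providers/Microsoft.Management/managementGroups/$tenantId"

# Step 1: elevate the signed-in Global Administrator to User Access Administrator
# at the root scope "/". Without this, even a Global Administrator cannot assign
# Azure roles at the root management group. A fresh sign-in may be needed before
# the new assignment is visible.
Invoke-AzRestMethod -Method POST `
    -Path '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01' | Out-Null
Get-AzRoleAssignment -Scope '/' -RoleDefinitionName 'User Access Administrator'

# Step 2: create a hierarchy that mirrors the organization (assumed names).
# Each group has exactly one parent; this tree is two levels below the root,
# well inside the six-level limit.
New-AzManagementGroup -GroupName 'contoso' -DisplayName 'Contoso' -ParentId $rootMg
$contosoMg = '/providers/Microsoft.Management/managementGroups/contoso'
New-AzManagementGroup -GroupName 'contoso-prod' -DisplayName 'Production'  -ParentId $contosoMg
New-AzManagementGroup -GroupName 'contoso-dev'  -DisplayName 'Development' -ParentId $contosoMg

# Step 3: move subscriptions under the right group. Both must belong to this tenant.
$prodSubId = '00000000-0000-0000-0000-000000000001'   # placeholder
$devSubId  = '00000000-0000-0000-0000-000000000002'   # placeholder
New-AzManagementGroupSubscription -GroupName 'contoso-prod' -SubscriptionId $prodSubId
New-AzManagementGroupSubscription -GroupName 'contoso-dev'  -SubscriptionId $devSubId

# Step 4: one RBAC assignment at the top of the tree instead of one per subscription.
# Reader for the security team's Azure AD group (placeholder object ID).
$secTeamObjectId = '11111111-1111-1111-1111-111111111111'
New-AzRoleAssignment -ObjectId $secTeamObjectId -RoleDefinitionName 'Reader' -Scope $contosoMg

# Step 5: one policy assignment at the same scope. The built-in "Allowed locations"
# definition restricts where resources may be created in every child subscription.
$allowedLocations = Get-AzPolicyDefinition `
    -Id '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'
New-AzPolicyAssignment -Name 'contoso-allowed-locations' `
    -PolicyDefinition $allowedLocations -Scope $contosoMg `
    -PolicyParameterObject @{ listOfAllowedLocations = @('eastus', 'westeurope') }

# Step 6: verify inheritance by querying the subscription scope. The Reader
# assignment shows up with Scope set to the management group, and the policy
# assignment is listed for the subscription although it was never assigned there.
Get-AzRoleAssignment -Scope "/subscriptions/$prodSubId" |
    Where-Object { $_.RoleDefinitionName -eq 'Reader' } |
    Select-Object DisplayName, RoleDefinitionName, Scope
Get-AzPolicyAssignment -Scope "/subscriptions/$prodSubId"

# Step 7: show the tree, then drop the elevated root access now that delegation is done.
Get-AzManagementGroup -GroupName 'contoso' -Expand -Recurse
$me = (Get-AzContext).Account.Id
Remove-AzRoleAssignment -SignInName $me -RoleDefinitionName 'User Access Administrator' -Scope '/'
```

The check in step 6 is the one worth keeping in your runbooks: an assignment made at the management group appears at the subscription with its original scope, so an auditor can tell inherited access from access granted directly on the subscription. Step 7 matters for the same reason in reverse: the elevated User Access Administrator assignment at "/" is visible to anyone listing root-scope assignments, and leaving it in place turns a one-time bootstrap into a permanent, tenant-wide privilege.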
Related Demo: How-to Create and manage Azure Management Groups and related hierarchy.
Related reads:
Azure Management Groups And Hierarchy
That’s It….Thanks 😊