Azure – Azure Management Groups is now available

A new capability feature has been released on Azure: Azure Management Groups.

This new capability will help you managing and organizing your Azure subscriptions while ensuring compliance and governance is properly applied.

By using Azure Management Groups you can now reduce the workloads and risks associated with user assignments; like granting access to multiple subscriptions to a user or ensuring users have appropriate permissions while reducing the complexity of the management.

The below diagram (courtesy Microsoft) explains how Azure Management Groups can work


To start using it, logon to your Azure administration portal ( and search for Management Groups (or go directly using this URL

As first step, you may need to self elevate your global administrator privileges

This is done through the Azure AD\Properties configuration blade and turning on the option “Global admin can manage Azure Subscriptions and Management Groups” (once the initial setup is completed you can switch back to your configuration if you want)


If you do not have the proper permissions you will see the below blue ribbon; so apply the above action

“You are registered as a directory admin but do not have the necessary permissions to access the root management group”


Then you can start creating your Azure management groups


You can create your first management group; the management group ID can not be changed after the creation

You can define what ever you want for the management group ID


Once the management group is successfully created the Tenant Root Group list is refreshed and display your new group


Once you have created your first/root management group, you can create child groups by creating a new group and then choose the Move option from the contextual menu; the UI should be updated soon to provide you the ability to select a parent group when creating the management group


NOTE you can not delete a management group if the group has child group

Then once you group(s) is/are created, click on their name to access their child group list (if any) but more importantly to access their details


From this details link, you will then be able to associated Azure subscription(s), define the access control list (IAM) – aka who can do what on resources associated with the group, as well as the associated policies


Leave a Comment

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.