A new capability feature has been released on Azure: Azure Management Groups.
This new capability will help you managing and organizing your Azure subscriptions while ensuring compliance and governance is properly applied.
By using Azure Management Groups you can now reduce the workloads and risks associated with user assignments; like granting access to multiple subscriptions to a user or ensuring users have appropriate permissions while reducing the complexity of the management.
The below diagram (courtesy Microsoft) explains how Azure Management Groups can work
As first step, you may need to self elevate your global administrator privileges
This is done through the Azure AD\Properties configuration blade and turning on the option “Global admin can manage Azure Subscriptions and Management Groups” (once the initial setup is completed you can switch back to your configuration if you want)
If you do not have the proper permissions you will see the below blue ribbon; so apply the above action
“You are registered as a directory admin but do not have the necessary permissions to access the root management group”
Then you can start creating your Azure management groups
You can create your first management group; the management group ID can not be changed after the creation
You can define what ever you want for the management group ID
Once the management group is successfully created the Tenant Root Group list is refreshed and display your new group
Once you have created your first/root management group, you can create child groups by creating a new group and then choose the Move option from the contextual menu; the UI should be updated soon to provide you the ability to select a parent group when creating the management group
NOTE you can not delete a management group if the group has child group
Then once you group(s) is/are created, click on their name to access their child group list (if any) but more importantly to access their details
From this details link, you will then be able to associated Azure subscription(s), define the access control list (IAM) – aka who can do what on resources associated with the group, as well as the associated policies