Azure Management Groups

Azure Management Groups provide a way to efficiently manage access, policies, and compliance across an enterprise through a hierarchy made up of management groups and subscriptions. Using the Azure portal, PowerShell, CLI, or the Rest API, customers are able to build a flexible structure for unified policy and access management.

Please take a few minutes to submit your idea or vote up an idea submitted by another Azure Management Group customer. All of the feedback you share in these forums is directly monitored and reviewed by the Azure Management Group engineering team.

  1. Allow custom RBAC Definitions at the Management Group Level

    The customer I currently work with has several custom roles that are currently maintained in a central subscription. This has become quite burdensome, as every new subscription which needs the role assigned needs to have the Role.AssignableScopes attribute appended with the custom role. We would like to centrally manage these, using management groups similar to the way we manage Policy applied over several subscriptions.

    207 votes  ·  42 comments  ·  New Feature Request
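    The per-subscription chore the post describes, written out as an added example (not code from the post or from the Az module): appending a new subscription to a custom role's AssignableScopes before the role can be assigned there. The role name, subscription id and group object id are placeholders.

```powershell
# Added example, not from the forum post. Requires the Az.Resources module and a
# signed-in session with permission to update role definitions.
$roleName          = 'Custom - Network Operator'                 # assumed custom role name
$newSubscriptionId = '00000000-0000-0000-0000-000000000000'      # placeholder subscription id
$groupObjectId     = '11111111-1111-1111-1111-111111111111'      # placeholder AAD group object id

$role = Get-AzRoleDefinition -Name $roleName
if (-not $role) { throw "Custom role '$roleName' not found" }

$newScope = "/subscriptions/$newSubscriptionId"

# AssignableScopes is a list of scopes where the role may be assigned. Append only
# when the scope is missing so the script is safe to re-run for the same subscription.
if ($role.AssignableScopes -notcontains $newScope) {
    $role.AssignableScopes.Add($newScope)
    Set-AzRoleDefinition -Role $role | Out-Null
    Write-Host "Added $newScope to AssignableScopes of '$roleName'"
} else {
    Write-Host "$newScope is already an assignable scope for '$roleName'"
}

# Only after the scope is assignable can the role be assigned in the new subscription.
# With the management-group support the post asks for, a single
# /providers/Microsoft.Management/managementGroups/<name> entry would replace this
# per-subscription append.
New-AzRoleAssignment -ObjectId $groupObjectId -RoleDefinitionName $roleName -Scope $newScope
```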
  2. Auto-Generate GUIDs for MGs

    If GUIDs for MGs could optionally be auto-generated, this would be a great user experience, as currently having to provide your own GUID isn't the best experience.

    16 votes  ·  1 comment  ·  Change Request

    Our team is looking into a way we can create an MGID field that is auto-GUID generated. This would mean the current Name field, which is used as the unique key, will not be used after that GUID is implemented. Since this is a GA service there are multiple up/down stream changes we are costing on how we can make these changes.

    No timeline as of yet

  3. Allow the default management group in the tenant to be custom selected

    When using Azure Management Groups, any new management group or subscription that is created is made a default child of the Root management group.

    This feature would allow an admin with access to the root management group to select a different default group. This group would then act as the landing area for all new management groups and subscriptions that are not created with a parent already selected.

    15 votes  ·  1 comment  ·  New Feature Request

    We are testing a feature that will allow a user with new hierarchy setting permissions on the root MG to be able to set a Default MG. This Default MG will be the parent on all Subscriptions that would currently go under the Root MG.

    Planning to be rolled out by end of March 2020

  4. Splitting management group rights from subscription rights

    I would like to give an AD group 'Owner' rights on subscriptions below a management group without also giving them 'Owner' rights on the management group itself, as they should only administer subscriptions and not management groups (which is done by another group of admins). This doesn't seem to be possible right now?

    Is this something we can use 'Deny assignments' for in the future? (As in assigning them the 'Owner' role and denying them the 'Management Group Contributor' role, for example?)

    9 votes  ·  0 comments  ·  New Feature Request

    Currently this is not possible as there are no RBAC roles that focus only on subscription write capabilities. We created a Management Group Contributor role so that certain users can only have write on the MG scope, but not one focused on subscriptions. This is something we can look at doing.

    We are working on Custom RBAC support for management groups, which will allow you to create your own role with subscription/write.

  5. Add subscription request resource group

    When adding a new subscription to a directory that has resource groups enabled, the new subscription wizard should ask if you want to add the subscription to an existing resource group or create a new one.

    It would even be nice if, as an admin, you could toggle an option in the directory to require subscriptions to be added to a management group.

    This just simplifies the management, as currently we have to tell everyone to "remember" to do this and are stuck cleaning up a mess when it is not done.

    9 votes  ·  0 comments  ·  Change Request
  6. Custom Role: 'DataActions' is not supported for a new role definition at management group level

    We are unable to create a Custom Role with DataActions in it, e.g. for a storage account:

    DataAction
    Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action

    Returns the result of adding blob content

    See the Operations Page
    https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

    7 votes  ·  0 comments  ·  New Feature Request
  7. Block inheritance

    Need the ability to block inheritance at Management Group level. This is to keep access set at root from flowing down into special sensitive environments.

    7 votes  ·  0 comments  ·  New Feature Request
  8. One-page tree view of Management groups and subscriptions in the Portal

    This would help visualize your setup, making it easier to spot groups and subscriptions that have been placed wrong.
    If the page was exportable it could also be used as documentation, so you do not have to use Visio, etc. to document it, yourself.

    6 votes  ·  0 comments  ·  New Feature Request
  9. Set resource creation limits by user/group

    In order to control costs, the Service Administrator should be able to set up quotas/limits on resources created by users/groups, e.g. max 10 VMs.

    6 votes  ·  0 comments  ·  New Feature Request

    Thanks for the valid suggestion. Your feedback is now open for the user community to upvote & comment on. This allows us to effectively prioritize your request against our existing feature backlog and also gives us insight into the potential impact of implementing the suggested feature.

  10. In Management Groups - Allow viewing which sub belongs to an MG

    In Management Groups
    - Adding a subscription to a management group.

    Replace the dropdown with a view so you can select multiple subscriptions and also see to which MG a subscription belongs.

    Also allow filtering by MG there, and viewing all subscriptions that do not currently belong to an MG.

    6 votes  ·  2 comments  ·  Change Request
  11. Prevent Azure Move from circumventing destination policy restrictions

    Currently, we can circumvent Azure Policy location restrictions by creating the resource in a subscription where the policy is not applied, and then moving the resource to the locked down subscription.

    This creates a hole in our recommended governance and security policies, please address.

    5 votes  ·  triaged  ·  0 comments  ·  New Feature Request
  12. Setting alerts and/or send logs to Log Analytics

    Right now, there's no way to set Alerts or Alert Rules that trigger when a specific event occurs, or even a way to send those logs to a Log Analytics workspace. Likewise, in a Log Analytics workspace, the scope cannot be changed to specify management groups.

    4 votes  ·  0 comments  ·  New Feature Request
  13. Prevent users from creating management groups in the tenant root

    Right now anyone can create management groups in the tenant root.
    We want to limit the creation of management groups at root level to a set of designated admins.
    We have defined a strict group hierarchy and want to block users from adding new groups.

    When viewing the contents of the root management group, an extra column with the owner should be shown so users know who to contact if they want to add a management group somewhere in the hierarchy.

    4 votes  ·  0 comments  ·  New Feature Request
  14. Ability to set hard spend limits on a Subscription via management Group

    It would be good to be able to set a spending limit on a Management group that all subscriptions inherit; when this limit is reached, the subscription is disabled.

    3 votes  ·  0 comments  ·  New Feature Request
  15. Need more than 6 levels of depth to Hierarchy

    A large organization with a complex RBAC model needs the ability for Management Groups to go more than 6 levels deep. There is no ideal number, but perhaps 10-15 would give us the flexibility we need?

    2 votes  ·  0 comments  ·  New Feature Request
  16. New-AzureRMSubscription missing argument to set management group scope

    If I create a new Subscription using New-AzureRMSubscription it is always created at Root Scope; it seems an argument for management group scope is missing.

    Otherwise I need to additionally execute New-AzManagementGroupSubscription... and this command, as far as I can tell, will require the user executing it to be both Contributor of the management group object and Owner of the subscription object.

    The 'New Subscription' owner and 'Target Management Group' owner are different identities in my scenario.

    Added to github by alexevansigg 5/16/19

    2 votes  ·  0 comments  ·  New Feature Request

    The Subscription Create API (version 2019-10-01-preview) has been updated to include a management group ID of the parent parameter. Using this you can select the MG parent at sub create.

    Now that the API has been created, the subscriptions team will be in talks with the PowerShell team to get the module updated.

  17. New-AzManagementGroupSubscription should not move a sub that already is in a ManagementGroup

    Description:
    New-AzManagementGroupSubscription should not move a sub that already is in a ManagementGroup.

    Steps to reproduce:
    New-AzManagementGroupSubscription -SubscriptionId 12345-x-x-x -GroupName MyNewMG
    If sub 12345-x-x-x already exists under an MG, this should throw an error. This command makes it way too easy to break an established hierarchy.

    Possibly there could be a parameter -FORCE that utilizes the current behavior.

    From: https://github.com/Azure/azure-powershell/issues/9158

    2 votes  ·  0 comments  ·  Change Request
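    The guard the post asks for, as an added example rather than anything from the issue or the Az module: a wrapper that locates the subscription's current parent in the hierarchy and refuses the move unless -Force is passed. It assumes a signed-in Az session with read access on the tenant root management group, and treats a subscription sitting directly under the tenant root as "not yet placed".

```powershell
# Added example, not from the post or from Az.Resources. Assumes Az.Accounts and
# Az.Resources are loaded and the caller can read the tenant root management group.
function Move-SubscriptionSafely {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $TargetGroupName,
        [switch] $Force
    )

    # The tenant root management group's name is the tenant id.
    $tenantId = (Get-AzContext).Tenant.Id
    $tree = Get-AzManagementGroup -GroupName $tenantId -Expand -Recurse

    # Depth-first search; returns the management group that directly holds the
    # subscription, or $null if the caller cannot see it anywhere in the tree.
    function Find-Parent($group) {
        foreach ($child in $group.Children) {
            if ($child.Id -eq "/subscriptions/$SubscriptionId") { return $group }
            if ($child.Children) {
                $found = Find-Parent $child
                if ($found) { return $found }
            }
        }
        return $null
    }

    $current = Find-Parent $tree
    if ($current -and $current.Name -eq $TargetGroupName) {
        Write-Host "Subscription $SubscriptionId is already under '$TargetGroupName'; nothing to do."
        return
    }
    # Assumption: only a sub already placed below the tenant root counts as "established".
    if ($current -and $current.Name -ne $tenantId -and -not $Force) {
        throw "Subscription $SubscriptionId is already under '$($current.Name)'. Re-run with -Force to move it to '$TargetGroupName'."
    }
    New-AzManagementGroupSubscription -GroupName $TargetGroupName -SubscriptionId $SubscriptionId
}

# Usage (placeholder ids): refuses if the sub is already parented elsewhere.
# Move-SubscriptionSafely -SubscriptionId '00000000-0000-0000-0000-000000000000' -GroupName 'MyNewMG'
```

A subscription the caller has no read access to will not appear in the tree, so the wrapper cannot protect it; run it as a principal with Reader on the root MG.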
  18. Restrict Account and Service Admin rights for cancelling a subscription

    I believe that my request or idea is similar to the topic "Splitting management group rights from subscription rights".

    I understand that an user with the role of Account and/or Service Admin can cancel or transfer an Azure subscription. This action can cause a business continuity impact and I want to restrict this capability under the "Four Eyes Principle" or "Segregation of Duties". Is it possible? Currently I think that this feature is not available, thus making the entire designed RBAC model at the lower scopes potentially useless.

    2 votes  ·  0 comments  ·  New Feature Request

    Thanks for the feedback. Account / Service Admins are classic administration roles that are outside of the ARM RBAC Model. They have equivalent RBAC roles like “Owner”. Management Groups are ARM Resources which means they do not look or govern the classic roles.

    While we have no plans to support governing classic roles, I will keep this item open as unplanned.

    Learn more about Classic Roles: https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#classic-subscription-administrator-roles

  19. User Access Role to Change Management Groups Only. Prevent MG or Subscription Changes

    In a hierarchy of Management Groups, I would like to assign people at a parent Management Group who:

    • Have access to all resources in a Subscription

    • Cannot create new child Subscriptions or Management Groups

    • Can assign new users to their Management Group and children

    Ultimately I want to give assigned MG "admins" the ability to manage users coming and going from Subscriptions and Management Groups, but restrict who in the company has the ability to create new Subscriptions and Management Groups anywhere in the MG hierarchy.

    I would also like ensure "users" - via the MG - have the ability to…

    2 votes  ·  0 comments  ·  Question

    Hi @Jason,
    Looking at your 3 items there, the first two can be achieved by using the “Reader” role on the Management Group. This would give the “user” read access to the MG, Sub, and any resources under it. They would not be able to create new MGs under that group or move any MGs/Subs to that group as you need at least “Contributor” access on the new parent MG in a move.

    The third request is the real tricky item within Management Groups. There are 2 roles that allow users to assign user access. “Owner” and “User Access Administrator”. Giving a user “User Access Admin” allows that user to assign any role to any individual, including themselves on that assigned resource. For Example, if the user is assigned “Reader" and “User Access Admin” on a parent MG, they could at any time assign themselves “Owner” role. That is why…
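    An audit that follows from the reply above, added here as an example (not code from the thread): list every principal holding "Owner" or "User Access Administrator" directly on each management group, since those are the two roles that can grant further access, including to themselves. It assumes a signed-in Az session with read access on the management groups.

```powershell
# Added example, not from the thread. Assumes Az.Resources is loaded.
function Get-MgAccessGrantors {
    # The two built-in roles that carry Microsoft.Authorization/roleAssignments/write.
    $grantorRoles = @('Owner', 'User Access Administrator')

    # Get-AzManagementGroup with no arguments returns a flat list of all MGs the caller can see.
    foreach ($mg in Get-AzManagementGroup) {
        $scope = $mg.Id   # /providers/Microsoft.Management/managementGroups/<name>

        # -Scope also returns assignments inherited from parent scopes; keep only
        # those made directly on this MG so each grant is reported once, where it lives.
        Get-AzRoleAssignment -Scope $scope |
            Where-Object { $_.Scope -eq $scope -and $grantorRoles -contains $_.RoleDefinitionName } |
            ForEach-Object {
                $who = if ($_.SignInName) { $_.SignInName } else { $_.DisplayName }
                [pscustomobject]@{
                    ManagementGroup = $mg.Name
                    Principal       = $who
                    PrincipalType   = $_.ObjectType   # User, Group or ServicePrincipal
                    Role            = $_.RoleDefinitionName
                }
            }
    }
}

# Review the output against the list of intended hierarchy admins; anything at the
# tenant root MG can grant itself access to every subscription below it.
Get-MgAccessGrantors | Sort-Object ManagementGroup, Role | Format-Table -AutoSize
```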

  20. Alerts on Management Groups

    I want to have suppression alerts and monitoring alerts placed at management group level. What is the best solution to implement this? I have been through everything and cannot find a way of doing this.

    1 vote  ·  0 comments  ·  Question