Azure Management Groups

Azure Management Groups provide a way to efficiently manage access, policies, and compliance across an enterprise through a hierarchy made up of management groups and subscriptions. Using the Azure portal, PowerShell, CLI, or the REST API, customers are able to build a flexible structure for unified policy and access management.

Please take a few minutes to submit your idea or vote up an idea submitted by another Azure Management Group customer. All of the feedback you share in these forums is directly monitored and reviewed by the Azure Management Group engineering team.

Do you have an idea or suggestion based on your experience with Azure Management Groups?

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.


  1. Allow custom RBAC Definitions at the Management Group Level

    The customer I currently work with has several custom roles that are currently maintained in a central subscription. This has become quite burdensome as every new subscription which needs the role assigned needed to have the Role.AssignableScopes attribute appended with the custom role. We would like to centrally manage these, using management groups similar to the way we manage Policy applied over several subscriptions.

    107 votes
    7 comments  ·  New Feature Request
    • Activity log for Management Group

      We need to have an activity log for management groups to audit/track who makes changes to a management group. The activity log should also show the status of the action performed and include a detailed error message.

      23 votes
      1 comment  ·  New Feature Request

        Hi Everyone,
        I wanted to let you know this work is under way and the APIs are available today in Production. The Azure portal feature will be available in the 1st Q of 2019.

        When calling the Activity Logs API, use the scope of “/providers/Microsoft.Management/{MGID}/”

        Thanks
        -Rich

      • Add subscription request resource group

        When adding a new subscription to a directory that has resource groups enabled the new subscription wizard should ask if you want to add the subscription to an existing resource group or create a new one.

        Would even be nice if as an admin you can toggle an option in the directory to require subscriptions be added to a management group.

        This just simplifies the management, as currently we have to tell everyone to "remember" to do this and are stuck cleaning up a mess when it is not done.

        5 votes
        0 comments  ·  Change Request

          Thanks Brett for the feedback. We are looking into building features that do both of those items. 1) Have the management group selection at subscription creation, 2) Custom rules that allow admins to control where subscriptions default when they are created.

        • Splitting management group rights from subscription rights

          I would like to give an AD group 'Owner' rights on subscriptions below a management group without giving them also the 'owner' rights on the management group itself, as they should only administer subscriptions and not management groups (which is done by another group of admins), which doesn't seem to be possible right now?

          Is this something we can use the 'Deny assignments' for in the future? (as in assigning them the 'owner' role, and denying them the 'management group contributor' role for example?)

          3 votes
          0 comments  ·  New Feature Request

            Currently this is not possible as there are no RBAC roles that focus only on subscriptions write capabilities. We created a Management Group Contributor role so that certain users can only have write on the MG scope, but not one focused on subscriptions. This is something we can look at doing.

            We are working on Custom RBAC support for management group which will allow you to create your own role with subscription/write.

          • Allow for the default management group in the tenant to be custom selected

            When using Azure Management Groups, any new management group or subscription that is created is made a default child of the Root management group.

            This feature would allow an admin with access to the root management group to select a different default group. This group will then act as the landing area for all new management groups and subscriptions that are not created with a parent already selected.

            2 votes
            0 comments  ·  New Feature Request
            • In Management Groups - Allow to view which sub belongs to a mg

              In Management Groups
              - Adding a subscription to a management group.

              Replace dropdown with a view so you can select multiple subscriptions and also see to which MG a subscription belongs.

              Also filter by MG group there and also view all subscriptions that do not belong to a MG currently.

              2 votes
              1 comment  ·  Change Request
              • Prevent Owner role unless MFA enabled

                We have a requirement to ensure all Owners have MFA enabled, using Conditional access policies we can only assign Global Admins not Owners, so would appreciate a way within a management group to ensure the "owner" of the subscription has MFA enabled, which we could assign by policy instead of audit, adding enforce MFA for Owner

                1 vote
                0 comments  ·  New Feature Request