Azure Management Groups

Azure Management Groups provide a way to efficiently manage access, policies, and compliance across an enterprise through a hierarchy made up of management groups and subscriptions. Using the Azure portal, PowerShell, CLI, or the Rest API, customers are able to build a flexible structure for unified policy and access management.

Please take a few minutes to submit your idea or vote up an idea submitted by another Azure Management Group customer. All of the feedback you share in these forums are directly monitored and reviewed by the Azure Management Group engineering team.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Azure Policy to check whether the Management group follows naming Pattern

    Hello,
    currently, we cannot create an azure Policy which checks whether the management group follows naming pattern.
    It will be better if this feature is added to the Azure policy

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  2. is there any way to rotate log or purge log automatically because OMS logs taking too much disk space

    Can we rotate OMS agent log to different directory as it is taking lot of disk space

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  3. Support direct inclusion of resource groups

    Allow grouping together resource groups from multiple subscriptions and applying RBAC to them.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  4. Able to remove access inherited from Management Group with subscription admin rights.

    With subscription admin access, people are able to cleanup access inherited from Management Groups, which shouldn't ideally be allowed.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Bug  ·  Flag idea as inappropriate…  ·  Admin →
  5. Allow a subscription to be part of more than one Management Group.

    Allow a subscription to be part of more than one Management Group.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  6. Allow a subscription to be part of more than one Management Group.

    Allow a subscription to be part of more than one Management Group.

    0 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  7. Block inheritance

    Need ability to block inheritance at Management Group level. This is keep access set at root from flowing down within special sensitive environments.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  8. Need more than 6 levels of depth to Hierarchy

    Large organization with complex RBAC model needs ability for Management Groups to go more than 6 levels deep. There is no ideal number, but perhaps 10-15 would get us the flexibility we need?

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  9. One-page tree view of Management groups and subscriptions in the Portal

    This would help visualize your setup, making it easier to spot groups and subscriptions that have been placed wrong.
    If the page was exportable it could also be used as documentation, so you do not have to use Visio, etc. to document it, yourself.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  10. Be able to set custom names for the policies in an initiative

    It would be great if we can edit the names of the policies within an initiative.

    For example I have an initiative that has 4 instances of the "Require specified tag" build-in policy, because there are 4 tags I demand from every resource created in the subscription.

    And indeed when creating a resource it throws an error that the resource is disallowed by the initiative and it states which policy in the initiative triggered the error.... but they are all named the same, so I would not know which tag exactly am I missing.

    I want to be able to…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  11. Auto-Generate GUIDs for MGs

    If GUIDs for MGs could be auto-generated optional this would be a great user experience as currently having to provide your own GUID isn't the best experience.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Change Request  ·  Flag idea as inappropriate…  ·  Admin →
  12. New-AzureRMSubscription missing argument to set management group scope

    If I create a new Subscription using New-AzureRMSubscription it is always created at Root Scope, seems there is missing an arguement for management group scope.

    Otherwise i need to additionally execute New-AzManagementGroupSubscription... and this command, as far as i can tell will require the user executing it too be both Contributor of the management group object and owner of the subscription object.

    The 'New Subscription' owner and 'Target Management Group' owner are different identities in my scenario.

    Added to github by alexevansigg 5/16/19

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  13. Enable ARMs Template Deployment at Management Group level with Azure DevOps

    Currently, Azure DevOps only allows Subscription level Azure Resource Group (ARMs) Deployment. If you have a scenario in which your Template contains linked Templates to create resources into other subscriptions, Azure DevOps is not able to handle it. This is needed in scenarios such as Hub And Spoke Pattern with Multi-Subscriptions. interestingly, Service Connections can be defined at Management group level, but the Resource Template deployment is lacking this feature. This is a big miss in DevOps pipeline, or maybe I'm missing something.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  14. AzManagementGroupSubscription needs Get/Delete verbs

    Description of the new feature
    Az.Resource currently implements a NEW verb for adding a sub to an MG. The corresponding GET/DELETE verbs have not been implemented.

    Get
    The azManagementGroup stuff allow for retrieving a tree of your MG and subs. Finding where a Sub in the tree is currently has no native code. You have to retrieve the entire tree and recursively search for where the sub is assigned.

    Delete
    Currently the only way to remove a Sub from an MG is to re-parent it to its new location or the "Tenant Root Group" MG. Since once MG's are turned…

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  15. New-AzManagementGroupSubscription should not move a sub that already is in a ManagementGroup

    Description
    New-AzManagementGroupSubscription should not move a sub that already is in a ManagementGroup

    Steps to reproduce
    New-AzManagementGroupSubscription -SubscriptionId 12345-x-x-x -GroupName MyNewMG
    If sub 12345-x-x-x already exists under an MG, this should throw an error. This command makes it way to easy to break established hierarchy.

    Possibly there could be a parameter -FORCE that utilized current behavior.

    From: https://github.com/Azure/azure-powershell/issues/9158

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Change Request  ·  Flag idea as inappropriate…  ·  Admin →
  16. Add Azure DevOps as cloud application in conditional access

    You can only select Azure Management and this is including Azure DevOps. Regular users are logging into DevOps and we want to exclude them from the conditional access policy

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Question  ·  Flag idea as inappropriate…  ·  Admin →
  17. Prevent Azure Move from circumventing destination policy restrictions

    Currently, we can circumvent Azure Policy location restrictions by creating the resource in a subscription where the policy is not applied, and then moving the resource to the locked down subscription.

    This creates a hole in our recommended governance and security policies, please address.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    triaged  ·  0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  18. Set resource creation limits by user/group

    In order to control costs, the Service Administrator should be able to setup quota/limits on resources created by users/groups, e.g. max 10 Vms.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for the valid suggestion. Your feedback is now open for the user community to upvote & comment on. This allows us to effectively prioritize your request against our existing feature backlog and also gives us insight into the potential impact of implementing the suggested feature.

  19. Restrict Account and Service Admin rights for cancelling a subscription

    I believe that my request or idea is similar to the the topic "Splitting management group rights from subscription rights".

    I understand that an user with the role of Account and/or Service Admin can cancel or transfer an Azure subscription. This action can cause a business continuity impact and I want to restrict this capability under the "Four Eyes Principle" or "Segregation of Duties". Is it possible? Currently I think that this feature is not available, thus making the entire designed RBAC model at the lower scopes potentially useless.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for the feedback. Account / Service Admins are classic administration roles that are outside of the ARM RBAC Model. They have equivalent RBAC roles like “Owner”. Management Groups are ARM Resources which means they do not look or govern the classic roles.

    While we have no plans to support governing classic roles, I will keep this item open as unplanned.

    Learn more about Classic Roles: https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#classic-subscription-administrator-roles

  20. User Access Role to Change Management Groups Only. Prevent MG or Subscription Changes

    In a hierarchy of Management Groups, I would like assign people at a parent Management Group who:

    - Have access to all resources in a Subscription
    - Cannot create new children Subscriptions or Management Groups
    - Can assign new users to their Management Group and Children

    Ultimately I want to give assigned MG "admins" the ability to manage users coming and going from Subscriptions and Management Groups, but restrict who in the company has the ability to create new Subscriptions and Management Groups anywhere in the MG heirarchy.

    I would also like ensure "users" - via the MG - have…

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Question  ·  Flag idea as inappropriate…  ·  Admin →

    Hi @Jason,
    Looking at your 3 items there, the first two can be achieved by using the “Reader” role on the Management Group. This would give the “user” read access to the MG, Sub, and any resources under it. They would not be able to create new MGs under that group or move any MGs/Subs to that group as you need at least “Contributor” access on the new parent MG in a move.

    The third request is the real tricky item within Management Groups. There are 2 roles that allow users to assign user access. “Owner” and “User Access Administrator”. Giving a user “User Access Admin” allows that user to assign any role to any individual, including themselves on that assigned resource. For Example, if the user is assigned “Reader" and “User Access Admin” on a parent MG, they could at any time assign themselves “Owner” role. That is why…

← Previous 1
  • Don't see your idea?

Azure Management Groups

Categories

Feedback and Knowledge Base