If GUIDs for MGs could optionally be auto-generated, this would be a great user experience, as currently having to provide your own GUID isn't the best experience.
17 votes
Our team is looking into a way we can create an MGID field that is auto GUID generated. This would mean the current Name field which is used as the unique key will not be used after that GUID is implemented. Since this is a GA service there are multiple up/down stream changes we are costing on how we can make these changes.
No timeline as of yet.
I would like to give an AD group 'Owner' rights on subscriptions below a management group without giving them also the 'owner' rights on the management group itself, as they should only administer subscriptions and not management groups (which is done by another group of admins), which doesn't seem to be possible right now?
Is this something we can use the 'Deny assignments' for in the future? (as in assigning them the 'owner' role, and denying them the 'management group contributor' role for example?)
10 votes
Currently this is not possible as there are no RBAC roles that focus only on subscriptions write capabilities. We created a Management Group Contributor role so that certain users can only have write on the MG scope, but not one focused on subscriptions. This is something we can look at doing.
We are working on Custom RBAC support for management group which will allow you to create your own role with subscription/write.
When adding a new subscription to a directory that has resource groups enabled the new subscription wizard should ask if you want to add the subscription to an existing resource group or create a new one.
Would even be nice if as an admin you can toggle an option in the directory to require subscriptions be added to a management group.
This just simplifies the management as currently we have to tell everyone to "remember" to do this and are stuck cleaning up a mess when it is not done.
9 votes
Thanks Brett for the feedback. We are looking into building features that do both of those items. 1) Have the management group selection at subscription creation, 2) Custom rules that allow admins to control where subscriptions default when they are created.
If I create a new Subscription using New-AzureRMSubscription it is always created at Root Scope, seems there is missing an argument for management group scope.
Otherwise I need to additionally execute New-AzManagementGroupSubscription... and this command, as far as I can tell, will require the user executing it to be both Contributor of the management group object and owner of the subscription object.
The 'New Subscription' owner and 'Target Management Group' owner are different identities in my scenario.
Added to GitHub by alexevansigg 5/16/19
2 votes
The Subscription Create API (version 2019-10-01-preview) has been updated to include a management group ID of the parent parameter. Using this you can select the MG parent at sub create.
Now that the API has been created, the subscriptions team will be in talks with the PowerShell team to get the modules updated.