Azure Management Groups

Azure Management Groups provide a way to efficiently manage access, policies, and compliance across an enterprise through a hierarchy made up of management groups and subscriptions. Using the Azure portal, PowerShell, CLI, or the REST API, customers are able to build a flexible structure for unified policy and access management.

Please take a few minutes to submit your idea or vote up an idea submitted by another Azure Management Group customer. All of the feedback you share in these forums is directly monitored and reviewed by the Azure Management Group engineering team.

Do you have an idea or suggestion based on your experience with Azure Management Groups?

  1. Splitting management group rights from subscription rights

    I would like to give an AD group 'Owner' rights on subscriptions below a management group without giving them also the 'owner' rights on the management group itself, as they should only administer subscriptions and not management groups (which is done by another group of admins), which doesn't seem to be possible right now?

    Is this something we can use the 'Deny assignments' for in the future? (As in assigning them the 'owner' role, and denying them the 'management group contributor' role, for example?)

    8 votes

    Currently this is not possible as there are no RBAC roles that focus only on subscriptions write capabilities. We created a Management Group Contributor role so that certain users can only have write on the MG scope, but not one focused on subscriptions. This is something we can look at doing.

    We are working on Custom RBAC support for management group which will allow you to create your own role with subscription/write.

  2. Add subscription request resource group

    When adding a new subscription to a directory that has resource groups enabled, the new subscription wizard should ask if you want to add the subscription to an existing resource group or create a new one.

    Would even be nice if as an admin you can toggle an option in the directory to require subscriptions be added to a management group.

    This just simplifies the management, as currently we have to tell everyone to "remember" to do this and are stuck cleaning up a mess when it is not done.

    8 votes
  3. User Access Role to Change Management Groups Only. Prevent MG or Subscription Changes

    In a hierarchy of Management Groups, I would like to assign people at a parent Management Group who:

    - Have access to all resources in a Subscription
    - Cannot create new children Subscriptions or Management Groups
    - Can assign new users to their Management Group and Children

    Ultimately I want to give assigned MG "admins" the ability to manage users coming and going from Subscriptions and Management Groups, but restrict who in the company has the ability to create new Subscriptions and Management Groups anywhere in the MG hierarchy.

    I would also like to ensure "users" - via the MG - have…

    2 votes

    Hi @Jason,
    Looking at your 3 items there, the first two can be achieved by using the “Reader” role on the Management Group. This would give the “user” read access to the MG, Sub, and any resources under it. They would not be able to create new MGs under that group or move any MGs/Subs to that group as you need at least “Contributor” access on the new parent MG in a move.

    The third request is the real tricky item within Management Groups. There are 2 roles that allow users to assign user access: “Owner” and “User Access Administrator”. Giving a user “User Access Admin” allows that user to assign any role to any individual, including themselves, on that assigned resource. For example, if the user is assigned “Reader” and “User Access Admin” on a parent MG, they could at any time assign themselves the “Owner” role. That is why…
