Azure Management Groups
Azure Management Groups provide a way to efficiently manage access, policies, and compliance across an enterprise through a hierarchy made up of management groups and subscriptions. Using the Azure portal, PowerShell, CLI, or the REST API, customers are able to build a flexible structure for unified policy and access management.
Please take a few minutes to submit your idea or vote up an idea submitted by another Azure Management Group customer. All of the feedback you share in these forums is directly monitored and reviewed by the Azure Management Group engineering team.
-
Block inheritance
Need ability to block inheritance at Management Group level. This is to keep access set at root from flowing down within special sensitive environments.
12 votes
At this time we are not planning on introducing any “non-inheriting” permissions or capabilities.
I am going to leave this item marked as unplanned so that voting can still happen on the request.
-
In Management Groups - Allow to view which sub belongs to a mg
In Management Groups
- Adding a subscription to a management group. Replace dropdown with a view so you can select multiple subscriptions and also see to which MG a subscription belongs.
Also filter by MG group there and also view all subscriptions that do not belong to a MG currently.
7 votes
We are working closely with the UI design team to develop a better hierarchy selection tool. This will be a standard view that can be used across the portal. I don’t have a timeline yet that I can share.
-
Ability to set hard spend limits on a Subscription via management Group
It would be good to be able to set a spending limit on a Management group that all subscriptions inherit; when this limit is reached, the subscription is disabled.
6 votes
We are in discussions with the cost management team to see if this capability can be done and when. Nothing is planned at this time.
-
Need more than 6 levels of depth to Hierarchy
Large organization with complex RBAC model needs ability for Management Groups to go more than 6 levels deep. There is no ideal number, but perhaps 10-15 would get us the flexibility we need?
2 votes
At this time we do not have plans to increase the hierarchy depth past 6 levels.
If we receive a large volume of feedback on this from customers we will re-evaluate.
-
Restrict Account and Service Admin rights for cancelling a subscription
I believe that my request or idea is similar to the topic "Splitting management group rights from subscription rights".
I understand that a user with the role of Account and/or Service Admin can cancel or transfer an Azure subscription. This action can cause a business continuity impact and I want to restrict this capability under the "Four Eyes Principle" or "Segregation of Duties". Is it possible? Currently I think that this feature is not available, thus making the entire designed RBAC model at the lower scopes potentially useless.
2 votes
Thanks for the feedback. Account / Service Admins are classic administration roles that are outside of the ARM RBAC Model. They have equivalent RBAC roles like “Owner”. Management Groups are ARM Resources which means they do not look or govern the classic roles.
While we have no plans to support governing classic roles, I will keep this item open as unplanned.
Learn more about Classic Roles: https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#classic-subscription-administrator-roles