Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Management Groups

Azure Management Groups provide a way to efficiently manage access, policies, and compliance across an enterprise through a hierarchy made up of management groups and subscriptions. Using the Azure portal, PowerShell, CLI, or the Rest API, customers are able to build a flexible structure for unified policy and access management.

Please take a few minutes to submit your idea or vote up an idea submitted by another Azure Management Group customer. All of the feedback you share in these forums are directly monitored and reviewed by the Azure Management Group engineering team.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Allow custom RBAC Definitions at the Management Group Level

    The customer I currently work with has several custom roles that are currently maintained in a central subscription. This has become quite burdensome as every new subscription which needs the role assigned needed to have the Role.AssignableScopes attribute appended with the custom role. We would like to centrally manage these, using management groups similar to the way we manage Policy applied over several subscriptions.

    226 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    46 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  2. Block inheritance

    Need ability to block inheritance at Management Group level. This is keep access set at root from flowing down within special sensitive environments.

    13 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  3. One-page tree view of Management groups and subscriptions in the Portal

    This would help visualize your setup, making it easier to spot groups and subscriptions that have been placed wrong.
    If the page was exportable it could also be used as documentation, so you do not have to use Visio, etc. to document it, yourself.

    10 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  4. Splitting management group rights from subscription rights

    I would like to give an AD group 'Owner' rights on subscriptions below a management group without giving them also the 'owner' rights on the management group itself, as they should only administer subscriptions and not management groups (which is done by another group of admins), which doesn't seem to be possible right now?

    Is this something we can use the 'Deny assignments' for in the future? (as in assigning them the 'owner' role, and denying them the 'management group contributor' role for example?

    10 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →

    Currently this is not possible as there are no RBAC roles that focus only on subscriptions write capabilities. We created a Management Group Contributor role so that certain users can only have write on the MG scope, but not one focused on subscriptions. This is something we can look at doing.

    We are working on Custom RBAC support for management group which will allow you to create your own role with subscription/write.

  5. Setting alerts and/or send logs to Log Analytics

    Right now, there's no way to set Alerts or Alert Rules that trigger when a specific even occurs; or even how to send those logs to a Log Analytics workspace. As such, in Log Analytics workspace, the scope cannot be changed to specify management groups.

    8 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  6. Ability to set hard spend limits on a Subscription via management Group

    It would be good to be able to set a spending limit on a Management group that all subscriptions inherit when this limit is reached the subscription is disabled.

    8 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  7. Prevent Azure Move from circumventing destination policy restrictions

    Currently, we can circumvent Azure Policy location restrictions by creating the resource in a subscription where the policy is not applied, and then moving the resource to the locked down subscription.

    This creates a hole in our recommended governance and security policies, please address.

    6 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    triaged  ·  0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  8. Set resource creation limits by user/group

    In order to control costs, the Service Administrator should be able to setup quota/limits on resources created by users/groups, e.g. max 10 Vms.

    6 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for the valid suggestion. Your feedback is now open for the user community to upvote & comment on. This allows us to effectively prioritize your request against our existing feature backlog and also gives us insight into the potential impact of implementing the suggested feature.

  9. Need more than 6 levels of depth to Hierarchy

    Large organization with complex RBAC model needs ability for Management Groups to go more than 6 levels deep. There is no ideal number, but perhaps 10-15 would get us the flexibility we need?

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  10. New-AzureRMSubscription missing argument to set management group scope

    If I create a new Subscription using New-AzureRMSubscription it is always created at Root Scope, seems there is missing an arguement for management group scope.

    Otherwise i need to additionally execute New-AzManagementGroupSubscription... and this command, as far as i can tell will require the user executing it too be both Contributor of the management group object and owner of the subscription object.

    The 'New Subscription' owner and 'Target Management Group' owner are different identities in my scenario.

    Added to github by alexevansigg 5/16/19

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →

    The Subscription Create API (version 2019-10-01-prevbiew) has been updated to include a management group ID of the parent parameter. Using this you can select the MG parent at sub create.

    Now that the API has been created, the subscriptions team will be in talks with the powershell team to get the modulus updated.

  11. Restrict Account and Service Admin rights for cancelling a subscription

    I believe that my request or idea is similar to the the topic "Splitting management group rights from subscription rights".

    I understand that an user with the role of Account and/or Service Admin can cancel or transfer an Azure subscription. This action can cause a business continuity impact and I want to restrict this capability under the "Four Eyes Principle" or "Segregation of Duties". Is it possible? Currently I think that this feature is not available, thus making the entire designed RBAC model at the lower scopes potentially useless.

    2 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for the feedback. Account / Service Admins are classic administration roles that are outside of the ARM RBAC Model. They have equivalent RBAC roles like “Owner”. Management Groups are ARM Resources which means they do not look or govern the classic roles.

    While we have no plans to support governing classic roles, I will keep this item open as unplanned.

    Learn more about Classic Roles: https://docs.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#classic-subscription-administrator-roles

  12. Add Management Groups to the Global Subscription filter in the Azure Portal

    Please consider adding a Management Group filter to the Global Subscription filter settings so that you can select all Subscriptions within a Management Group tier (or nested tier) at one time. Currently to filter subscriptions within a MG in the portal you need to click on each Sub individually. The PowerShell scripts for this filtering work well, but there are times when it would be handy in the Azure Portal as well.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  13. Provide more detail in Management Groups UI for Subscriptions

    In Management Groups UI add columns to show Subscriptions status (Active/Disabled), Subscriptions Tags, Subscriptions Cost, My Role (Owner/Contributor), etc

    Also, add the same column selection to the Subscriptions UI, so we can select things like Tags, etc, to be visible when scrolling

    Add the ability to create Tags for Management Groups

    Remove the limit in the Management Groups UI and Subscriptions UI where Subscriptions are listed over multiple pages, and just let us scroll the whole list in one page.

    Also add an export option to CSV would be helpful for audit purposes in both Management Groups UI and Subscriptions…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  14. Provide more detail in Management Groups UI for Subscriptions

    In Management Groups UI add columns to show Subscriptions status (Active/Disabled), Subscriptions Tags, Subscriptions Cost, My Role (Owner/Contributor), etc

    Also, add the same column selection to the Subscriptions UI, so we can select things like Tags, etc, to be visible when scrolling

    Remove the limit in the Management Groups UI and Subscriptions UI where Subscriptions are listed over multiple pages, and just let us scroll the whole list in one page.

    Also add an export option to CSV would be helpful for audit purposes in both Management Groups UI and Subscriptions UI

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  15. Support direct inclusion of resource groups

    Allow grouping together resource groups from multiple subscriptions and applying RBAC to them.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  16. Allow a subscription to be part of more than one Management Group.

    Allow a subscription to be part of more than one Management Group.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  17. Enable ARMs Template Deployment at Management Group level with Azure DevOps

    Currently, Azure DevOps only allows Subscription level Azure Resource Group (ARMs) Deployment. If you have a scenario in which your Template contains linked Templates to create resources into other subscriptions, Azure DevOps is not able to handle it. This is needed in scenarios such as Hub And Spoke Pattern with Multi-Subscriptions. interestingly, Service Connections can be defined at Management group level, but the Resource Template deployment is lacking this feature. This is a big miss in DevOps pipeline, or maybe I'm missing something.

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  18. AzManagementGroupSubscription needs Get/Delete verbs

    Description of the new feature
    Az.Resource currently implements a NEW verb for adding a sub to an MG. The corresponding GET/DELETE verbs have not been implemented.

    Get
    The azManagementGroup stuff allow for retrieving a tree of your MG and subs. Finding where a Sub in the tree is currently has no native code. You have to retrieve the entire tree and recursively search for where the sub is assigned.

    Delete
    Currently the only way to remove a Sub from an MG is to re-parent it to its new location or the "Tenant Root Group" MG. Since once MG's are turned…

    1 vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  19. Allow a subscription to be part of more than one Management Group.

    Allow a subscription to be part of more than one Management Group.

    0 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  New Feature Request  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Azure Management Groups

Categories

Feedback and Knowledge Base