Azure Management Groups

Azure Management Groups provide a way to efficiently manage access, policies, and compliance across an enterprise through a hierarchy made up of management groups and subscriptions. Using the Azure portal, PowerShell, CLI, or the REST API, customers are able to build a flexible structure for unified policy and access management.

Please take a few minutes to submit your idea or vote up an idea submitted by another Azure Management Group customer. All of the feedback you share in these forums is directly monitored and reviewed by the Azure Management Group engineering team.

  1. User Access Role to Change Management Groups Only. Prevent MG or Subscription Changes

    In a hierarchy of Management Groups, I would like to assign people at a parent Management Group who:

    • Have access to all resources in a Subscription

    • Cannot create new children Subscriptions or Management Groups

    • Can assign new users to their Management Group and Children

    Ultimately I want to give assigned MG "admins" the ability to manage users coming and going from Subscriptions and Management Groups, but restrict who in the company has the ability to create new Subscriptions and Management Groups anywhere in the MG hierarchy.

    I would also like to ensure "users" - via the MG - have the ability to…

    2 votes

    Hi @Jason,
    Looking at your 3 items there, the first two can be achieved by using the “Reader” role on the Management Group. This would give the “user” read access to the MG, Sub, and any resources under it. They would not be able to create new MGs under that group or move any MGs/Subs to that group as you need at least “Contributor” access on the new parent MG in a move.

    The third request is the real tricky item within Management Groups. There are 2 roles that allow users to assign user access: “Owner” and “User Access Administrator”. Giving a user “User Access Admin” allows that user to assign any role to any individual, including themselves, on that assigned resource. For example, if the user is assigned “Reader” and “User Access Admin” on a parent MG, they could at any time assign themselves the “Owner” role. That is why…
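
The access risk described in the reply above, as an added example that is not part of the original forum page or of Microsoft's code: a Python audit that flags principals holding a role-assigning role at management group scope. The JSON is constructed sample data shaped like the output of `az role assignment list`; all principal names, group names and IDs are made up.

```python
import json

# Constructed sample (not real data), shaped like `az role assignment list` JSON.
SAMPLE = json.loads("""[
 {"principalName": "alice@example.com", "roleDefinitionName": "Reader",
  "scope": "/providers/Microsoft.Management/managementGroups/contoso-parent"},
 {"principalName": "alice@example.com", "roleDefinitionName": "User Access Administrator",
  "scope": "/providers/Microsoft.Management/managementGroups/contoso-parent"},
 {"principalName": "bob@example.com", "roleDefinitionName": "Reader",
  "scope": "/providers/Microsoft.Management/managementGroups/contoso-parent"},
 {"principalName": "carol@example.com", "roleDefinitionName": "Owner",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]""")

MG_PREFIX = "/providers/microsoft.management/managementgroups/"
CAN_ASSIGN = {"Owner", "User Access Administrator"}  # the two roles named in the reply


def is_mg_scope(scope):
    """True when the assignment is made directly on a management group."""
    return scope.lower().startswith(MG_PREFIX)


def audit(assignments):
    """Group roles per (principal, scope) and report management group scopes
    where the principal can grant roles, and so can reach Owner there."""
    roles = {}
    for a in assignments:
        key = (a["principalName"], a["scope"])
        roles.setdefault(key, set()).add(a["roleDefinitionName"])
    findings = []
    for (principal, scope), held in sorted(roles.items()):
        if not is_mg_scope(scope) or not held & CAN_ASSIGN:
            continue
        findings.append({
            "principal": principal,
            "scope": scope,
            "roles": sorted(held),
            # User Access Administrator without Owner: looks limited on paper,
            # but the holder can assign Owner to themselves at this scope.
            "self_escalation": "Owner" not in held,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Only the first principal is reported: the second holds Reader alone, and the third holds Owner on a subscription rather than on a management group.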
