Hi, today I want to talk to you about Azure Management Groups. These groups help us create an effective and efficient hierarchy to manage our Azure subscriptions. If you have many subscriptions, at some point you will need a way to effectively manage access, policy, and compliance for those subscriptions. Azure Management Groups offer us a level of scope that is above subscriptions.
In this post I will show you how to create, list, update and delete Azure Management Groups using PowerShell and Azure CLI.
Prerequisites
- This tutorial assumes that you already have a Microsoft Azure account configured.
Azure PowerShell Workaround
If you want to know how to install the PowerShell Azure module on your machine, check out this link.
The simplest way to get started is to sign in interactively at the command line.
1 2 3 | Connect-AzAccount |
This cmdlet will bring up a dialog box prompting you for your email address and password associated with your Azure account.
If you have more than one subscription associated with your mail account, you can choose the default subscription. To perform this task, we will use the following commands:
1 2 3 4 | Get-AzSubscription Select-AzSubscription -Subscription "My Subscription" |
Once you set your default subscription, you’re ready to start.
First, using the following command to list the cmdlets available to interact with the Management Groups.
1 2 3 | Get-Command *AzManagementGroup |
List all Management Groups
To list all management groups, you should use the Get-AzManagementGroup cmdlet.
1 2 3 | Get-AzManagementGroup |
In my case, I don’t have any group created yet and I only have the default group.
By default, each directory is given a single top-level management group called the “Tenant Root Group” management group.
Creates a Management Group
To create your management group, you should use the New-AzManagementGroup cmdlet with the following syntax.
1 2 3 4 5 6 | $tennantRootGroup = Get-AzManagementGroup -GroupName eaf2fa4d-7307-4457-bb2b-57fe577a9d21 New-AzManagementGroup -GroupName "Production" ` -DisplayName "Production" ` -ParentId $tennantRootGroup.Id |
to make the syntax easier to understand, I use a $tennantRootGroup variable to store a parent object.
Updates a Management Group
If you want to update ParentId or DisplayName for a management group, you should use the Update-AzManagementGroup cmdlet.
1 2 3 4 5 | Update-AzManagementGroup -GroupName "Production" ` -DisplayName "Production Group" ` -ParentId $tennantRootGroup.Id |
The name of the management group cannot be changed after it is created.
How to move subscriptions
Once the desired management group structure has been created, you can move or link your subscriptions in your management groups.
To move subscriptions in PowerShell, you should use the New-AzManagementGroupSubscription cmdlet.
1 2 3 4 5 | $subscription = Get-AzSubscription -SubscriptionName "My Subscription" New-AzManagementGroupSubscription -GroupName "Production" ` -SubscriptionId $subscription.Id |
If you want to remove a subscription from a management group, you should use the Remove-AzManagementGroupSubscription cmdlet.
1 2 3 4 5 | $subscription = Get-AzSubscription -SubscriptionName "My Subscription" Remove-AzManagementGroupSubscription -GroupName "Production" ` -SubscriptionId $subscription.Id |
Removes a Management Group
Finally, to delete a management group, you should use the Remove-AzManagementGroup cmdlet with the following syntax.
1 2 3 | Remove-AzManagementGroup -GroupName "Production" |
Azure CLI Workaround
In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link.
First, using the following command to list the commands available to work with the Management Groups.
1 2 3 | az account management-group -h |
List all Management Groups
To list all management groups, you should use the following command.
1 2 3 | az account management-group list |
In my case, I don’t have any group created yet and I only have the default group.
By default, each directory is given a single top-level management group called the “Tenant Root Group” management group.
Creates a Management Group
First, I will create the $tennantRootGroup variable to store a parent object, and then I will use the following command to create a management group.
1 2 3 4 5 6 | rootGroupId=$(az account management-group list --query "[].{id:id}" --output tsv) az account management-group create --name "Production_Group" \ --display-name "Production" \ --parent $rootGroupId |
Updates a Management Group
To update ParentId or DisplayName properties for a management group, you should use the following command.
1 2 3 4 5 | az account management-group update --name "Production_Group" \ --display-name "Production Group" \ --parent $rootGroupId |
How to move subscriptions
Once the desired management group structure has been created, you can move or link your subscriptions in your management groups.
To move a subscription in Azure CLI, you should use the following command.
1 2 3 4 | subscriptionid=$(az account show --subscription "My Subscription" --query "id" --out tsv) az account management-group subscription add --name "Production_Group" --subscription $subscriptionid |
If you want to remove a subscription from a management group, use the following command.
1 2 3 4 | subscriptionid=$(az account show --subscription "My Subscription" --query "id" --out tsv) az account management-group subscription remove --name "Production_Group" --subscription $subscriptionid |
Removes a Management Group
Finally, to delete a management group, you should use the following command.
1 2 3 | az account management-group delete --name "Production_Group" |
Thanks for reading my post. I hope you find it useful.
If you want to know more about Azure Management Groups, check out this link: https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
