Azure Management Groups

Hi, today I want to talk to you about Azure Management Groups. These groups help us create an effective and efficient hierarchy to manage our Azure subscriptions. If you have many subscriptions, at some point you will need a way to effectively manage access, policy, and compliance for those subscriptions. Azure Management Groups offer us a level of scope that is above subscriptions. In this post I will show you how to create, list, update and delete Azure Management Groups using PowerShell and Azure CLI.

Prerequisites

• This tutorial assumes that you already have a Microsoft Azure account configured.

Azure PowerShell Workaround #

If you want to know how to install the PowerShell Azure module on your machine, check out this link. The simplest way to get started is to sign in interactively at the command line.

Connect-AzAccount

This cmdlet will bring up a dialog box prompting you for your email address and password associated with your Azure account. If you have more than one subscription associated with your mail account, you can choose the default subscription. To perform this task, we will use the following commands:

Get-AzSubscription
Select-AzSubscription -Subscription "My Subscription"

Once you set your default subscription, you’re ready to start. First, use the following command to list the cmdlets available to interact with the Management Groups.

Get-Command *AzManagementGroup

List all Management Groups #

To list all management groups, you should use the Get-AzManagementGroup cmdlet.

Get-AzManagementGroup

In my case, I don’t have any group created yet and I only have the default group.

>

#

By default, each directory is given a single top-level management group called the “Tenant Root Group” management group.

Create a Management Group #

To create your management group, you should use the New-AzManagementGroup cmdlet with the following syntax.

$tennantRootGroup = Get-AzManagementGroup `
  -GroupName eaf2fa4d-7307-4457-bb2b-57fe577a9d21

New-AzManagementGroup `
  -GroupName "Production" `
  -DisplayName "Production" `
  -ParentId $tennantRootGroup.Id

to make the syntax easier to understand, I use a $tennantRootGroup variable to store a parent object.

Update a Management Group #

If you want to update ParentId or DisplayName for a management group, you should use the Update-AzManagementGroup cmdlet.

Update-AzManagementGroup `
  -GroupName "Production" `
  -DisplayName "Production Group" `
  -ParentId $tennantRootGroup.Id

The name of the management group cannot be changed after it is created.

How to move subscriptions #

Once the desired management group structure has been created, you can move or link your subscriptions to your management groups. To move subscriptions in PowerShell, you should use the New-AzManagementGroupSubscription cmdlet.

$subscription = Get-AzSubscription `
  -SubscriptionName  "My Subscription"

New-AzManagementGroupSubscription `
  -GroupName "Production" `
  -SubscriptionId $subscription.Id

If you want to remove a subscription from a management group, you should use the Remove-AzManagementGroupSubscription cmdlet.

$subscription = Get-AzSubscription `
  -SubscriptionName  "My Subscription"

Remove-AzManagementGroupSubscription `
  -GroupName "Production" `
  -SubscriptionId $subscription.Id

Remove a Management Group #

Finally, to delete a management group, you should use the Remove-AzManagementGroup cmdlet with the following syntax.

Remove-AzManagementGroup -GroupName "Production"

Azure CLI Workaround #

In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link. First, use the following command to list the commands available to work with the Management Groups.

az account management-group -h

>

#

List all Management Groups #

To list all management groups, you should use the following command.

az account management-group list

In my case, I don’t have any group created yet and I only have the default group.

Create a Management Group #

First, I will create the $tennantRootGroup variable to store a parent object, and then I will use the following command to create a management group.

rootGroupId=$(az account management-group list --query "\[\].{id:id}" --output tsv)
az account management-group create \
--name "Production_Group" \
--display-name "Production" \
--parent $rootGroupId

Update a Management Group #

To update ParentId or DisplayName properties for a management group, you should use the following command.

 az account management-group update \
--name "Production_Group" \
--display-name "Production Group" \
--parent $rootGroupId

How to move subscriptions #

Once the desired management group structure has been created, you can move or link your subscriptions to your management groups. To move a subscription in Azure CLI, you should use the following command.

subscriptionid=$(az account show --subscription "My Subscription" --query "id" --out tsv)
az account management-group subscription add \
--name "Production_Group" \
--subscription $subscriptionid

If you want to remove a subscription from a management group, use the following command.

subscriptionid=$(az account show --subscription "My Subscription" --query "id" --out tsv)
az account management-group subscription remove \
--name "Production_Group" \
--subscription $subscriptionid

Remove a Management Group #

Finally, to delete a management group, you should use the following command.

az account management-group delete -\
-name "Production_Group"