New-AzTenantDeployment vs New-AzManagementGroup

KFM 86 Reputation points
2023-07-14T13:30:18.5066667+00:00

When deploying management groups using New-AzTenantDeployment and setting the ARM/bicep scope to the tenant level, the principal needs inherited owner access at the tenant root group level, "/".

Yet, when using New-AzManagementGroup to create management groups (admittedly by "hand"), no such elevated permission/access is required.

My point is that in order to avoid elevating a principal to what is effectively "god mode" at the tenant root level to deploy management groups, should we instead use New-AzManagementGroup? After all, the outcome is the same—I have a hierarchy of management groups deployed.

Am I missing something here?

Azure Role-based access control

Accepted answer
Vahid Ghafarpour 22,435 Reputation points
2023-07-17T03:27:05.99+00:00

In summary, both approaches allow you to deploy management groups, but they have different implications:

• New-AzTenantDeployment with an ARM template provides a more automated and scalable approach for deploying management groups. However, it requires elevated permissions at the tenant root group level ("/") to execute the deployment.

• New-AzManagementGroup cmdlet offers a more granular approach where you can create management groups individually without requiring elevated permissions at the tenant root group level. However, this approach can be more time-consuming if you have a complex management group hierarchy.

Consider your requirements, the level of automation you need, and the permissions you are comfortable granting when deciding between these two approaches.

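The time-consuming part of the New-AzManagementGroup route is the hand work, not the cmdlet. The script below is an added example (not from the question or the answer) that builds a small hierarchy in one ordered pass with New-AzManagementGroup, so the deploying principal needs only Management Group Contributor on the parent group rather than Owner at "/". It assumes Connect-AzAccount has already been run, the Az.Resources module is loaded, and the tenant root management group (named after the tenant ID) is the top of the tree; the group names are constructed for illustration.

```powershell
# Added example: least-privilege management-group hierarchy via New-AzManagementGroup.
# Assumes an existing Az session; mg-* names below are constructed placeholders.

$tenantRoot = (Get-AzContext).Tenant.Id   # tenant root management group name == tenant ID

# Ordered so that every parent exists before its children are created.
$hierarchy = @(
    @{ Name = 'mg-platform';     Display = 'Platform';      Parent = $tenantRoot },
    @{ Name = 'mg-connectivity'; Display = 'Connectivity';  Parent = 'mg-platform' },
    @{ Name = 'mg-identity';     Display = 'Identity';      Parent = 'mg-platform' },
    @{ Name = 'mg-landingzones'; Display = 'Landing Zones'; Parent = $tenantRoot }
)

foreach ($mg in $hierarchy) {
    # Reading the parent proves the caller has at least Reader there. A failure at
    # this step is a permission problem scoped to the parent group, which is the
    # scope to fix; nothing here needs a role assignment at "/".
    $parent = Get-AzManagementGroup -GroupName $mg.Parent -ErrorAction Stop

    # Idempotent: skip groups that already exist so re-runs are safe.
    $existing = Get-AzManagementGroup -GroupName $mg.Name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Exists:  $($mg.Name)"
        continue
    }

    # ParentId takes the full resource ID of the parent management group.
    New-AzManagementGroup -GroupName $mg.Name `
                          -DisplayName $mg.Display `
                          -ParentId $parent.Id | Out-Null
    Write-Host "Created: $($mg.Name) under $($mg.Parent)"
}

# Verify the result by listing the tree below the tenant root.
Get-AzManagementGroup -GroupName $tenantRoot -Expand -Recurse |
    Select-Object -ExpandProperty Children
```

If the tenant's management group hierarchy setting "Require authorization for creating new management groups" is enabled, the caller also needs write permission on the parent group (Management Group Contributor covers this); either way the scope stays at the parent, not at "/".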
