This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
This article describes how to set scope with Bicep when deploying to a management group.
As your organization matures, you can deploy a Bicep file to create resources at the management group level. For example, you may need to define and assign policies or Azure role-based access control (Azure RBAC) for a management group. With management group level templates, you can declaratively apply policies and assign roles at the management group level. For more information, see Understand scope.
If you would rather learn about deployment scopes through step-by-step guidance, see Deploy resources to subscriptions, management groups, and tenants by using Bicep.
Not all resource types can be deployed to the management group level. This section lists which resource types are supported.
For Azure Blueprints, use:
For Azure Policy, use:
For access control, use:
For nested templates that deploy to subscriptions or resource groups, use:
For managing your resources, use:
Management groups are tenant-level resources. However, you can create management groups in a management group deployment by setting the scope of the new management group to the tenant. See Management group.
To set the scope to management group, use:
targetScope = 'managementGroup'
To deploy to a management group, use the management group deployment commands.
For Azure CLI, use az deployment mg create:
az deployment mg create \
--name demoMGDeployment \
--location WestUS \
--management-group-id myMG \
--template-uri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/management-level-deployment/azuredeploy.json"
For more detailed information about deployment commands and options for deploying ARM templates, see:
For management group level deployments, you must provide a location for the deployment. The location of the deployment is separate from the location of the resources you deploy. The deployment location specifies where to store deployment data. Subscription and tenant deployments also require a location. For resource group deployments, the location of the resource group is used to store the deployment data.
You can provide a name for the deployment, or use the default deployment name. The default name is the name of the template file. For example, deploying a template named main.bicep creates a default deployment name of main.
For each deployment name, the location is immutable. You can't create a deployment in one location when there's an existing deployment with the same name in a different location. For example, if you create a management group deployment with the name deployment1 in centralus, you can't later create another deployment with the name deployment1 but a location of westus. If you get the error code InvalidDeploymentLocation, either use a different name or the same location as the previous deployment for that name.
In a Bicep file, all resources declared with the resource keyword must be deployed at the same scope as the deployment. For a management group deployment, this means all resource declarations in the Bicep file must be deployed to the same management group or as a child or extension resource of a resource in the same management group as the deployment.
However, this restriction doesn't apply to existing resources. You can reference existing resources at a different scope than the deployment.
To deploy resources at multiple scopes within a single deployment, use modules. Deploying a module triggers a "nested deployment," allowing you to target different scopes. The user deploying the parent Bicep file must have the necessary permissions to initiate deployments at those scopes.
You can deploy a Bicep module from within a management-group scope Bicep file at the following scopes:
To deploy resources to the target management group, add those resources with the resource keyword.
targetScope = 'managementGroup'
// policy definition created in the management group
resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2025-01-01' = {
...
}
To target another management group, add a module. Use the managementGroup function to set the scope property. Provide the management group name.
targetScope = 'managementGroup'
param otherManagementGroupName string
// module deployed at management group level but in a different management group
module exampleModule 'module.bicep' = {
name: 'deployToDifferentMG'
scope: managementGroup(otherManagementGroupName)
}
You can also target subscriptions within a management group. The user deploying the template must have access to the specified scope.
To target a subscription within the management group, add a module. Use the subscription function to set the scope property. Provide the subscription ID.
targetScope = 'managementGroup'
param subscriptionID string
// module deployed to subscription in the management group
module exampleModule 'module.bicep' = {
name: 'deployToSub'
scope: subscription(subscriptionID)
}
You can also target resource groups within the management group. The user deploying the template must have access to the specified scope.
To target a resource group within the management group, add a module. Use the resourceGroup function to set the scope property. Provide the subscription ID and resource group name.
targetScope = 'managementGroup'
param subscriptionID string
param resourceGroupName string
// module deployed to resource group in the management group
module exampleModule 'module.bicep' = {
name: 'deployToRG'
scope: resourceGroup(subscriptionID, resourceGroupName)
}
To create resources at the tenant, add a module. Use the tenant function to set its scope property. The user deploying the template must have the required access to deploy at the tenant.
targetScope = 'managementGroup'
// module deployed at tenant level
module exampleModule 'module.bicep' = {
name: 'deployToTenant'
scope: tenant()
}
Or, you can set the scope to / for some resource types, like management groups. Creating a new management group is described in the next section.
To create a management group in a management group deployment, you must set the scope to the tenant.
The following example creates a new management group in the root management group.
targetScope = 'managementGroup'
param mgName string = 'mg-${uniqueString(newGuid())}'
resource newMG 'Microsoft.Management/managementGroups@2023-04-01' = {
scope: tenant()
name: mgName
properties: {}
}
output newManagementGroup string = mgName
The next example creates a new management group in the management group targeted for the deployment. It uses the management group function.
targetScope = 'managementGroup'
param mgName string = 'mg-${uniqueString(newGuid())}'
resource newMG 'Microsoft.Management/managementGroups@2023-04-01' = {
scope: tenant()
name: mgName
properties: {
details: {
parent: {
id: managementGroup().id
}
}
}
}
output newManagementGroup string = mgName
To use an ARM template to create a new Azure subscription in a management group, see:
To deploy a template that moves an existing Azure subscription to a new management group, see Move subscriptions in ARM template
Custom policy definitions that are deployed to the management group are extensions of the management group. To get the ID of a custom policy definition, use the extensionResourceId() function. Built-in policy definitions are tenant level resources. To get the ID of a built-in policy definition, use the tenantResourceId() function.
The following example shows how to define a policy at the management group level, and how to assign it.
targetScope = 'managementGroup'
@description('An array of the allowed locations, all other locations will be denied by the created policy.')
param allowedLocations array = [
'australiaeast'
'australiasoutheast'
'australiacentral'
]
resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {
name: 'locationRestriction'
properties: {
policyType: 'Custom'
mode: 'All'
parameters: {}
policyRule: {
if: {
not: {
field: 'location'
in: allowedLocations
}
}
then: {
effect: 'deny'
}
}
}
}
resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = {
name: 'locationAssignment'
properties: {
policyDefinitionId: policyDefinition.id
}
}
To learn about other scopes, see:
Training
Module
Deploy resources to subscriptions, management groups, and tenants by using Bicep - Training
Learn how to deploy resources to subscription, management group, and tenant scopes within your Bicep code.
Certification
Microsoft 365 Certified: Endpoint Administrator Associate - Certifications
Plan and execute an endpoint deployment strategy, using essential elements of modern management, co-management approaches, and Microsoft Intune integration.
Documentation
Use Bicep to deploy resources to tenant - Azure Resource Manager
Describes how to deploy resources at the tenant scope in a Bicep file.
Use Bicep to deploy resources to subscription - Azure Resource Manager
Describes how to create a Bicep file that deploys resources to the Azure subscription scope.
Use Bicep to deploy resources to resource groups - Azure Resource Manager
Describes how to deploy resources in a Bicep file. It shows how to target more than one resource group.