Organize and manage multiple Azure subscriptions
If you have only a few subscriptions, it's fairly easy to manage them independently. But what if you have many subscriptions? Then you can create a management group hierarchy to help manage your subscriptions and resources.
We recommend that organizations consider the Azure landing zone guidance for resource organization as a first step to planning subscriptions within an Azure environment to ensure the broader context of an environment intended to scale is considered
Azure management groups
For your subscriptions, Azure management groups help you efficiently manage:
Each management group contains one or more subscriptions.
Azure arranges management groups in a single hierarchy. You define this hierarchy in your Azure Active Directory (Azure AD) tenant to align with your organization's structure and needs. The top level is called the root management group. You can define up to six levels of management groups in your hierarchy. Only one management group contains a subscription.
Azure provides four levels of management scope:
- Management groups
- Resource groups
If you apply any access or policy at one level in the hierarchy, it propagates down to the lower levels. A resource owner or subscription owner can't alter an inherited policy. This limitation helps improve governance.
Azure doesn't support tag inheritance yet, but it'll be available soon.
This inheritance model lets you arrange the subscriptions in your hierarchy, so each subscription follows appropriate policies and security controls.
Figure 1: The four scope levels for organizing your Azure resources.
Any access or policy assignment on the root management group applies to all resources in the directory. Carefully consider which items you define at this scope. Include only the assignments you must have.
Create your management group hierarchy
When you define your management group hierarchy, first create the root management group. Then move all existing subscriptions in the directory into the root management group. New subscriptions always go into the root management group initially. Later, you can move them to another management group.
What happens when you move a subscription to an existing management group? The subscription inherits the policies and role assignments from the management group hierarchy above it. Establish many subscriptions for your Azure workloads. Then create other subscriptions to contain Azure services that other subscriptions share.
Do you expect your Azure environment to grow? Then create management groups for production and nonproduction now, and apply appropriate policies and access controls at the management group level. As you add new subscriptions to each management group, those subscriptions inherit the appropriate controls.
Figure 2: An example of a management group hierarchy.
Example use cases
Some basic examples of using management groups to separate different workloads include:
Production versus nonproduction workloads: Use management groups to more easily manage different roles and policies between production and nonproduction subscriptions. For example, developers might have contributor access in nonproduction subscriptions, but only reader access in production subscriptions.
Internal services versus external services: Enterprises often have different requirements, policies, and roles for internal services versus external customer-facing services.
Review the following resources to learn more about organizing and managing your Azure resources.
- Organize your resources with Azure management groups
- Elevate access to manage all Azure subscriptions and management groups
- Move Azure resources to another resource group or subscription
Review recommended naming and tagging conventions to follow when deploying your Azure resources.
Submit and view feedback for