![\"\"](\"\/wp-content\/uploads\/2025\/11\/image-1024x629.png\")
<\/figure>\n\n\n\nHow Azure Management Groups work under the hood<\/h2>\n\n\n\n
Management groups sit above subscriptions in the Azure Resource Manager (ARM) hierarchy. ARM evaluates access (RBAC) and governance (Policy) from the top down. Anything you assign at a higher scope\u2014tenant root, management group\u2014flows down to child management groups, subscriptions, resource groups, and resources unless explicitly overridden.<\/p>\n\n\n\n
Key building blocks:<\/p>\n\n\n\n
- \n
- Hierarchy<\/strong> \u2014 A tree of management groups with a single tenant root. Keep it shallow and intentional.<\/li>\n\n\n\n
- RBAC<\/strong> \u2014 Roles assigned at a management group apply to all child scopes. Use it for platform guardrails, not day-to-day app ownership.<\/li>\n\n\n\n
- Azure Policy<\/strong> \u2014 The policy engine evaluates resources against rules (deny\/audit\/append\/modify\/deployIfNotExists). Assign policy or initiatives at a management group to make standards the default.<\/li>\n\n\n\n
- Inheritance<\/strong> \u2014 Lower scopes inherit from higher ones. Exemptions can carve out controlled exceptions without weakening your baseline.<\/li>\n\n\n\n
- Automation<\/strong> \u2014 ARM\/Bicep, Azure CLI, and Git-based workflows let you define governance as code and promote changes safely.<\/li>\n<\/ul>\n\n\n\n
Design a clear and scalable hierarchy<\/h2>\n\n\n\n
Your hierarchy should mirror how you govern, not how teams are organized today. A proven pattern looks like this:<\/p>\n\n\n\n
- \n
- Root<\/strong> \u2014 The tenant root management group. Keep it minimal and tightly controlled.<\/li>\n\n\n\n
- Platform<\/strong> \u2014 Shared services like networking, identity, logging, security tooling.<\/li>\n\n\n\n
- Landing Zones<\/strong> \u2014 Where apps live. Segment by environment and risk: Prod<\/em>, NonProd<\/em>, Sandbox<\/em>.<\/li>\n\n\n\n
- Special Purpose<\/strong> \u2014 Optional groups for Research<\/em>, Partner<\/em>, or Quarantine\/Decommissioned<\/em>.<\/li>\n<\/ul>\n\n\n\n
Why this works: platform teams own the Platform<\/em> branch with stricter controls; app teams operate within Landing Zones<\/em> with guardrails but more freedom. This keeps security and cost hygiene centralized without handcuffing delivery teams.<\/p>\n\n\n\n
Naming and tagging conventions<\/h3>\n\n\n\n
- \n
- Use consistent names like
mg-plat<\/code>,mg-lz-prod<\/code>,mg-lz-nonprod<\/code>,mg-sandbox<\/code>.<\/li>\n\n\n\n- Tag at subscription\/resource levels (e.g.,
Environment<\/code>,CostCenter<\/code>,DataSensitivity<\/code>). Use policy to enforce required tags.<\/li>\n<\/ul>\n\n\n\nCore governance controls to apply at management groups<\/h2>\n\n\n\n
1) Access control with RBAC<\/h3>\n\n\n\n
- \n
- Assign Reader<\/em> broadly; restrict powerful roles.<\/li>\n\n\n\n
- Use Owner<\/em> sparingly; prefer Contributor<\/em> + scoped custom roles.<\/li>\n\n\n\n
- Enable Privileged Identity Management (PIM) for time-bound elevation on management group roles.<\/li>\n<\/ul>\n\n\n\n
# Example: Assign Reader at a management group\naz role assignment create \\\n --assignee <aadObjectId-or-upn> \\\n --role \"Reader\" \\\n --scope \"\/providers\/Microsoft.Management\/managementGroups\/mg-lz-prod\"\n<\/code><\/pre>\n\n\n\n2) Policy baseline<\/h3>\n\n\n\n
- \n
- Security<\/strong>: Deny public IP on PaaS where not needed, enforce private endpoints, restrict open RDP\/SSH, require Defender for Cloud plans.<\/li>\n\n\n\n
- Compliance<\/strong>: Restrict allowed regions and SKUs, enforce encryption, require specific tags, ensure resource locks where appropriate.<\/li>\n\n\n\n
- Operations<\/strong>: Deploy diagnostic settings to Log Analytics, enforce Azure Monitor Agent, standardize resource naming and backup policies.<\/li>\n<\/ul>\n\n\n\n
# Example: Assign 'Allowed locations' at a management group\naz policy assignment create \\\n --name restrict-locations \\\n --display-name \"Restrict allowed locations\" \\\n --policy \/providers\/Microsoft.Authorization\/policyDefinitions\/e56962a6-4747-49cd-b67b-bf8b01975c4c \\\n --params '{\"listOfAllowedLocations\": {\"value\": [\"australiaeast\",\"australiasoutheast\"]}}' \\\n --scope \/providers\/Microsoft.Management\/managementGroups\/mg-lz-prod\n<\/code><\/pre>\n\n\n\n3) Cost guardrails<\/h3>\n\n\n\n
- \n
- Apply budgets at management group or subscription scope.<\/li>\n\n\n\n
- Use policy to restrict expensive SKUs in NonProd<\/em> and Sandbox<\/em>.<\/li>\n<\/ul>\n\n\n\n
Policy at scale patterns that work<\/h2>\n\n\n\n
Deny by default, allow via exception<\/h3>\n\n\n\n
Start with deny-or-restrict policies for high-risk items (public exposure, unapproved regions). Then grant policy exemptions<\/em> for specific scopes with justifications and expiry dates. This maintains a strong baseline while unblocking edge cases.<\/p>\n\n\n\n
DeployIfNotExists for shared services<\/h3>\n\n\n\n
Use DeployIfNotExists<\/em> (DINE) policies to automatically deploy agents or settings\u2014diagnostic settings, Defender plans, Azure Monitor Agent. Assign DINE at the management group with a managed identity that has rights in child subscriptions, and use remediation tasks to backfill drift.<\/p>\n\n\n\n
Append\/Modify to shape configuration<\/h3>\n\n\n\n
Append<\/em> and Modify<\/em> can inject tags, TLS settings, or network rules without breaking developer workflows. They\u2019re excellent for progressive standardization.<\/p>\n\n\n\n
Automation and \u201cgovernance as code\u201d<\/h2>\n\n\n\n
Put your hierarchy, RBAC, and policy assignments into Git. Use Azure DevOps or GitHub Actions to validate and deploy changes via pull requests. This gives you history, reviews, and the ability to promote from NonProd<\/em> to Prod<\/em> safely.<\/p>\n\n\n\n
Bicep examples<\/h3>\n\n\n\n
Create management groups and assign policy at the management group scope. Deploy at the tenant scope for management group creation, and at the management group scope for policy assignment.<\/p>\n\n\n\n
\/\/ File: mg-hierarchy.bicep\n\/\/ Deploy at tenant scope\n\/\/ az deployment tenant create --template-file mg-hierarchy.bicep\n\ntargetScope = 'tenant'\n\n@description('Parent management group ID (e.g., the root)')\nparam parentMgId string\n\nresource lzNonProd 'Microsoft.Management\/managementGroups@2021-04-01' = {\n name: 'mg-lz-nonprod'\n properties: {\n displayName: 'Landing Zone - NonProd'\n details: {\n parent: {\n id: '\/providers\/Microsoft.Management\/managementGroups\/${parentMgId}'\n }\n }\n }\n}\n\nresource lzProd 'Microsoft.Management\/managementGroups@2021-04-01' = {\n name: 'mg-lz-prod'\n properties: {\n displayName: 'Landing Zone - Prod'\n details: {\n parent: {\n id: '\/providers\/Microsoft.Management\/managementGroups\/${parentMgId}'\n }\n }\n }\n}\n<\/code><\/pre>\n\n\n\n\/\/ File: policy-assignments.bicep\n\/\/ Deploy at management group scope\n\/\/ az deployment mg create --management-group-id mg-lz-prod --template-file policy-assignments.bicep\n\ntargetScope = 'managementGroup'\n\n@description('Allowed locations policy definition id')\nparam allowedLocationsDefId string\n\nvar allowedRegions = [ 'australiaeast', 'australiasoutheast' ]\n\nresource allowedLocationsAssignment 'Microsoft.Authorization\/policyAssignments@2021-06-01' = {\n name: 'restrict-locations'\n properties: {\n displayName: 'Restrict allowed locations'\n policyDefinitionId: allowedLocationsDefId\n parameters: {\n listOfAllowedLocations: {\n value: allowedRegions\n }\n }\n enforcementMode: 'Default'\n }\n}\n<\/code><\/pre>\n\n\n\nBaseline scripts with Azure CLI<\/h3>\n\n\n\n
# Create a management group\naz account management-group create \\\n --name mg-lz-nonprod \\\n --display-name \"Landing Zone - NonProd\"\n\n# Move a subscription into the group\naz account management-group subscription add \\\n --name mg-lz-nonprod \\\n --subscription <subscriptionId>\n\n# Assign a built-in initiative (example: audit VMs without backup)\naz policy assignment create \\\n --name audit-vm-backup \\\n --display-name \"Audit VMs without backup\" \\\n --policy-set-definition \/providers\/Microsoft.Authorization\/policySetDefinitions\/1f3afdf9-2bca-4215-8d5e-7d0df97ca9f0 \\\n --scope \/providers\/Microsoft.Management\/managementGroups\/mg-lz-nonprod\n<\/code><\/pre>\n\n\n\nSecurity operations at the management group level<\/h2>\n\n\n\n
- \n
- PIM everywhere<\/strong>: Require just-in-time elevation for Contributor\/Owner at management group scopes. Approval + MFA for production branches.<\/li>\n\n\n\n
- Break-glass accounts<\/strong>: Keep emergency access accounts with strong controls and monitor their use.<\/li>\n\n\n\n
- Centralized diagnostics<\/strong>: Use policy to push diagnostic settings for critical services into a central Log Analytics workspace and storage account.<\/li>\n\n\n\n
- Defender for Cloud<\/strong>: Assign plan enablement via policy and remediate non-compliant subscriptions regularly.<\/li>\n<\/ul>\n\n\n\n
Handling exceptions without losing control<\/h2>\n\n\n\n
Real life needs exceptions. Use policy exemptions<\/em>\u2014not manual role changes\u2014to authorize deviations. Include:<\/p>\n\n\n\n
- \n
- Business justification and risk owner<\/li>\n\n\n\n
- Scope limited to the minimum necessary<\/li>\n\n\n\n
- Expiry date with review reminders<\/li>\n<\/ul>\n\n\n\n
Monitoring, drift, and continuous improvement<\/h2>\n\n\n\n
- \n
- Track compliance posture with Azure Policy compliance reports at the management group scope.<\/li>\n\n\n\n
- Schedule remediation tasks for DINE policies to converge legacy subscriptions.<\/li>\n\n\n\n
- Log policy changes via Activity Log and route to SIEM.<\/li>\n\n\n\n
- Review hierarchy and controls quarterly as your org evolves.<\/li>\n<\/ul>\n\n\n\n
Common pitfalls and how to avoid them<\/h2>\n\n\n\n
- \n
- Deep or irregular hierarchies<\/strong>: Keep it simple\u2014Platform and Landing Zones. Too many levels complicate troubleshooting and exceptions.<\/li>\n\n\n\n
- Overusing Owner<\/strong>: Prefer least privilege and PIM. Owners everywhere = audit headaches.<\/li>\n\n\n\n
- Policies that block delivery<\/strong>: Start in Audit<\/em> mode, measure impact, then switch to Deny<\/em> with clear comms and exemptions.<\/li>\n\n\n\n
- Ignoring non-production<\/strong>: Apply guardrails in NonProd and Sandbox too, with looser SKUs and budgets but firm security controls.<\/li>\n\n\n\n
- One-off manual fixes<\/strong>: Everything should be code-driven and repeatable. If you click it, script it.<\/li>\n\n\n\n
- Relying on deprecated tooling<\/strong>: Favor Azure Policy + Bicep\/ARM + Template Specs over legacy Blueprints approaches.<\/li>\n<\/ul>\n\n\n\n
A practical rollout plan<\/h2>\n\n\n\n
- \n
- Inventory<\/strong>: List subscriptions, owners, environments, region usage, and critical controls you already have.<\/li>\n\n\n\n
- Design<\/strong>: Agree on the hierarchy (Root > Platform > LZ-Prod\/NonProd\/Sandbox), naming, and tag standards.<\/li>\n\n\n\n
- Bootstrap<\/strong>: Create management groups and move subscriptions. Assign Reader to a broad audience; lock down elevated roles with PIM.<\/li>\n\n\n\n
- Baseline policies<\/strong>: Start with audit-only for 1\u20132 weeks. Review impact; then enable deny for must-have controls.<\/li>\n\n\n\n
- Operations<\/strong>: Turn on DINE policies for diagnostics and agents. Create remediation tasks.<\/li>\n\n\n\n
- Automate<\/strong>: Store Bicep and CLI scripts in Git; deploy via pipelines; protect with PR reviews.<\/li>\n\n\n\n
- Refine<\/strong>: Add cost budgets, SKU limits in NonProd, and a clean exception process with expiry.<\/li>\n<\/ol>\n\n\n\n
Key takeaways<\/h2>\n\n\n\n
- \n
- Design a clear, shallow hierarchy that mirrors governance needs.<\/li>\n\n\n\n
- Push RBAC and Policy to management groups; inherit everywhere.<\/li>\n\n\n\n
- Use deny-by-default for high-risk items; manage exceptions with time-bound exemptions.<\/li>\n\n\n\n
- Automate everything with Bicep\/CLI and Git workflows.<\/li>\n\n\n\n
- Measure, remediate, and iterate\u2014governance is continuous.<\/li>\n<\/ul>\n\n\n\n
If you\u2019d like help tailoring this approach to your environment, the CloudProinc.com.au team can guide you from assessment to automated landing zones\u2014without slowing your builders down.<\/p>\n\n\n\n
- Design<\/strong>: Agree on the hierarchy (Root > Platform > LZ-Prod\/NonProd\/Sandbox), naming, and tag standards.<\/li>\n\n\n\n
- Overusing Owner<\/strong>: Prefer least privilege and PIM. Owners everywhere = audit headaches.<\/li>\n\n\n\n
- Deep or irregular hierarchies<\/strong>: Keep it simple\u2014Platform and Landing Zones. Too many levels complicate troubleshooting and exceptions.<\/li>\n\n\n\n
- Break-glass accounts<\/strong>: Keep emergency access accounts with strong controls and monitor their use.<\/li>\n\n\n\n
- PIM everywhere<\/strong>: Require just-in-time elevation for Contributor\/Owner at management group scopes. Approval + MFA for production branches.<\/li>\n\n\n\n
- Compliance<\/strong>: Restrict allowed regions and SKUs, enforce encryption, require specific tags, ensure resource locks where appropriate.<\/li>\n\n\n\n
- Use Owner<\/em> sparingly; prefer Contributor<\/em> + scoped custom roles.<\/li>\n\n\n\n
- Tag at subscription\/resource levels (e.g.,
- Platform<\/strong> \u2014 Shared services like networking, identity, logging, security tooling.<\/li>\n\n\n\n
- RBAC<\/strong> \u2014 Roles assigned at a management group apply to all child scopes. Use it for platform guardrails, not day-to-day app ownership.<\/li>\n\n\n\n