Azure Management Groups: Curriculum Overview
This curriculum provides a structured approach to understanding Azure Management Groups, a critical component of the Azure resource hierarchy used for enterprise-grade governance and organizational control.
[!IMPORTANT] Management groups allow you to manage access, policy, and compliance by grouping multiple Azure subscriptions together. Any Azure Policy assignment or role-based access control (RBAC) role assignment made at a management group is automatically inherited by all subscriptions within it.
Prerequisites
Before diving into Management Groups, learners should have a foundational understanding of the following Azure concepts:
- Azure Resources: Understanding that every entity in Azure (VMs, SQL Databases, etc.) is a resource.
- Resource Groups: Experience using logical containers to group resources for a single application or lifecycle.
- Azure Subscriptions: Understanding the billing and trust boundary where resources are provisioned.
- Azure Active Directory (Microsoft Entra ID): Basic knowledge of tenants and identities.
Module Breakdown
The following table outlines the progression of the curriculum from basic structure to advanced governance.
| Module | Topic | Difficulty | Key Focus |
|---|---|---|---|
| 1 | The Azure Hierarchy | Beginner | Relationship between management groups (MGs), subscriptions, and resource groups (RGs) |
| 2 | Tenant Root Group | Beginner | Default behaviors and Azure AD integration |
| 3 | Governance at Scale | Intermediate | Applying Azure Policy and RBAC across subscriptions |
| 4 | Architectural Constraints | Intermediate | Limits on depth, count, and parentage |
Module Learning Objectives
1. Visualizing the Hierarchy
Learners must be able to describe how management groups sit at the top of the organizational structure.
2. Identifying Constraints
Understand the physical and logical limits of the management group service:
- Capacity: A single Azure AD tenant can support up to 10,000 management groups.
- Depth: The management group tree can support up to six levels of depth (excluding the Root and Subscription levels).
- Parentage: Each management group or subscription can have exactly one parent.
Success Metrics
To demonstrate mastery of this topic, learners should be able to:
- Define the Tenant Root Group: Explain why every subscription starts in this default group even if no custom groups are created.
- Compare Containers: Differentiate between a Resource Group (holds resources) and a Management Group (holds subscriptions/MGs).
- Governance Scenario: Describe how applying an "Allowed Regions" policy to a high-level management group affects a resource group three levels down (Inheritance).
- Recall Limits: State the maximum number of management groups allowed in a single directory.
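The constraints under "Identifying Constraints" and the inheritance scenario above can be checked against a planned hierarchy before anything is deployed. The following is an added example, not part of the original curriculum or any Azure SDK: it models the tree down to subscription level only, and the plan, the assignments and all function names are constructed for illustration.

```python
MAX_DEPTH = 6        # levels below the root, from the limits listed above
MAX_GROUPS = 10_000  # management groups per directory, from the limits above
ROOT = "Tenant Root Group"

# Constructed plan: name -> (kind, parent). One dict key per name means each
# node has exactly one parent, matching the parentage rule.
PLAN = {
    "Corp": ("mg", ROOT),
    "Sales": ("mg", "Corp"),
    "Development": ("mg", "Sales"),
    "Sales-Dev": ("sub", "Development"),
    "Sales-Prod": ("sub", "Sales"),
}
# Constructed assignments: scope -> policies assigned directly at that scope.
ASSIGNMENTS = {"Corp": ["Allowed Regions"], "Development": ["No Public IP"]}


def ancestors(node, plan):
    """Parents of node from nearest up to the root; rejects orphans and cycles."""
    chain, seen = [], {node}
    while node != ROOT:
        if node not in plan:
            raise ValueError(f"{node!r} has no parent in the plan")
        node = plan[node][1]
        if node in seen:
            raise ValueError(f"cycle at {node!r}")
        seen.add(node)
        chain.append(node)
    return chain


def validate(plan):
    """Return violations of the count, depth and container rules."""
    groups = [n for n, (kind, _) in plan.items() if kind == "mg"]
    problems = []
    if len(groups) > MAX_GROUPS:
        problems.append(f"{len(groups)} groups exceeds {MAX_GROUPS}")
    for name, (kind, parent) in plan.items():
        if parent != ROOT and plan.get(parent, ("?",))[0] != "mg":
            problems.append(f"{name}: parent {parent} is not a management group")
        elif kind == "mg" and len(ancestors(name, plan)) > MAX_DEPTH:
            problems.append(f"{name}: deeper than {MAX_DEPTH} levels")
    return problems


def effective(scope, plan, assignments):
    """Policies in force at scope: inherited ones first, then its own."""
    path = [scope] + ancestors(scope, plan)
    return [p for node in reversed(path) for p in assignments.get(node, [])]
```

In this constructed plan, Sales-Prod sits outside the Development group and therefore does not inherit "No Public IP", which is the kind of placement gap a review of the hierarchy should surface.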
Real-World Application
In professional environments, Management Groups are used to mirror corporate structures.
Case Study: Global Retailer
A company has separate IT budgets for "Sales," "Marketing," and "R&D."
- Departmental Billing: By creating a Management Group for each department, they can track costs across multiple subscriptions (e.g., Sales-Dev, Sales-Prod).
- Security Isolation: The security team applies a "No Public IP" policy to the "Development" Management Group to ensure developers don't accidentally expose internal servers to the internet.
- Mergers & Acquisitions: When a company acquires a new startup, they can move the startup's existing Azure subscription into their corporate management group hierarchy to immediately bring it under corporate compliance.
[!TIP] Always give your management groups descriptive names. While Azure uses a unique ID internally, human-readable names are essential for navigating the hierarchy in the Azure Portal.