What is Azure Resource Manager?
Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. You use management features, like access control, locks, and tags, to secure and organize your resources after deployment.
The following image shows the Azure Resource Manager role in handling Azure requests.
What are Azure management groups?
Azure Management group provides a way for an organization to control and manage access, policies, and compliance for subscription within their tenant. In other words, Management group is logical container that allows administrators to manage multiple subscriptions under one umbrella. All subscriptions within a management group automatically inherit the conditions applied to the management group.
Hierarchy of Management Groups and Subscriptions:
The following diagram shows an example of creating a hierarchy for governance using management groups.
In the diagram above, the root management groups holding both management group and subscriptions. A few child management groups holding management groups, some hold subscriptions, and some hold both.
Facts about management groups:
- 10000 management groups can be supported in a single directory.
- A management group tree can support up to six levels of depth, this limit does not include root level or subscription level.
- Each management group and subscription can only support one parent.
- Each management group can have many children.
- All subscriptions and management groups are within a single hierarchy in each directory.
Root management group for each directory:
Each directory has a single top-level management group called ‘Root’ management group. This is built into the hierarchy by having management groups and subscriptions. Moreover, these groups give access to global policies and Azure role assignments to apply at directory level. The Azure AD Global administrator needs to elevate themself to User Access Administrator of this group initially.
Facts about root Management group:
- By default, root management group’s display name is Tenant root group. The ID is Azure active directory ID.
- To change the display name, you must be assigned to owner or contributor role on the root management group.
- The root management group cannot be moved or deleted, unlike other management groups.
- All subscriptions and management groups folding up to the one root management group within the directory.
- All resources in the directory fold up to the root management group for global management.
- New subscriptions are automatically defaulted to the root management group when created.
- All azure customers can see the root management group. However, not all customers have access to manage that group.
Create a Management group:
- If you don’t have an Azure subscription, create a free account before you login.
- Any Azure AD user can create management group. The new management group becomes a child to the root management group or the default management group and creator is given as ‘owner’ role.
Create in portal:
- Log into the Azure portal.
- Search for and select Management groups and then, on the Management groups blade, click + Add management group
- The Management Group ID is the directory unique identifier that is used to submit commands on this management group. This identifier isn’t editable after creation as it’s used throughout the Azure system to identify this group
- The display name field is the name that is displayed within the Azure portal. A separate display name is an optional field when creating the management group and can be changed at any time
- Once you specify the details, Select Save.
- Navigate to the management groups, look for the group that you created from list of management groups.
- Now, you see the group that you have just created.
In this article, we have talked about Azure resource manager, Management groups. How they play role in deploying resources and managing those.