Exercise 1 – Azure management groups
In this section, we will look at the steps to create and configure management groups.
To recap from the earlier Azure management groups section, management groups are logical containers that group Azure subscriptions; they can be considered a governance and management layer for targeting access control and policies.
Important note
In contrast to resource groups, which are a flat structure with no hierarchy or nested resource groups, management groups are implemented based on a hierarchy. They have a nested, that is, root and branch, or parent and child relationship.
Follow these steps to create a management group:
1. Log in to the Azure portal at https://portal.azure.com. You can alternatively use the Azure desktop app: https://portal.azure.com/App/Download.
2. In the search bar, type in management groups; click on Management groups from the list of services shown:
Figure 3.27 – Searching for management groups
3. In the Management groups blade, click on the Start using management groups button:
Figure 3.28 – Start using management groups
4. In the Add management group blade, you will need to enter a management group ID; see the following note and step on creating an ID:
Figure 3.29 – Add management group
Important note
The management group ID is often set to the same value as the display name you wish to use; however, a better practice is to use an actual GUID that you generate yourself. How to create this GUID is covered in the next step.
5. From the top ribbon of the Azure portal, open Cloud Shell and, using PowerShell, run the following command to create a unique GUID to use:
[guid]::NewGuid()
The following screenshot shows an example of running the preceding command:
Figure 3.30 – Creating a GUID
6. Enter the created management group ID and add a management group display name; click Submit:
Figure 3.31 – Adding a GUID
7. You will receive a notification that this was completed successfully.
Important note
To view the created management groups, you must have the Management Group Contributor or Reader role assigned.
8. The new management group (called Projects) can be seen in the hierarchy from the Management groups blade:
Figure 3.32 – Review management groups created
9. To move subscriptions into the management group, right-click the subscription to move and select Move:
Figure 3.33 – Moving management groups
10. In the Move blade, select the management group to move the subscription to and click Save; repeat for each subscription to move:
Figure 3.34 – Selecting management groups
11. The new hierarchy can be seen in the Management groups blade; the Projects management group now contains two subscriptions:
Figure 3.35 – Reviewing the hierarchy
12. Clicking on the management group name opens that particular management group. The Projects management group now has two subscriptions (called Project DogOrMuffin and Project Lobster); governance controls can now be targeted at the subscriptions within the management group:
Figure 3.36 – Reviewing the management group
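The same procedure can be scripted so that it is repeatable and the resulting hierarchy is checked rather than eyeballed. The following is an added example, not part of the original exercise; it assumes the Az.Resources module (as available in Cloud Shell), an account permitted to create management groups and move the subscriptions, and subscription IDs supplied by the caller.

```powershell
# Added example (not from the original exercise): the portal steps as a script.
# Assumptions: Az.Resources is loaded and the signed-in account may create
# management groups and move the listed subscriptions.
param(
    # Display name used in the exercise
    [string] $DisplayName = 'Projects',

    # Subscriptions to move into the new group; supplied by the caller
    [Parameter(Mandatory)]
    [guid[]] $SubscriptionId
)

$ErrorActionPreference = 'Stop'

# Step 5: self-generate a GUID to use as the management group ID
$groupId = [guid]::NewGuid().ToString()

# Steps 4 and 6: create the management group with that ID and the display name
New-AzManagementGroup -GroupName $groupId -DisplayName $DisplayName | Out-Null

# Steps 9 and 10: move each subscription under the new management group
foreach ($sub in $SubscriptionId) {
    New-AzManagementGroupSubscription -GroupId $groupId -SubscriptionId $sub.ToString()
}

# Steps 11 and 12: read the hierarchy back and confirm every subscription
# is now a direct child of the group before any governance control is targeted at it
$group = Get-AzManagementGroup -GroupId $groupId -Expand
$moved = @($group.Children |
    Where-Object { $_.Type -like '*subscriptions' } |
    Select-Object -ExpandProperty Name)

$missing = @($SubscriptionId | Where-Object { $_.ToString() -notin $moved })
if ($missing.Count -gt 0) {
    throw "Subscriptions not found under '$DisplayName' ($groupId): $($missing -join ', ')"
}

# Emit a short summary of what now sits under the management group
[pscustomobject]@{
    ManagementGroupId = $groupId
    DisplayName       = $group.DisplayName
    Subscriptions     = $moved
}
```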
In this exercise, we created a management group and moved two subscriptions into that management group. In the following exercise, we will look at Azure access assignment through RBAC.