If your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called "management groups" and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.
Management groups give you enterprise-grade management at a large scale no matter what type of subscriptions you might have. To learn more about management groups, see Organize your resources with Azure management groups.
Note
This article provides steps about how to delete personal data from the device or service and can be used to support your obligations under the GDPR. For general information about GDPR, see the GDPR section of the Microsoft Trust Center and the GDPR section of the Service Trust portal.
Important
Azure Resource Manager user tokens and the management group cache last for 30 minutes before they are forced to refresh. After doing any action like moving a management group or subscription, it might take up to 30 minutes to show. To see the updates sooner, you need to update your token by refreshing the browser, signing in and out, or requesting a new token.
Important
The AzManagementGroup-related Az PowerShell cmdlets document -GroupId as an alias of the -GroupName parameter, so you can use either one to provide the management group ID as a string value.
Change the name of a management group
You can change the name of the management group by using the portal, PowerShell, or Azure CLI.
Change the name in the portal
Log into the Azure portal.
Select All services > Management groups.
Select the management group you would like to rename.
Select details.
Select the Rename group option at the top of the page.
When the menu opens, enter the new name you would like to have displayed.
Select Save.
Change the name in PowerShell
To update the display name, use Update-AzManagementGroup. For example, to change a management group's display name from "Contoso IT" to "Contoso Group", you run the following command:
Update-AzManagementGroup -GroupId 'ContosoIt' -DisplayName 'Contoso Group'
Change the name in Azure CLI
For Azure CLI, use the update command.
az account management-group update --name 'Contoso' --display-name 'Contoso Group'
Delete a management group
To delete a management group, the following requirements must be met:
There are no child management groups or subscriptions under the management group. To move a subscription or management group to another management group, see Moving management groups and subscriptions in the hierarchy.
You need write permissions on the management group ("Owner", "Contributor", or "Management Group Contributor"). To see what permissions you have, select the management group and then select IAM. To learn more on Azure roles, see Azure role-based access control (Azure RBAC).
Delete in the portal
Log into the Azure portal.
Select All services > Management groups.
Select the management group you would like to delete.
Select details.
Select Delete.
Tip
If the icon is disabled, hovering your mouse selector over the icon shows you the reason.
There's a window that opens confirming you want to delete the management group.
Select Yes.
Delete in PowerShell
Use the Remove-AzManagementGroup command within PowerShell to delete management groups.
Remove-AzManagementGroup -GroupId 'Contoso'
Delete in Azure CLI
With Azure CLI, use the command az account management-group delete.
az account management-group delete --name 'Contoso'
View management groups
You can view any management group you have a direct or inherited Azure role on.
View in the portal
Log into the Azure portal.
Select All services > Management groups.
The management group hierarchy page will load. This page is where you can explore all the management groups and subscriptions you have access to. Selecting the group name takes you to a lower level in the hierarchy. The navigation works the same as a file explorer does.
To see the details of the management group, select the (details) link next to the title of the management group. If this link isn't available, you don't have permissions to view that management group.
View in PowerShell
You use the Get-AzManagementGroup command to retrieve all groups. See Az.Resources modules for the full list of management group GET PowerShell commands.
Get-AzManagementGroup
For a single management group's information, use the -GroupId parameter:
Get-AzManagementGroup -GroupId 'Contoso'
To return a specific management group and all the levels of the hierarchy under it, use the -Expand and -Recurse parameters.
PS C:\> $response = Get-AzManagementGroup -GroupId TestGroupParent -Expand -Recurse
PS C:\> $response
Id                : /providers/Microsoft.Management/managementGroups/TestGroupParent
Type              : /providers/Microsoft.Management/managementGroups
Name              : TestGroupParent
TenantId          : 00000000-0000-0000-0000-000000000000
DisplayName       : TestGroupParent
UpdatedTime       : 2/1/2018 11:15:46 AM
UpdatedBy         : 00000000-0000-0000-0000-000000000000
ParentId          : /providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000
ParentName        : 00000000-0000-0000-0000-000000000000
ParentDisplayName : 00000000-0000-0000-0000-000000000000
Children          : {TestGroup1DisplayName, TestGroup2DisplayName}
PS C:\> $response.Children[0]
Type        : /managementGroup
Id          : /providers/Microsoft.Management/managementGroups/TestGroup1
Name        : TestGroup1
DisplayName : TestGroup1DisplayName
Children    : {TestRecurseChild}
PS C:\> $response.Children[0].Children[0]
Type        : /managementGroup
Id          : /providers/Microsoft.Management/managementGroups/TestRecurseChild
Name        : TestRecurseChild
DisplayName : TestRecurseChild
Children    :
View in Azure CLI
You use the list command to retrieve all groups.
az account management-group list
For a single management group's information, use the show command:
az account management-group show --name 'Contoso'
To return a specific management group and all the levels of the hierarchy under it, use the -Expand and -Recurse parameters.
az account management-group show --name 'Contoso' -e -r
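Because every subscription under a group inherits what is applied to it, and a group with children cannot be deleted, it helps to walk the expanded hierarchy before assigning roles or deleting. The following is an added example, not code from the original article: it assumes the expanded output has been saved as JSON with lowercase `id`, `name` and `children` keys (mirroring the Id, Name and Children properties shown above), and `TREE` is constructed sample data.

```python
# Added example: walks an expanded management group tree. TREE is constructed
# sample data; the lowercase key names are an assumption about the JSON export.
def is_subscription(node):
    return node["id"].lower().startswith("/subscriptions/")


def walk(node, path=()):
    """Yield (path_of_ancestor_groups, child) for every descendant of node."""
    here = path + (node["name"],)
    for child in node.get("children") or []:  # leaves carry null or no children
        yield here, child
        if not is_subscription(child):
            yield from walk(child, here)


def inherited_subscriptions(tree):
    """Map each subscription to the chain of groups whose assignments it inherits."""
    return {c["name"]: "/".join(p) for p, c in walk(tree) if is_subscription(c)}


def delete_blockers(tree):
    """Direct children that must be moved out before the group can be deleted."""
    return [c["name"] for c in tree.get("children") or []]


MG = "/providers/Microsoft.Management/managementGroups/"
TREE = {
    "id": MG + "TestGroupParent", "name": "TestGroupParent",
    "children": [
        {"id": MG + "TestGroup1", "name": "TestGroup1",
         "children": [
             {"id": MG + "TestRecurseChild", "name": "TestRecurseChild",
              "children": [
                  {"id": "/subscriptions/12345678-1234-1234-1234-123456789012",
                   "name": "12345678-1234-1234-1234-123456789012",
                   "children": None}]}]},
        {"id": "/subscriptions/00000000-0000-0000-0000-000000000000",
         "name": "00000000-0000-0000-0000-000000000000", "children": None},
    ],
}
```

`inherited_subscriptions(TREE)` shows which subscriptions are affected by an assignment at the top group, and `delete_blockers(TREE)` lists what has to be moved first.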
Moving management groups and subscriptions
One reason to create a management group is to bundle subscriptions together. Only management groups and subscriptions can be made children of another management group. A subscription that moves to a management group inherits all user access and policies from the parent management group.
When moving a management group or subscription to be a child of another management group, three rules need to be evaluated as true.
If you're doing the move action, you need permission at each of the following layers:
- Child subscription / management group
  - Microsoft.management/managementgroups/write
  - Microsoft.management/managementgroups/subscriptions/write (only for Subscriptions)
  - Microsoft.Authorization/roleAssignments/write
  - Microsoft.Authorization/roleAssignments/delete
  - Microsoft.Management/register/action
- Target parent management group
  - Microsoft.management/managementgroups/write
- Current parent management group
  - Microsoft.management/managementgroups/write
Exception: If the target or the existing parent management group is the Root management group, the permissions requirements don't apply. Since the Root management group is the default landing spot for all new management groups and subscriptions, you don't need permissions on it to move an item.
If the Owner role on the subscription is inherited from the current management group, your move targets are limited. You can only move the subscription to another management group where you have the Owner role. You can't move the subscription to a management group where you're only a contributor because you would lose ownership of the subscription. If you're directly assigned to the Owner role for the subscription, you can move it to any management group where you're a contributor.
To see what permissions you have in the Azure portal, select the management group and then select IAM. To learn more on Azure roles, see Azure role-based access control (Azure RBAC).
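The move rules above can be checked before attempting a move by evaluating the caller's role definitions at each layer. The following is an added example, not code from the original article: the function names and the two sample role definitions are hypothetical and constructed, and the Root exception is read here as waiving the check on the Root layer only.

```python
# Added example: pre-flight check for the move rules. Role definitions are
# constructed and abbreviated; all function and variable names are hypothetical.
from fnmatch import fnmatchcase

MG_WRITE = "Microsoft.Management/managementGroups/write"
SUB_WRITE = "Microsoft.Management/managementGroups/subscriptions/write"
CHILD_ACTIONS = [
    MG_WRITE,
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Management/register/action",
]


def allows(role, action):
    """True if one role definition grants action (wildcards and notActions honoured)."""
    def match(patterns):
        return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return match(role["actions"]) and not match(role.get("notActions", []))


def move_blockers(child_is_sub, child_roles, target_roles, current_roles,
                  target_is_root=False, current_is_root=False,
                  owner_inherited=False, owner_on_target=False):
    """Return unmet requirements for a move; an empty list means none were found."""
    blockers = []

    def require(layer, roles, actions):
        for action in actions:
            if not any(allows(r, action) for r in roles):
                blockers.append(f"{layer}: {action}")

    require("child", child_roles, CHILD_ACTIONS + ([SUB_WRITE] if child_is_sub else []))
    # Assumption: the Root exception waives the permission check on the Root layer.
    if not target_is_root:
        require("target parent", target_roles, [MG_WRITE])
    if not current_is_root:
        require("current parent", current_roles, [MG_WRITE])
    # Owner inherited from the current parent: the target must also grant Owner.
    if child_is_sub and owner_inherited and not owner_on_target:
        blockers.append("target parent: Owner role required (subscription Owner is inherited)")
    return blockers


# Constructed sample role definitions.
OWNER_LIKE = {"actions": ["*"]}
CONTRIBUTOR_LIKE = {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]}
```

With the contributor-like definition on the child, the check reports the two missing roleAssignments actions, which is why write access on the child alone is not enough to move it.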
Move subscriptions
Add an existing Subscription to a management group in the portal
Log into the Azure portal.
Select All services > Management groups.
Select the management group you're planning to be the parent.
At the top of the page, select Add subscription.
Select the subscription in the list with the correct ID.
Select "Save".
Remove a subscription from a management group in the portal
Log into the Azure portal.
Select All services > Management groups.
Select the management group that is the current parent.
Select the ellipsis at the end of the row for the subscription in the list you want to move.
Select Move.
On the menu that opens, select the Parent management group.
Select Save.
Move subscriptions in PowerShell
To move a subscription in PowerShell, you use the New-AzManagementGroupSubscription command.
New-AzManagementGroupSubscription -GroupId 'Contoso' -SubscriptionId '12345678-1234-1234-1234-123456789012'
To remove the link between the subscription and the management group, use the Remove-AzManagementGroupSubscription command.
Remove-AzManagementGroupSubscription -GroupId 'Contoso' -SubscriptionId '12345678-1234-1234-1234-123456789012'
Move subscriptions in Azure CLI
To move a subscription in CLI, you use the add command.
az account management-group subscription add --name 'Contoso' --subscription '12345678-1234-1234-1234-123456789012'
To remove the subscription from the management group, use the subscription remove command.
az account management-group subscription remove --name 'Contoso' --subscription '12345678-1234-1234-1234-123456789012'
Move subscriptions in ARM template
To move a subscription in an Azure Resource Manager template (ARM template), use the following template and deploy it at tenant level.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "targetMgId": {
      "type": "string",
      "metadata": {
        "description": "Provide the ID of the management group that you want to move the subscription to."
      }
    },
    "subscriptionId": {
      "type": "string",
      "metadata": {
        "description": "Provide the ID of the existing subscription to move."
      }
    }
  },
  "resources": [
    {
      "scope": "/",
      "type": "Microsoft.Management/managementGroups/subscriptions",
      "apiVersion": "2020-05-01",
      "name": "[concat(parameters('targetMgId'), '/', parameters('subscriptionId'))]",
      "properties": {}
    }
  ],
  "outputs": {}
}
Or, the following Bicep file.
targetScope = 'managementGroup'
@description('Provide the ID of the management group that you want to move the subscription to.')
param targetMgId string
@description('Provide the ID of the existing subscription to move.')
param subscriptionId string
resource subToMG 'Microsoft.Management/managementGroups/subscriptions@2020-05-01' = {
  scope: tenant()
  name: '${targetMgId}/${subscriptionId}'
}
Move management groups
Move management groups in the portal
Log into the Azure portal.
Select All services > Management groups.
Select the management group you're planning to be the parent.
At the top of the page, select Add management group.
In the menu that opens, select whether you want to create a new management group or use an existing one.
- Selecting new will create a new management group.
- Selecting an existing will present you with a dropdown list of all the management groups you can move to this management group.
Select Save.
Move management groups in PowerShell
Use the Update-AzManagementGroup command in PowerShell to move a management group under a different group.
$parentGroup = Get-AzManagementGroup -GroupId ContosoIT
Update-AzManagementGroup -GroupId 'Contoso' -ParentId $parentGroup.id
Move management groups in Azure CLI
Use the update command to move a management group with Azure CLI.
az account management-group update --name 'Contoso' --parent ContosoIT
Audit management groups using activity logs
Management groups are supported within Azure Activity Log. You can query all events that happen to a management group in the same central location as other Azure resources. For example, you can see all Role Assignments or Policy Assignment changes made to a particular management group.
When looking to query on management groups outside of the Azure portal, the target scope for management groups looks like "/providers/Microsoft.Management/managementGroups/{yourMgID}".
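The scope format above can be used to pick role and policy assignment changes for one management group out of exported activity log entries. The following is an added example, not code from the original article: `EVENTS` is constructed sample data, and the field names (`operationName.value`, `resourceId`, `caller`, `eventTimestamp`) are an assumption about the exported JSON shape.

```python
# Added example: filters exported activity log entries by management group scope.
# EVENTS is constructed sample data, not real log output.
MG_PREFIX = "/providers/microsoft.management/managementgroups/"
WATCHED = ("microsoft.authorization/roleassignments/",
           "microsoft.authorization/policyassignments/")


def in_mg_scope(resource_id, mg_id):
    """True if resource_id is the management group itself or a resource under it."""
    rid, scope = resource_id.lower(), MG_PREFIX + mg_id.lower()
    # Require a path boundary so 'Contoso' does not also match 'ContosoIT'.
    return rid == scope or rid.startswith(scope + "/")


def assignment_changes(events, mg_id):
    """Role and policy assignment writes and deletes scoped to one management group."""
    hits = []
    for ev in events:
        op = ev.get("operationName", {}).get("value", "")
        low = op.lower()
        if not (low.startswith(WATCHED) and low.endswith(("/write", "/delete"))):
            continue
        if in_mg_scope(ev.get("resourceId", ""), mg_id):
            hits.append((ev["eventTimestamp"], ev["caller"], op))
    return sorted(hits)


def event(ts, caller, op, resource_id):
    return {"eventTimestamp": ts, "caller": caller,
            "operationName": {"value": op}, "resourceId": resource_id}


MG = "/providers/Microsoft.Management/managementGroups/"
EVENTS = [
    event("2024-01-10T09:00:00Z", "alice@contoso.example",
          "Microsoft.Authorization/roleAssignments/write",
          MG + "Contoso/providers/Microsoft.Authorization/roleAssignments/constructed-1"),
    event("2024-01-10T09:05:00Z", "bob@contoso.example",
          "Microsoft.Authorization/policyAssignments/delete",
          MG + "contoso/providers/Microsoft.Authorization/policyAssignments/constructed-2"),
    event("2024-01-10T09:10:00Z", "carol@contoso.example",
          "Microsoft.Authorization/roleAssignments/write",
          MG + "ContosoIT/providers/Microsoft.Authorization/roleAssignments/constructed-3"),
    event("2024-01-10T09:15:00Z", "dave@contoso.example",
          "Microsoft.Management/managementGroups/write", MG + "Contoso"),
]
```

The comparison is case-insensitive and anchored on a path boundary, so a query for `Contoso` returns the first two events and not the one recorded against `ContosoIT`.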
Referencing management groups from other Resource Providers
When referencing management groups from other resource providers' actions, use the following path as the scope. This path is used when using PowerShell, Azure CLI, and REST APIs.
/providers/Microsoft.Management/managementGroups/{yourMgID}
An example of using this path is when assigning a new role assignment to a management group in PowerShell:
New-AzRoleAssignment -Scope "/providers/Microsoft.Management/managementGroups/Contoso"
The same scope path is used when retrieving a policy definition at a management group.
GET https://management.azure.com/providers/Microsoft.Management/managementgroups/MyManagementGroup/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming?api-version=2019-09-01
Next steps
To learn more about management groups, see:
- Create management groups to organize Azure resources
- How to change, delete, or manage your management groups
- Review management groups in Azure PowerShell Resources Module
- Review management groups in REST API
- Review management groups in Azure CLI