📖 What is Management Groups?
Management Groups provide a hierarchical structure for organizing multiple Azure Subscriptions. They enable centralized policy and access management across an organization, simplifying governance and compliance. This allows for consistent application of policies at scale, reducing administrative overhead.
"Management Groups are essential for large organizations with numerous subscriptions. The hierarchy is crucial: Management Group > Subscription > Resource Group > Resource. Exam questions will likely focus on policy inheritance and centralized control. Understand the limits on the number of Management Groups."
📚 Certification: Microsoft Azure Fundamentals (AZ-900)
🔑 What are the Key Concepts of Management Groups?
- ▸ Management Groups sit above subscriptions, enabling inheritance of Azure Policies and Role-Based Access Control (RBAC) down the hierarchy.
- ▸ They are crucial for organizations managing multiple subscriptions, providing a centralized governance point for compliance and security.
- ▸ A single Management Group can contain multiple subscriptions, and subscriptions can only be directly associated with one Management Group.
- ▸ Policies applied at the Management Group level are inherited by all subscriptions within it, ensuring consistent configuration.
- ▸ There are limits to the number of Management Groups and subscriptions within a directory; understanding these limits is testable.
🎯 How does Management Groups appear on the AZ-900 Exam?
You may be asked to identify the best way to enforce a specific security policy across all subscriptions in a large enterprise – Management Groups will be the correct answer.
A scenario might describe a company needing to grant a specific user access to all resources within a department’s subscriptions; expect questions about RBAC inheritance through Management Groups.
Expect questions about troubleshooting policy application failures, focusing on understanding how policies are inherited and potentially overridden at lower levels.
❓ Frequently Asked Questions
Can a subscription be part of multiple Management Groups?
No, a subscription can only be directly associated with one Management Group. However, Management Groups can be nested, creating a hierarchical structure to represent complex organizational structures.
What happens if a policy is applied at both the Management Group and Subscription level?
The more restrictive policy takes precedence. Policies applied at the Subscription level override those inherited from the Management Group, allowing for granular control where needed.
How do Management Groups relate to Azure Policy?
Management Groups are the primary mechanism for *applying* Azure Policies at scale. You define the policy, then assign it to a Management Group, and it automatically applies to all contained subscriptions.