Also read this post on the core elements of Governance on any public cloud

Why do we need Azure Management Groups?

Most people think of management groups as a convenient way to organize multiple subscriptions (e.g. based on departments in an organization).

However, management groups are the governance layer above subscriptions: Azure Policy assignments and RBAC role assignments made at a management group are inherited by every child management group, subscription, resource group and resource beneath it, so a control is defined once and applies everywhere below.

Per Department Management Groups

You can have a high-level management group per department, with that department's subscriptions as its children, so that department-wide policies and role assignments are made once at the management group rather than repeated per subscription.

What lives below a Management Group? (child management groups and subscriptions)

Every Azure AD tenant has exactly one root management group (the Tenant Root Group). It exists whether you ask for it or not, and every new subscription is placed directly under it by default. Management groups can be nested beneath the root (up to six levels deep, not counting the root or the subscription level), each holding further management groups or subscriptions; resource groups then live inside subscriptions, not directly under a management group. So it is best to move each new subscription into the right place in your existing hierarchy rather than leaving it at the root, where only the root-level policies reach it.

Example Policy at Management Group Level – Tags of resources and Resource Groups

Every resource in Azure, including resource groups, must have tags assigned. At a minimum the tags should record the department, environment, creation date and project name. Assigned at management group scope with the deny effect, such a policy rejects any deployment in a child subscription that omits the required tags; resources that already exist without them are reported as non-compliant rather than removed. A creation-date tag is better stamped automatically by a policy using the modify effect than demanded of whoever deploys the resource.
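The two policy definitions that enforce the tagging rule above, together with a small local evaluator so the rule can be checked against deployment manifests before they reach Azure. This is an added example written for this post, not code from the original article or from Microsoft; the management group name mg-contoso, the tag names and the sample resources are constructed placeholders.

```python
"""Azure Policy definitions requiring tags, plus a local evaluator for them.

Added example for this post (not the article's own code). The management
group "mg-contoso", the tag names and SAMPLES below are constructed.
"""
import json

# Tags every resource and resource group must carry. A creation date is best
# added automatically by a "modify" policy, so it is not in the deny list.
REQUIRED_TAGS = ("department", "environment", "project")
RESOURCE_GROUP_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"


def tag_field(tag):
    """Azure Policy field alias for a tag, e.g. tags['department']."""
    return f"tags['{tag}']"


def _missing_any_required_tag():
    return {"anyOf": [{"field": tag_field(t), "exists": "false"} for t in REQUIRED_TAGS]}


def resource_tag_policy():
    """Deny any taggable resource that lacks a required tag.

    Mode "Indexed" evaluates only resource types that support tags and
    location; resource groups are never evaluated in this mode.
    """
    return {
        "mode": "Indexed",
        "displayName": "Require department, environment and project tags on resources",
        "policyRule": {"if": _missing_any_required_tag(), "then": {"effect": "deny"}},
    }


def resource_group_tag_policy():
    """Deny resource groups that lack a required tag.

    Resource groups are only evaluated in mode "All", so the rule must be
    limited to the resource group type or it would fire on every resource.
    """
    return {
        "mode": "All",
        "displayName": "Require department, environment and project tags on resource groups",
        "policyRule": {
            "if": {"allOf": [{"field": "type", "equals": RESOURCE_GROUP_TYPE},
                             _missing_any_required_tag()]},
            "then": {"effect": "deny"},
        },
    }


def _field_value(resource, field):
    """Resolve the field aliases used above ("type" and tags['x']) on a resource dict."""
    if field == "type":
        return resource.get("type")
    if field.startswith("tags['") and field.endswith("']"):
        return (resource.get("tags") or {}).get(field[6:-2])
    raise ValueError(f"unsupported field alias: {field}")


def condition_matches(cond, resource):
    """Evaluate a policy 'if' block: allOf / anyOf / field exists / field equals."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource) for c in cond["anyOf"])
    value = _field_value(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (cond["exists"] == "true")
    if "equals" in cond:
        return value == cond["equals"]
    raise ValueError(f"unsupported condition: {cond}")


def effect_for(resource, policy):
    """Effect the policy applies to the resource ("deny"), or None if compliant/not evaluated."""
    # Simplified model of mode "Indexed": skip resource groups (real Azure also
    # skips child types that cannot be tagged).
    if policy["mode"] == "Indexed" and resource.get("type") == RESOURCE_GROUP_TYPE:
        return None
    rule = policy["policyRule"]
    return rule["then"]["effect"] if condition_matches(rule["if"], resource) else None


# Constructed sample deployments, shaped like ARM template resources.
FULL_TAGS = {"department": "finance", "environment": "prod", "project": "payroll"}
SAMPLES = {
    "rg-ok": {"type": RESOURCE_GROUP_TYPE, "name": "rg-payroll-prod", "tags": FULL_TAGS},
    "rg-missing": {"type": RESOURCE_GROUP_TYPE, "name": "rg-scratch", "tags": {"environment": "dev"}},
    "storage-ok": {"type": "Microsoft.Storage/storageAccounts", "name": "stpayrollprod", "tags": FULL_TAGS},
    "storage-missing": {"type": "Microsoft.Storage/storageAccounts", "name": "stscratch", "tags": {}},
}


def check_samples():
    """Map each sample to (resource-policy effect, resource-group-policy effect), i.e. what an
    assignment of both policies at mg-contoso would do to a deployment in any child subscription."""
    return {name: (effect_for(r, resource_tag_policy()), effect_for(r, resource_group_tag_policy()))
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    print(json.dumps(resource_tag_policy()["policyRule"], indent=2))
    print(json.dumps(resource_group_tag_policy()["policyRule"], indent=2))
    for name, (res_effect, rg_effect) in check_samples().items():
        print(f"{name}: resource policy={res_effect}, resource-group policy={rg_effect}")
```

To put the definitions into Azure, save each `policyRule` object to a file and create the definition at the management group with `az policy definition create --name require-tags-resources --mode Indexed --rules rules.json --management-group mg-contoso`, then assign it with `az policy assignment create --name require-tags --policy require-tags-resources --scope /providers/Microsoft.Management/managementGroups/mg-contoso` (and likewise for the resource-group definition with `--mode All`). The local evaluator covers only the `allOf`/`anyOf`/`exists`/`equals` subset these rules use; it is a pre-deployment check, not a substitute for the service-side evaluation.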

Another Example Policy at the management group level – Diagnostic logs and Application Insights for all resources

Every resource deployed on Azure should have diagnostic settings enabled wherever the resource type supports them, sending its resource logs and metrics to a central Log Analytics workspace, and application code should report to Application Insights. Because this is a setting to add rather than a deployment to block, the policy effect here is DeployIfNotExists rather than deny: the policy creates the missing diagnostic setting on any resource in a child subscription that lacks one.

How many Subscriptions should you have?

At the very least two: one for production and one for non-production workloads, so that the stricter policies and role assignments for production do not leak into dev and test, and vice versa. Beyond PROD and NON-PROD, consider a subscription per department if billing is to be separated, since the subscription is the unit of billing and of service quotas. Read Azure's article on subscription groups.

Summary

Azure Management Groups are more than a convenience for organizing subscriptions. Used correctly, they let a policy or role assignment be defined once and inherited by every subscription beneath it. For example, they can enforce tagging of resources and resource groups, a key part of cost governance.

Also see Auditing AWS Account Security.


Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.


Anuj Varma, Hands-On Technology Architect, Clean Air Activist.