Azure Management Groups are tied to Governance
Also read this post on the core elements of Governance on any public cloud
Why do we need Azure Management Groups?
Most people think of management groups as a convenient way to organize multiple subscriptions (e.g. based on departments in an organization).
However, management groups are tied to governance in that policies and RBAC can both be applied at a higher level – and propagate to all child subscriptions underneath.
Per Department Management Groups
You can have a high level Management group per department.
What lives below a Management Group? (subscriptions and resource groups)
Firstly, you get a root management group whether you ask for it or not (with each new subscription). So – it is best to group new subscriptions under existing roots so you have a clean hierarchy.
Example Policy at Management Group Level – Tags of resources and Resource Groups
Every resource in Azure, including resource groups, must have tags assigned to it. At a minimum, the tags will include the department, environment, creation date, and project name.
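A custom Azure Policy definition that enforces this rule, written as an added example (not from the original post): it denies the creation of any resource or resource group that is missing one of the four governance tags. The tag names `department`, `environment`, `createdOn` and `project` are assumed; substitute your own conventions.

```json
{
  "properties": {
    "displayName": "Require governance tags on resources and resource groups",
    "description": "Deny any resource or resource group that lacks the mandatory governance tags.",
    "mode": "All",
    "policyRule": {
      "if": {
        "anyOf": [
          { "field": "tags['department']", "exists": "false" },
          { "field": "tags['environment']", "exists": "false" },
          { "field": "tags['createdOn']", "exists": "false" },
          { "field": "tags['project']", "exists": "false" }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Use `"mode": "All"` rather than `"Indexed"`, because only `All` mode evaluates resource groups; assign the definition at the management group scope (`/providers/Microsoft.Management/managementGroups/<management-group-name>`) so it propagates to every child subscription, and note that `deny` only blocks new deployments, while existing untagged resources simply show up as non-compliant in the compliance report.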
Another Example Policy at the management group level – Diagnostic logs and Application Insights for all resources
Every resource deployed on Azure should have diagnostic logs and application logs enabled wherever possible.
How many Subscriptions should you have?
At the very least, 2 (one for production and one for non-production workloads). Beyond PROD and NON-PROD, you can consider department-based subscriptions (if billing is to be separated). Read Azure's article on Subscription Groups.
Summary
Azure Management Groups are more than a convenience for organizing subscriptions. Used correctly, they allow policies to be applied in a reusable manner. For example, they can be used to enforce tagging of resources, a key part of cost governance.
Also see Auditing AWS Account Security.