This chapter covers Azure Management Groups and Azure Blueprints, two essential governance tools that help you manage multiple subscriptions and enforce compliance at scale. For the AZ-900 exam, these topics fall under Domain 3 (Azure Management and Governance), which carries approximately 30% of the total exam weight. Understanding how to organize subscriptions into a hierarchy and deploy consistent environments using Blueprints is critical for both the exam and real-world cloud administration.
Jump to a section
Imagine a large corporation with a headquarters (HQ) and many departments. HQ sets the overall company policies—like expense limits, hiring rules, and data security standards—that apply to everyone. Each department (like Sales, Engineering, HR) then has its own manager who can add more specific rules, but cannot override HQ's policies. Within a department, there are teams (like Product A, Product B) that need to follow both HQ and department policies, but can also have team-specific rules as long as they don't conflict. Now, each team works on projects; a project might require a specific set of resources (like office space, software licenses, and servers). The team can use a blueprint—a pre-approved template that lists exactly what resources are needed and how they should be configured. This blueprint ensures every project is set up consistently and complies with all policies from HQ down to the team. If a project deviates from the blueprint, it gets flagged. Azure Management Groups are like the corporate hierarchy (HQ, departments, teams) and Azure Blueprints are like the project templates. Management Groups enforce policy inheritance (like HQ policies flowing down), while Blueprints package resource templates, policies, and role assignments into a single deployable unit. Together, they ensure governance at scale—every subscription and resource follows the rules, even as the organization grows.
What Are Azure Management Groups and Why Do They Matter?
Azure Management Groups are containers that help you manage access, policies, and compliance across multiple Azure subscriptions. Think of them as folders that can hold subscriptions and other management groups, forming a hierarchy. The root management group is automatically created for every Azure AD tenant and sits at the top of the hierarchy. You can create up to 10,000 management groups in a single directory, and a management group can have up to 2,000 child management groups or subscriptions. The depth of the hierarchy is limited to six levels (excluding the root level).
Why do you need management groups? In a large organization with hundreds or thousands of subscriptions, managing each one individually is impractical. Management groups allow you to apply Azure Policy and Role-Based Access Control (RBAC) at a higher level, and those settings are inherited by all subscriptions and management groups underneath. For example, you can apply a policy that restricts VM SKUs to only approved sizes at the root management group, and every subscription in the tenant will automatically enforce that rule. This eliminates the need to configure policies per subscription.
How Management Groups Work – The Hierarchy and Inheritance
Management groups create a parent-child relationship. When you assign a policy or RBAC role to a management group, all child management groups and subscriptions inherit that assignment. However, inheritance is not transitive in the sense that a child can override a parent's policy (if the policy effect allows it), but by default, policies are inherited.
To create a management group, you need the "Management Group Contributor" role at the root level. The root management group itself has special permissions: only Azure AD Global Administrators can elevate their access to become a User Access Administrator at the root. This is a security best practice—limit who can manage the root.
Here's a step-by-step of how inheritance works:
You create a management group called "Contoso" under the root.
You assign an Azure Policy that denies creation of VMs in certain regions to "Contoso".
Under "Contoso", you create child management groups for "Sales" and "Engineering".
You then move existing subscriptions (e.g., "Sales-Sub1", "Engineering-Sub1") into these groups.
The policy assigned to "Contoso" is automatically inherited by "Sales", "Engineering", and all their subscriptions. Any attempt to create a VM in a restricted region will be denied.
If you need to exempt a specific subscription, you can assign an exemption at that subscription level. Exemptions can be for a limited time or permanent, but they must be explicitly created.
Azure Blueprints – What They Are and the Business Problem They Solve
Azure Blueprints are a declarative way to orchestrate the deployment of resource groups, policies, role assignments, and ARM templates. They are not the same as ARM templates—Blueprints are a higher-level abstraction that packages multiple artifacts into a single deployable unit. The key difference is that Blueprints maintain a relationship with the deployed resources, allowing you to track and update the deployment as the blueprint version changes.
The business problem: When you need to create a new subscription that complies with company standards (e.g., must have a specific network topology, must use only certain VM sizes, must have auditing enabled), you could manually configure everything, but that's error-prone and inconsistent. Blueprints allow you to define a repeatable set of configurations that can be assigned to a subscription or management group. Once assigned, the blueprint creates a versioned artifact that Azure monitors for drift.
How Blueprints Work – Mechanism and Components
A blueprint is composed of artifacts. Artifacts can be:
Role assignments: Assign RBAC roles (e.g., Contributor, Owner) to a managed identity or user at the subscription or resource group scope.
Policy assignments: Assign built-in or custom Azure Policy definitions to enforce compliance.
Azure Resource Manager templates (ARM templates): Deploy resources like VMs, storage accounts, or virtual networks.
Resource groups: Define a resource group as part of the blueprint (not all blueprints create resource groups).
When you publish a blueprint, it creates a version number (e.g., 1.0). You can then assign that blueprint version to a subscription or management group. During assignment, you can specify parameters (e.g., location, admin password) and grant the blueprint system-assigned managed identity permissions to deploy the artifacts.
After assignment, Azure Blueprints tracks the deployment. If you later publish a new version (e.g., 2.0), you can update the assignment to the new version. Azure will then apply the changes—adding new artifacts, updating policies, etc. However, it does not automatically delete resources that were removed from the blueprint; you must manually delete those.
Blueprints are stored in a globally distributed, read-only store within Azure. They are scoped to a subscription or management group, and you can export/import them as JSON files.
Key Components and Limits
Management Groups: Up to 10,000 per directory, up to 2,000 children per group, max depth 6 levels (excluding root).
Blueprints: You can have up to 10,000 blueprints per Azure subscription (not per tenant). Each blueprint can have up to 200 artifacts. The maximum size of a single blueprint (including all artifacts) is 2 MB.
Blueprint versions: You can publish up to 200 versions per blueprint.
Comparison to On-Premises Equivalent
In an on-premises environment, managing governance across multiple departments or business units is often done manually or with scripts. For example, you might have a configuration management database (CMDB) that tracks server configurations, but enforcing policies like "no VMs in certain subnets" requires manual audits. Management Groups and Blueprints automate this: policies are enforced at scale, and blueprints ensure every new environment is built exactly to specification, reducing configuration drift.
Azure Portal and CLI Touchpoints
Management Groups in Portal:
Navigate to "Management Groups" in the Azure portal.
You can view the hierarchy, create new groups, move subscriptions, and assign policies/RBAC.
The root management group is shown as "Tenant Root Group".
Management Groups via CLI:
# Create a management group
az account management-group create --name Contoso --display-name "Contoso"
# Add a subscription to a management group
az account management-group subscription add --name Contoso --subscription "Subscription-ID"
# List management groups
az account management-group listBlueprints in Portal:
Navigate to "Blueprints" under "Azure Policy".
You can create a blueprint from scratch or from existing artifacts, publish it, and assign it to a subscription/management group.
The portal shows assigned blueprints and their version history.
Blueprints via CLI:
# Create a blueprint definition
az blueprint create --name MyBlueprint --scope /subscriptions/YourSubID --blueprint-file blueprint.json
# Publish a blueprint version
az blueprint publish --name MyBlueprint --version 1.0 --scope /subscriptions/YourSubID
# Assign a blueprint
az blueprint assignment create --name MyAssignment --scope /subscriptions/YourSubID --blueprint-version-id /subscriptions/YourSubID/providers/Microsoft.Blueprint/blueprints/MyBlueprint/versions/1.0Note: Blueprints are being deprecated in favor of deployment stacks (announced in 2024). However, AZ-900 still covers Blueprints as they are widely used. Deployment stacks offer similar functionality but with better drift detection and management. For the exam, know the basics of Blueprints and that deployment stacks are the newer alternative.
Create a Management Group Hierarchy
Start by creating management groups under the root. You need the 'Management Group Contributor' role at the root level. In the Azure portal, go to 'Management Groups' and click 'Create'. Give it a name and display name. You can create a hierarchy like 'Corporate' > 'Business Units' > 'Departments'. Each level can have its own policies. Behind the scenes, Azure creates a new management group object in the tenant. Limits: up to 10,000 groups per directory, depth max 6 levels. Once created, you can move subscriptions into the group. Moving a subscription requires the 'Contributor' role on both source and target management groups.
Assign Policy and RBAC at Management Group
Select a management group and assign an Azure Policy (e.g., 'Allowed locations'). The policy will be inherited by all child management groups and subscriptions. For RBAC, assign a role like 'Reader' to a user at the management group scope. That user can read all subscriptions under it. Azure Policy inheritance is explicit: if you assign a policy with 'Deny' effect, it cannot be overridden by a child. However, you can create an exemption at a lower scope. RBAC inheritance is additive: permissions from parent and child scopes combine. Note: The root management group has special elevation for Global Admins.
Create an Azure Blueprint Definition
Navigate to 'Blueprints' in the Azure portal. Click 'Create Blueprint' and start from a blank blueprint or use a sample. Add artifacts: role assignments, policy assignments, ARM templates, and resource groups. Define parameters (e.g., location, admin username) that will be filled in during assignment. Each artifact can have its own parameters. Save the blueprint as a draft. The blueprint is stored as a JSON definition in the subscription's blueprint store (global). You can have up to 10,000 blueprints per subscription, each with up to 200 artifacts.
Publish and Assign the Blueprint
Publish the draft blueprint to create a version (e.g., 1.0). Then assign it to a subscription or management group. During assignment, you specify parameter values and grant the blueprint's managed identity permissions (e.g., Contributor) to deploy resources. Azure then deploys all artifacts in the specified order. The assignment creates a lock on the managed resources (unless you disable it). You can monitor the assignment status in the portal. Blueprint assignment is asynchronous; you can view deployment logs. After assignment, the blueprint version is locked to that deployment.
Update and Version Blueprints
To update an assigned blueprint, edit the draft blueprint (e.g., add a new policy), publish a new version (2.0), then update the assignment to use the new version. Azure will apply the changes: it will add new artifacts, update existing ones, but not delete artifacts that were removed (you must manually delete them). You can also unassign a blueprint, which does not delete deployed resources. Versioning is crucial for audit trails. Each published version is immutable. You can export the blueprint as JSON for version control.
Scenario 1: Multinational Corporation with Compliance Requirements
A global company, Contoso Ltd., operates in multiple regions with strict data residency laws. They have hundreds of subscriptions across business units. Without management groups, each subscription would need individual policies to restrict resource creation to approved regions. The cloud governance team creates a management group hierarchy: Root > Geo-Regions (e.g., 'NA', 'EU', 'APAC') > Business Units (e.g., 'Finance', 'HR'). At the 'EU' management group, they assign a policy that denies creation of resources outside EU data centers. This policy automatically applies to all subscriptions under 'EU'. They also assign a custom RBAC role 'Compliance Reader' to the global compliance team at the root, giving them read access to all subscriptions. This setup ensures compliance without per-subscription configuration. A common mistake: assigning policies at the root that are too restrictive, causing global issues. Best practice: use exemptions sparingly and document them.
Scenario 2: Standardized Development Environments with Blueprints
A software company, Fabrikam, needs to spin up new development subscriptions quickly. Each subscription must contain a specific network topology (VNet with subnets), a set of Azure Policies (e.g., no public IPs on VMs), and a role assignment for the DevOps team. They create a blueprint called 'Dev-Environment' that includes an ARM template for the VNet, three policy assignments, and a role assignment. They publish version 1.0 and assign it to each new subscription. When security requirements change (e.g., a new policy requiring encryption), they update the blueprint, publish 2.0, and update all assignments. Azure automatically applies the new policy to existing resources. However, they must manually delete resources that are no longer needed (e.g., an old storage account type). The cost consideration: Blueprints themselves have no cost, but the resources they deploy do. A pitfall: if the managed identity does not have sufficient permissions, the assignment fails. Always grant the blueprint identity 'Contributor' on the target subscription.
Scenario 3: Mergers and Acquisitions – Governance Integration
When a company acquires another, they often inherit existing Azure subscriptions with no consistent governance. Using management groups, the parent company can create a new management group for the acquired company, then move their subscriptions into it. They can then assign corporate policies at the parent management group level, which will be inherited by the acquired subscriptions. However, existing resources may violate the new policies (e.g., resources in disallowed regions). Azure Policy can be set to 'Audit' initially to identify non-compliant resources, then later changed to 'Deny' after remediation. Blueprints can be used to deploy a standardized landing zone for new subscriptions created post-acquisition. This approach minimizes business disruption while enforcing governance.
AZ-900 Objective Code: Describe the core architectural components of Azure
This topic falls under Objective 3.2: 'Describe Azure management and governance'. Specifically, you need to know:
The purpose of management groups (organize subscriptions, apply policy inheritance, manage access at scale).
The purpose of Azure Blueprints (create repeatable, compliant environments using templates, policies, and RBAC).
How inheritance works in management groups (policies and RBAC assignments flow from parent to child).
The difference between Blueprints and ARM templates (Blueprints package multiple artifacts including policies and RBAC, and maintain a versioned relationship).
Common Wrong Answers and Why Candidates Choose Them
"Management groups can contain Azure resources like VMs." – Wrong. Management groups only contain subscriptions and other management groups, not resources. Candidates confuse management groups with resource groups.
"Blueprints are the same as ARM templates." – Partially true but misleading. Blueprints can include ARM templates, but they also include policies and RBAC. The exam tests that Blueprints are a higher-level orchestration tool.
"You can assign a blueprint to a resource group." – Wrong. Blueprints can only be assigned to a subscription or management group. Resource groups are created inside the blueprint as artifacts.
"Management groups are optional; you can manage subscriptions individually." – True but not the best answer when the question asks about governance at scale. The exam expects you to recognize that management groups are the recommended way to manage multiple subscriptions.
Specific Terms and Values That Appear Verbatim
Root management group (also called Tenant Root Group).
Inheritance – policies and RBAC are inherited.
6 levels – maximum depth of management group hierarchy (excluding root).
Up to 10,000 management groups per directory.
Blueprints are versioned and maintain a relationship with deployed resources.
Artifacts – the components of a blueprint (policy assignments, role assignments, ARM templates, resource groups).
Edge Cases and Tricky Distinctions
Management group vs. Azure AD group: Management groups are for organizing subscriptions; Azure AD groups are for user/device management. They are separate.
Blueprint vs. Azure Policy: Azure Policy enforces rules; Blueprints orchestrate the deployment of resources and policies together. A blueprint can include policy assignments, but not vice versa.
Exemptions: You can exempt a subscription from a policy assigned at a management group, but the exemption must be explicit. The exam may test that exemptions are scoped to a specific resource or subscription.
Moving subscriptions: Moving a subscription between management groups can affect policy compliance. If the new parent has different policies, existing resources may become non-compliant.
Memory Trick / Decision Tree
For exam questions asking about governance at scale, use this mental flow: 1. Do you need to organize multiple subscriptions? → Management Groups. 2. Do you need to enforce rules (policies) across many subscriptions? → Management Groups + Azure Policy. 3. Do you need to deploy a consistent environment (resources + policies + roles)? → Blueprints. 4. Do you need to track version changes to that environment? → Blueprints (versioning).
Remember: Management Groups = Hierarchy & Inheritance. Blueprints = Package & Deploy.
Management groups allow you to organize subscriptions into a hierarchy for centralized governance.
Policies and RBAC assignments applied to a management group are inherited by all child subscriptions and groups.
The maximum depth of a management group hierarchy is 6 levels (excluding the root).
Azure Blueprints orchestrate the deployment of ARM templates, policies, and role assignments as a single versioned unit.
Blueprints can only be assigned to a subscription or management group, not directly to a resource group.
Blueprints maintain a relationship with deployed resources, enabling version updates and drift tracking.
The root management group is automatically created for each Azure AD tenant and requires elevated access to manage.
Management Groups and Blueprints are free Azure services (you only pay for resources deployed).
These come up on the exam all the time. Here's how to tell them apart.
Management Groups
Purpose: Organize subscriptions into a hierarchy for policy and RBAC inheritance.
Scope: Can contain subscriptions and other management groups.
Inheritance: Policies and RBAC assigned at a management group flow to all children.
Limits: Up to 10,000 groups, depth up to 6 levels.
Use case: Apply a company-wide policy (e.g., allowed regions) to all subscriptions.
Azure Blueprints
Purpose: Package artifacts (ARM templates, policies, RBAC) into a repeatable deployment unit.
Scope: Assigned to a subscription or management group (not resource group).
Versioning: Blueprints are versioned; assignments can be updated to newer versions.
Limits: Up to 10,000 blueprints per subscription, 200 artifacts per blueprint.
Use case: Deploy a standardized development environment with specific resources and policies.
Mistake
Management groups can contain Azure resources directly.
Correct
Management groups only contain subscriptions and other management groups. Resources are contained in resource groups within subscriptions.
Mistake
Azure Blueprints and ARM templates are the same thing.
Correct
Blueprints are a higher-level abstraction that packages ARM templates, policies, and RBAC assignments. ARM templates only deploy resources. Blueprints maintain a versioned relationship with deployed resources.
Mistake
You can assign a blueprint to a resource group.
Correct
Blueprints can only be assigned to a subscription or a management group. Resource groups are defined as artifacts within the blueprint.
Mistake
Inheritance in management groups works only for policies, not RBAC.
Correct
Both Azure Policy assignments and RBAC role assignments are inherited from parent management groups to child groups and subscriptions.
Mistake
The root management group cannot be modified.
Correct
The root management group exists by default but can be renamed and used to assign policies/RBAC. However, only Azure AD Global Administrators can elevate access to manage it.
A management group is a container for subscriptions that helps you manage access, policies, and compliance across multiple subscriptions. A resource group is a container for resources (like VMs, databases) within a single subscription. Management groups sit above subscriptions; resource groups sit within subscriptions. For AZ-900, remember that management groups organize subscriptions, while resource groups organize resources.
No. Blueprints can only be assigned to a subscription or a management group. However, a blueprint can create resource groups as part of its artifacts. So you can define a resource group inside the blueprint, and when assigned, Azure will create that resource group within the target subscription. This is a common exam trick.
You can create up to 10,000 management groups per Azure AD directory. Each management group can have up to 2,000 child management groups or subscriptions. The hierarchy depth is limited to 6 levels (excluding the root level). These limits are important for the exam.
Azure Policy evaluates existing resources for compliance, but it does not automatically modify them unless the policy effect is 'DeployIfNotExists' or 'Modify'. For 'Deny' policies, they only affect new resource creation or updates. You can use remediation tasks to bring existing resources into compliance. This is a common exam topic.
Yes, both Management Groups and Azure Blueprints are free Azure services. You only pay for the Azure resources you deploy (e.g., VMs, storage). There are no additional charges for using these governance tools. This is often tested as a cost-saving benefit.
Yes, you can move a subscription between management groups. You need 'Contributor' or 'Owner' permissions on both the source and destination management groups. Moving a subscription triggers a re-evaluation of policies; existing resources may become non-compliant if the new parent has stricter policies. The exam may test this scenario.
A draft is an editable blueprint that hasn't been published yet. Once you publish a draft, it becomes a version (e.g., 1.0). Versions are immutable—you cannot change them. You can only edit the draft and publish new versions. Assignments are tied to a specific version. This versioning allows you to track changes over time.
You've just covered Azure Blueprints and Management Groups — now see how well it sticks with free AZ-900 practice questions. Full explanations included, no account needed.
Done with this chapter?