This chapter covers management groups and subscription governance in Microsoft Azure, a core topic for the SC-900 exam. Management groups provide a hierarchical structure to efficiently manage access, policies, and compliance across multiple subscriptions. Expect approximately 10-15% of exam questions to touch on governance, with management groups being a key component. Understanding how management groups, subscriptions, and Azure Policy interact is essential for designing a compliant cloud environment.
Jump to a section
Imagine a multinational corporation with headquarters (HQ), regional offices, and departments. The HQ sets global policies (e.g., all employees must use multi-factor authentication). Regional offices (like North America, Europe) can add region-specific policies (e.g., Europe must follow GDPR), but cannot override HQ policies. Departments (like Sales, R&D) are created within regions and inherit the combined policies of HQ and their region. Each department has its own budget (subscription) that is governed by these inherited policies. The hierarchy is: HQ (Tenant Root Management Group) → Regions (Child Management Groups) → Departments (Subscriptions). If HQ mandates MFA, all regions and departments inherit it. If Europe adds a data residency policy, only European departments get it. This mirrors Azure's management group hierarchy: policies and RBAC assignments are inherited from parent to child, and subscriptions sit under the lowest management group. The tenant root group is invisible by default but is the top-level container. Just as a regional VP cannot overrule HQ's security policy, a child management group cannot block an inherited Azure Policy. This structure enables centralized governance with decentralized management, crucial for large enterprises.
What Are Management Groups and Why Do They Exist?
Management groups are containers that help you manage access, policy, and compliance for multiple subscriptions. They form a hierarchy that allows you to apply governance at scale. Without management groups, you would have to assign policies and RBAC roles to each subscription individually, which becomes unmanageable in large enterprises with hundreds of subscriptions. Management groups enable you to define a structure that mirrors your organization's operational or business needs, such as by department, geography, or environment (dev/test/prod).
How Management Groups Work
Azure has a single top-level management group called the Tenant Root Group. This group is automatically created when you start using Azure and is the root of the hierarchy. All management groups and subscriptions are children of this root group. You can create up to 10,000 management groups in a single directory. Each management group can have up to 3,000 child management groups (a flat limit, not depth). The maximum depth of the hierarchy is 6 levels (not including the root level). This means you can have up to 6 nested management groups below the root.
When you assign an Azure Policy or RBAC role to a management group, all child management groups, subscriptions, and resources under that group inherit that assignment. Inheritance is blocked if a more specific assignment (e.g., at the subscription or resource group level) denies the policy, but in general, policies and RBAC flow downward. This is similar to Group Policy in Active Directory.
Key Components and Defaults
Management Group ID: A unique identifier within the directory. It is immutable after creation.
Display Name: A friendly name that can be changed.
Parent Management Group: Defines the hierarchy. Changing the parent moves the entire subtree.
Subscription: Can be moved between management groups as long as the target group is not a descendant of the subscription's current group (to prevent circular references).
RBAC assignments: Applied at management group level are inherited by all children. However, RBAC does not flow up.
Azure Policy: Policy assignments at management group level are inherited. Exemptions can be applied at child scopes.
Configuration and Verification
Management groups are managed via the Azure portal, Azure CLI, PowerShell, or REST API. To create a management group using Azure CLI:
az account management-group create \
--name "MyManagementGroup" \
--display-name "My Management Group" \
--parent-id "/"To move a subscription to a management group:
az account management-group subscription add \
--name "MyManagementGroup" \
--subscription "MySubscription"To view the hierarchy:
az account management-group list --expandIn PowerShell:
New-AzManagementGroup -GroupId "MyGroup" -DisplayName "My Group" -ParentId "/"Interaction with Azure Policy and RBAC
Management groups are tightly integrated with Azure Policy and RBAC. When you assign a policy at the management group level, it applies to all subscriptions and resources within that group. For example, if you assign a policy that enforces a specific SKU for virtual machines at the "Production" management group, all VMs in subscriptions under "Production" must comply. This is a powerful way to enforce compliance across an entire department or geography.
RBAC assignments at the management group level grant permissions to manage resources in all child subscriptions. For instance, assigning the "Contributor" role to a security team at the "Corporate IT" management group gives them contributor access to all subscriptions under that group. This eliminates the need to assign roles per subscription.
Common Use Cases
Organizational Alignment: Create management groups for departments like Sales, Marketing, R&D, each containing their subscriptions.
Environment Segmentation: Separate management groups for Production, Development, and Test, with different policies (e.g., no public IP in production).
Geographic Compliance: Create management groups for regions (e.g., EU, US, Asia) and apply region-specific policies like data residency.
Cost Management: Use management groups to aggregate costs and apply budgets at a higher level.
Important Limitations
Management groups can only contain subscriptions; they cannot contain other Azure resources directly.
All management groups and subscriptions must belong to the same Azure AD tenant.
You cannot rename the Tenant Root Group, but you can change its display name.
Deleting a management group requires that it has no children (subscriptions or child management groups).
Moving a subscription to a different management group may take up to 30 minutes for policy inheritance to update.
Subscription Governance
A subscription is a logical container for Azure resources that is associated with an Azure AD tenant. Each subscription has its own limits and quotas, such as 980 resource groups per subscription (default). Subscriptions are billed separately and have their own set of administrators. Governance at the subscription level involves applying policies, RBAC, and resource locks to ensure compliance and security.
Resource Locks prevent accidental deletion or modification of resources. There are two types: CanNotDelete (users can read and modify but not delete) and ReadOnly (users can only read). Locks are inherited from the subscription to all resource groups and resources within. However, locks do not prevent changes made by Azure services or by users with Owner permissions (though Owner is still bound by locks).
Azure Policy can be assigned at the subscription level to enforce rules like allowed locations or required tags. Policies are evaluated during resource creation and update, and can also be audited on existing resources.
Best Practices
Plan your management group hierarchy carefully before creation. Depth is limited to 6 levels, so keep it flat enough for manageability.
Use the Tenant Root Group for global policies that must apply to every subscription.
Avoid assigning RBAC roles at the root group unless absolutely necessary, as it grants permissions across the entire tenant.
Use Azure Policy initiatives (groups of policies) to combine related policies.
Regularly audit policy compliance using Azure Policy's compliance dashboard.
How Management Groups Interact with Azure Blueprints
Azure Blueprints (now deprecated in favor of deployment stacks) allowed you to define a repeatable set of Azure resources and policies. Blueprints could be assigned to management groups or subscriptions. While Blueprints are being phased out, understanding the concept helps: management groups provide the structure, and policies enforce the rules. For the SC-900 exam, focus on management groups and Azure Policy as the primary governance tools.
Plan the hierarchy
Determine the structure of management groups based on your organization's needs. Consider using departments, geographies, or environments. The root group is the top-level container. You can create up to 6 levels of depth. For example: Root -> Geography -> Department -> Environment. Each management group can have up to 3,000 child management groups. Document the naming convention and ensure it aligns with your governance requirements.
Create management groups
Using the Azure portal, CLI, or PowerShell, create the management groups. Specify a unique ID (immutable) and a display name (mutable). Assign a parent management group (default is the root). For example, to create a 'Sales' group under 'Corporate': `az account management-group create --name Sales --display-name "Sales Department" --parent-id /providers/Microsoft.Management/managementGroups/Corporate`. Verify creation with `az account management-group show --name Sales`.
Move subscriptions into groups
Move existing subscriptions into the appropriate management groups. Use the Azure portal or CLI: `az account management-group subscription add --name Sales --subscription MySubscription`. Subscriptions can only have one parent management group. Moving a subscription may take up to 30 minutes for policy inheritance to apply. Ensure the target management group is not a descendant of the subscription (no circular move).
Apply Azure Policies
Assign Azure Policy definitions or initiatives at the management group level. Policies are inherited by all child subscriptions and resource groups. For example, assign a policy that requires all resources to have a 'CostCenter' tag. Use the Azure portal: Policy -> Assignments -> Assign Policy. Select the management group as the scope. Policies are evaluated during resource creation and update. Use the compliance dashboard to monitor adherence.
Assign RBAC roles
Grant permissions to users or groups at the management group level. For example, assign the 'Contributor' role to the 'Sales Admins' group at the 'Sales' management group. This gives them contributor access to all subscriptions under Sales. Use Azure CLI: `az role assignment create --assignee user@contoso.com --role Contributor --scope /providers/Microsoft.Management/managementGroups/Sales`. Roles are inherited downward.
Monitor and audit compliance
Regularly review policy compliance using Azure Policy's compliance dashboard. Check for non-compliant resources and take remediation actions. Use Azure Resource Graph to query resources across management groups. Also, review RBAC assignments to ensure least privilege. Azure Activity Log can track changes to management groups and subscriptions.
Enterprise Scenario 1: Multinational Corporation with Regional Compliance
A global company with operations in North America, Europe, and Asia needs to enforce region-specific data residency laws (e.g., GDPR in Europe). They create a management group hierarchy: Root -> Geography (NA, EU, Asia) -> Department (Sales, R&D, HR). Under each geography, they assign Azure Policies that restrict allowed regions for resource creation. For example, the EU management group has a policy that only allows resources in West Europe and North Europe. Additionally, they assign RBAC roles at the geography level for regional IT teams. This ensures that a developer in Europe cannot accidentally deploy resources in the US. The hierarchy also allows cost aggregation per geography. A common misconfiguration is assigning policies at the root group that conflict with regional policies. The solution is to use policy exemptions at child scopes if needed.
Enterprise Scenario 2: Environment Segmentation for a SaaS Provider
A SaaS provider uses separate subscriptions for development, testing, and production. They create management groups: Root -> Environment (Dev, Test, Prod). The Production management group has strict policies: no public IP addresses, mandatory encryption, and specific VM SKUs. The Dev group has more relaxed policies. The security team is assigned the 'Security Reader' role at the root group to audit all environments. The DevOps team is assigned 'Contributor' at the Dev and Test groups but only 'Reader' at Prod. This setup prevents accidental changes to production. Performance is not an issue because management groups are logical containers with no resource overhead. However, moving a subscription from Dev to Prod requires careful planning because policies change. A common mistake is moving a subscription without updating policies, leading to non-compliant resources.
Scenario 3: Mergers and Acquisitions
After acquiring another company, an organization needs to integrate the new company's subscriptions into their existing management group hierarchy. They create a new management group called 'Acquired' under the root and move the acquired subscriptions into it. They then apply their standard policies (e.g., require MFA, enable Defender for Cloud) at the 'Acquired' group. Over time, they restructure the hierarchy to align with their department structure. This approach minimizes disruption during integration. A pitfall is that the acquired subscriptions may have existing policies that conflict with the parent policies. The solution is to audit and remediate before moving. Also, RBAC assignments need to be cleaned up to avoid excessive permissions.
What SC-900 Tests on Management Groups and Subscription Governance
The SC-900 exam objective 4.1 focuses on 'Describe the capabilities of Microsoft Azure governance tools.' Specifically, you need to understand management groups, subscriptions, resource groups, Azure Policy, and resource locks. Expect questions that ask:
What is the purpose of management groups? (Answer: To manage access, policy, and compliance across multiple subscriptions hierarchically.)
How many levels deep can management groups be? (Answer: 6 levels, not including the root.)
Can you assign RBAC roles at the management group level? (Yes, and they are inherited.)
What is the difference between a management group and a subscription? (Management group is a container for subscriptions; a subscription is a container for resources.)
Common Wrong Answers and Why Candidates Choose Them
'Management groups can contain other management groups and resources directly.' Wrong: They can only contain subscriptions or other management groups. Resources are in subscriptions, not management groups.
'There is no limit to the depth of management groups.' Wrong: The maximum depth is 6 levels. Candidates confuse this with the number of management groups (10,000).
'Resource locks at the subscription level prevent RBAC changes.' Wrong: Resource locks only prevent deletion or modification of resources, not RBAC assignments. Candidates think locks are like a 'super deny'.
'Azure Policy assignments at the management group level cannot be overridden.' Wrong: Exemptions or more specific assignments at lower scopes can override. Candidates think inheritance is absolute.
Specific Numbers and Terms That Appear on the Exam
Maximum management groups per directory: 10,000
Maximum child management groups per parent: 3,000
Maximum hierarchy depth: 6 levels (plus root)
Resource lock types: CanNotDelete, ReadOnly
Default number of resource groups per subscription: 980
Azure Policy can be assigned at management group, subscription, resource group, or resource scope.
Edge Cases and Exceptions
The Tenant Root Group cannot be deleted or moved.
Moving a subscription to a new management group may take up to 30 minutes for policy inheritance to reflect.
If a policy at the management group level is non-compliant, you cannot fix it by assigning a different policy at the subscription level; you must use an exemption.
RBAC assignments at the root group grant permissions across all subscriptions, which is powerful and risky.
How to Eliminate Wrong Answers
If an answer says management groups contain resources, eliminate it.
If an answer says there is no limit on depth or number, eliminate it.
If an answer confuses resource locks with RBAC, remember locks affect the resource plane, not the management plane.
If an answer says policies cannot be overridden, remember exemptions exist.
Management groups enable hierarchical governance for multiple subscriptions, with a maximum depth of 6 levels.
Azure Policy and RBAC assignments at the management group level are inherited by all child subscriptions.
Resource locks (CanNotDelete, ReadOnly) are applied at subscription, resource group, or resource scope to prevent accidental changes.
The Tenant Root Group is the top-level management group and cannot be deleted or moved.
Maximum of 10,000 management groups per directory, each parent can have up to 3,000 children.
Moving a subscription between management groups can take up to 30 minutes for policy updates to propagate.
Azure Policy can be assigned at management group, subscription, resource group, or resource scope.
These come up on the exam all the time. Here's how to tell them apart.
Management Groups
Hierarchical container for subscriptions
Used to apply policies and RBAC at scale
Can have up to 6 levels of nesting
Cannot contain resources directly
Billing is not directly tied to management groups
Subscriptions
Logical container for resource groups and resources
Each subscription has its own billing and limits
Cannot be nested; flat structure
Directly contains resources
Has its own set of administrators
Mistake
Management groups can contain Azure resources like VMs directly.
Correct
Management groups can only contain subscriptions or other management groups. Resources are always placed in resource groups within subscriptions.
Mistake
There is no limit to the number of management groups or depth.
Correct
Maximum of 10,000 management groups per directory, 3,000 children per parent, and 6 levels of depth (excluding root).
Mistake
Resource locks prevent RBAC role assignments.
Correct
Resource locks only prevent delete or modify operations on resources. They do not affect RBAC assignments or permissions.
Mistake
Azure Policy assignments at the management group level cannot be overridden.
Correct
Policies can be overridden by exemptions (audit, disable) or by more specific assignments at lower scopes (e.g., subscription level) that have a different effect.
Mistake
Moving a subscription between management groups is instantaneous.
Correct
It can take up to 30 minutes for policy and RBAC inheritance to update after moving a subscription.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
A management group is a container that organizes subscriptions for governance. It does not contain resources directly. A subscription is a logical container that holds resource groups and resources, and is associated with billing. Management groups sit above subscriptions in the hierarchy. Policies and RBAC assigned to a management group are inherited by its subscriptions.
You can create up to 10,000 management groups per Azure AD directory. Each management group can have up to 3,000 child management groups, and the hierarchy can be up to 6 levels deep (excluding the root group).
Yes, you can assign Azure Policy definitions or initiatives at the management group level. The policy is then inherited by all subscriptions and resource groups under that management group. This allows you to enforce compliance across multiple subscriptions with a single assignment.
Resource locks are applied at the resource or resource group level, not at the subscription level (though you can lock the subscription itself). When you move a subscription to a different management group, the locks on resources and resource groups within the subscription remain unchanged. Only policy and RBAC inheritance from the management group may change.
No, the Tenant Root Group is automatically created and cannot be deleted. However, you can change its display name. It serves as the top-level container for all management groups and subscriptions in the directory.
You can move a subscription using the Azure portal, Azure CLI, or PowerShell. For example, with CLI: `az account management-group subscription add --name "TargetGroup" --subscription "SubscriptionId"`. The move may take up to 30 minutes to fully propagate policy and RBAC changes.
Azure Policy enforces rules on resource properties (e.g., allowed locations, required tags) and can prevent non-compliant resource creation or modification. Resource locks prevent accidental deletion or modification of resources at the resource, resource group, or subscription level, regardless of compliance. Both are governance tools but work differently.
You've just covered Management Groups and Subscription Governance — now see how well it sticks with free SC-900 practice questions. Full explanations included, no account needed.
Done with this chapter?