{"id":14444,"date":"2020-07-31T05:29:28","date_gmt":"2020-07-31T05:29:28","guid":{"rendered":"https:\/\/www.testpreptraining.com\/tutorial\/?page_id=14444"},"modified":"2022-04-08T11:00:10","modified_gmt":"2022-04-08T11:00:10","slug":"explaining-the-hierarchy-of-azure-management-groups-and-subscriptions","status":"publish","type":"page","link":"https:\/\/www.testpreptraining.ai\/tutorial\/explaining-the-hierarchy-of-azure-management-groups-and-subscriptions\/","title":{"rendered":"Explaining the hierarchy of Azure management groups and subscriptions"},"content":{"rendered":"\n<p><a href=\"https:\/\/www.testpreptraining.ai\/tutorial\/exam-az-304-microsoft-azure-architect-design\/\" target=\"_blank\" rel=\"noreferrer noopener\">Go back to AZ-304 Tutorials<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"> <strong>AZ-304 exam is retired. <a href=\"https:\/\/www.testpreptraining.ai\/designing-microsoft-azure-infrastructure-solutions-az-305\" target=\"_blank\" rel=\"noreferrer noopener\">AZ-305<\/a>\u00a0replacement is available.<\/strong> <\/h2>\n\n\n\n<p>In this article, we will learn about ways to efficiently manage access, policies, and compliance for your Azure subscriptions. We will also look at Azure management groups and how they organize subscriptions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Hierarchy of management groups and subscriptions<\/strong><\/h3>\n\n\n\n<p>To organize resources into a hierarchy for unified policy and access management, you can build a flexible structure of management groups and subscriptions. The diagram below shows an example of creating a hierarchy for governance using management groups. For example, you can create a hierarchy that applies a policy. This policy is inherited by all the Enterprise Agreement (EA) subscriptions that are descendants of that management group. 
The policy also applies to all VMs under those subscriptions.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2020\/07\/az304-hierarchy-1.png\" alt=\"Azure management group and subscriptions\" class=\"wp-image-14457\" width=\"744\" height=\"450\" srcset=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2020\/07\/az304-hierarchy-1.png 974w, https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2020\/07\/az304-hierarchy-1-661x400.png 661w\" sizes=\"auto, (max-width: 744px) 100vw, 744px\" \/><figcaption>Image Source: Microsoft<\/figcaption><\/figure><\/div>\n\n\n\n<h6 class=\"wp-block-heading\"><strong>Facts about management groups<\/strong><\/h6>\n\n\n\n<ul class=\"wp-block-list\"><li>Firstly, there can be 10,000 management groups in a single directory.<\/li><li>Secondly, a management group tree can support up to six levels of depth.<\/li><li>Thirdly, each management group and subscription can only support one parent, while each management group can have many children.<\/li><li>Lastly, all subscriptions and management groups are within a single hierarchy in each directory.&nbsp;<\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Root management group for each directory<\/strong><\/h4>\n\n\n\n<p>Every directory has a single top-level management group called the &#8220;Root&#8221; management group. The root management group is built into the hierarchy so that all management groups and subscriptions fold up to it. It allows global policies and Azure role assignments to be applied at the directory level. 
However, the Azure AD Global Administrator initially needs to elevate themselves to the User Access Administrator role of this root group.&nbsp;<\/p>\n\n\n\n<h6 class=\"wp-block-heading\"><strong>Facts about the Root management group<\/strong><\/h6>\n\n\n\n<ul class=\"wp-block-list\"><li>Firstly, by default, the root management group&#8217;s display name is Tenant root group. The ID is the Azure Active Directory ID.<\/li><li>Secondly, to change the display name, your account should be assigned the Owner or Contributor role on the root management group.<\/li><li>Thirdly, the root management group cannot be moved or deleted, unlike other management groups.<\/li><li>Fourthly, all subscriptions and management groups fold up to the one root management group within the directory. All resources in the directory also fold up to the root management group for global management.<\/li><li>Lastly, all Azure customers can see the root management group, but not all customers have access to manage that root management group.<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><a href=\"https:\/\/www.testpreptraining.ai\/microsoft-azure-architect-design-az-304-free-practice-test\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" width=\"961\" height=\"150\" src=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2020\/08\/AZ-304-practice-tests-3.png\" alt=\"AZ-304 Practice tests\" class=\"wp-image-18182\" srcset=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2020\/08\/AZ-304-practice-tests-3.png 961w, https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2020\/08\/AZ-304-practice-tests-3-750x117.png 750w\" sizes=\"auto, (max-width: 961px) 100vw, 961px\" \/><\/a><\/figure><\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Trouble seeing all subscriptions<\/strong><\/h4>\n\n\n\n<p>You should know that a few directories that started using management 
groups could see an issue where not all the subscriptions were within the hierarchy. The process of placing all subscriptions in the hierarchy was put in place after a role or policy assignment was made on the root management group in the directory.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\"><strong>Resolving the issue<\/strong><\/h5>\n\n\n\n<p>There are two options for resolving this issue.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\"><strong>Removing all Role and Policy assignments from the root management group<\/strong><\/h6>\n\n\n\n<p>If you remove all policy and role assignments from the root management group, the service will backfill all subscriptions into the hierarchy during the next overnight cycle. With this process, no access or policy assignment is accidentally given to all of the tenant&#8217;s subscriptions. The best way to do this without impacting services is to apply the role or policy assignments one level below the Root management group, which allows you to remove all assignments from the root scope.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\"><strong>Calling the API directly to start the backfill process<\/strong><\/h6>\n\n\n\n<p>Customers in the directory can call the TenantBackfillStatusRequest or StartTenantBackfillRequest APIs. When the StartTenantBackfillRequest API is called, it kicks off the initial setup process of moving all the subscriptions into the hierarchy. This process also starts enforcing that every new subscription is a child of the root management group. The process can be done without changing any assignments on the root level. 
By calling the API, you&#8217;re saying it&#8217;s okay that any policy or access assignment on the root can be applied to all subscriptions.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Issues with the role definition and assignment hierarchy path<\/strong><\/h4>\n\n\n\n<p>A role definition can be defined on a parent management group while the actual role assignment exists on the child subscription. Since there&#8217;s a relationship between the two items, you&#8217;ll receive an error when trying to separate the assignment from its definition.<\/p>\n\n\n\n<p>The picture below shows a small section of a hierarchy as a visual.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2020\/07\/root-management-group-1.png\" alt=\"Azure management group hierarchy path\" class=\"wp-image-14454\" width=\"455\" height=\"401\" srcset=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2020\/07\/root-management-group-1.png 718w, https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2020\/07\/root-management-group-1-454x400.png 454w\" sizes=\"auto, (max-width: 455px) 100vw, 455px\" \/><figcaption>Image Source: Microsoft<\/figcaption><\/figure><\/div>\n\n\n\n<p>Let&#8217;s assume that there&#8217;s a custom role defined in the Marketing management group, and that custom role is then assigned on the two free trial subscriptions. If we try to move one of those subscriptions to be a child of the Production management group, this move would break the path from the subscription role assignment to the Marketing management group role definition. In this situation, you&#8217;ll receive an error saying the move is not allowed because it would break this relationship. 
There are various options for fixing this scenario, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Firstly, removing the role assignment from the subscription before moving the subscription to a new parent management group.<\/li><li>Secondly, adding the subscription to the Role Definition&#8217;s assignable scope.<\/li><li>Thirdly, changing the assignable scope within the role definition.&nbsp;<\/li><li>Lastly, creating an additional Custom Role that will be defined in the other branch.&nbsp;<\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Moving management groups and subscriptions<\/strong><\/h4>\n\n\n\n<p>To move a management group or subscription to be a child of another management group, three rules need to evaluate as true.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Firstly, management group write and Role Assignment write permissions on the child subscription or management group.<\/li><li>Secondly, management group write access on the target parent management group.<\/li><li>Thirdly, management group write access on the existing parent management group.<\/li><\/ul>\n\n\n\n<p>However, if the Owner role on the subscription is inherited from the current management group, your move targets are limited. You can only move the subscription to another management group where you have the Owner role. You can&#8217;t move it to a management group where you&#8217;re a contributor because you would lose ownership of the subscription. 
If you&#8217;re directly assigned to the Owner role for the subscription, then you can move it to any management group where you&#8217;re a contributor.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><a href=\"https:\/\/www.testpreptraining.ai\/microsoft-azure-architect-design-az-304-practice-exam\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" width=\"961\" height=\"150\" src=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2020\/07\/Az-304-online-course-19.png\" alt=\"Azure Management group in AZ-304 Online Course\" class=\"wp-image-14452\" srcset=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2020\/07\/Az-304-online-course-19.png 961w, https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2020\/07\/Az-304-online-course-19-750x117.png 750w\" sizes=\"auto, (max-width: 961px) 100vw, 961px\" \/><\/a><\/figure><\/div>\n\n\n\n<p class=\"has-text-align-right\"><strong>Reference:<\/strong> <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/governance\/management-groups\/overview\" target=\"_blank\">Microsoft Documentation<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.testpreptraining.ai\/tutorial\/exam-az-304-microsoft-azure-architect-design\/\" target=\"_blank\" rel=\"noreferrer noopener\">Go back to AZ-304 Tutorials<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Go back to AZ-304 Tutorials AZ-304 exam is retired. AZ-305\u00a0replacement is available. In this article, we will learn about ways to efficiently manage access, policies, and compliance for those subscriptions. Moreover, we will understand the Azure management groups and organizing subscriptions. 
Hierarchy of management groups and subscriptions For organizing resources into a hierarchy for unified&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"categories":[],"tags":[],"class_list":["post-14444","page","type-page","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Explaining the hierarchy of Azure management groups and subscriptions<\/title>\n<meta name=\"description\" content=\"Enhance your knowledge by understanding about Azure management groups hierarchy using Microsoft Azure AZ-304 online course and practice exam Now!\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.testpreptraining.ai\/tutorial\/explaining-the-hierarchy-of-azure-management-groups-and-subscriptions\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Explaining the hierarchy of Azure management groups and subscriptions\" \/>\n<meta property=\"og:description\" content=\"Enhance your knowledge by understanding about Azure management groups hierarchy using Microsoft Azure AZ-304 online course and practice exam Now!\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.testpreptraining.ai\/tutorial\/explaining-the-hierarchy-of-azure-management-groups-and-subscriptions\/\" \/>\n<meta property=\"og:site_name\" content=\"Testprep Training Tutorials\" \/>\n<meta property=\"article:modified_time\" content=\"2022-04-08T11:00:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2020\/07\/az304-hierarchy-1.png\" \/>\n<meta name=\"twitter:card\" 
content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/explaining-the-hierarchy-of-azure-management-groups-and-subscriptions\/\",\"url\":\"https:\/\/www.testpreptraining.ai\/tutorial\/explaining-the-hierarchy-of-azure-management-groups-and-subscriptions\/\",\"name\":\"Explaining the hierarchy of Azure management groups and subscriptions\",\"isPartOf\":{\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#website\"},\"datePublished\":\"2020-07-31T05:29:28+00:00\",\"dateModified\":\"2022-04-08T11:00:10+00:00\",\"description\":\"Enhance your knowledge by understanding about Azure management groups hierarchy using Microsoft Azure AZ-304 online course and practice exam Now!\",\"breadcrumb\":{\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/explaining-the-hierarchy-of-azure-management-groups-and-subscriptions\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.testpreptraining.ai\/tutorial\/explaining-the-hierarchy-of-azure-management-groups-and-subscriptions\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/explaining-the-hierarchy-of-azure-management-groups-and-subscriptions\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.testpreptraining.ai\/tutorial\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Explaining the hierarchy of Azure management groups and subscriptions\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#website\",\"url\":\"https:\/\/www.testpreptraining.ai\/tutorial\/\",\"name\":\"Testprep Training 
Tutorials\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.testpreptraining.ai\/tutorial\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#organization\",\"name\":\"Testprep Training\",\"url\":\"https:\/\/www.testpreptraining.ai\/tutorial\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.testpreptraining.com\/tutorial\/wp-content\/uploads\/2020\/07\/tpt-logo-6.png\",\"contentUrl\":\"https:\/\/www.testpreptraining.com\/tutorial\/wp-content\/uploads\/2020\/07\/tpt-logo-6.png\",\"width\":583,\"height\":153,\"caption\":\"Testprep Training\"},\"image\":{\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Explaining the hierarchy of Azure management groups and subscriptions","description":"Enhance your knowledge by understanding about Azure management groups hierarchy using Microsoft Azure AZ-304 online course and practice exam Now!","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.testpreptraining.ai\/tutorial\/explaining-the-hierarchy-of-azure-management-groups-and-subscriptions\/","og_locale":"en_US","og_type":"article","og_title":"Explaining the hierarchy of Azure management groups and subscriptions","og_description":"Enhance your knowledge by understanding about Azure management groups hierarchy using Microsoft Azure AZ-304 online course and practice exam Now!","og_url":"https:\/\/www.testpreptraining.ai\/tutorial\/explaining-the-hierarchy-of-azure-management-groups-and-subscriptions\/","og_site_name":"Testprep Training Tutorials","article_modified_time":"2022-04-08T11:00:10+00:00","og_image":[{"url":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2020\/07\/az304-hierarchy-1.png"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/explaining-the-hierarchy-of-azure-management-groups-and-subscriptions\/","url":"https:\/\/www.testpreptraining.ai\/tutorial\/explaining-the-hierarchy-of-azure-management-groups-and-subscriptions\/","name":"Explaining the hierarchy of Azure management groups and subscriptions","isPartOf":{"@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#website"},"datePublished":"2020-07-31T05:29:28+00:00","dateModified":"2022-04-08T11:00:10+00:00","description":"Enhance your knowledge by understanding about Azure management groups hierarchy using Microsoft Azure AZ-304 online course and practice exam Now!","breadcrumb":{"@id":"https:\/\/www.testpreptraining.ai\/tutorial\/explaining-the-hierarchy-of-azure-management-groups-and-subscriptions\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.testpreptraining.ai\/tutorial\/explaining-the-hierarchy-of-azure-management-groups-and-subscriptions\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/explaining-the-hierarchy-of-azure-management-groups-and-subscriptions\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.testpreptraining.ai\/tutorial\/"},{"@type":"ListItem","position":2,"name":"Explaining the hierarchy of Azure management groups and subscriptions"}]},{"@type":"WebSite","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#website","url":"https:\/\/www.testpreptraining.ai\/tutorial\/","name":"Testprep Training Tutorials","description":"","publisher":{"@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.testpreptraining.ai\/tutorial\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#organization","name":"Testprep Training","url":"https:\/\/www.testpreptraining.ai\/tutorial\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#\/schema\/logo\/image\/","url":"https:\/\/www.testpreptraining.com\/tutorial\/wp-content\/uploads\/2020\/07\/tpt-logo-6.png","contentUrl":"https:\/\/www.testpreptraining.com\/tutorial\/wp-content\/uploads\/2020\/07\/tpt-logo-6.png","width":583,"height":153,"caption":"Testprep Training"},"image":{"@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages\/14444","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/comments?post=14444"}],"version-history":[{"count":4,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages\/14444\/revisions"}],"predecessor-version":[{"id":54371,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages\/14444\/revisions\/54371"}],"wp:attachment":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/media?parent=14444"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/categories?post=14444"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/tags?post=14444"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}