Management Groups
We use Management Groups in Azure to segregate permissions by environment. In our basic setup we have the following management groups:
Structure
The Tenant Root Group is the existing root group of the tenant. We do not want to interfere with any other resources the customer may have, or with their future ambitions, so we create a PGT Root management group and build our structure underneath it. Beneath PGT Root we have two groups: Workloads (for any Production, Staging or Development resources) and Shared Services (for Connectivity and Management resources).
Subscriptions are then placed under the management groups defined for their resources, as shown in the diagram above. Subscriptions are always placed at the bottom of the management group tree, so that their resources receive the correct policies and remain access-segregated from other management groups and subscriptions. A single management group can also hold more than one subscription.
Access Management
We prefer to assign permissions to Azure Entra ID groups at the management group level. This simplifies granting permissions and ensures that each group receives the permissions appropriate to the management group its Azure Entra ID group is assigned to. Each permission package can be tailored to the group it is intended for, instead of granting very granular access to individual resources at the user or group level.
Policies
Policies are assigned to management groups to enforce a set of constraints on all resources beneath the management group they are assigned to. A policy can either restrict the actions that may be taken or report on how well the configuration adheres to best practices.
Default Policies
We assign the following three policies by default on the PGT Root management group that we create:
Allowed Locations: Limits the locations in which resources can be created. The list is set after consulting the customer on which Azure regions they want to be present in.
CIS Microsoft Azure Foundations Benchmark: Reports which resources are compliant with this benchmark.
Microsoft Cloud Security Benchmark: Reports which resources are compliant with this benchmark.
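The Structure, Access Management and Policies sections above all rely on inheritance down the management group tree: a subscription at the bottom of the tree picks up every policy and every group role assignment from the management groups above it. The script below is an added example, not part of this page or of any PGT tooling. It walks a hand-written hierarchy (constructed sample data, loosely shaped like the JSON that `az account management-group show --expand --recurse` returns, but not real tenant output), checks that no subscription sits beside a child management group, computes the effective policies and group role assignments for a subscription, and confirms the three default policies are present on PGT Root. The policy "Deny public IPs" and the group names are hypothetical values chosen for the sample.

```python
"""Check a management-group hierarchy against the layout described on this page.

Added example with constructed sample data; the tree shape loosely follows
`az account management-group show --expand --recurse` output but is hand-written
so the script runs offline.
"""

MG = "Microsoft.Management/managementGroups"   # management group node type
SUB = "/subscriptions"                         # subscription node type

# The three policies the page assigns on PGT Root by default.
DEFAULT_POLICIES = [
    "Allowed Locations",
    "CIS Microsoft Azure Foundations Benchmark",
    "Microsoft Cloud Security Benchmark",
]

# Constructed sample hierarchy (not real tenant data). "Deny public IPs" and the
# grp-* Entra ID group names are hypothetical values for illustration.
TENANT = {
    "name": "Tenant Root Group", "type": MG, "policies": [], "roleAssignments": [],
    "children": [
        {"name": "PGT Root", "type": MG, "policies": list(DEFAULT_POLICIES),
         "roleAssignments": [],
         "children": [
            {"name": "Workloads", "type": MG, "policies": [],
             "roleAssignments": [("grp-workload-contributors", "Contributor")],
             "children": [
                {"name": "Production", "type": MG, "policies": ["Deny public IPs"],
                 "roleAssignments": [("grp-prod-readers", "Reader")],
                 "children": [{"name": "sub-prod-01", "type": SUB}]},
                {"name": "Development", "type": MG, "policies": [], "roleAssignments": [],
                 "children": [{"name": "sub-dev-01", "type": SUB},
                              {"name": "sub-dev-02", "type": SUB}]},
             ]},
            {"name": "Shared Services", "type": MG, "policies": [], "roleAssignments": [],
             "children": [
                {"name": "Connectivity", "type": MG, "policies": [], "roleAssignments": [],
                 "children": [{"name": "sub-connectivity", "type": SUB}]},
                # Deliberately misplaced: parked beside a child management group
                # instead of at the bottom of the tree.
                {"name": "sub-misplaced", "type": SUB},
             ]},
         ]},
    ],
}


def _walk(node, path=()):
    """Yield (node, ancestors) for every node, depth-first."""
    yield node, path
    for child in node.get("children", []):
        yield from _walk(child, path + (node,))


def find_path(tree, name):
    """Return the list of nodes from the tenant root down to the named node."""
    for node, path in _walk(tree):
        if node["name"] == name:
            return list(path) + [node]
    raise KeyError(name)


def effective_policies(tree, sub_name):
    """Policies a subscription inherits, ordered from the tenant root downwards."""
    return [p for anc in find_path(tree, sub_name)
            if anc["type"] == MG for p in anc["policies"]]


def effective_role_assignments(tree, sub_name):
    """(group, role) pairs a subscription inherits from the management groups above it."""
    return [ra for anc in find_path(tree, sub_name)
            if anc["type"] == MG for ra in anc["roleAssignments"]]


def misplaced_subscriptions(tree):
    """Subscriptions whose parent also has child management groups.

    Such a subscription is not at the bottom of the tree, so policies and access
    assigned to its sibling management groups never reach it.
    """
    bad = []
    for node, _ in _walk(tree):
        if node["type"] != MG:
            continue
        kids = node.get("children", [])
        if any(k["type"] == MG for k in kids):
            bad.extend(k["name"] for k in kids if k["type"] == SUB)
    return bad


def missing_default_policies(tree, root_name="PGT Root", required=DEFAULT_POLICIES):
    """Default policies that are not assigned on the PGT Root management group."""
    root = find_path(tree, root_name)[-1]
    return [p for p in required if p not in root["policies"]]


if __name__ == "__main__":
    print("misplaced:", misplaced_subscriptions(TENANT))
    print("sub-prod-01 policies:", effective_policies(TENANT, "sub-prod-01"))
    print("sub-prod-01 access:", effective_role_assignments(TENANT, "sub-prod-01"))
    print("missing on PGT Root:", missing_default_policies(TENANT))
```

To run the same checks against a real tenant, export the hierarchy with the Azure CLI and map its `children` entries onto the `name`, `type` and `children` keys used here; the policy and role assignment lists would come from `az policy assignment list` and `az role assignment list` at each management group scope.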