Home Azure Fundamentals Azure Management Groups
Last updated: May 2026
Azure Fundamentals Beginner AZ-900 ⏱ 10 min read

Azure Management Groups

When a company grows to 5, 10, or 50 Azure subscriptions, managing policies and access controls across each one individually becomes unmanageable. Azure Management Groups solve this — they sit above subscriptions and let you apply governance, policies, and access controls across multiple subscriptions in one action. If subscriptions are departments, Management Groups are the company hierarchy above them.

What you'll learn What Management Groups are and why they exist · The Root Management Group · How to build a Management Group hierarchy · How policies and RBAC inherit through the hierarchy · Management Group limits · Real-world hierarchy examples · Best practices
Table of Contents
  1. What Are Management Groups?
  2. The Root Management Group
  3. Building a Hierarchy
  4. Policy and RBAC Inheritance
  5. Management Group Limits
  6. Real-World Hierarchy Example
  7. Creating Management Groups
  8. Best Practices
  9. Practice Questions

What Are Management Groups?

Azure Management Groups are containers that sit above subscriptions in the Azure hierarchy. They allow you to organise multiple subscriptions and apply governance at scale — a policy or role assigned to a Management Group automatically applies to all subscriptions beneath it.

ℹ️
The Problem They Solve Imagine a company with 20 subscriptions — one per team. They need to enforce a policy: "No resources can be deployed outside India." Without Management Groups, you'd have to apply that policy 20 times — once per subscription. With a Management Group, you apply it once at the top and all 20 subscriptions inherit it automatically.

The Root Management Group

Every Azure Active Directory (Entra ID) tenant has exactly one Root Management Group — automatically created by Azure. All subscriptions and management groups ultimately sit under this root.

⚠️
Root Group = Maximum Scope Any policy or role assigned to the Root Management Group applies to every subscription and every resource in your entire Azure environment. Be extremely careful about what you apply at the root level. Most governance should be applied at a child Management Group, not the root.

Building a Hierarchy

You can create up to 6 levels of Management Groups beneath the Root (not counting the Root itself). This gives you enormous flexibility to model your organisation's structure.

A typical enterprise hierarchy might look like this:

Structure Example Management Group hierarchy 
Root Management Group
├── Production MG
│   ├── Production-India Subscription
│   └── Production-US Subscription
├── Non-Production MG
│   ├── Dev Subscription
│   └── Test Subscription
└── Shared Services MG
    └── Shared Infrastructure Subscription

Policy and RBAC Inheritance

This is the most important concept in Management Groups — inheritance. Anything you apply at a Management Group level automatically cascades down to all children.

Applied AtAffects
Root Management GroupAll Management Groups, all Subscriptions, all Resource Groups, all Resources
Production MGAll subscriptions and resources under Production MG only
SubscriptionAll Resource Groups and Resources within that subscription
Resource GroupAll Resources within that Resource Group
💡
Real Example — Policy Inheritance Apply an Azure Policy to the "Production MG" that says "Virtual Machines must use Managed Disks." This policy automatically enforces on all VMs created in Production-India and Production-US subscriptions, without you touching either subscription.

RBAC Inheritance

Role assignments also inherit. If you assign the "Reader" role to a security team at the "Production MG" level, they can read all resources in both Production subscriptions — without needing separate role assignments in each subscription.

Management Group Limits

LimitValue
Management Groups per tenant10,000
Levels of depth (excluding Root)6
Subscriptions or MGs per Management GroupUnlimited
Root Management Groups per tenant1 (always)

Real-World Hierarchy Example

Here's how a mid-sized Indian technology company might structure their Azure environment:

Structure TechCorp India — Azure Hierarchy 
TechCorp Root MG
│   Policy: "All resources must be in India regions"
│   Policy: "MFA required for all users"
│
├── Production MG
│   Policy: "No public IP addresses on VMs"
│   Policy: "Azure Defender must be enabled"
│   │
│   ├── TechCorp-Production Subscription
│   │   ├── rg-ecommerce-prod
│   │   └── rg-api-prod
│   │
│   └── TechCorp-DataPlatform Subscription
│       └── rg-datawarehouse-prod
│
├── Non-Production MG
│   Policy: "Auto-shutdown VMs at 8 PM"
│   Policy: "Dev/Test VM sizes only"
│   │
│   ├── TechCorp-Dev Subscription
│   └── TechCorp-Test Subscription
│
└── Shared Services MG
    └── TechCorp-Shared Subscription
        ├── rg-networking-shared
        └── rg-monitoring-shared

Notice how policies cascade. The "All resources must be in India regions" policy at the Root applies to every subscription — production, dev, test, and shared. The "No public IP" policy only applies to Production. Dev gets a cost-saving "auto-shutdown" policy that production doesn't have.

Creating Management Groups

Azure CLI Create a Management Group 
# Create a top-level management group
az account management-group create \
  --name "Production-MG" \
  --display-name "Production"

# Create a child management group under an existing one
az account management-group create \
  --name "Production-India-MG" \
  --display-name "Production India" \
  --parent "Production-MG"

# Move a subscription into a management group
az account management-group subscription add \
  --name "Production-MG" \
  --subscription "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

Best Practices

  • Model your org structure — Mirror your company's business units or environment structure in Management Groups
  • Apply root-level policies sparingly — Only truly universal policies belong at the root (e.g., MFA requirement, allowed regions)
  • Separate production from non-production — Always have distinct Production and Non-Production Management Groups
  • Use a Shared Services MG — Networking, monitoring, and shared infrastructure subscriptions should have their own group
  • Don't go too deep — 3–4 levels is usually sufficient. Deeper hierarchies become hard to understand and audit.
  • Document your hierarchy — Keep an up-to-date diagram of your Management Group structure for new team members
💡
AZ-900 Exam Tip Know that Management Groups sit above Subscriptions in the hierarchy, that the Root Management Group exists by default for every tenant, that up to 6 levels of depth are supported, and that policies and RBAC roles assigned to a Management Group cascade to all child subscriptions.
📝 Practice Questions
Click an option to check your answer. AZ-900 style questions.
Q1. What is the primary purpose of Azure Management Groups?
A To organise individual resources like VMs and storage accounts
B To apply governance and policies across multiple subscriptions at scale
C To consolidate billing for multiple subscriptions into one invoice
D To group Azure data centres by geography
Q2. How many Root Management Groups can a single Azure tenant have?
A 1
B One per subscription
C Up to 10
D Unlimited
Q3. A company applies an Azure Policy at the Root Management Group level. Which resources does this policy affect?
A Only resources in the subscription directly under the Root
B Only Management Groups that don\'t have their own policies
C All subscriptions, resource groups, and resources in the entire tenant
D Only subscriptions where the policy is manually assigned
Q4. What is the maximum number of levels of Management Group depth (excluding the Root) supported in Azure?
A 3
B 6
C 10
D Unlimited
Q5. A security team needs read-only access to all resources across 15 production subscriptions. What is the most efficient way to grant this?
A Assign the Reader role on each of the 15 subscriptions individually
B Assign the Reader role at the Production Management Group level
C Assign the Reader role at the Root Management Group
D Assign the Reader role on each Resource Group in each subscription
Related Topics
Azure Fundamentals Azure Subscriptions Azure Fundamentals Azure Resource Groups Azure Fundamentals Azure Arc
← Previous Azure Subscriptions
Comments
Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with, endorsed by, or officially connected to Microsoft Corporation. All product names, logos, and trademarks are property of their respective owners. Content is written independently for educational purposes only.