Azure Management Groups

Azure Management Groups provide a governance scope above subscriptions, allowing you to efficiently manage access, policies, and compliance for multiple Azure subscriptions. They help you organize your resources into a hierarchy for unified policy and access management, making it easier to apply governance controls at scale.


image

Core Functionality

Management Groups (MGs) are hierarchical containers in Azure used to organize subscriptions and apply governance at scale. They allow enterprises to assign policies, RBAC, and budgets across multiple subscriptions in a structured, repeatable way.

In this architecture, MGs reflect both functional roles (e.g., Platform, Corp Workloads, Internet-Facing) and organizational boundaries (e.g., Business Units, SDLC environments).


Governance via MGs

  • Policies assigned at the MG level cascade to all child subscriptions, ensuring consistent enforcement.
  • RBAC Delegation: Role assignments can be scoped to MGs, enabling BU leads to manage their environments independently.
  • Budget & Cost Management: Budgets and cost alerts can be scoped to MGs, supporting chargeback and FinOps practices.
  • Security Posture: Defender for Cloud and Sentinel can be scoped to MGs for targeted threat detection and compliance tracking.

Management Group Benefits

  • Modularity: Logical separation of platform and workload domains
  • Clarity: Easier to visualize and manage governance boundaries
  • Flexibility: Supports SDLC layering, BU autonomy, and hybrid scenarios
  • Control: Centralized policy enforcement with scoped exceptions
  • Scalability: Ready for multi-region, multi-team, multi-environment growth

Azure Management Group Policy Matrix for App Landing Zones

This table lists example policies that could be applied at the MG level for the different application landing zones. They differ by security posture: corporate workloads have different requirements from internet-facing workloads.

| Policy Area | Corp Workloads MG | Internet-Facing MG | Sandbox MG |
|---|---|---|---|
| Public IP Control | ❌ Deny public IPs on all resources | ✅ Allow scoped public IPs (App Gateway, Front Door) with justification | ⚠️ Allow public IPs with alerting only |
| Private Endpoints | ✅ Require private endpoints for PaaS (Storage, SQL, Web Apps) | ⚠️ Optional, but recommended for backend services | ❌ Not enforced |
| NSG Enforcement | ✅ Require NSGs on all subnets | ✅ Require NSGs on public-facing subnets | ⚠️ Optional |
| Route Table Enforcement | ✅ Require route tables with default route to vWAN hub | ✅ Require route tables for inspection and egress control | ❌ Not enforced |
| Firewall/WAF Enforcement | ⚠️ Optional (traffic already routed through hub firewall) | ✅ Require Azure Firewall or WAF for ingress | ❌ Not enforced |
| Diagnostic Settings | ✅ Mandatory: send logs to central Log Analytics workspace | ✅ Mandatory: send logs to central Log Analytics workspace | ⚠️ Optional, with reminders |
| Tagging Requirements | ✅ Require tags: Owner, Environment, CostCenter, AppName | ✅ Same as Corp | ⚠️ Recommend tags, not enforced |
| Backup Policy | ✅ Enforce backup on VMs, SQL, and critical resources | ✅ Enforce backup on public-facing stateful resources | ❌ Not enforced |
| Defender for Cloud | ✅ Enable Defender plans for VMs, SQL, Storage, App Services | ✅ Enable Defender plans with external threat detection | ⚠️ Optional |
| RBAC & PIM | ✅ Require PIM for Owner/Contributor roles | ✅ Same as Corp | ⚠️ Optional |
| Allowed Locations/SKUs | ✅ Restrict to approved regions and VM SKUs | ✅ Same as Corp | ⚠️ Relaxed for experimentation |
| Resource Locks | ✅ Require locks on critical resources | ✅ Same as Corp | ❌ Not enforced |
| Policy Exemptions | ❌ No exemptions without central approval | ⚠️ Scoped exemptions allowed with justification | ✅ Exemptions allowed for experimentation |
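
As an added example (not from the original page), the Public IP Control row above can be implemented as a single parameterised Azure Policy definition whose effect is chosen per management group at assignment time: Deny for the Corp Workloads MG, Audit for the Sandbox MG. The Bicep below deploys at management group scope; the resource names and the management group identifiers in the deployment command are assumptions.

```bicep
// Deployed at MG scope, e.g.:
//   az deployment mg create --location <region> --management-group-id <corp-mg-id> \
//     --template-file main.bicep --parameters publicIpEffect=Deny
// Repeat for the Sandbox MG with publicIpEffect=Audit (alerting only, no block).
targetScope = 'managementGroup'

@description('Effect applied in this MG: Deny (Corp), Audit (Sandbox) or Disabled.')
@allowed(['Audit', 'Deny', 'Disabled'])
param publicIpEffect string = 'Deny'

// One custom definition; the effect is a parameter so the same rule serves every MG.
// Name and displayName are constructed for this example.
resource publicIpPolicy 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'lz-public-ip-control'
  properties: {
    displayName: 'Public IP control for landing zones'
    policyType: 'Custom'
    mode: 'All'
    parameters: {
      effect: {
        type: 'String'
        allowedValues: ['Audit', 'Deny', 'Disabled']
        defaultValue: 'Deny'
      }
    }
    policyRule: {
      // Match any public IP resource; the effect decides whether it is blocked or only flagged.
      if: {
        field: 'type'
        equals: 'Microsoft.Network/publicIPAddresses'
      }
      then: {
        effect: '[parameters(\'effect\')]'
      }
    }
  }
}

// Assignment at this MG cascades to every child MG and subscription beneath it.
resource publicIpAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'lz-public-ip-control'
  properties: {
    displayName: 'Public IP control (${publicIpEffect})'
    policyDefinitionId: publicIpPolicy.id
    enforcementMode: 'Default'
    parameters: {
      effect: { value: publicIpEffect }
    }
  }
}
```

The Internet-Facing MG's "scoped public IPs with justification" is not expressed in this rule; it would be handled as a policy exemption for the App Gateway or Front Door resources, in line with the Policy Exemptions row. Compliance results for the Audit assignment surface in the Azure Policy compliance view rather than as a deployment failure.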

Azure Management Group Policy Matrix – Platform Landing Zones

| Policy Area | Identity | Connectivity | Management | Security |
|---|---|---|---|---|
| Public IP Control | ❌ Deny all | ⚠️ Allow only for VPN/ER Gateways | ❌ Deny | ⚠️ Allow scoped (e.g., Bastion, App GW) |
| Private Endpoints | ✅ Require for PaaS services | ✅ Require for hub services | ✅ Require for monitoring/storage | ✅ Require for shared PaaS (Key Vault, SQL) |
| NSG Enforcement | ✅ Mandatory on all subnets | ✅ Mandatory on hub/spoke links | ✅ Mandatory on monitoring subnets | ✅ Mandatory for service subnets |
| Route Table Enforcement | ❌ Not applicable | ✅ Require default route to hub FW/vWAN | ⚠️ Optional (mgmt plane only) | ✅ Require for service isolation |
| Firewall/WAF | ❌ Not applicable | ✅ Require Azure Firewall in hub | ❌ Not enforced | ⚠️ Optional (depends on service exposure) |
| Diagnostic Settings | ✅ Mandatory → central Log Analytics | ✅ Mandatory → central Log Analytics | ✅ Mandatory → central Log Analytics | ✅ Mandatory → central Log Analytics |
| Tagging Requirements | ✅ Require: Owner, Env, CostCenter | ✅ Same as Identity | ✅ Same as Identity | ✅ Same as Identity |
| Backup Policy | ❌ Not applicable | ❌ Not applicable | ✅ Enforce backup on monitoring infra | ✅ Enforce backup on stateful services |
| Defender for Cloud | ✅ Enable for identity services | ✅ Enable for networking resources | ✅ Enable for monitoring resources | ✅ Enable for shared services |
| RBAC & PIM | ✅ Require PIM for all privileged roles | ✅ Require PIM for network admins | ✅ Require PIM for ops admins | ✅ Require PIM for service admins |
| Allowed Locations/SKUs | ✅ Restrict to approved regions | ✅ Restrict to approved regions | ✅ Restrict to approved regions | ✅ Restrict to approved regions |
| Resource Locks | ✅ Critical identity resources | ✅ Hub networking resources | ✅ Monitoring infra | ✅ Shared service infra |
| Policy Exemptions | ❌ No exemptions | ⚠️ Scoped exemptions with approval | ⚠️ Scoped exemptions with approval | ⚠️ Scoped exemptions with approval |

  • Identity MG → Protects Entra ID–integrated services, identity security, and privileged access
  • Connectivity MG → Governs hub networking, hybrid connectivity, and traffic inspection
  • Management MG → Covers monitoring, logging, backup, and operational tooling
  • Security MG → Hosts central services like Azure Sentinel and MSFT Defender