
Guide to Create a Basic Management Groups & Subscriptions Structure in Microsoft Azure Using Draw.io

  • Writer: Arlan Nugara
  • Aug 13, 2024

Updated: May 4

This guide details a process for visually mapping a basic management groups and subscriptions structure within Microsoft Azure using Draw.io. It starts with the fundamentals of Azure’s hierarchical organization model, explaining the roles of management groups and subscriptions. The guide then demonstrates how to create diagrams that represent the ideal structure, including naming conventions and relationships between groups.



Organizing your Azure environment with management groups and subscriptions establishes governance guardrails from day one. In this walkthrough, you’ll learn how to diagram—and plan—your hierarchy using draw.io before implementing it in the Azure portal.


Prerequisites


1. Set Up Your draw.io Canvas

  1. Open draw.io and choose Blank Diagram.

  2. Name your diagram (e.g., “Azure MG Structure”).

  3. From the Shapes library, enable AWS / Azure icons (optional) or use basic rectangles and connectors.

2. Create the Tenant Root Group

  1. Drag a rectangle onto the canvas.

  2. Label it “Tenant Root Group”.

  3. Style it with a bold border (to denote the top of the hierarchy).


3. Add the Root Management Group (mg-root)

  1. Below the Tenant Root Group, drag a second rectangle.

  2. Label it “mg-root”.

  3. Connect Tenant Root Group → mg-root with a straight connector arrow.

This represents your landing zone for group-level policies and inheritance.


4. Define Top-Level Management Groups

Under mg-root, we’ll add three child groups:

  1. mg-platform

  2. mg-app-lz

  3. mg-sbx


Steps in draw.io:

  • Drag three rectangles beneath mg-root, spaced evenly.

  • Label each as above.

  • Connect these to mg-root with downward arrows.

Your canvas should look like:




5. Expand the mg-app-lz Hierarchy

Within mg-app-lz, create three more groups:

  • mg-prod

  • mg-non-prod

  • mg-lab


  1. Drag three smaller rectangles under mg-app-lz.

  2. Label accordingly.

  3. Connect each to mg-app-lz.


Final hierarchy:






6. Apply Styling & Annotations

  • Color-code environments (e.g., green for prod, yellow for non-prod, blue for lab).

  • Add notes: right-click a group → Edit Link / Tooltip → type quick policy reminders.

  • Group related shapes using a transparent container to keep the diagram organized.


7. Export & Share

  1. File → Export As → PDF/PNG to embed in design docs or presentations.

  2. Save to your preferred cloud storage and share the link with your team.



8. Implement in Azure

Once your diagram is approved:

  1. Sign in to the Azure portal.

  2. Navigate to All services → Management Groups.

  3. Verify you have a Tenant Root Group (created by default).

  4. Click + Add management group and replicate the names: mg-root, mg-platform, mg-app-lz, mg-sbx, and sub-groups (mg-prod, mg-non-prod, mg-lab).

  5. Reorganize by dragging each group under its parent.

  6. Assign subscriptions to the appropriate MGs for policy inheritance.
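
A scripted equivalent of step 8 using the Azure CLI, added here as an example and not part of the original post. It checks the planned hierarchy (every parent defined and listed before its children, at most six levels below the Tenant Root Group) and only then prints the `az account management-group create` commands in parent-first order. Reusing each name as its display name and creating mg-root without `--parent` are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Entries are "child:parent"; mg-root
# has no parent here (assumption), so Azure puts it under the Tenant Root Group.
HIERARCHY="mg-root: mg-platform:mg-root mg-app-lz:mg-root mg-sbx:mg-root
mg-prod:mg-app-lz mg-non-prod:mg-app-lz mg-lab:mg-app-lz"
MAX_DEPTH=6  # Azure allows six levels below the Tenant Root Group
# Print the parent recorded for group $1; fail if the group is not in the plan.
parent_of() {
  local entry
  for entry in $HIERARCHY; do
    [ "${entry%%:*}" = "$1" ] && { printf '%s\n' "${entry#*:}"; return 0; }
  done
  return 1
}

# Print the level of group $1 (mg-root = 1); fail on an undefined parent or a cycle.
depth_of() {
  local node="$1" depth=1 parent
  while parent=$(parent_of "$node") && [ -n "$parent" ]; do
    node="$parent"; depth=$((depth + 1))
    [ "$depth" -le "$MAX_DEPTH" ] || return 1
  done
  parent_of "$node" >/dev/null || return 1
  printf '%s\n' "$depth"
}

# Check every group: valid parent chain, and parent listed before its children.
validate_plan() {
  local entry name parent seen=" "
  for entry in $HIERARCHY; do
    name="${entry%%:*}"; parent="${entry#*:}"
    depth_of "$name" >/dev/null || { echo "bad parent chain: $name" >&2; return 1; }
    if [ -n "$parent" ] && [ "${seen#* $parent }" = "$seen" ]; then
      echo "$parent must be listed before $name" >&2; return 1
    fi
    seen="$seen$name "
  done
}

# Print the create commands only if the whole plan validates (dry run).
plan_commands() {
  local entry name parent
  validate_plan || return 1
  for entry in $HIERARCHY; do
    name="${entry%%:*}"; parent="${entry#*:}"
    echo "az account management-group create --name $name --display-name $name${parent:+ --parent $parent}"
  done
}

plan_commands
```

Review the printed commands against the approved diagram, then run them in a session that has completed `az login` with rights to create management groups.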



Conclusion

Using draw.io to plan your Azure management hierarchy ensures clear visibility and team alignment before you click through in the portal. This basic structure (Tenant Root Group → mg-root → {mg-platform, mg-app-lz, mg-sbx}, with mg-prod, mg-non-prod, and mg-lab under mg-app-lz) is a solid foundation for policy scoping, role assignment, and subscription organization.

Happy diagramming—and secure, well-governed Azure!

