Step by Step Guide to Create and Move Around Management Groups in Microsoft Azure

A well-organized management group hierarchy provides consistent governance and policy enforcement across your Azure subscriptions. This guide walks you through creating new management groups and reorganizing them by moving groups or subscriptions under different parents.

Prerequisites

• Permissions: You must be a Global Administrator or Management Groups Contributor on the Azure AD tenant.

• Portal Access: Sign in to the Azure portal with an account that has the required role.

1. Access the Management Groups Blade

1. In the Azure portal, click All services (left nav).

2. Search for and select Management + governance → Management groups.

   The Tenant root group appears by default at the top of the hierarchy.

2. Create a New Management Group

1. In the Management groups blade, click + Add management group.

2. In the Create management group pane:

   • Management group ID: Enter a short, URL-safe identifier (e.g., mg-platform).

   • Display name: Provide a human-readable name (e.g., Platform Environments).

3. Click Create.

   The new group is automatically placed under the Tenant root group unless you specify otherwise.

3. Nest a Management Group Under an Existing Parent

To place a group under a specific parent (other than the root):

1. Find the child group in the list.

2. Select its row to open the Overview pane.

3. Click Change parent at the top.

4. In the Select parent management group blade, choose the desired parent (e.g., mg-root or mg-app-lz).

5. Click Save.

4. Create a Sub-Group Hierarchy

To build a multi-level structure (for example, under mg-app-lz):

1. Repeat Step 2 to create mg-prod, mg-non-prod, and mg-lab.

2. For each sub-group:

   • Open its Overview pane.

   • Click Change parent, and select mg-app-lz.

   • Click Save.

Your hierarchy will look like:

Tenant root group
│
├─ mg-root
│  ├─ mg-platform
│  └─ mg-app-lz
│     ├─ mg-prod
│     ├─ mg-non-prod
│     └─ mg-lab
└─ mg-sbx

5. Move an Existing Management Group

If you need to relocate an existing group:

1. Navigate to the management group you want to move (e.g., mg-sbx).

2. In its Overview, click Change parent.

3. Select the new parent (for instance, move from Tenant root group to mg-root).

4. Click Save.

   Moving a group automatically re-inherits policies and role assignments from its new parent.

6. Assign Subscriptions to Management Groups

1. Open the target management group (e.g., mg-platform).

2. On the left, select Subscriptions.

3. Click + Add.

4. In the Add subscriptions pane, check the boxes next to subscriptions you want to include.

5. Click Save.

   Policies assigned at the group level flow down to all nested subscriptions and child groups.

7. Validate Your Structure

• View Hierarchy: In the Management groups blade, choose View hierarchy to see the tree.

• Policy & Access Checks: Under each group, review Policies and Access control (IAM) to confirm inheritance.

8. Clean Up or Delete a Management Group

1. Open the management group you wish to delete.

2. Ensure it has no child groups or assigned subscriptions.

3. Click Delete at the top of the Overview pane.

4. Confirm by typing the management group ID.

5. Click Delete.

Best Practices

• Consistent Naming: Adopt a clear naming convention (e.g., mg-<function>-<env>).

• Minimal Depth: Limit nesting levels to reduce complexity—three to four levels is usually sufficient.

• Policy Scoping: Assign policies at the highest applicable level to maximize inheritance.

• RBAC Planning: Group subscriptions logically so teams receive only the permissions they need.

By following these steps, you’ll have a flexible, maintainable management group structure in Azure—enabling consistent governance and streamlined operations across your cloud estate.