Azure Management Groups


Azure Administrators and IT Finance teams know the feeling of subscription sprawl all too well. Without a well-thought-out and governed plan, customers with a Microsoft Enterprise Agreement (EA) endure subscription after subscription after subscription, with minimal management and confused billing.

Management Groups is a new Azure-based service that can be used to resolve those issues. A Management Group can be configured with permissions and policies that govern a like set of subscriptions, similar to how Resource Groups are designed to govern Resources with a particular lifecycle.

Enterprise customers would normally deploy Azure subscriptions following one of three models: Functional, Business Division or Geographic. These three models generally describe splitting the Azure tenancy into multiple subscriptions for use at a Project, an Application or a Business division level. With this level of subscription deployment, assigning policies and permissions is a task that has to be repeated for every subscription, introducing potential for human error and creating unnecessary layers of management.

Azure Management Groups remove this requirement, as you can set up one or more Management Groups which have the required RBAC permissions and Policies already configured. For each new, existing or additional subscription, you simply associate that subscription with the correct Management Group. Management Groups can also be nested, in which case the policies that apply at a higher level are also applied to child Management Groups. The subscription then inherits and applies all the permissions and policies set above it, removing the need to perform each task manually. This is an example diagram of how a Management Group structure could look.

So what sort of RBAC permissions and policies are available for a Management Group? Numerous ones, and what’s more, you can create custom initiatives and policies that suit your business requirements.

The Policies that can be applied to a Management Group range from the control of an IaaS virtual machine and its extensions, to available geographic locations, the number of owners assigned to a subscription, storage encryption levels on both disks and storage accounts, and a multitude of others. If an existing policy doesn’t fit the specific business requirements, custom initiatives can also be created that are based on policy definitions.

An example of a custom initiative would be the enforcement of a set of tags that apply to the resources deployed in a subscription. For example, if you had a Marketing Management Group that had Azure resources deployed, you could assign a set of tags with default values, and all resources in the subscriptions in the Marketing Management Group would have those tags with the default values automatically applied. Another common requirement for a business utilising Azure public cloud is data sovereignty, that is, control over which geographic locations are used by Azure services. A policy applied to the Tenant Root Group (the default top level Management Group) stating that the only locations to be used are the regions Australia East and Australia Southeast would filter down to all subscriptions associated with that Azure tenancy, thereby governing the entire Azure environment.
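The two scenarios above (default tags on a Marketing Management Group, and an allowed-locations policy on the Tenant Root Group) can be sketched as a small inheritance model. This is an added example, not Azure or Diaxion code: the hierarchy, subscription names and policy keys are constructed, and the evaluation logic is a simplified stand-in for the Azure Policy engine.

```python
# Added example: a simplified model of Management Group inheritance.
# Group and subscription names and policy keys are constructed for
# illustration; this does not call Azure or use the Azure Policy engine.

# Constructed hierarchy, child -> parent. Tenant Root Group is the top level.
PARENT = {
    "Marketing": "Tenant Root Group",
    "IT": "Tenant Root Group",
    "Production": "IT",
    "sub-marketing-01": "Marketing",
    "sub-it-prod-01": "Production",
}

# Assignments made directly at a scope (constructed values).
ASSIGNMENTS = {
    "Tenant Root Group": [{"policy": "allowed-locations",
                           "locations": {"australiaeast", "australiasoutheast"}}],
    "Marketing": [{"policy": "default-tags",
                   "tags": {"department": "marketing"}}],
}

def scope_chain(scope):
    """Return the scopes from the Tenant Root Group down to `scope`."""
    chain = [scope]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain[::-1]

def effective_assignments(subscription):
    """Assignments on every ancestor apply to the subscription."""
    return [(s, a) for s in scope_chain(subscription)
            for a in ASSIGNMENTS.get(s, [])]

def evaluate(subscription, resource):
    """Return (allowed, resulting_tags, reasons) for a proposed resource."""
    tags, reasons = dict(resource.get("tags", {})), []
    for scope, a in effective_assignments(subscription):
        if a["policy"] == "allowed-locations":
            if resource["location"].lower() not in a["locations"]:
                reasons.append(f"location denied by assignment at {scope}")
        elif a["policy"] == "default-tags":
            for key, value in a["tags"].items():
                tags.setdefault(key, value)  # default only if tag is absent
    return (not reasons, tags, reasons)

if __name__ == "__main__":
    for sub, res in [("sub-marketing-01", {"location": "australiaeast"}),
                     ("sub-it-prod-01", {"location": "westeurope"})]:
        print(sub, res["location"], evaluate(sub, res))
```

A subscription two levels below the root is still denied a non-Australian region, because the only assignment that matters for location sits at the Tenant Root Group.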

Azure Management Groups are a useful and efficient new service, now in General Availability for Azure, that can assist with governing your environment. If you would like assistance in configuring Management Groups to suit your business requirements, or even if you would like to revisit your initial Azure deployment model to ensure it meets best business practices, Diaxion is able to assist.
