In this post, we will be looking at managing and maintaining management groups and controlling them along with their subscriptions on Azure using PowerShell.

Azure Resource Manager, or ARM, is a powerful service on Azure that provides granular resource management capability. With its management layers, also known as scopes, it's easier to manage resources and apply policies across the organization. There are four scopes available on Azure: resources, resource groups, subscriptions, and management groups.

On the other hand, when it comes to template deployments, our options are resource groups, subscriptions, management groups, or tenants. It's always important to make sure that our architectural design supports flexible management on Azure. With this in mind, implementing proper management group architecture is crucial when designing Azure infrastructure at the very beginning.

Listing management groups

It's very simple to list management groups in Azure using the following command:

Get-AzManagementGroup -Recurse -GroupId 849e8524-4433-4b03-aea4-b2dd81e72401 -Expand -WarningAction SilentlyContinue | select -ExpandProperty Children
Listing top level management groups

The only downside of this command is that it does not list all subscriptions in all management groups, but only the subscriptions and other nested management groups within the specified parent management group. Therefore, we will be using PowerShell with resource graph queries to obtain more accurate details in a much faster way.

List subscriptions along with their management groups

It is much more convenient to use the following resource graph query to list all subscriptions with their management group chains. A management group chain shows the entire management group hierarchy if the subscription is sitting in a nested management group that is also sitting in another management group.

$q = "
resourcecontainers
| where type == 'microsoft.resources/subscriptions'
"
$response = Search-AzGraph -Query $q
$response | select name,id,@{l="managementgroup";e={$_.properties.managementGroupAncestorsChain.displayname}}
Listing subscriptions with their management group hierarchy

With this command, we can list all subscriptions with their management group hierarchy, where we can see the subscription's first-level management group and other parent management groups.

We can simply tweak the last line in the above command to get only the first-level management group in which the subscription is sitting.

$response | select name,id,@{l="managementgroup";e={($_.properties.managementGroupAncestorsChain[0]).displayname}}

This will give us the following output:

Listing subscriptions with their parent management groups
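
The two projections above can be combined into one report per subscription: immediate parent, depth, and the full path read from the top of the hierarchy down. The following is an added example, not code from the original post; `Get-SubscriptionPlacement`, `New-SampleRow` and the sample rows are hypothetical, and it assumes the chain order the post relies on (`[0]` is the immediate parent). A subscription flagged `TopLevelOnly` inherits only what is assigned at the top-level group.

```powershell
# Added example: function names and sample data are hypothetical, not from the post.
function Get-SubscriptionPlacement {
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $Subscription)
    process {
        # Assumed chain order, as the post uses it: [0] is the immediate parent,
        # the last entry is the top of the hierarchy.
        $chain = @($Subscription.properties.managementGroupAncestorsChain | Where-Object { $_ })
        $names = @($chain | ForEach-Object { $_.displayName })
        [array]::Reverse($names)   # top-level group first
        [pscustomobject]@{
            Subscription = $Subscription.name
            Parent       = if ($chain.Count) { $chain[0].displayName } else { $null }
            Depth        = $chain.Count
            # One ancestor or none: no management group other than the
            # top-level one sits above the subscription.
            TopLevelOnly = ($chain.Count -le 1)
            Path         = ($names + $Subscription.name) -join ' / '
        }
    }
}

# Constructed sample rows shaped like the Search-AzGraph output used above.
function New-SampleRow([string] $Name, [string[]] $Ancestors) {
    [pscustomobject]@{
        name       = $Name
        id         = "/subscriptions/<constructed-$Name>"
        properties = [pscustomobject]@{
            managementGroupAncestorsChain = @($Ancestors | ForEach-Object {
                [pscustomobject]@{ displayName = $_ } })
        }
    }
}
$sample = @(
    New-SampleRow 'Prod-01' 'EnterpriseIT', 'IT', 'Root'
    New-SampleRow 'Dev-01'  'IT', 'Root'
    New-SampleRow 'Trial'   'Root'
)

$sample | Get-SubscriptionPlacement | Sort-Object Depth | Format-Table -AutoSize

# Live use with $q from the post (Search-AzGraph returns 100 rows unless -First is given):
# Search-AzGraph -Query $q -First 1000 | Get-SubscriptionPlacement
```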

Listing subscriptions in a specific management group

We may also want to list all subscriptions in a specific management group. For this, we can use the following command:

$managementGroupName = "EnterpriseIT"

$q = "
resourcecontainers
| where type == 'microsoft.resources/subscriptions'
| where properties.managementGroupAncestorsChain[0].displayName == '$managementGroupName'
| project ParentManagementGroup = properties.managementGroupAncestorsChain[0].displayName, name, id
"

$response = Search-AzGraph -Query $q
$response | select name, id, ParentManagementGroup
Listing a specific management group and the subscriptions that are sitting within the management group

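The same list can also be produced by filtering the output of the earlier, unfiltered query on the client side:

$response | select name,id,@{l="managementgroup";e={($_.properties.managementGroupAncestorsChain[0]).displayname}} | where {$_.managementgroup -eq "EnterpriseIT"} | select name, id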

Adding a subscription to a management group

Adding or removing management groups

We can use the command below to create a new management group. It is always

New-AzManagementGroup -GroupName a1 -ParentId /providers/Microsoft.Management/managementGroups/Root

To remove a management group, we will use the "Remove-AzManagementGroup" command. But first, we need to make sure that there are no subscriptions or other management groups in it. Otherwise, the command will fail with the following error:

Remove-AzManagementGroup -Groupname IT
Non empty management groups cannot be removed
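
To see what is blocking a removal before running it, the expanded tree can be walked and everything still inside the group listed, deepest entries first. The following is an added example, not code from the original post; `Get-ManagementGroupContent` and the sample tree (including its `Type` strings) are hypothetical, and the tree is constructed to mimic the `DisplayName`/`Children` shape returned by `Get-AzManagementGroup -Expand -Recurse`.

```powershell
# Added example: function name and sample tree are hypothetical, not from the post.
function Get-ManagementGroupContent {
    param(
        [Parameter(Mandatory)] [object] $Group,
        [string] $Path = '',
        [int] $Depth = 1
    )
    $here = if ($Path) { "$Path / $($Group.DisplayName)" } else { $Group.DisplayName }
    foreach ($child in @($Group.Children | Where-Object { $_ })) {
        [pscustomobject]@{
            Depth  = $Depth
            Parent = $here
            Name   = $child.DisplayName
            Type   = $child.Type
        }
        # Nested groups carry their own Children when the tree was fetched with -Recurse.
        Get-ManagementGroupContent -Group $child -Path $here -Depth ($Depth + 1)
    }
}

# Constructed tree; live equivalent: Get-AzManagementGroup -GroupId IT -Expand -Recurse
$tree = [pscustomobject]@{
    DisplayName = 'IT'
    Children    = @(
        [pscustomobject]@{ DisplayName = 'Dev-01'; Type = '/subscriptions'; Children = $null }
        [pscustomobject]@{
            DisplayName = 'Ops'; Type = 'Microsoft.Management/managementGroups'
            Children    = @(
                [pscustomobject]@{ DisplayName = 'Ops-01'; Type = '/subscriptions'; Children = $null }
            )
        }
    )
}

$blockers = @(Get-ManagementGroupContent -Group $tree)
if ($blockers.Count -gt 0) {
    # Deepest entries first: that is the order in which they must be moved out.
    $blockers | Sort-Object Depth -Descending | Format-Table -AutoSize
} else {
    'Group is empty and can be removed.'
}
```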

Moving subscriptions between management groups

To move a subscription from one management group to another, we simply specify the target management group within the command below:

$TargetManagementGroup = "IT"
$subscriptionID = "00000000-0000-1234-11223344556677889"
New-AzManagementGroupSubscription -GroupName "$TargetManagementGroup" -SubscriptionId "$subscriptionID"

Moving management groups

We can also change the management group structure by moving one management group into another in the hierarchy. We can also rename the management group as part of the move process, if necessary. The following command will move the management group called "IT" into the "Root" management group:

Update-AzManagementGroup -GroupName IT -DisplayName ITManagementGroup -ParentId /providers/Microsoft.Management/managementGroups/Root
Moving and renaming management groups

Conclusion

Management groups are useful when it comes to managing multiple subscriptions and applying organization-wide policies. It's also very handy to flexibly move subscriptions between management groups. This is very important when it's necessary to reconstruct the management group hierarchy.

1 Comment
  1. Sam Boutros 2 months ago

    try Get-AzSBSubscription of the AZSBTools PS module at https://www.powershellgallery.com/packages/AZSBTools

© 4sysops 2006 - 2021
