แก้ไข

แชร์ผ่าน


Quickstart: Create a management group

Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. Create these containers to build an effective and efficient hierarchy that can be used with Azure Policy and Azure Role Based Access Controls. For more information on management groups, see Organize your resources with Azure management groups.

The first management group created in the directory could take up to 15 minutes to complete. There are processes that run the first time to set up the management groups service within Azure for your directory. You receive a notification when the process is complete. For more information, see initial setup of management groups.

Prerequisites

  • If you don't have an Azure subscription, create a free account before you begin.

  • Any Microsoft Entra ID user in the tenant can create a management group without the management group write permission assigned to that user if hierarchy protection isn't enabled. This new management group becomes a child of the Root Management Group or the default management group and the creator is given an Owner role assignment. Management group service allows this ability so that role assignments aren't needed at the root level. When the Root Management Group is created, users don't have access to it. To start using management groups, the service allows the creation of the initial management groups at the root level. For more information, see Root management group for each directory.

Create in portal

  1. Log into the Azure portal.

  2. Select All services > Management + governance.

  3. Select Management Groups.

  4. Select + Add management group.

    Screenshot of the Management groups page showing child management groups and subscriptions.

  5. Leave Create new selected and fill in the management group ID field.

    • The Management Group ID is the directory unique identifier that is used to submit commands on this management group. This identifier isn't editable after creation as it's used throughout the Azure system to identify this group. The root management group is automatically created with an ID that is the Microsoft Entra ID. For all other management groups, assign a unique ID.
    • The display name field is the name that is displayed within the Azure portal. A separate display name is an optional field when creating the management group and can be changed at any time.

    Screenshot of the 'Add management group' options for creating a new management group.

  6. Select Save.

Clean up resources

To remove the management group created, follow these steps:

  1. Select All services > Management + governance.

  2. Select Management Groups.

  3. Find the management group created above, select it, then select Details next to the name. Then select Delete and confirm the prompt.

Next steps

In this quickstart, you created a management group to organize your resource hierarchy. The management group can hold subscriptions or other management groups.

To learn more about management groups and how to manage your resource hierarchy, continue to: