แก้ไข

แชร์ผ่าน


Quickstart: Create a management group with REST API

Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. Create these containers to build an effective and efficient hierarchy that can be used with Azure Policy and Azure Role Based Access Controls. For more information on management groups, see Organize your resources with Azure management groups.

The first management group created in the directory could take up to 15 minutes to complete. There are processes that run the first time to set up the management groups service within Azure for your directory. You receive a notification when the process is complete. For more information, see initial setup of management groups.

Prerequisites

  • If you don't have an Azure subscription, create a free account before you begin.

  • If you haven't already, install ARMClient. It's a tool that sends HTTP requests to Azure Resource Manager-based REST APIs.

  • Any Microsoft Entra ID user in the tenant can create a management group without the management group write permission assigned to that user if hierarchy protection isn't enabled. This new management group becomes a child of the Root Management Group or the default management group and the creator is given an Owner role assignment. Management group service allows this ability so that role assignments aren't needed at the root level. When the Root Management Group is created, users don't have access to it. To start using management groups, the service allows the creation of the initial management groups at the root level. For more information, see Root management group for each directory.

Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article, without having to install anything on your local environment.

To start Azure Cloud Shell:

Option Example/Link
Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell. Screenshot that shows an example of Try It for Azure Cloud Shell.
Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser. Button to launch Azure Cloud Shell.
Select the Cloud Shell button on the menu bar at the upper right in the Azure portal. Screenshot that shows the Cloud Shell button in the Azure portal

To use Azure Cloud Shell:

  1. Start Cloud Shell.

  2. Select the Copy button on a code block (or command block) to copy the code or command.

  3. Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux, or by selecting Cmd+Shift+V on macOS.

  4. Select Enter to run the code or command.

Create in REST API

For REST API, use the Management Groups - Create or Update endpoint to create a new management group. In this example, the management group groupId is Contoso.

  • REST API URI

    PUT https://management.azure.com/providers/Microsoft.Management/managementGroups/Contoso?api-version=2020-05-01
    
  • No Request Body

The groupId is a unique identifier being created. This ID is used by other commands to reference this group and it can't be changed later.

If you want the management group to show a different name within the Azure portal, add the properties.displayName property in the request body. For example, to create a management group with the groupId of Contoso and the display name of Contoso Group, use the following endpoint and request body:

  • REST API URI

    PUT https://management.azure.com/providers/Microsoft.Management/managementGroups/Contoso?api-version=2020-05-01
    
  • Request Body

    {
      "properties": {
        "displayName": "Contoso Group"
      }
    }
    

In the preceding examples, the new management group is created under the root management group. To specify a different management group as the parent, use the properties.parent.id property.

  • REST API URI

    PUT https://management.azure.com/providers/Microsoft.Management/managementGroups/Contoso?api-version=2020-05-01
    
  • Request Body

    {
      "properties": {
        "displayName": "Contoso Group",
        "parent": {
          "id": "/providers/Microsoft.Management/managementGroups/HoldingGroup"
        }
      }
    }
    

Clean up resources

To remove the management group created above, use the Management Groups - Delete endpoint:

  • REST API URI

    DELETE https://management.azure.com/providers/Microsoft.Management/managementGroups/Contoso?api-version=2020-05-01
    
  • No Request Body

Next steps

In this quickstart, you created a management group to organize your resource hierarchy. The management group can hold subscriptions or other management groups.

To learn more about management groups and how to manage your resource hierarchy, continue to: