From an organizational perspective, there will be multiple accounts and multiple subscriptions meant for different environments and workloads.
Using management groups, you can logically group subscriptions. This way, management groups offer a new scope above the subscriptions, which can be used for granting access, assigning policies, and analyzing costs.
Any access or policy assigned to a management group is inherited by the subscriptions that are part of that management group.
Management groups enable administrators to do the following:
- They can logically group subscriptions into different containers.
- They can apply policies and grant access to a set of subscriptions easily.
- Cost management can be scoped at the management group level for tracking the costs of multiple subscriptions in a single shot.
- Budgets can be created at the management group level, which is ideal for teams and projects having multiple subscriptions.
Management groups can be created from the Azure portal, PowerShell, and the CLI. A default management group, called the root management group, is provisioned along with your tenant. All new management groups will be created as children of this root management group.
Creating a management group is a straightforward process that you can perform by searching for and navigating to management groups in the Azure portal.
Two parameters are required when you create a management group. The first one is Management Group ID; this identifier is used to denote the management group when you want to run commands against the management group.
Second, you need to add a display name, which will act like a friendly name for your management group. Whenever you are making PowerShell, Azure CLI, or REST API calls, you will be using the identifier to point to the management group.
Note: The Management Group ID cannot be modified once the management group is created.
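The steps above, carried through in Azure PowerShell as an added example (not code from the original page): it creates a group, changes only its display name, adds a subscription, grants access once at the management group scope, and then lists the assignments the subscription inherits. It assumes the Az.Resources module and a signed-in session; the group ID, display names, subscription ID, and object ID are placeholders.

```powershell
# Added example. Requires Az.Resources and an authenticated session (Connect-AzAccount).
# Every value below is a placeholder constructed for illustration.
$groupId        = 'mg-prod-workloads'                     # hypothetical Management Group ID (cannot be changed later)
$displayName    = 'Production Workloads'                  # friendly name (can be changed later)
$subscriptionId = '00000000-0000-0000-0000-000000000000'  # placeholder subscription ID
$readerObjectId = '11111111-1111-1111-1111-111111111111'  # placeholder object ID of a user or group
$mgScope        = "/providers/Microsoft.Management/managementGroups/$groupId"

# 1. Create the group. Without -ParentId it is created as a child of the root management group.
New-AzManagementGroup -GroupName $groupId -DisplayName $displayName | Out-Null

# 2. Rename the display name only. The ID stays the handle used by every later call.
Update-AzManagementGroup -GroupName $groupId -DisplayName 'Production Workloads (EU)' | Out-Null

# 3. Add the subscription to the group.
New-AzManagementGroupSubscription -GroupName $groupId -SubscriptionId $subscriptionId

# 4. Grant Reader once, at the management group scope.
New-AzRoleAssignment -ObjectId $readerObjectId -RoleDefinitionName 'Reader' -Scope $mgScope | Out-Null

# 5. Review what the subscription inherits: list the role assignments effective on it
#    whose Scope points at a management group rather than at the subscription itself.
Get-AzRoleAssignment -Scope "/subscriptions/$subscriptionId" |
    Where-Object { $_.Scope -like '/providers/Microsoft.Management/managementGroups/*' } |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Running step 5 against each subscription shows which principals hold access through a management group instead of a direct assignment, which is the inheritance described earlier.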
Management groups can be leveraged to apply policies and grant access easily on a larger scope.