UW Azure Management Groups

Last updated: June 6, 2024
Audience: IT Staff / Technical

Azure Management Groups (MG) provide a governance structure above subscriptions to manage policy, access control, and compliance. Management groups exist to group subscriptions so you can apply similar access control or policy to the resources within those subscriptions.

UW Azure Management Group topics

Within UW Azure, the top level of the management group structure is organized by types of subscriptions, primarily distinguished by offer identifiers. This provides the UW with the capability to set future Azure Policy by types of subscription, for example, setting a policy which would affect all Azure Student subscriptions.

By default, new subscriptions are created under the ‘Pending MG Assignment’. An automated process will evaluate subscriptions under this location for placement in one of the designated top-level MGs. See MG Structure Criteria for the criteria this process will use.

Management Groups are only relevant if you want to apply Azure Policy or access controls across multiple Azure subscriptions. Within UW Azure, you must be using an enterprise agreement subscription or an enterprise dev/test subscription to qualify for your own Management Group. UW-IT Microsoft Infrastructure Delegated OU admins can request that a management group be created which matches their OU name. UW-IT will grant the Contributor role to this management group to enable self-service assignment of a customer subscription to that management group. In order to successfully assign an Azure subscription to a Management Group, a user must be both an explicit owner on the subscription and a Contributor or better on the destination MG.

The criteria for inclusion in those top-level MGs is noted below. It primarily focuses on the type of Microsoft offer associated with a subscription.

  • Tenant Root Group
    • Pending MG Assignment – All new subscriptions are created here, then distributed to MGs
    • Azure for Students – Includes subscriptions with the following criteria:
      • Offer = MS-AZR-0170P
      • Offer = MS-AZR-0144P
      • Offer = ’empty’ and Subscription Name=Azure for Students
      • Offer = ’empty’ and Subscription Name=Azure for Students Starter
      • Offer = ’empty’ and Subscription Name=Microsoft Azure for Students Starter
    • Enterprise Agreement
      • Offer = Enterprise Agreement
      • Offer = Enterprise Dev/Test
      • Offer = MS-AZR-0017P
      • Offer = MS-AZR-0148P
    • MSDN – Includes subscriptions with the following criteria:
      • Offer = MS-AZR-0063P
      • Offer = MS-AZR-0062P
      • Offer = MS-AZR-0059P
      • Offer = ’empty’ and Subscription Name = Visual Studio Enterprise
      • Offer = ’empty’ and Subscription Name = MSDN Platforms Subscription
      • Offer = ’empty’ and Subscription Name = Visual Studio Enterprise Subscription
      • Offer = ’empty’ and Subscription Name = Visual Studio Professional
      • Offer = ’empty’ and Subscription Name = Visual Studio Professional Subscription
    • Sponsored – Includes subscriptions with the following criteria:
      • Offer = MS-AZR-0036P
      • Offer = MS-AZR-0017P
      • Offer = MS-AZR-0143P
    • Pay As You Go Includes subscriptions with the following criteria:
      • Offer = empty’ and Subscription Name = Free Trial

Your UW subscription will have a variety of roles automatically assigned to it based on its location in the Management Group hierarchy.

At the Tenant Root level, Entra ID Global Administrators have the User Access Administrator role for Azure. This enables them to modify the access controls at any level in the Azure hierarchy. These individuals can enable critical capabilities across the entire Azure infrastructure and provide a safety net to re-enable access to an Azure subscription which no longer has an account in the owner role. The Microsoft Platforms unit has team members with these roles and can assist with if you find yourself in need of someone to fix your subscription’s access controls.

The Microsoft Platforms team also has the owner role assigned for several of the top-level Management Groups: Enterprise Agreement, MSDN, NIH Strides, and Sponsored. This reflects the role the Microsoft Platforms team plays in provisioning and providing basic support for subscriptions of these types.

If you have a UW-IT managed subscription, the Microsoft Platforms team will also have the owner role to facilitate the higher level of support UW-IT provides to these customer subscriptions.