UW Azure Management Groups

Last updated: November 27, 2023
Audience: IT Staff / Technical

Azure Management Groups (MG) provide a governance structure above subscriptions to manage policy, access control, and compliance. Just like organizational units (OUs) in Active Directory, you don’t create MGs on a whim, but because you need to group objects to apply similar access control or policy to those objects. In the case of MGs, the objects are subscriptions and the resources within those subscriptions. 

UW Azure Management Group topics

Within UW Azure, the top level of the management group structure will be organized by type of subscription, primarily distinguished by offer identifier. This gives the UW the ability to set future Azure Policy per subscription category, for example, a policy that would affect all Azure Student subscriptions.

By default, new subscriptions are created under the ‘Pending MG Assignment’. An automated process will evaluate subscriptions under this location for placement in one of the designated top-level MGs. See MG Structure for the criteria this process will use.

Management Groups are only relevant if you want to apply Azure Policy or access controls across multiple Azure subscriptions. Within UW Azure, you must be using enterprise agreement subscriptions to qualify for your own Management Group. UW-IT Microsoft Infrastructure Delegated OU admins can request that a management group be created which matches their OU name. UW-IT will grant the Contributor role to this management group to enable self-service assignment of a customer subscription to that management group. In order to successfully assign an Azure subscription to a Management Group, a user must be both an explicit owner on the subscription and a Contributor or better on the destination MG.

The criteria for inclusion in the top-level MGs are noted below.

  • Tenant Root Group
    • Pending MG Assignment – All new subscriptions are created here, then distributed to MGs
    • Azure for Students – Includes subscriptions with the following criteria:
      • Offer = MS-AZR-0170P
      • Offer = MS-AZR-0144P
      • Offer = ‘empty’ and Subscription Name = Azure for Students
      • Offer = ‘empty’ and Subscription Name = Azure for Students Starter
      • Offer = ‘empty’ and Subscription Name = Microsoft Azure for Students Starter
    • Enterprise Agreement – Includes any subscription with an Offer = Enterprise Agreement
      • Further structure — this aligns with delegated OUs which have requested a MG for their enterprise agreement subscriptions
    • MSDN – Includes subscriptions with the following criteria:
      • Offer = MS-AZR-0063P
      • Offer = MS-AZR-0062P
      • Offer = MS-AZR-0059P
      • Offer = ‘empty’ and Subscription Name = Visual Studio Enterprise
      • Offer = ‘empty’ and Subscription Name = MSDN Platforms Subscription
      • Offer = ‘empty’ and Subscription Name = Visual Studio Enterprise Subscription
      • Offer = ‘empty’ and Subscription Name = Visual Studio Professional
      • Offer = ‘empty’ and Subscription Name = Visual Studio Professional Subscription
    • MSDN Dev Test – Includes subscriptions with the following criteria:
      • Offer = MS-AZR-0148P
    • Sponsored – Includes subscriptions with the following criteria:
      • Offer = MS-AZR-0036P
      • Offer = MS-AZR-0017P
      • Offer = MS-AZR-0143P
    • Pay As You Go – Includes subscriptions with the following criteria:
      • Offer = ‘empty’ and Subscription Name = Free Trial
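
The placement criteria above can be turned into a drift audit that reports subscriptions whose current top-level MG does not match the one the criteria select. This is an added example, not UW-IT's automated process: the record fields (name, offer, mg), the PARENT map, and the "ou-example" MG are hypothetical, and it assumes a subscription matching no rule stays in Pending MG Assignment.

```python
# Added example. Rules transcribed from the MG list on this page; the record
# fields (name, offer, mg) and the PARENT map are assumed shapes, not UW-IT's.
PENDING = "Pending MG Assignment"
BY_OFFER = {
    "MS-AZR-0170P": "Azure for Students", "MS-AZR-0144P": "Azure for Students",
    "Enterprise Agreement": "Enterprise Agreement",
    "MS-AZR-0063P": "MSDN", "MS-AZR-0062P": "MSDN", "MS-AZR-0059P": "MSDN",
    "MS-AZR-0148P": "MSDN Dev Test",
    "MS-AZR-0036P": "Sponsored", "MS-AZR-0017P": "Sponsored",
    "MS-AZR-0143P": "Sponsored",
}
BY_NAME = {n: mg for mg, names in {  # consulted only when the offer is empty
    "Azure for Students": ["Azure for Students", "Azure for Students Starter",
                           "Microsoft Azure for Students Starter"],
    "MSDN": ["Visual Studio Enterprise", "MSDN Platforms Subscription",
             "Visual Studio Enterprise Subscription", "Visual Studio Professional",
             "Visual Studio Professional Subscription"],
    "Pay As You Go": ["Free Trial"]}.items() for n in names}

def expected_mg(offer, name):
    """Top-level MG the criteria select; no match stays in Pending (assumed)."""
    offer = (offer or "").strip()
    if offer:
        return BY_OFFER.get(offer, PENDING)
    return BY_NAME.get((name or "").strip(), PENDING)

def top_level_mg(mg, parent):
    """Climb from a nested MG (e.g. a delegated-OU MG) to its top-level MG."""
    while parent.get(mg, "Tenant Root Group") != "Tenant Root Group":
        mg = parent[mg]
    return mg

def audit(subs, parent):
    """Return (name, current top-level MG, expected MG) for each mismatch."""
    out = []
    for s in subs:
        want, have = expected_mg(s["offer"], s["name"]), top_level_mg(s["mg"], parent)
        if have != want:
            out.append((s["name"], have, want))
    return out

# Constructed sample inventory; "ou-example" is a hypothetical delegated-OU MG.
PARENT = {"ou-example": "Enterprise Agreement"}
SAMPLE = [
    {"name": "dept-prod", "offer": "Enterprise Agreement", "mg": "ou-example"},
    {"name": "Visual Studio Enterprise", "offer": "", "mg": PENDING},
    {"name": "lab-devtest", "offer": "MS-AZR-0148P", "mg": "MSDN"},
    {"name": "Azure for Students", "offer": "MS-AZR-0036P", "mg": "Sponsored"},
]
```

Calling audit(SAMPLE, PARENT) flags the second and third records; the last record is not flagged because a non-empty offer decides placement and the name rules apply only when the offer is empty.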