0
votes

I'm trying to configure some management groups in Azure. I have three subscriptions (prod, dev and core) and three management groups by the same name. I then have six application groups (prod1, prod2, dev1, dev2, core1 and core2). What I'm trying to work out is whether we can have the root management group going into three subscription groups, which then go into two application groups per subscription group, and then have the two application groups going into one subscription. Or does it not work like that? All the reading I've been doing shows one management group per subscription, but I can't see why we can't do this. Help!!

Image: https://pasteboard.co/IiYTk1a.jpg

Hope that makes sense

Thanks in advance

1
A subscription can exist in a single management group. Why would you want to have a subscription under 2 management groups? - Haitham Shaddad

@HaithamShaddad Thanks for coming back to me. I was trying to work out whether I can give all the xxx1 applications different access and policies compared to application xxx2, but they all access the same subscription. This would give me more centralised control, and I know at subscription level I can always use RBACs. - Norrin Rad

I don't think this is feasible. You can achieve that using RBAC but not with management groups. If it was possible to have a subscription under more than one MG, they would collide and override each other. - Haitham Shaddad

@HaithamShaddad Can I mark that as an answer? That's all that I've read, thanks. - Norrin Rad

I will post it as an answer. - Haitham Shaddad

1 Answer

1
votes

A subscription can exist in a single management group. You can have a hierarchy of groups to have more fine-grained control, but each group can have a single parent.

If you need to control access for multiple users between different subscriptions, then you can use custom RBAC roles and give them custom permissions.
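
The layout this answer describes, applied to the question's prod/dev/core setup, as an added example that is not part of the original thread: one management group per environment, each subscription attached to exactly one group, and the per-application split (xxx1 versus xxx2) done with role assignments scoped to resource groups. The subscription ids, the `rg-<app>` resource group names, the role name and its actions are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Dry-run by default: each az
# command is printed instead of executed. Run with AZ=az to apply it.
AZ="${AZ:-echo az}"

# Constructed placeholder subscription ids, one per environment (assumption).
sub_id() {
  case "$1" in
    prod) echo "00000000-0000-0000-0000-000000000001" ;;
    dev)  echo "00000000-0000-0000-0000-000000000002" ;;
    core) echo "00000000-0000-0000-0000-000000000003" ;;
    *)    return 1 ;;
  esac
}

# Scope string for one application's resource group (assumed name rg-<app>).
app_scope() {  # usage: app_scope prod prod1
  echo "/subscriptions/$(sub_id "$1")/resourceGroups/rg-$2"
}

# One management group per environment, created under the root group by
# default; each subscription is attached to exactly one management group.
build_hierarchy() {
  for env in prod dev core; do
    $AZ account management-group create --name "$env" --display-name "$env"
    $AZ account management-group subscription add --name "$env" \
      --subscription "$(sub_id "$env")"
  done
}

# Custom role assignable only on the two application resource groups of one
# environment (hypothetical role name and action list).
create_app_role() {  # usage: create_app_role prod
  $AZ role definition create --role-definition "{
    \"Name\": \"App Operator $1 (example)\",
    \"Description\": \"Read everything, manage deployments\",
    \"Actions\": [\"*/read\", \"Microsoft.Resources/deployments/*\"],
    \"AssignableScopes\": [\"$(app_scope "$1" "${1}1")\", \"$(app_scope "$1" "${1}2")\"]
  }"
}

# Different access per application inside the same subscription.
assign_app_access() {  # usage: assign_app_access <principal-id> <role> prod prod1
  $AZ role assignment create --assignee "$1" --role "$2" \
    --scope "$(app_scope "$3" "$4")"
}
```

Azure Policy assignments accept the same resource-group scope, so policies can differ per application in the same way.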