Management Groups
The resiliency recommendations presented in this guidance cover Management Groups and their associated settings.
Summary of Recommendations
Recommendation | Category | Impact | State | ARG Query Available |
---|---|---|---|---|
MG-1 - Subscriptions should not be placed under the Tenant Root Management Group | Governance | Medium | Preview | Yes |
Definitions of states can be found here
Recommendations Details
MG-1 - Subscriptions should not be placed under the Tenant Root Management Group
Category: Governance
Impact: Medium
Guidance
The root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. Create management groups under your root-level management group to represent the types of workloads that you’ll host.
These groups are based on the security, compliance, connectivity, and feature needs of the workloads. With this grouping structure, you can have a set of Azure policies applied at the management group level. This grouping structure is for all workloads that require the same security, compliance, connectivity, and feature settings.
Resources
Resource Graph Query
```kusto
// Azure Resource Graph Query
// Provides a list of Azure Subscriptions that are placed under the Tenant Root Management Group
resourcecontainers
| where type == 'microsoft.resources/subscriptions'
| extend mgParentSize = array_length(properties.managementGroupAncestorsChain)
| where mgParentSize == 1
| project recommendationId="mg-1", name, id, tags
```
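One way to act on the query results, as an added example that is not part of the original guidance or the library's own code: the script lists subscriptions sitting directly under the tenant root and, only when told to, moves them under a workload management group. It assumes Azure CLI with the resource-graph extension; the management group name `landing-zones` and the `APPLY` switch are hypothetical.

```shell
# Added example. Assumes Azure CLI with the resource-graph extension installed
# and a signed-in identity allowed to move subscriptions. The target management
# group name and the APPLY switch are hypothetical names chosen for this example.

# Same filter as the Resource Graph query above, returning IDs and names.
MG1_QUERY="resourcecontainers
| where type == 'microsoft.resources/subscriptions'
| where array_length(properties.managementGroupAncestorsChain) == 1
| project subscriptionId, name"

# Print one "subscriptionId<TAB>name" line per subscription under the root.
list_root_subscriptions() {
  az graph query -q "$MG1_QUERY" --first 1000 \
    --query "data[].[subscriptionId, name]" -o tsv
}

# Move every listed subscription under management group $1.
# Dry run unless APPLY=1: the move changes which policy and role assignments
# the subscription inherits, so review the list first.
move_root_subscriptions() {
  target_mg="$1"
  count=0
  tab="$(printf '\t')"
  while IFS="$tab" read -r sub_id sub_name; do
    [ -n "$sub_id" ] || continue
    if [ "${APPLY:-0}" = "1" ]; then
      az account management-group subscription add \
        --name "$target_mg" --subscription "$sub_id" >/dev/null || return 1
      echo "moved $sub_name ($sub_id) -> $target_mg"
    else
      echo "would move $sub_name ($sub_id) -> $target_mg"
    fi
    count=$((count + 1))
  done <<EOF
$(list_root_subscriptions)
EOF
  echo "total: $count"
}
```

Run `move_root_subscriptions landing-zones` to preview the moves, then repeat with `APPLY=1` set once the list has been reviewed.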