Azure Management Groups Overview

Azure management groups documentation

Azure management groups help you organize your resources and subscriptions.

About Azure Governance
    Overview: Overview of management services in Azure

About Azure management groups
    Overview: Azure management groups

Get started
    Quickstart: Create a management group (Portal)
    Quickstart: Create a management group (Azure CLI)
    Quickstart: Create a management group (Azure PowerShell)
    Quickstart: Create a management group (.NET)
    Quickstart: Create a management group (Go)
    Quickstart: Create a management group (JavaScript)
    Quickstart: Create a management group (Python)
    Quickstart: Create a management group (REST)
    Quickstart: Deploy resources to management group (ARM templates)
    How-to guide: Manage your resource hierarchy
    How-to guide: Protect your resource hierarchy

Reference
    Azure CLI
    Azure PowerShell
    Azure SDK for .NET
    Azure SDK for Go
    Azure SDK for JavaScript
    Azure SDK for Python
    REST
    Resource Manager templates


What are the Azure Management areas?
Article • 03/20/2022

Governance in Azure is one aspect of Azure Management. This article covers the
different areas of management for deploying and maintaining your resources in Azure.

Management refers to the tasks and processes required to maintain your business
applications and the resources that support them. Azure has many services and tools
that work together to provide complete management. These services aren't only for
resources in Azure, but also in other clouds and on-premises. Understanding the
different tools and how they work together is the first step in designing a complete
management environment.

The following diagram illustrates the different areas of management that are required to
maintain any application or resource. These different areas can be thought of as a
lifecycle. Each area is required in continuous succession over the lifespan of a resource.
This resource lifecycle starts with the initial deployment, through continued operation,
and finally when retired.

No single Azure service completely fills the requirements of a particular management
area. Instead, each is realized by several services working together. Some services, such
as Application Insights, provide targeted monitoring functionality for web applications.
Others, like Azure Monitor logs, store management data for other services. This feature
allows you to analyze data of different types collected by different services.
The following sections briefly describe the different management areas and provide
links to detailed content on the main Azure services intended to address them.

Monitor
Monitoring is the act of collecting and analyzing data to audit the performance, health,
and availability of your resources. An effective monitoring strategy helps you
understand the operation of components and to increase your uptime with notifications.
Read an overview of Monitoring that covers the different services used for monitoring
Azure applications and resources.

Configure
Configure refers to the initial deployment and configuration of resources and ongoing
maintenance. Automation of these tasks allows you to eliminate redundancy, minimizing
your time and effort and increasing your accuracy and efficiency. Azure Automation
provides the bulk of services for automating configuration tasks. While runbooks handle
process automation, configuration and update management help manage
configuration.

Govern
Governance provides mechanisms and processes to maintain control over your
applications and resources in Azure. It involves planning your initiatives and setting
strategic priorities. Governance in Azure is primarily implemented with two services.
Azure Policy allows you to create, assign, and manage policy definitions to enforce rules
for your resources. This feature keeps those resources in compliance with your corporate
standards. Azure Cost Management allows you to track cloud usage and expenditures
for your Azure resources and other cloud providers.

Secure
Manage the security of your resources and data. A security program involves assessing
threats, collecting and analyzing data, and compliance of your applications and
resources. Security monitoring and threat analysis are provided by Microsoft Defender
for Cloud, which includes unified security management and advanced threat protection
across hybrid cloud workloads. See Introduction to Azure Security for comprehensive
information and guidance on securing Azure resources.

Protect
Protection refers to keeping your applications and data available, even with outages that
are beyond your control. Protection in Azure is provided by two services. Azure Backup
provides backup and recovery of your data, either in the cloud or on-premises. Azure
Site Recovery provides business continuity and immediate recovery during a disaster.

Migrate
Migration refers to transitioning workloads currently running on-premises to the Azure
cloud. Azure Migrate is a service that helps you assess the migration suitability of on-
premises virtual machines to Azure. Azure Site Recovery migrates virtual machines from
on-premises or from Amazon Web Services. Azure Database Migration Service assists
you in migrating database sources to Azure Data platforms.

Next Steps
To learn more about Azure Governance, see these articles:

Azure Governance hub
Governance in the Cloud Adoption Framework for Azure

What are Azure management groups?
Article • 04/21/2023

If your organization has many Azure subscriptions, you may need a way to efficiently
manage access, policies, and compliance for those subscriptions. Management groups
provide a governance scope above subscriptions. You organize subscriptions into
management groups; the governance conditions you apply cascade by inheritance to all
associated subscriptions.

Management groups give you enterprise-grade management at scale no matter what
type of subscriptions you might have. However, all subscriptions within a single
management group must trust the same Azure Active Directory (Azure AD) tenant.

For example, you can apply policies to a management group that limits the regions
available for virtual machine (VM) creation. This policy would be applied to all nested
management groups, subscriptions, and resources, and allow VM creation only in
authorized regions.

Hierarchy of management groups and subscriptions

You can build a flexible structure of management groups and subscriptions to organize
your resources into a hierarchy for unified policy and access management. The following
diagram shows an example of creating a hierarchy for governance using management
groups.

You can create a hierarchy that applies a policy, for example, which limits VM locations
to the West US region in the management group called "Corp". This policy will inherit
onto all the Enterprise Agreement (EA) subscriptions that are descendants of that
management group and will apply to all VMs under those subscriptions. This security
policy can't be altered by the resource or subscription owner, allowing for improved
governance.

Note

Management groups aren't currently supported in Cost Management features for
Microsoft Customer Agreement (MCA) subscriptions.

Another scenario where you would use management groups is to provide user access to
multiple subscriptions. By moving multiple subscriptions under that management group,
you can create one Azure role assignment on the management group, which will inherit
that access to all the subscriptions. One assignment on the management group can
enable users to have access to everything they need instead of scripting Azure RBAC
over different subscriptions.

Important facts about management groups


10,000 management groups can be supported in a single directory.
A management group tree can support up to six levels of depth.
This limit doesn't include the Root level or the subscription level.
Each management group and subscription can only support one parent.
Each management group can have many children.
All subscriptions and management groups are within a single hierarchy in each
directory. See Important facts about the Root management group.

Root management group for each directory


Each directory is given a single top-level management group called the root
management group. The root management group is built into the hierarchy to have all
management groups and subscriptions fold up to it. This root management group
allows for global policies and Azure role assignments to be applied at the directory level.
The Azure AD Global Administrator needs to elevate themselves to the User Access
Administrator role on this root group initially. After elevating access, the administrator
can assign any Azure role to other directory users or groups to manage the hierarchy,
including assigning their own account as Owner of the root management group. Treat the
elevation as a break-glass step: it's recorded in the directory's activity log, and the
elevated access should be removed once the delegated assignments are in place.
Important facts about the root management group
By default, the root management group's display name is Tenant root group and
operates itself as a management group. The ID is the same value as the Azure
Active Directory (Azure AD) tenant ID.
To change the display name, your account must be assigned the Owner or
Contributor role on the root management group. See Change the name of a
management group to update the name of a management group.
The root management group can't be moved or deleted, unlike other management
groups.
All subscriptions and management groups fold up to the one root management
group within the directory.
All resources in the directory fold up to the root management group for global
management.
New subscriptions are automatically defaulted to the root management group
when created.
All Azure customers can see the root management group, but not all customers
have access to manage that root management group.
Everyone who has access to a subscription can see the context of where that
subscription is in the hierarchy.
No one is given default access to the root management group. Azure AD Global
Administrators are the only users that can elevate themselves to gain access.
Once they have access to the root management group, the global
administrators can assign any Azure role to other users to manage it.

Important

Any assignment of user access or policy on the root management group applies to
all resources within the directory. Because of this, all customers should evaluate
the need to have items defined on this scope. User access and policy assignments
should be "Must Have" only at this scope.

Initial setup of management groups


When any user starts using management groups, there's an initial setup process that
happens. The first step is the root management group is created in the directory. Once
this group is created, all existing subscriptions that exist in the directory are made
children of the root management group. The reason for this process is to make sure
there's only one management group hierarchy within a directory. The single hierarchy
within the directory allows administrative customers to apply global access and policies
that other customers within the directory can't bypass. Anything assigned on the root
will apply to the entire hierarchy, which includes all management groups, subscriptions,
resource groups, and resources within that Azure AD tenant.

Management group access


Azure management groups support Azure role-based access control (Azure RBAC) for all
resource accesses and role definitions. These permissions are inherited to child
resources that exist in the hierarchy. Any Azure role can be assigned to a management
group that will inherit down the hierarchy to the resources. For example, the Azure role
VM contributor can be assigned to a management group. This role has no action on the
management group, but will inherit to all VMs under that management group.

The following chart shows the list of roles and the supported actions on management
groups.

Azure Role Name             Create  Rename  Move**  Delete  Assign Access  Assign Policy  Read
Owner                       X       X       X       X       X              X              X
Contributor                 X       X       X       X                                     X
MG Contributor*             X       X       X       X                                     X
Reader                                                                                    X
MG Reader*                                                                                X
Resource Policy Contributor                                                X
User Access Administrator                                   X                              X

*: The Management Group Contributor and Management Group Reader roles allow
users to perform those actions only on the management group scope.

**: Role assignments on the root management group aren't required to move a
subscription or management group to and from it.

See Manage your resources with management groups for details on moving items
within the hierarchy.

Azure custom role definition and assignment


You can define a management group as an assignable scope in an Azure custom role
definition. The Azure custom role will then be available for assignment on that
management group and any management group, subscription, resource group, or
resource under it. The custom role will inherit down the hierarchy like any built-in role.
For information about the limitations with custom roles and management groups, see
Limitations.

Example definition
Defining and creating a custom role doesn't change with the inclusion of management
groups. Use the full path to define the management group:
/providers/[Link]/managementgroups/{groupId}.

Use the management group's ID, not its display name. Mixing the two is a common error
because both are user-defined fields when creating a management group, and Resource
Manager won't reject a scope that names a group which doesn't exist (see Limitations).

JSON

...
{
    "Name": "MG Test Custom Role",
    "Id": "id",
    "IsCustom": true,
    "Description": "This role provides members understand custom roles.",
    "Actions": [
        "[Link]/managementgroups/delete",
        "[Link]/managementgroups/read",
        "[Link]/managementgroup/write",
        "[Link]/managementgroup/subscriptions/delete",
        "[Link]/managementgroup/subscriptions/write",
        "[Link]/subscriptions/read",
        "[Link]/policyAssignments/*",
        "[Link]/policyDefinitions/*",
        "[Link]/policySetDefinitions/*",
        "[Link]/*",
        "[Link]/roleAssignments/*",
        "[Link]/roledefinitions/*"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
        "/providers/[Link]/managementGroups/ContosoCorporate"
    ]
}
...

Issues with breaking the role definition and assignment hierarchy path

A role definition can have its assignable scope anywhere within the management group
hierarchy, so a role definition can be defined on a parent management group while the
actual role assignment exists on a child subscription. Because the assignment depends on
the definition, you'll receive an error when a move would separate the assignment from its
definition.

For example, let's look at a small section of a hierarchy for a visual.

Let's say there's a custom role defined on the Sandbox management group. That
custom role is then assigned on the two Sandbox subscriptions.

If we try to move one of those subscriptions to be a child of the Corp management
group, this move would break the path from the subscription's role assignment to the
Sandbox management group's role definition. In this scenario, you'll receive an error
saying the move isn't allowed since it would break this relationship.

There are a few ways to fix this scenario:

Remove the role assignment from the subscription before moving the subscription
to a new parent MG.
Add the subscription to the role definition's assignable scope.
Change the assignable scope within the role definition. In the above example, you
can update the assignable scopes from Sandbox to the root management group
so that the definition can be reached by both branches of the hierarchy.
Create another custom role that is defined in the other branch. This new role
requires the role assignment to be changed on the subscription also.

Limitations
There are limitations that exist when using custom roles on management groups.

You can only define one management group in the assignable scopes of a new
role. This limitation is in place to reduce the number of situations where role
definitions and role assignments are disconnected. This situation happens when a
subscription or management group with a role assignment moves to a different
parent that doesn't have the role definition.
Resource provider data plane actions can't be defined in management group
custom roles. This restriction is in place as there's a latency issue with updating the
data plane resource providers. This latency issue is being worked on and these
actions will be disabled from the role definition to reduce any risks.
Azure Resource Manager doesn't validate the management group's existence in
the role definition's assignable scope. If there's a typo or an incorrect management
group ID listed, the role definition is still created.
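As an added example (not from the Azure documentation or any Microsoft tool), here is a preflight validator for a custom role definition of the shape shown under "Example definition" above, checking the constraints listed under Limitations: the full /providers/Microsoft.Management/managementGroups/{id} path, an ID rather than a display name, a single management group in AssignableScopes, and no data-plane actions. Because Resource Manager doesn't verify that the management group exists, it also checks the ID against a caller-supplied set of known IDs. The known IDs, the two role definitions and the validate_mg_custom_role name are all assumptions made for the example.

```python
"""Preflight checks for a custom role definition that targets a management group.

Added example; not from the Azure documentation and not Microsoft code. The known
management group IDs and both role definitions are constructed for illustration.
In practice the known IDs would come from `az account management-group list`.
"""
from __future__ import annotations

import json
import re

# Full scope path of a management group, as the text gives it; the ID is the last segment.
MG_SCOPE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/([^/]+)$",
                      re.IGNORECASE)


def validate_mg_custom_role(role: dict, known_mg_ids: set[str]) -> list[str]:
    """Return the problems found; an empty list means the definition passes every check."""
    problems: list[str] = []
    known = {mg_id.lower() for mg_id in known_mg_ids}

    mg_scopes = [s for s in role.get("AssignableScopes", [])
                 if s.lower().startswith("/providers/microsoft.management/")]
    if not mg_scopes:
        problems.append("AssignableScopes names no management group")
    elif len(mg_scopes) > 1:
        problems.append(f"AssignableScopes names {len(mg_scopes)} management groups; "
                        "only one is allowed")

    for scope in mg_scopes:
        match = MG_SCOPE.match(scope)
        if not match:
            problems.append(f"malformed management group scope: {scope}")
            continue
        mg_id = match.group(1)
        if " " in mg_id:
            # IDs can't contain spaces; a space almost always means the display name was used.
            problems.append(f"'{mg_id}' looks like a display name; use the management group ID")
        elif mg_id.lower() not in known:
            # ARM would still create the definition, so this is the only place it gets caught.
            problems.append(f"management group ID '{mg_id}' is unknown "
                            "(Resource Manager would accept it anyway)")

    if role.get("DataActions") or role.get("NotDataActions"):
        problems.append("data-plane actions are not allowed in a management group custom role")
    if not role.get("IsCustom", False):
        problems.append("IsCustom must be true")
    return problems


# Constructed data for the example; IDs, names and actions are illustrative.
KNOWN_MG_IDS = {"ContosoCorporate", "Sandbox", "Corp"}

GOOD_ROLE = json.loads("""{
  "Name": "MG Policy Operator",
  "IsCustom": true,
  "Description": "Assigns policy at one management group",
  "Actions": ["Microsoft.Management/managementGroups/read",
              "Microsoft.Authorization/policyAssignments/*"],
  "NotActions": [], "DataActions": [], "NotDataActions": [],
  "AssignableScopes": ["/providers/Microsoft.Management/managementGroups/ContosoCorporate"]
}""")

BAD_ROLE = {
    "Name": "MG Broad Role",
    "IsCustom": True,
    "Actions": ["Microsoft.Management/managementGroups/read"],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "AssignableScopes": [
        "/providers/Microsoft.Management/managementGroups/Contoso Corporate",  # display name
        "/providers/Microsoft.Management/managementGroups/Sandbx",             # typo in the ID
        "/subscriptions/00000000-0000-0000-0000-000000000000",
    ],
}

if __name__ == "__main__":
    for name, role in (("good", GOOD_ROLE), ("bad", BAD_ROLE)):
        print(name, validate_mg_custom_role(role, KNOWN_MG_IDS) or "ok")
```

Run it before `az role definition create`: the four findings on BAD_ROLE are exactly the mistakes the Limitations section says Resource Manager won't catch or will reject only at assignment time.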

Moving management groups and subscriptions


To move a management group or subscription to be a child of another management
group, three conditions must all be true.

If you're doing the move action, you need:

Management group write and role assignment write permissions on the child
subscription or management group.
    Built-in role example: Owner
Management group write access on the target parent management group.
    Built-in role example: Owner, Contributor, Management Group Contributor
Management group write access on the existing parent management group.
    Built-in role example: Owner, Contributor, Management Group Contributor

Exception: If the target or the existing parent management group is the root
management group, the permission requirements on it don't apply. Since the root
management group is the default landing spot for all new management groups and
subscriptions, you don't need permissions on it to move an item.

If the Owner role on the subscription is inherited from the current management group,
your move targets are limited. You can only move the subscription to another
management group where you have the Owner role. You can't move it to a
management group where you're a Contributor because you would lose ownership of
the subscription. If you're directly assigned to the Owner role for the subscription (not
inherited from the management group), you can move it to any management group
where you're assigned the Contributor role.
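The move rules above, as an added example that is not Microsoft's code: a small model of a hierarchy and the caller's direct role assignments, with inheritance modelled by walking each node's ancestors up to the root, and a can_move check that applies the three conditions, the root exception, and the inherited-Owner restriction. The hierarchy, the assignments and the function names are constructed for the example; a real check would take the assignments from az role assignment list at each scope.

```python
"""Preflight evaluation of a subscription or management group move.

Added example, not Microsoft code. The hierarchy and the caller's role assignments
below are constructed; the role names come from the page's role table.
"""
from __future__ import annotations

from dataclasses import dataclass

ROOT = "root"  # stands in for the tenant root group, whose real ID is the tenant ID

# Built-in roles that carry the two permissions a move needs (assumption: the
# User Access Administrator role is included because it grants role assignment write).
MG_WRITE_ROLES = {"Owner", "Contributor", "Management Group Contributor"}
ROLE_ASSIGNMENT_WRITE_ROLES = {"Owner", "User Access Administrator"}


@dataclass
class Hierarchy:
    parent: dict[str, str]            # child -> parent; the root has no entry
    assignments: dict[str, set[str]]  # scope -> roles assigned directly to the caller

    def chain(self, node: str) -> list[str]:
        """The node followed by its ancestors up to the root."""
        path = [node]
        while path[-1] in self.parent:
            path.append(self.parent[path[-1]])
        return path

    def effective_roles(self, node: str) -> set[str]:
        """Roles on the node, including those inherited from every ancestor."""
        return set().union(*(self.assignments.get(n, set()) for n in self.chain(node)))

    def has_direct(self, node: str, role: str) -> bool:
        return role in self.assignments.get(node, set())


def can_move(h: Hierarchy, item: str, target: str) -> tuple[bool, list[str]]:
    """Return (allowed, reasons) for moving `item` under `target`."""
    reasons: list[str] = []
    current = h.parent[item]
    on_item = h.effective_roles(item)

    # Condition 1: management group write and role assignment write on the item itself.
    if not (on_item & MG_WRITE_ROLES and on_item & ROLE_ASSIGNMENT_WRITE_ROLES):
        reasons.append(f"need management group write and role assignment write on {item}")

    # Conditions 2 and 3: management group write on the target and on the current
    # parent, except that the root management group needs no permission either way.
    for label, mg in (("target", target), ("current parent", current)):
        if mg != ROOT and not (h.effective_roles(mg) & MG_WRITE_ROLES):
            reasons.append(f"need management group write on {label} {mg}")

    # Inherited Owner: the move would drop the inherited assignment, so the target
    # must grant Owner too. A directly assigned Owner travels with the item.
    if "Owner" in on_item and not h.has_direct(item, "Owner"):
        if "Owner" not in h.effective_roles(target):
            reasons.append(f"Owner on {item} is inherited; target {target} grants no Owner")

    return (not reasons, reasons)


# Constructed hierarchy: root -> Corp -> Landing -> sub-b; root -> Sandbox -> sub-a
PARENTS = {"Corp": ROOT, "Sandbox": ROOT, "Landing": "Corp", "sub-a": "Sandbox", "sub-b": "Landing"}


def sandbox_owner_inherited() -> Hierarchy:
    """Caller is Owner on Sandbox (inherited by sub-a) and Contributor on Corp."""
    return Hierarchy(PARENTS, {"Sandbox": {"Owner"}, "Corp": {"Contributor"}})


def sandbox_owner_direct() -> Hierarchy:
    """Same, but the caller also holds Owner directly on sub-a."""
    return Hierarchy(PARENTS, {"Sandbox": {"Owner"}, "sub-a": {"Owner"}, "Corp": {"Contributor"}})


if __name__ == "__main__":
    for h in (sandbox_owner_inherited(), sandbox_owner_direct()):
        print(can_move(h, "sub-a", "Corp"))
```

The two sample hierarchies reproduce the paragraph above: with Owner inherited from Sandbox the move to Corp is refused even though Contributor on Corp satisfies condition 2, and with Owner assigned directly on the subscription the same move goes through.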

Important

Azure Resource Manager caches management group hierarchy details for up to 30
minutes. As a result, moving a management group may not immediately be
reflected in the Azure portal.

Audit management groups using activity logs


Management groups are supported within Azure Activity log. You can search all events
that happen to a management group in the same central location as other Azure
resources. For example, you can see all role assignments or policy assignment changes
made to a particular management group.

When looking to query on management groups outside the Azure portal, the target
scope for management groups looks like
"/providers/[Link]/managementGroups/{management-group-id}".

Note

Using the Azure Resource Manager REST API, you can enable diagnostic settings on
a management group to send related Azure Activity log entries to a Log Analytics
workspace, Azure Storage, or Azure Event Hub. For more information, see
Management Group Diagnostic Settings - Create Or Update.
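As an added example that is not part of the page or of Azure Monitor, here is detection logic run over a few constructed Activity Log records: it keeps only successful role, policy and hierarchy changes whose resourceId sits under the management group scope path given above, and reports changes on the root group (recognised by its ID, the tenant ID) at higher severity because anything assigned there applies to the whole directory. The record fields used (operationName.value, caller, resourceId, status.value) are from the Activity Log schema; the GUIDs, principal names and the flag_mg_changes name are assumptions.

```python
"""Flag governance changes at management group scope in exported Activity Log records.

Added example; not part of the Azure documentation and not an Azure Monitor feature.
The records, tenant ID and principals below are constructed for illustration.
"""
from __future__ import annotations

import re

MG_PATH = re.compile(r"^/providers/Microsoft\.Management/managementGroups/([^/]+)",
                     re.IGNORECASE)

# Operations that change access, policy, or the hierarchy itself (lower-cased for matching).
WATCHED_OPERATIONS = {
    "microsoft.authorization/roleassignments/write",
    "microsoft.authorization/roleassignments/delete",
    "microsoft.authorization/policyassignments/write",
    "microsoft.authorization/policyassignments/delete",
    "microsoft.management/managementgroups/write",
    "microsoft.management/managementgroups/delete",
    "microsoft.management/managementgroups/subscriptions/write",
    "microsoft.management/managementgroups/subscriptions/delete",
}


def mg_scope_of(resource_id: str | None) -> str | None:
    """Management group ID if the resource ID sits under a management group scope."""
    match = MG_PATH.match(resource_id or "")
    return match.group(1) if match else None


def flag_mg_changes(events: list[dict], tenant_id: str) -> list[dict]:
    """Return one alert per successful watched operation at management group scope."""
    alerts = []
    for event in events:
        operation = event.get("operationName", {}).get("value", "").lower()
        if operation not in WATCHED_OPERATIONS:
            continue
        if event.get("status", {}).get("value") != "Succeeded":
            continue  # Started and Failed records for the same operation are ignored
        mg_id = mg_scope_of(event.get("resourceId"))
        if mg_id is None:
            continue  # subscription- or resource-scope change; not this detector's job
        severity = "high" if mg_id.lower() == tenant_id.lower() else "medium"
        alerts.append({"managementGroup": mg_id, "operation": operation,
                       "caller": event.get("caller"), "severity": severity})
    return alerts


TENANT_ID = "11111111-2222-3333-4444-555555555555"  # constructed
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed records; GUIDs and principal names are placeholders.
SAMPLE_EVENTS = [
    {"operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "caller": "admin@contoso.example", "status": {"value": "Succeeded"},
     "resourceId": f"{MG_PREFIX}{TENANT_ID}/providers/Microsoft.Authorization/roleAssignments/aaaa"},
    {"operationName": {"value": "Microsoft.Authorization/policyAssignments/write"},
     "caller": "gov@contoso.example", "status": {"value": "Succeeded"},
     "resourceId": f"{MG_PREFIX}Corp/providers/Microsoft.Authorization/policyAssignments/allowed-regions"},
    {"operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "caller": "dev@contoso.example", "status": {"value": "Succeeded"},
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                   "/providers/Microsoft.Authorization/roleAssignments/bbbb"},
    {"operationName": {"value": "Microsoft.Management/managementGroups/subscriptions/write"},
     "caller": "dev@contoso.example", "status": {"value": "Failed"},
     "resourceId": f"{MG_PREFIX}Sandbox/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"operationName": {"value": "Microsoft.Management/managementGroups/delete"},
     "caller": "gov@contoso.example", "status": {"value": "Succeeded"},
     "resourceId": f"{MG_PREFIX}Landing"},
]

if __name__ == "__main__":
    for alert in flag_mg_changes(SAMPLE_EVENTS, TENANT_ID):
        print(alert)
```

Of the five sample records, the subscription-scope role assignment and the failed subscription move are dropped; the root-scope role assignment comes out at high severity, since that is the one change that reaches every subscription in the directory.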

Next steps
To learn more about management groups, see:

Create management groups to organize Azure resources
How to change, delete, or manage your management groups
See options for How to protect your resource hierarchy

Quickstart: Create a management group
Article • 12/13/2021

Management groups are containers that help you manage access, policy, and
compliance across multiple subscriptions. Create these containers to build an effective
and efficient hierarchy that can be used with Azure Policy and Azure role-based access
control (Azure RBAC). For more information on management groups, see Organize your
resources with Azure management groups.

The first management group created in the directory could take up to 15 minutes to
complete. There are processes that run the first time to set up the management groups
service within Azure for your directory. You receive a notification when the process is
complete. For more information, see initial setup of management groups.

Prerequisites
If you don't have an Azure subscription, create a free account before you begin.

Any Azure AD user in the tenant can create a management group, even without the
management group write permission, as long as hierarchy protection isn't enabled.
The new management group becomes a child of the root management group (or of the
default management group, if one is configured) and its creator is given an Owner
role assignment on it. The service allows this so that role assignments aren't
needed at the root level: no one has access to the root management group when it's
created, and requiring an Azure AD Global Admin to elevate first would be a hurdle to
getting started. Leave this open only while you bootstrap the hierarchy; see Protect
your resource hierarchy for enabling hierarchy protection so that creating management
groups requires management group write permission.

Create in portal
1. Log into the Azure portal .

2. Select All services > Management + governance.

3. Select Management Groups.

4. Select + Add management group.


5. Leave Create new selected and fill in the management group ID field.

    The Management Group ID is the directory unique identifier that is used to
    submit commands on this management group. This identifier isn't editable
    after creation as it's used throughout the Azure system to identify this group.
    The root management group is automatically created with an ID that is the
    Azure Active Directory ID. For all other management groups, assign a unique
    ID.

    The display name field is the name that is displayed within the Azure portal. A
    separate display name is an optional field when creating the management
    group and can be changed at any time.

6. Select Save.

Clean up resources
To remove the management group created, follow these steps:

1. Select All services > Management + governance.

2. Select Management Groups.

3. Find the management group created above, select it, then select Details next to
the name. Then select Delete and confirm the prompt.

Next steps
In this quickstart, you created a management group to organize your resource hierarchy.
The management group can hold subscriptions or other management groups.

To learn more about management groups and how to manage your resource hierarchy,
continue to:

Manage your resources with management groups


Quickstart: Create a management group
with the Azure CLI
Article • 04/13/2023

Management groups are containers that help you manage access, policy, and
compliance across multiple subscriptions. Create these containers to build an effective
and efficient hierarchy that can be used with Azure Policy and Azure role-based access
control (Azure RBAC). For more information on management groups, see Organize your
resources with Azure management groups.

The first management group created in the directory could take up to 15 minutes to
complete. There are processes that run the first time to set up the management groups
service within Azure for your directory. You receive a notification when the process is
complete. For more information, see initial setup of management groups.

Prerequisites
If you don't have an Azure subscription, create a free account before you begin.

This quickstart requires that you run Azure CLI version 2.0.76 or later to install and
use the CLI locally. To find the version, run az --version. If you need to install or
upgrade, see Install Azure CLI.

Any Azure AD user in the tenant can create a management group, even without the
management group write permission, as long as hierarchy protection isn't enabled.
The new management group becomes a child of the root management group (or of the
default management group, if one is configured) and its creator is given an Owner
role assignment on it. The service allows this so that role assignments aren't
needed at the root level: no one has access to the root management group when it's
created, and requiring an Azure AD Global Admin to elevate first would be a hurdle to
getting started. Leave this open only while you bootstrap the hierarchy; see Protect
your resource hierarchy for enabling hierarchy protection so that creating management
groups requires management group write permission.

Azure Cloud Shell


Azure hosts Azure Cloud Shell, an interactive shell environment that you can use
through your browser. You can use either Bash or PowerShell with Cloud Shell to work
with Azure services. You can use the Cloud Shell preinstalled commands to run the code
in this article, without having to install anything on your local environment.
To start Azure Cloud Shell, use one of these options:

Select Try It in the upper-right corner of a code or command block. Selecting Try It
doesn't automatically copy the code or command to Cloud Shell.
Go to [Link] , or select the Launch Cloud Shell button to open Cloud Shell in your
browser.
Select the Cloud Shell button on the menu bar at the upper right in the Azure portal.
To use Azure Cloud Shell:

1. Start Cloud Shell.

2. Select the Copy button on a code block (or command block) to copy the code or
command.

3. Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V
on Windows and Linux, or by selecting Cmd+Shift+V on macOS.

4. Select Enter to run the code or command.

Create in the Azure CLI


For Azure CLI, use the az account management-group create command to create a new
management group. In this example, the management group name is Contoso.

Azure CLI

az account management-group create --name 'Contoso'

The name is a unique identifier being created. This ID is used by other commands to
reference this group and it can't be changed later.

If you want the management group to show a different name within the Azure portal,
add the display-name parameter. For example, to create a management group with the
GroupName of Contoso and the display name of "Contoso Group", use the following
command:

Azure CLI

az account management-group create --name 'Contoso' --display-name 'Contoso Group'

In the preceding examples, the new management group is created under the root
management group. To specify a different management group as the parent, use the
parent parameter and provide the name of the parent group.

Azure CLI

az account management-group create --name 'ContosoSubGroup' --parent 'Contoso'

Clean up resources
To remove the management group created above, use the az account management-group
delete command:

Azure CLI

az account management-group delete --name 'Contoso'

Next steps
In this quickstart, you created a management group to organize your resource hierarchy.
The management group can hold subscriptions or other management groups.

To learn more about management groups and how to manage your resource hierarchy,
continue to:

Manage your resources with management groups


Quickstart: Create a management group
with Azure PowerShell
Article • 05/11/2023

Management groups are containers that help you manage access, policy, and
compliance across multiple subscriptions. Create these containers to build an effective
and efficient hierarchy that can be used with Azure Policy and Azure role-based access
control (Azure RBAC). For more information on management groups, see Organize your
resources with Azure management groups.

The first management group created in the directory could take up to 15 minutes to
complete. There are processes that run the first time to set up the management groups
service within Azure for your directory. You receive a notification when the process is
complete. For more information, see initial setup of management groups.

Prerequisites
If you don't have an Azure subscription, create a free account before you begin.

Before you start, make sure that the latest version of Azure PowerShell is installed.
See Install Azure PowerShell module for detailed information.

Any Azure AD user in the tenant can create a management group, even without the
management group write permission, as long as hierarchy protection isn't enabled.
The new management group becomes a child of the root management group (or of the
default management group, if one is configured) and its creator is given an Owner
role assignment on it. The service allows this so that role assignments aren't
needed at the root level: no one has access to the root management group when it's
created, and requiring an Azure AD Global Admin to elevate first would be a hurdle to
getting started. Leave this open only while you bootstrap the hierarchy; see Protect
your resource hierarchy for enabling hierarchy protection so that creating management
groups requires management group write permission.

Create in Azure PowerShell


For PowerShell, use the New-AzManagementGroup cmdlet to create a new
management group. In this example, the management group GroupName is Contoso.

Azure PowerShell

New-AzManagementGroup -GroupName 'Contoso'

The GroupName is a unique identifier being created. This ID is used by other commands
to reference this group and it can't be changed later.

If you want the management group to show a different name within the Azure portal,
add the DisplayName parameter. For example, to create a management group with the
GroupName of Contoso and the display name of "Contoso Group", use the following
cmdlet:

Azure PowerShell

New-AzManagementGroup -GroupName 'Contoso' -DisplayName 'Contoso Group'


In the preceding examples, the new management group is created under the root
management group. To specify a different management group as the parent, use the
ParentId parameter.

Azure PowerShell

$parentGroup = Get-AzManagementGroup -GroupName Contoso
New-AzManagementGroup -GroupName 'ContosoSubGroup' -ParentId $[Link]

Clean up resources
To remove the management group created above, use the Remove-AzManagementGroup
cmdlet:

Azure PowerShell

Remove-AzManagementGroup -GroupName 'Contoso'

Next steps
In this quickstart, you created a management group to organize your resource hierarchy.
The management group can hold subscriptions or other management groups.

To learn more about management groups and how to manage your resource hierarchy,
continue to:

Manage your resources with management groups


Quickstart: Create a management group
with .NET Core
Article • 08/17/2021

Management groups are containers that help you manage access, policy, and
compliance across multiple subscriptions. Create these containers to build an effective
and efficient hierarchy that can be used with Azure Policy and Azure role-based access
control (Azure RBAC). For more information on management groups, see Organize your
resources with Azure management groups.

The first management group created in the directory could take up to 15 minutes to
complete. There are processes that run the first time to set up the management groups
service within Azure for your directory. You receive a notification when the process is
complete. For more information, see initial setup of management groups.

Prerequisites
If you don't have an Azure subscription, create a free account before you begin.

An Azure service principal, including the clientId and clientSecret. If you don't have
a service principal for use with Azure Policy or want to create a new one, see Azure
management libraries for .NET authentication. Skip the step to install the .NET Core
packages as we'll do that in the next steps.

Any Azure AD user in the tenant can create a management group without the
management group write permission assigned to that user if hierarchy protection
isn't enabled. This new management group becomes a child of the Root
Management Group or the default management group, and the creator is given an
"Owner" role assignment. The management group service allows this so that
role assignments aren't needed at the root level. No users have access to the Root
Management Group when it's created. To avoid the hurdle of finding the Azure AD
Global Admins to start using management groups, we allow the creation of the
initial management groups at the root level.

Azure Cloud Shell


Azure hosts Azure Cloud Shell, an interactive shell environment that you can use
through your browser. You can use either Bash or PowerShell with Cloud Shell to work
with Azure services. You can use the Cloud Shell preinstalled commands to run the code
in this article, without having to install anything on your local environment.

To start Azure Cloud Shell:

Option Example/Link

Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell.

Go to [Link] , or select the Launch Cloud Shell button to open Cloud Shell in your browser.

Select the Cloud Shell button on the menu bar at the upper right in the Azure portal .

To use Azure Cloud Shell:

1. Start Cloud Shell.

2. Select the Copy button on a code block (or command block) to copy the code or
command.

3. Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V
on Windows and Linux, or by selecting Cmd+Shift+V on macOS.

4. Select Enter to run the code or command.

Application setup
To enable .NET Core to manage management groups, create a new console application
and install the required packages.

1. Check that the latest .NET Core is installed (at least 3.1.8). If it isn't yet installed,
download it at [Link] .

2. Initialize a new .NET Core console application named "mgCreate":

.NET CLI

dotnet new console --name "mgCreate"

3. Change directories into the new project folder and install the required packages
for Azure Policy:
.NET CLI

# Add the Azure Policy package for .NET Core
dotnet add package [Link] --version 1.1.1-preview

# Add the Azure app auth package for .NET Core
dotnet add package [Link] --version 1.6.1

4. Replace the default [Link] with the following code and save the updated file:

C#

using System;
using [Link];
using [Link];
using [Link];
using [Link];
using [Link];
using [Link];

namespace mgCreate
{
    class Program
    {
        static async Task Main(string[] args)
        {
            // Tenant, service principal credentials and the new group's ID and display name come from the command line
            string strTenant = args[0];
            string strClientId = args[1];
            string strClientSecret = args[2];
            string strGroupId = args[3];
            string strDisplayName = args[4];

            // Acquire a token for Azure Resource Manager with the service principal's client credentials
            var authContext = new AuthenticationContext($"[Link]");
            var authResult = await [Link](
                "[Link]",
                new ClientCredential(strClientId, strClientSecret));

            using (var client = new ManagementGroupsAPIClient(new TokenCredentials([Link])))
            {
                var mgRequest = new CreateManagementGroupRequest
                {
                    DisplayName = strDisplayName
                };
                // Create (or update) the management group under the root management group
                var response = await [Link](strGroupId, mgRequest);
            }
        }
    }
}

5. Build and publish the mgCreate console application:

.NET CLI

dotnet build
dotnet publish -o {run-folder}

Create the management group


In this quickstart, you create a new management group in the root management group.

1. Change directories to the {run-folder} you defined with the previous dotnet
publish command.

2. Enter the following command in the terminal:

Bash

[Link] `
"{tenantId}" `
"{clientId}" `
"{clientSecret}" `
"{groupID}" `
"{displayName}"

The preceding commands use the following information:

{tenantId} - Replace with your tenant ID
{clientId} - Replace with the client ID of your service principal
{clientSecret} - Replace with the client secret of your service principal
{groupID} - Replace with the ID for your new management group
{displayName} - Replace with the friendly name for your new management group

The result is a new management group in the root management group.

Clean up resources
Delete the new management group through the portal.
If you wish to remove the .NET Core console application and installed packages,
delete the mgCreate project folder.

Next steps
In this quickstart, you created a management group to organize your resource hierarchy.
The management group can hold subscriptions or other management groups.

To learn more about management groups and how to manage your resource hierarchy,
continue to:

Manage your resources with management groups


Quickstart: Create a management group
with Go
Article • 04/19/2023

Management groups are containers that help you manage access, policy, and
compliance across multiple subscriptions. Create these containers to build an effective
and efficient hierarchy that can be used with Azure Policy and Azure Role Based Access
Controls. For more information on management groups, see Organize your resources
with Azure management groups.

The first management group created in the directory could take up to 15 minutes to
complete. There are processes that run the first time to set up the management groups
service within Azure for your directory. You receive a notification when the process is
complete. For more information, see initial setup of management groups.

Prerequisites
If you don't have an Azure subscription, create a free account before you begin.

An Azure service principal, including the clientId and clientSecret. If you don't have
a service principal for use with Azure Policy or want to create a new one, see Azure
management libraries for .NET authentication. Skip the step to install the .NET Core
packages as we'll do that in the next steps.

Any Azure AD user in the tenant can create a management group without the
management group write permission assigned to that user if hierarchy protection
isn't enabled. This new management group becomes a child of the Root
Management Group or the default management group, and the creator is given an
"Owner" role assignment. The management group service allows this so that
role assignments aren't needed at the root level. No users have access to the Root
Management Group when it's created. To avoid the hurdle of finding the Azure AD
Global Admins to start using management groups, we allow the creation of the
initial management groups at the root level.

Azure Cloud Shell


Azure hosts Azure Cloud Shell, an interactive shell environment that you can use
through your browser. You can use either Bash or PowerShell with Cloud Shell to work
with Azure services. You can use the Cloud Shell preinstalled commands to run the code
in this article, without having to install anything on your local environment.

To start Azure Cloud Shell:

Option Example/Link

Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell.

Go to [Link] , or select the Launch Cloud Shell button to open Cloud Shell in your browser.

Select the Cloud Shell button on the menu bar at the upper right in the Azure portal .

To use Azure Cloud Shell:

1. Start Cloud Shell.

2. Select the Copy button on a code block (or command block) to copy the code or
command.

3. Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V
on Windows and Linux, or by selecting Cmd+Shift+V on macOS.

4. Select Enter to run the code or command.

Add the management group package


To enable Go to manage management groups, the package must be added. This
package works wherever Go can be used, including bash on Windows 10 or locally
installed.

1. Check that the latest Go is installed (at least 1.15). If it isn't yet installed, download
it at [Link] .

2. Check that the latest Azure CLI is installed (at least 2.5.1). If it isn't yet installed, see
Install the Azure CLI.

Note

Azure CLI is required to enable Go to use the [Link]() method in the following
example. For information about other options, see Azure SDK for Go - More
authentication details .

3. Authenticate through Azure CLI.

Azure CLI

az login

4. In your Go environment of choice, install the required packages for management
groups:

Bash

# Add the management group package for Go
go install [Link]/Azure/azure-sdk-for-go/services/resources/mgmt/2020-05-01/managementgroups@latest

# Add the Azure auth package for Go
go install [Link]/Azure/go-autorest/autorest/azure/auth@latest

Application setup
With the Go packages added to your environment of choice, it's time to set up the Go
application that can create a management group.

1. Create the Go application and save the following source as [Link] :

Go

package main

import (
	"context"
	"fmt"
	"os"

	mg "[Link]/Azure/azure-sdk-for-go/services/resources/mgmt/2020-05-01/managementgroups"
	"[Link]/Azure/go-autorest/autorest/azure/auth"
)

func main() {
	// Get variables from command line arguments
	var mgName = [Link][1]

	// Create and authorize a client (Azure CLI login is the token source)
	mgClient := [Link]()
	authorizer, err := [Link]()
	if err == nil {
		[Link] = authorizer
	} else {
		[Link]([Link]())
	}

	// Create the request
	Request := [Link]{
		Name: &mgName,
	}

	// Run the query and get the results
	var results, queryErr = [Link]([Link](), mgName, Request, "no-cache")
	if queryErr == nil {
		[Link]("Results: " + [Link](results) + "\n")
	} else {
		[Link]([Link]())
	}
}

2. Build the Go application:

Bash

go build [Link]

3. Create a management group using the compiled Go application. Replace <Name>
with the name of your new management group:

Bash

mgCreate "<Name>"

The result is a new management group in the root management group.

Clean up resources
If you wish to remove the installed packages from your Go environment, you can do so
by using the following command:

Bash

# Remove the installed packages from the Go environment
go clean -i [Link]/Azure/azure-sdk-for-go/services/resources/mgmt/2020-05-01/managementgroups
go clean -i [Link]/Azure/go-autorest/autorest/azure/auth

Next steps
In this quickstart, you created a management group to organize your resource hierarchy.
The management group can hold subscriptions or other management groups.

To learn more about management groups and how to manage your resource hierarchy,
continue to:

Manage your resources with management groups


Quickstart: Create a management group
with JavaScript
Article • 06/20/2022

Management groups are containers that help you manage access, policy, and
compliance across multiple subscriptions. Create these containers to build an effective
and efficient hierarchy that can be used with Azure Policy and Azure Role Based Access
Controls. For more information on management groups, see Organize your resources
with Azure management groups.

The first management group created in the directory could take up to 15 minutes to
complete. There are processes that run the first time to set up the management groups
service within Azure for your directory. You receive a notification when the process is
complete. For more information, see initial setup of management groups.

Prerequisites
If you don't have an Azure subscription, create a free account before you begin.

Before you start, make sure that at least version 12 of [Link] is installed.

Any Azure AD user in the tenant can create a management group without the
management group write permission assigned to that user if hierarchy protection
isn't enabled. This new management group becomes a child of the Root
Management Group or the default management group, and the creator is given an
"Owner" role assignment. The management group service allows this so that
role assignments aren't needed at the root level. No users have access to the Root
Management Group when it's created. To avoid the hurdle of finding the Azure AD
Global Admins to start using management groups, we allow the creation of the
initial management groups at the root level.

Azure Cloud Shell


Azure hosts Azure Cloud Shell, an interactive shell environment that you can use
through your browser. You can use either Bash or PowerShell with Cloud Shell to work
with Azure services. You can use the Cloud Shell preinstalled commands to run the code
in this article, without having to install anything on your local environment.

To start Azure Cloud Shell:

Option Example/Link

Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell.

Go to [Link] , or select the Launch Cloud Shell button to open Cloud Shell in your browser.

Select the Cloud Shell button on the menu bar at the upper right in the Azure portal .

To use Azure Cloud Shell:

1. Start Cloud Shell.

2. Select the Copy button on a code block (or command block) to copy the code or
command.

3. Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V
on Windows and Linux, or by selecting Cmd+Shift+V on macOS.

4. Select Enter to run the code or command.

Application setup
To enable JavaScript to manage management groups, the environment must be set up.
This setup works wherever JavaScript can be used, including bash on Windows 10.

1. Set up a new [Link] project by running the following command.

Bash

npm init -y

2. Add a reference to the yargs module.

Bash

npm install yargs

3. Add a reference to the Azure Resource Graph module.

Bash
npm install @azure/arm-managementgroups

4. Add a reference to the Azure authentication library.

Bash

npm install @azure/identity

Note

Verify in [Link] that @azure/arm-managementgroups is version 2.0.1 or higher
and @azure/identity is version 2.0.4 or higher.

Create the management group


1. Create a new file named [Link] and enter the following code.

JavaScript

const argv = require("yargs").argv;

const { InteractiveBrowserCredential } = require("@azure/identity");
const { ManagementGroupsAPI } = require("@azure/arm-managementgroups");

// Only run when both the group ID and the display name were passed on the command line
if ([Link] && [Link]) {
  const createMG = async () => {
    // Interactive sign-in in the browser; the signed-in user's rights decide whether the call succeeds
    const credentials = new InteractiveBrowserCredential();
    const client = new ManagementGroupsAPI(credentials);
    const result = await [Link](
      [Link],
      {
        displayName: [Link]
      }
    );
    [Link](result);
  };

  createMG();
}

2. Enter the following command in the terminal:

Bash

node [Link] --groupID "<NEW_MG_GROUP_ID>" --displayName "<NEW_MG_FRIENDLY_NAME>"

Make sure to replace each token <> placeholder with your management group ID
and management group friendly name, respectively.

As the script attempts to authenticate, a message similar to the following message
is displayed in the terminal:

To sign in, use a web browser to open the page [Link] and enter the code FGB56WJUGK to
authenticate.

Once you authenticate in the browser, then the script continues to run.

The result of creating the management group is output to the console.

Clean up resources
If you wish to remove the installed libraries from your application, run the following
command.

Bash

npm uninstall @azure/arm-managementgroups @azure/identity yargs

Next steps
In this quickstart, you created a management group to organize your resource hierarchy.
The management group can hold subscriptions or other management groups.

To learn more about management groups and how to manage your resource hierarchy,
continue to:

Manage your resources with management groups


Quickstart: Create a management group
with Python
Article • 04/28/2022

Management groups are containers that help you manage access, policy, and
compliance across multiple subscriptions. Create these containers to build an effective
and efficient hierarchy that can be used with Azure Policy and Azure Role Based Access
Controls. For more information on management groups, see Organize your resources
with Azure management groups.

The first management group created in the directory could take up to 15 minutes to
complete. There are processes that run the first time to set up the management groups
service within Azure for your directory. You receive a notification when the process is
complete. For more information, see initial setup of management groups.

Prerequisites
If you don't have an Azure subscription, create a free account before you begin.

Any Azure AD user in the tenant can create a management group without the
management group write permission assigned to that user if hierarchy protection
isn't enabled. This new management group becomes a child of the Root
Management Group or the default management group, and the creator is given an
"Owner" role assignment. The management group service allows this so that
role assignments aren't needed at the root level. No users have access to the Root
Management Group when it's created. To avoid the hurdle of finding the Azure AD
Global Admins to start using management groups, we allow the creation of the
initial management groups at the root level.

Azure Cloud Shell


Azure hosts Azure Cloud Shell, an interactive shell environment that you can use
through your browser. You can use either Bash or PowerShell with Cloud Shell to work
with Azure services. You can use the Cloud Shell preinstalled commands to run the code
in this article, without having to install anything on your local environment.

To start Azure Cloud Shell:

Option Example/Link

Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell.

Go to [Link] , or select the Launch Cloud Shell button to open Cloud Shell in your browser.

Select the Cloud Shell button on the menu bar at the upper right in the Azure portal .

To use Azure Cloud Shell:

1. Start Cloud Shell.

2. Select the Copy button on a code block (or command block) to copy the code or
command.

3. Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V
on Windows and Linux, or by selecting Cmd+Shift+V on macOS.

4. Select Enter to run the code or command.

Add the Resource Graph library


To enable Python to manage management groups, the library must be added. This
library works wherever Python can be used, including bash on Windows 10 or locally
installed.

1. Check that the latest Python is installed (at least 3.8). If it isn't yet installed,
download it at [Link] .

2. Check that the latest Azure CLI is installed (at least 2.5.1). If it isn't yet installed, see
Install the Azure CLI.

Note

Azure CLI is required to enable Python to use the CLI-based authentication in
the following examples. For information about other options, see
Authenticate using the Azure management libraries for Python.

3. Authenticate through Azure CLI.


Azure CLI

az login

4. In your Python environment of choice, install the required libraries for
management groups:

Bash

# Add the management groups library for Python
pip install azure-mgmt-managementgroups

# Add the Resources library for Python
pip install azure-mgmt-resource

# Add the CLI Core library for Python for authentication (development only!)
pip install azure-cli-core

Note

If Python is installed for all users, these commands must be run from an
elevated console.

5. Validate that the libraries have been installed. azure-mgmt-managementgroups should
be 0.2.0 or higher, azure-mgmt-resource should be 9.0.0 or higher, and azure-cli-core
should be 2.5.0 or higher.

Bash

# Check each installed library
pip show azure-mgmt-managementgroups azure-mgmt-resource azure-cli-core

Create the management group

1. Create the Python script and save the following source as [Link] :

Python

# Import management group classes
from [Link] import ManagementGroupsAPI

# Import specific methods and models from other libraries
from [Link] import get_azure_cli_credentials
from [Link].client_factory import get_client_from_cli_profile
from [Link] import ResourceManagementClient, SubscriptionClient


# Wrap all the work in a function
def createmanagementgroup(strName):
    # Get your credentials from Azure CLI (development only!) and get your subscription list
    subsClient = get_client_from_cli_profile(SubscriptionClient)
    subsRaw = []
    for sub in [Link]():
        [Link](sub.as_dict())
    subsList = []
    for sub in subsRaw:
        [Link]([Link]('subscription_id'))

    # Create management group client and set options
    mgClient = get_client_from_cli_profile(ManagementGroupsAPI)
    mg_request = {'name': strName, 'display_name': strName}

    # Create management group
    mg = mgClient.management_groups.create_or_update(group_id=strName, create_management_group_request=mg_request)

    # Show results
    print(mg)


createmanagementgroup("MyNewMG")

2. Authenticate with Azure CLI with az login .

3. Enter the following command in the terminal:

Bash

py [Link]

The result of creating the management group is output to the console as an LROPoller
object.

Clean up resources
If you wish to remove the installed libraries from your Python environment, you can do
so by using the following command:

Bash
# Remove the installed libraries from the Python environment
pip uninstall azure-mgmt-managementgroups azure-mgmt-resource azure-cli-core

Next steps
In this quickstart, you created a management group to organize your resource hierarchy.
The management group can hold subscriptions or other management groups.

To learn more about management groups and how to manage your resource hierarchy,
continue to:

Manage your resources with management groups


Quickstart: Create a management group
with REST API
Article • 08/17/2021

Management groups are containers that help you manage access, policy, and
compliance across multiple subscriptions. Create these containers to build an effective
and efficient hierarchy that can be used with Azure Policy and Azure Role Based Access
Controls. For more information on management groups, see Organize your resources
with Azure management groups.

The first management group created in the directory could take up to 15 minutes to
complete. There are processes that run the first time to set up the management groups
service within Azure for your directory. You receive a notification when the process is
complete. For more information, see initial setup of management groups.

Prerequisites
If you don't have an Azure subscription, create a free account before you begin.

If you haven't already, install ARMClient . It's a tool that sends HTTP requests to
Azure Resource Manager-based REST APIs. Instead, you can use the "Try It" feature
in REST documentation or tooling like PowerShell's Invoke-RestMethod or
Postman .

Any Azure AD user in the tenant can create a management group without the
management group write permission assigned to that user if hierarchy protection
isn't enabled. This new management group becomes a child of the Root
Management Group or the default management group, and the creator is given an
"Owner" role assignment. The management group service allows this so that
role assignments aren't needed at the root level. No users have access to the Root
Management Group when it's created. To avoid the hurdle of finding the Azure AD
Global Admins to start using management groups, we allow the creation of the
initial management groups at the root level.

Azure Cloud Shell


Azure hosts Azure Cloud Shell, an interactive shell environment that you can use
through your browser. You can use either Bash or PowerShell with Cloud Shell to work
with Azure services. You can use the Cloud Shell preinstalled commands to run the code
in this article, without having to install anything on your local environment.

To start Azure Cloud Shell:

Option Example/Link

Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell.

Go to [Link] , or select the Launch Cloud Shell button to open Cloud Shell in your browser.

Select the Cloud Shell button on the menu bar at the upper right in the Azure portal .

To use Azure Cloud Shell:

1. Start Cloud Shell.

2. Select the Copy button on a code block (or command block) to copy the code or
command.

3. Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V
on Windows and Linux, or by selecting Cmd+Shift+V on macOS.

4. Select Enter to run the code or command.

Create in REST API

For REST API, use the Management Groups - Create or Update endpoint to create a new
management group. In this example, the management group groupId is Contoso.

REST API URI

HTTP

PUT
[Link]
roups/Contoso?api-version=2020-05-01

No Request Body

The groupId is a unique identifier being created. This ID is used by other commands to
reference this group and it can't be changed later.

If you want the management group to show a different name within the Azure portal,
add the [Link] property in the request body. For example, to create a
management group with the groupId of Contoso and the display name of Contoso
Group, use the following endpoint and request body:

REST API URI

HTTP

PUT
[Link]
roups/Contoso?api-version=2020-05-01

Request Body

JSON

{
  "properties": {
    "displayName": "Contoso Group"
  }
}

In the preceding examples, the new management group is created under the root
management group. To specify a different management group as the parent, use the
[Link] property.

REST API URI

HTTP

PUT
[Link]
roups/Contoso?api-version=2020-05-01

Request Body

JSON

{
  "properties": {
    "displayName": "Contoso Group",
    "parent": {
      "id": "/providers/[Link]/managementGroups/HoldingGroup"
    }
  }
}
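The three PUT requests above differ only in their request body. The following Python helper is an added example, not code from this quickstart: it builds the method, URL and body for the Management Groups - Create or Update call from a group ID, an optional display name and an optional parent (given either as a bare ID such as HoldingGroup or as a full resource ID), and builds the matching DELETE request. It assumes the Azure Resource Manager endpoint https://management.azure.com, the 2020-05-01 API version used above and the resource path /providers/Microsoft.Management/managementGroups/{groupId}; the group-ID character rule it enforces is a conservative assumption, not taken from this page, and exists so that a malformed ID (one containing a slash, a question mark or whitespace) is rejected before it can change the request path or query string.

```python
"""Build Management Groups - Create or Update and Delete requests.

Added example, not code from the quickstart. Assumptions (labelled):
  * ARM endpoint https://management.azure.com and API version 2020-05-01.
  * Resource path /providers/Microsoft.Management/managementGroups/{groupId}.
  * The group-ID rule below is a conservative assumption, not from this page.
"""
import json
import re
from typing import Optional, Tuple

ARM_ENDPOINT = "https://management.azure.com"
API_VERSION = "2020-05-01"
MG_PATH_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Assumed rule: letters, digits, '-', '_', '.', '(' and ')', 1-90 characters,
# not ending in a period. Anything else (slashes, '?', spaces) is rejected so
# the ID can never alter the request path or the query string.
_GROUP_ID_RE = re.compile(r"[A-Za-z0-9._()\-]{1,90}")

Request = Tuple[str, str, Optional[dict]]  # (method, url, body or None)


def validate_group_id(group_id: str) -> str:
    """Return group_id unchanged if it satisfies the assumed rule, else raise ValueError."""
    if not _GROUP_ID_RE.fullmatch(group_id) or group_id.endswith("."):
        raise ValueError(f"invalid management group ID: {group_id!r}")
    return group_id


def management_group_resource_id(group_id_or_path: str) -> str:
    """Accept a bare ID ('HoldingGroup') or a full resource ID; return the full resource ID."""
    bare = group_id_or_path
    if bare.startswith(MG_PATH_PREFIX):
        bare = bare[len(MG_PATH_PREFIX):]
    return MG_PATH_PREFIX + validate_group_id(bare)


def _url(group_id: str) -> str:
    return f"{ARM_ENDPOINT}{management_group_resource_id(group_id)}?api-version={API_VERSION}"


def build_create_request(group_id: str, display_name: Optional[str] = None,
                         parent: Optional[str] = None) -> Request:
    """PUT request for Create or Update; body is None when no request body is needed."""
    properties = {}
    if display_name is not None:
        properties["displayName"] = display_name
    if parent is not None:
        properties["parent"] = {"id": management_group_resource_id(parent)}
    body = {"properties": properties} if properties else None
    return "PUT", _url(group_id), body


def build_delete_request(group_id: str) -> Request:
    """DELETE request for the Management Groups - Delete endpoint (never has a body)."""
    return "DELETE", _url(group_id), None


def render(request: Request) -> str:
    """Format a request the way the quickstart shows it: method, URI, then body or 'No Request Body'."""
    method, url, body = request
    text = f"{method} {url}\n"
    text += json.dumps(body, indent=2) if body is not None else "No Request Body"
    return text


if __name__ == "__main__":
    print(render(build_create_request("Contoso")))
    print(render(build_create_request("Contoso", "Contoso Group", "HoldingGroup")))
    print(render(build_delete_request("Contoso")))
```

The helper only produces the request; sending it with the tool of your choice (ARMClient, Invoke-RestMethod, Postman) is unchanged. Building the URL from a validated ID rather than string-concatenating user input is the point: a caller-supplied group ID is part of the request path, so it is checked before it reaches the URL.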

Clean up resources
To remove the management group created above, use the Management Groups -
Delete endpoint:

REST API URI

HTTP

DELETE
[Link]
roups/Contoso?api-version=2020-05-01

No Request Body

Next steps
In this quickstart, you created a management group to organize your resource hierarchy.
The management group can hold subscriptions or other management groups.

To learn more about management groups and how to manage your resource hierarchy,
continue to:

Manage your resources with management groups


Azure Resource Graph sample queries
for management groups
Article • 03/08/2023

This page is a collection of Azure Resource Graph sample queries for management
groups. For a complete list of Azure Resource Graph samples, see Resource Graph
samples by Category and Resource Graph samples by Table.

Sample queries

Count of subscriptions per management group

Summarizes the count of subscriptions in each management group.

Kusto

ResourceContainers
| where type =~ '[Link]/managementgroups'
| project mgname = name
| join kind=leftouter (resourcecontainers | where type=~ '[Link]/subscriptions' | extend mgParent = [Link] | project id, mgname = tostring(mgParent[0].name)) on mgname
| summarize count() by mgname

Azure CLI

Azure CLI

az graph query -q "ResourceContainers | where type =~ '[Link]/managementgroups' | project mgname = name | join kind=leftouter (resourcecontainers | where type=~ '[Link]/subscriptions' | extend mgParent = [Link] | project id, mgname = tostring(mgParent[0].name)) on mgname | summarize count() by mgname"

List all management group ancestors for a specified management group

Provides the management group hierarchy details for the management group specified
in the query scope. In this example, the management group is named Application.

Kusto

ResourceContainers
| where type =~ '[Link]/managementgroups'
| extend mgParent = [Link]
| mv-expand with_itemindex=MGHierarchy mgParent
| project name, [Link], mgParent, MGHierarchy, [Link]

Azure CLI

Azure CLI

az graph query -q "ResourceContainers | where type =~ '[Link]/managementgroups' | extend mgParent = [Link] | mv-expand with_itemindex=MGHierarchy mgParent | project name, [Link], mgParent, MGHierarchy, [Link]" --management-groups Application

List all management group ancestors for a specified subscription

Provides the management group hierarchy details for the subscription specified in the
query scope. In this example, the subscription GUID is 11111111-1111-1111-1111-111111111111.

Kusto

ResourceContainers
| where type =~ '[Link]/subscriptions'
| extend mgParent = [Link]
| mv-expand with_itemindex=MGHierarchy mgParent
| project subscriptionId, name, mgParent, MGHierarchy, [Link]

Azure CLI

Azure CLI

az graph query -q "ResourceContainers | where type =~ '[Link]/subscriptions' | extend mgParent = [Link] | mv-expand with_itemindex=MGHierarchy mgParent | project subscriptionId, name, mgParent, MGHierarchy, [Link]" --subscriptions 11111111-1111-1111-1111-111111111111

List all subscriptions under a specified management group

Provides the name and subscription ID of all subscriptions under the management
group specified in the query scope. In this example, the management group is named
Application.

Kusto

ResourceContainers
| where type =~ '[Link]/subscriptions'
| project subscriptionId, name

Azure CLI

Azure CLI

az graph query -q "ResourceContainers | where type =~ '[Link]/subscriptions' | project subscriptionId, name" --management-groups Application

Secure score per management group


Returns secure score per management group.

Kusto

SecurityResources
| where type == '[Link]/securescores'
| project subscriptionId,
subscriptionTotal = iff([Link] == 0, 0.00,
round(tolong([Link]) *
todouble([Link])/tolong([Link]),2)),
weight = tolong(iff([Link] == 0, 1, [Link]))
| join kind=leftouter (
ResourceContainers
| where type == '[Link]/subscriptions' and [Link]
== 'Enabled'
| project subscriptionId,
mgChain=[Link] )
on subscriptionId
| mv-expand mg=mgChain
| summarize sumSubs = sum(subscriptionTotal), sumWeight = sum(weight),
resultsNum = count() by tostring([Link]), mgId = tostring([Link])
| extend secureScore = iff(tolong(resultsNum) == 0, 404.00,
round(sumSubs/sumWeight*100,2))
| project mgName=mg_displayName, mgId, sumSubs, sumWeight, resultsNum,
secureScore
| order by mgName asc

Azure CLI

Azure CLI

az graph query -q "SecurityResources | where type == '[Link]/securescores' | project subscriptionId, subscriptionTotal = iff([Link] == 0, 0.00, round(tolong([Link]) * todouble([Link])/tolong([Link]),2)), weight = tolong(iff([Link] == 0, 1, [Link])) | join kind=leftouter ( ResourceContainers | where type == '[Link]/subscriptions' and [Link] == 'Enabled' | project subscriptionId, mgChain=[Link] ) on subscriptionId | mv-expand mg=mgChain | summarize sumSubs = sum(subscriptionTotal), sumWeight = sum(weight), resultsNum = count() by tostring([Link]), mgId = tostring([Link]) | extend secureScore = iff(tolong(resultsNum) == 0, 404.00, round(sumSubs/sumWeight*100,2)) | project mgName=mg_displayName, mgId, sumSubs, sumWeight, resultsNum, secureScore | order by mgName asc"

Next steps
Learn more about the query language.
Learn more about how to explore resources.
See samples of Starter language queries.
See samples of Advanced language queries.
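The Resource Graph samples above each answer one question about the hierarchy. The following Python module is an added example, not one of the page's samples: it answers the same questions over constructed in-memory records shaped like ResourceContainers rows (name and properties.details.parent for management groups; subscriptionId and properties.managementGroupAncestorsChain for subscriptions), so it runs offline and can be compared against what the live queries return. The sample hierarchy (root-mg > Contoso > Application, plus an empty Sandbox group) and the subscription GUIDs are constructed. It goes slightly beyond the samples by detecting a dangling parent reference or a cycle when walking the chain instead of looping.

```python
"""Hierarchy helpers mirroring the Resource Graph samples above.

Added example, not part of the page's samples. Works over constructed records
shaped like ResourceContainers rows so that it runs offline.
"""
from typing import Dict, List, Optional, Tuple

# Constructed management groups: root-mg > Contoso > Application, plus an empty Sandbox.
MANAGEMENT_GROUPS: List[dict] = [
    {"name": "root-mg", "properties": {"displayName": "Tenant Root Group",
                                       "details": {"parent": None}}},
    {"name": "Contoso", "properties": {"displayName": "Contoso",
                                       "details": {"parent": {"name": "root-mg"}}}},
    {"name": "Application", "properties": {"displayName": "Application",
                                           "details": {"parent": {"name": "Contoso"}}}},
    {"name": "Sandbox", "properties": {"displayName": "Sandbox",
                                       "details": {"parent": {"name": "root-mg"}}}},
]

# Constructed subscriptions; managementGroupAncestorsChain lists the direct parent first.
SUBSCRIPTIONS: List[dict] = [
    {"subscriptionId": "11111111-1111-1111-1111-111111111111", "name": "app-prod",
     "properties": {"managementGroupAncestorsChain": [
         {"name": "Application"}, {"name": "Contoso"}, {"name": "root-mg"}]}},
    {"subscriptionId": "22222222-2222-2222-2222-222222222222", "name": "app-dev",
     "properties": {"managementGroupAncestorsChain": [
         {"name": "Application"}, {"name": "Contoso"}, {"name": "root-mg"}]}},
    {"subscriptionId": "33333333-3333-3333-3333-333333333333", "name": "shared-it",
     "properties": {"managementGroupAncestorsChain": [
         {"name": "Contoso"}, {"name": "root-mg"}]}},
]


def _parent_map(groups: List[dict]) -> Dict[str, Optional[str]]:
    """Map each management group name to its parent's name (None for the tenant root)."""
    return {g["name"]: (g["properties"]["details"].get("parent") or {}).get("name")
            for g in groups}


def management_group_ancestors(mg_name: str, groups: List[dict] = MANAGEMENT_GROUPS) -> List[str]:
    """Ancestors of a management group, direct parent first, up to the tenant root.

    Mirrors 'List all management group ancestors for a specified management group'.
    Raises KeyError for an unknown group or a dangling parent, ValueError for a cycle.
    """
    parents = _parent_map(groups)
    if mg_name not in parents:
        raise KeyError(f"unknown management group: {mg_name}")
    chain: List[str] = []
    seen = {mg_name}
    current = parents[mg_name]
    while current is not None:
        if current in seen:
            raise ValueError(f"cycle in hierarchy at {current}")
        if current not in parents:
            raise KeyError(f"dangling parent reference: {current}")
        seen.add(current)
        chain.append(current)
        current = parents[current]
    return chain


def subscription_ancestors(subscription_id: str, subs: List[dict] = SUBSCRIPTIONS) -> List[str]:
    """Ancestor chain of a subscription, as the 'ancestors for a specified subscription' sample lists it."""
    for sub in subs:
        if sub["subscriptionId"] == subscription_id:
            return [a["name"] for a in sub["properties"]["managementGroupAncestorsChain"]]
    raise KeyError(f"unknown subscription: {subscription_id}")


def subscriptions_per_group(groups: List[dict] = MANAGEMENT_GROUPS,
                            subs: List[dict] = SUBSCRIPTIONS) -> Dict[str, int]:
    """Directly attached subscriptions per management group, 0 for empty groups.

    Uses the direct parent, i.e. mgParent[0].name in the first sample query.
    """
    counts = {g["name"]: 0 for g in groups}
    for sub in subs:
        chain = sub["properties"]["managementGroupAncestorsChain"]
        if chain:
            counts[chain[0]["name"]] = counts.get(chain[0]["name"], 0) + 1
    return counts


def subscriptions_under(mg_name: str, subs: List[dict] = SUBSCRIPTIONS) -> List[Tuple[str, str]]:
    """(subscriptionId, name) of every subscription under a group, nested groups included.

    This is what scoping the sample query with --management-groups returns.
    """
    return [(s["subscriptionId"], s["name"]) for s in subs
            if any(a["name"] == mg_name for a in s["properties"]["managementGroupAncestorsChain"])]


if __name__ == "__main__":
    print(management_group_ancestors("Application"))
    print(subscriptions_per_group())
    print(subscriptions_under("Contoso"))
```

One difference the in-memory version makes visible: in the first Kusto sample, summarize count() runs after a leftouter join, so a management group with no subscriptions still contributes its one unmatched row and is reported with a count of 1, whereas subscriptions_per_group reports 0. When using that query to find unused groups, test the joined id for null instead of relying on the count.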

Manage your Azure subscriptions at
scale with management groups
Article • 03/08/2023

If your organization has many subscriptions, you may need a way to efficiently manage
access, policies, and compliance for those subscriptions. Azure management groups
provide a level of scope above subscriptions. You organize subscriptions into containers
called "management groups" and apply your governance conditions to the
management groups. All subscriptions within a management group automatically inherit
the conditions applied to the management group.

Management groups give you enterprise-grade management at a large scale no matter
what type of subscriptions you might have. To learn more about management groups,
see Organize your resources with Azure management groups.

Note

This article provides steps about how to delete personal data from the device or
service and can be used to support your obligations under the GDPR. For general
information about GDPR, see the GDPR section of the Microsoft Trust Center
and the GDPR section of the Service Trust portal .

Important

Azure Resource Manager user tokens and the management group cache last for 30 minutes before they're forced to refresh. After an action such as moving a management group or subscription, the change might take up to 30 minutes to show. To see the update sooner, refresh your token by reloading the browser, signing out and back in, or requesting a new token.

Important

In the AzManagementGroup Az PowerShell cmdlets, -GroupId is an alias of the -GroupName parameter, so either can be used to supply the management group ID as a string value.

Change the name of a management group

You can change the name of the management group by using the portal, PowerShell, or Azure CLI.

Change the name in the portal


1. Log into the Azure portal .

2. Select All services > Management groups.

3. Select the management group you would like to rename.

4. Select details.

5. Select the Rename group option at the top of the page.

6. When the menu opens, enter the new name you would like to have displayed.

7. Select Save.

Change the name in PowerShell

To update the display name use Update-AzManagementGroup. For example, to change a management group's display name from "Contoso IT" to "Contoso Group", you run the following command:

Azure PowerShell

Update-AzManagementGroup -GroupId 'ContosoIt' -DisplayName 'Contoso Group'


Change the name in Azure CLI

For Azure CLI, use the update command.

Azure CLI

az account management-group update --name 'Contoso' --display-name 'Contoso Group'

Delete a management group

To delete a management group, the following requirements must be met:

1. There are no child management groups or subscriptions under the management group. To move a subscription or management group to another management group, see Moving management groups and subscriptions in the hierarchy.

2. You need write permissions on the management group ("Owner", "Contributor", or "Management Group Contributor"). To see what permissions you have, select the management group and then select IAM. To learn more about Azure roles, see Azure role-based access control (Azure RBAC).

Delete in the portal


1. Log into the Azure portal .

2. Select All services > Management groups.

3. Select the management group you would like to delete.

4. Select details.

5. Select Delete.

Tip

If the icon is disabled, hovering your mouse pointer over the icon shows you the reason.

6. There's a window that opens confirming you want to delete the management
group.

7. Select Yes.

Delete in PowerShell
Use the Remove-AzManagementGroup command within PowerShell to delete
management groups.

Azure PowerShell

Remove-AzManagementGroup -GroupId 'Contoso'

Delete in Azure CLI


With Azure CLI, use the command az account management-group delete.

Azure CLI

az account management-group delete --name 'Contoso'

View management groups


You can view any management group you have a direct or inherited Azure role on.

View in the portal


1. Log into the Azure portal .

2. Select All services > Management groups.

3. The management group hierarchy page will load. This page is where you can
explore all the management groups and subscriptions you have access to.
Selecting the group name takes you to a lower level in the hierarchy. The
navigation works the same as a file explorer does.

4. To see the details of the management group, select the (details) link next to the
title of the management group. If this link isn't available, you don't have
permissions to view that management group.

View in PowerShell
You use the Get-AzManagementGroup command to retrieve all groups. See
[Link] modules for the full list of management group GET PowerShell commands.

Azure PowerShell

Get-AzManagementGroup

For a single management group's information, use the -GroupId parameter

Azure PowerShell

Get-AzManagementGroup -GroupId 'Contoso'

To return a specific management group and all the levels of the hierarchy under it, use the -Expand and -Recurse parameters.

Azure PowerShell

PS C:\> $response = Get-AzManagementGroup -GroupId TestGroupParent -Expand -Recurse
PS C:\> $response

Id                : /providers/[Link]/managementGroups/TestGroupParent
Type              : /providers/[Link]/managementGroups
Name              : TestGroupParent
TenantId          : 00000000-0000-0000-0000-000000000000
DisplayName       : TestGroupParent
UpdatedTime       : 2/1/2018 [Link] AM
UpdatedBy         : 00000000-0000-0000-0000-000000000000
ParentId          : /providers/[Link]/managementGroups/00000000-0000-0000-0000-000000000000
ParentName        : 00000000-0000-0000-0000-000000000000
ParentDisplayName : 00000000-0000-0000-0000-000000000000
Children          : {TestGroup1DisplayName, TestGroup2DisplayName}

PS C:\> $[Link][0]

Type        : /managementGroup
Id          : /providers/[Link]/managementGroups/TestGroup1
Name        : TestGroup1
DisplayName : TestGroup1DisplayName
Children    : {TestRecurseChild}

PS C:\> $[Link][0].Children[0]

Type        : /managementGroup
Id          : /providers/[Link]/managementGroups/TestRecurseChild
Name        : TestRecurseChild
DisplayName : TestRecurseChild
Children    :

View in Azure CLI


You use the list command to retrieve all groups.

Azure CLI

az account management-group list

For a single management group's information, use the show command

Azure CLI

az account management-group show --name 'Contoso'


To return a specific management group and all the levels of the hierarchy under it, use the --expand (-e) and --recurse (-r) options.

Azure CLI

az account management-group show --name 'Contoso' -e -r

Moving management groups and subscriptions

One reason to create a management group is to bundle subscriptions together. Only management groups and subscriptions can be made children of another management group. A subscription that moves to a management group inherits all user access and policies from the new parent management group, and stops inheriting those of its previous parent.

When moving a management group or subscription to be a child of another management group, three rules need to be evaluated as true.

If you're doing the move action, you need permission at each of the following layers:

Child subscription / management group
    [Link]/managementgroups/write
    [Link]/managementgroups/subscriptions/write (only for subscriptions)
    [Link]/roleAssignments/write
    [Link]/roleAssignments/delete
    [Link]/register/action

Target parent management group
    [Link]/managementgroups/write

Current parent management group
    [Link]/managementgroups/write

Exception: If the target or the existing parent management group is the Root management group, the permission requirements don't apply. Since the Root management group is the default landing spot for all new management groups and subscriptions, you don't need permissions on it to move an item.

If the Owner role on the subscription is inherited from the current management group, your move targets are limited. You can only move the subscription to another management group where you have the Owner role. You can't move the subscription to a management group where you're only a Contributor, because you would lose ownership of the subscription. If you're directly assigned the Owner role for the subscription, you can move it to any management group where you're a Contributor.

To see what permissions you have in the Azure portal, select the management group and then select IAM. To learn more about Azure roles, see Azure role-based access control (Azure RBAC).
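The inheritance and Owner rules above decide whether a move is allowed, but not what access a subscription actually gains and loses when it lands under a new parent. The Python example below, added for this page and not code from the Azure docs or an Azure SDK, computes that diff offline. It assumes the flat list shape returned by the Management Groups - Get Descendants REST API (one entry per management group or subscription, each carrying properties.parent.id), the standard Microsoft.Management provider namespace, and a constructed set of role and policy assignments keyed by scope; every name, ID and assignment in it is sample data.

```python
"""Predict what a subscription gains and loses when it moves between management groups.

Added example for this article; not code from the Azure docs or an Azure SDK.
Input shapes mirror the flat list returned by the Management Groups - Get Descendants
REST API (one entry per management group or subscription, each with
properties.parent.id) and a list of role/policy assignments keyed by scope.
All names, IDs and assignments below are constructed sample data.
"""

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
ROOT = MG_PREFIX + "00000000-0000-0000-0000-000000000000"  # root MG is named after the tenant ID (assumed)
SUB = "/subscriptions/12345678-1234-1234-1234-123456789012"


def _mg(name, parent):
    return {"id": MG_PREFIX + name, "name": name,
            "type": "Microsoft.Management/managementGroups",
            "properties": {"parent": {"id": parent}}}


# Constructed hierarchy: root -> Contoso -> ContosoIT -> SUB, and root -> Sandbox.
DESCENDANTS = [
    _mg("Contoso", ROOT),
    _mg("ContosoIT", MG_PREFIX + "Contoso"),
    _mg("Sandbox", ROOT),
    {"id": SUB, "name": SUB.rsplit("/", 1)[1], "type": "/subscriptions",
     "properties": {"parent": {"id": MG_PREFIX + "ContosoIT"}}},
]

# Constructed assignments: (scope, kind, description). Role assignments and policy
# assignments inherit down the hierarchy the same way, so both are handled together.
ASSIGNMENTS = [
    (ROOT, "role", "Reader -> sec-ops@contoso"),
    (MG_PREFIX + "Contoso", "policy", "Allowed locations"),
    (MG_PREFIX + "ContosoIT", "role", "Owner -> it-admins@contoso"),
    (MG_PREFIX + "Sandbox", "role", "Contributor -> all-devs@contoso"),
    (MG_PREFIX + "Sandbox", "policy", "Deny public IPs"),
]


def parent_map(descendants):
    """Resource ID -> parent management group ID, as given by properties.parent.id."""
    return {d["id"]: d["properties"]["parent"]["id"] for d in descendants}


def ancestors(parents, scope):
    """Scope chain from `scope` up to the root, nearest first. The root MG itself is
    never in a descendants list, so reaching it ends the walk."""
    chain = [scope]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain


def inherited(assignments, chain):
    """Assignments the scope at chain[0] inherits from the scopes above it."""
    above = set(chain[1:])
    return {(kind, what) for scope, kind, what in assignments if scope in above}


def move_impact(descendants, assignments, sub_id, target_mg):
    """Inherited assignments gained and lost if `sub_id` is re-parented under `target_mg`."""
    parents = parent_map(descendants)
    before = inherited(assignments, ancestors(parents, sub_id))
    after = inherited(assignments, [sub_id] + ancestors(parents, MG_PREFIX + target_mg))
    return {"gained": sorted(after - before), "lost": sorted(before - after)}


def loses_inherited_owner(impact):
    """True when the move drops an inherited Owner assignment: per the rules above the
    mover must then hold Owner on the target, or the move is refused."""
    return any(kind == "role" and what.startswith("Owner") for kind, what in impact["lost"])


if __name__ == "__main__":
    impact = move_impact(DESCENDANTS, ASSIGNMENTS, SUB, "Sandbox")
    for key in ("gained", "lost"):
        for kind, what in impact[key]:
            print(f"{key:7} {kind:6} {what}")
    if loses_inherited_owner(impact):
        print("warning: an inherited Owner is lost; confirm Owner on the target before moving")
```

Feed it the real descendants list and the output of Get-AzRoleAssignment -Scope and Get-AzPolicyAssignment -Scope for each ancestor to review a move before making it; an inherited Owner in the lost set is exactly the case the rules above say is refused unless you hold Owner on the target.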

Move subscriptions

Add an existing Subscription to a management group in the portal

1. Log into the Azure portal.

2. Select All services > Management groups.

3. Select the management group you're planning to be the parent.

4. At the top of the page, select Add subscription.

5. Select the subscription in the list with the correct ID.

6. Select "Save".

Remove a subscription from a management group in the portal

1. Log into the Azure portal.

2. Select All services > Management groups.

3. Select the management group that is the current parent.

4. Select the ellipsis at the end of the row for the subscription in the list you want to move.

5. Select Move.

6. On the menu that opens, select the Parent management group.

7. Select Save.

Move subscriptions in PowerShell

To move a subscription in PowerShell, you use the New-AzManagementGroupSubscription command.

Azure PowerShell

New-AzManagementGroupSubscription -GroupId 'Contoso' -SubscriptionId '12345678-1234-1234-1234-123456789012'

To remove the link between the subscription and the management group use the Remove-AzManagementGroupSubscription command.

Azure PowerShell

Remove-AzManagementGroupSubscription -GroupId 'Contoso' -SubscriptionId '12345678-1234-1234-1234-123456789012'

Move subscriptions in Azure CLI

To move a subscription in CLI, you use the add command.

Azure CLI

az account management-group subscription add --name 'Contoso' --subscription '12345678-1234-1234-1234-123456789012'

To remove the subscription from the management group, use the subscription remove command.

Azure CLI

az account management-group subscription remove --name 'Contoso' --subscription '12345678-1234-1234-1234-123456789012'

Move subscriptions in ARM template

To move a subscription in an Azure Resource Manager template (ARM template), use the following template and deploy it at tenant level.

JSON

{
    "$schema": "[Link]01/[Link]#",
    "contentVersion": "[Link]",
    "parameters": {
        "targetMgId": {
            "type": "string",
            "metadata": {
                "description": "Provide the ID of the management group that you want to move the subscription to."
            }
        },
        "subscriptionId": {
            "type": "string",
            "metadata": {
                "description": "Provide the ID of the existing subscription to move."
            }
        }
    },
    "resources": [
        {
            "scope": "/",
            "type": "[Link]/managementGroups/subscriptions",
            "apiVersion": "2020-05-01",
            "name": "[concat(parameters('targetMgId'), '/', parameters('subscriptionId'))]",
            "properties": {
            }
        }
    ],
    "outputs": {}
}

Or, the following Bicep file.

Bicep

targetScope = 'managementGroup'

@description('Provide the ID of the management group that you want to move the subscription to.')
param targetMgId string

@description('Provide the ID of the existing subscription to move.')
param subscriptionId string

resource subToMG '[Link]/managementGroups/subscriptions@2020-05-01' = {
  scope: tenant()
  name: '${targetMgId}/${subscriptionId}'
}

Move management groups

Move management groups in the portal


1. Log into the Azure portal .

2. Select All services > Management groups.

3. Select the management group you're planning to be the parent.

4. At the top of the page, select Add management group.

5. In the menu that opens, select whether you want to create a new management group or use an existing one.

   Selecting new will create a new management group.

   Selecting an existing one presents a dropdown list of all the management groups you can move to this management group.

6. Select Save.

Move management groups in PowerShell


Use the Update-AzManagementGroup command in PowerShell to move a management
group under a different group.

Azure PowerShell

$parentGroup = Get-AzManagementGroup -GroupId ContosoIT


Update-AzManagementGroup -GroupId 'Contoso' -ParentId $[Link]

Move management groups in Azure CLI


Use the update command to move a management group with Azure CLI.

Azure CLI

az account management-group update --name 'Contoso' --parent ContosoIT


Audit management groups using activity logs

Management groups are supported within Azure Activity Log. You can query all events that happen to a management group in the same central location as other Azure resources. For example, you can see all role assignment or policy assignment changes made to a particular management group.

When querying for management group events outside of the Azure portal, the target scope for management groups looks like "/providers/[Link]/managementGroups/{yourMgID}".
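As an added example for the detection side of this (not part of the original article), the Python below flags the role assignment, policy assignment, subscription-move and hierarchy-settings operations recorded at management-group scope, rating changes at the root group highest because they reach every subscription in the tenant. Records use the field names emitted by az monitor activity-log list in JSON output; the records themselves, the callers and the tenant ID used as the root group name are constructed.

```python
"""Flag privileged control-plane changes made at management-group scope.

Added example for this article, not code from the Azure docs. Each record uses the
field names of `az monitor activity-log list` JSON output (authorization.action,
authorization.scope, caller, status.value, eventTimestamp). The records below are
constructed, not captured from a real tenant; the root MG name is an assumed tenant ID.
"""
import re
from collections import Counter

MG_SCOPE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/([^/]+)", re.I)
ROOT_MG = "00000000-0000-0000-0000-000000000000"

# Operations that change who can do what, where subscriptions live, or how the
# hierarchy is protected. Keys are lowercased so matching is case-insensitive.
WATCHED = {
    "microsoft.authorization/roleassignments/write": "role assignment created",
    "microsoft.authorization/roleassignments/delete": "role assignment removed",
    "microsoft.authorization/policyassignments/write": "policy assignment changed",
    "microsoft.authorization/policyassignments/delete": "policy assignment removed",
    "microsoft.management/managementgroups/write": "management group created or moved",
    "microsoft.management/managementgroups/subscriptions/write": "subscription moved into group",
    "microsoft.management/managementgroups/subscriptions/delete": "subscription removed from group",
    "microsoft.management/managementgroups/settings/write": "hierarchy settings changed",
}


def _event(ts, caller, action, scope, status):
    return {"eventTimestamp": ts, "caller": caller, "status": {"value": status},
            "authorization": {"action": action, "scope": scope}}


MG = "/providers/Microsoft.Management/managementGroups/"
SAMPLE_EVENTS = [  # constructed sample records
    _event("2023-03-08T09:00:00Z", "alice@contoso.com", "Microsoft.Authorization/roleAssignments/write",
           f"{MG}{ROOT_MG}/providers/Microsoft.Authorization/roleAssignments/aaaa-1", "Started"),
    _event("2023-03-08T09:00:02Z", "alice@contoso.com", "Microsoft.Authorization/roleAssignments/write",
           f"{MG}{ROOT_MG}/providers/Microsoft.Authorization/roleAssignments/aaaa-1", "Succeeded"),
    _event("2023-03-08T09:05:00Z", "svc-landingzone@contoso.com", "Microsoft.Authorization/policyAssignments/write",
           f"{MG}Contoso/providers/Microsoft.Authorization/policyAssignments/allowed-locations", "Succeeded"),
    _event("2023-03-08T09:06:00Z", "svc-landingzone@contoso.com", "Microsoft.Management/managementGroups/subscriptions/write",
           f"{MG}Sandbox/subscriptions/12345678-1234-1234-1234-123456789012", "Succeeded"),
    _event("2023-03-08T09:07:00Z", "bob@contoso.com", "Microsoft.Compute/virtualMachines/write",
           "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1", "Succeeded"),
    _event("2023-03-08T09:08:00Z", "alice@contoso.com", "Microsoft.Authorization/roleAssignments/delete",
           f"{MG}ContosoIT/providers/Microsoft.Authorization/roleAssignments/bbbb-2", "Failed"),
]


def mg_of(scope):
    """Management group name from a scope path, or None if the scope is not MG-rooted."""
    m = MG_SCOPE.match(scope or "")
    return m.group(1) if m else None


def flag_events(events, root_mg=ROOT_MG):
    """Findings for watched actions at MG scope. 'Started' records are dropped because the
    same operation emits a Succeeded/Failed record with the outcome; a change at the root
    MG reaches every subscription in the tenant, so it is rated high."""
    findings = []
    for e in events:
        auth = e.get("authorization") or {}
        action = auth.get("action", "").lower()
        status = (e.get("status") or {}).get("value")
        mg = mg_of(auth.get("scope", ""))
        if mg is None or action not in WATCHED or status not in ("Succeeded", "Failed"):
            continue
        if status == "Failed":
            severity = "low"          # denied attempt: still worth a look, not a change
        elif mg.lower() == root_mg.lower():
            severity = "high"
        else:
            severity = "medium"
        findings.append({"time": e.get("eventTimestamp"), "caller": e.get("caller"),
                         "managementGroup": mg, "what": WATCHED[action],
                         "status": status, "severity": severity})
    return findings


def by_caller(findings):
    """Count findings per caller, a quick way to spot an unexpected principal."""
    return dict(Counter(f["caller"] for f in findings))


if __name__ == "__main__":
    for f in flag_events(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['time']} {f['caller']:30} {f['managementGroup']}: {f['what']} ({f['status']})")
```

Pipe real output into flag_events (for example json.load over az monitor activity-log list --offset 7d -o json) and review anything rated high, plus any caller that is not a known automation identity.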

Referencing management groups from other Resource Providers

When referencing management groups from other Resource Providers' actions, use the following path as the scope. This path is used with PowerShell, Azure CLI, and the REST APIs.

/providers/[Link]/managementGroups/{yourMgID}

An example of using this path is when creating a new role assignment on a management group in PowerShell:

Azure PowerShell

# -ObjectId and -RoleDefinitionName are placeholders added to make the command complete;
# New-AzRoleAssignment requires a principal and a role in addition to the scope.
New-AzRoleAssignment -ObjectId '<principal-object-id>' -RoleDefinitionName 'Reader' -Scope "/providers/[Link]/managementGroups/Contoso"

The same scope path is used when retrieving a policy definition at a management group.

HTTP

GET [Link]/MyManagementGroup/providers/[Link]/policyDefinitions/ResourceNaming?api-version=2019-09-01

Next steps
To learn more about management groups, see:

Create management groups to organize Azure resources


How to change, delete, or manage your management groups
Review management groups in Azure PowerShell Resources Module
Review management groups in REST API
Review management groups in Azure CLI
How to protect your resource hierarchy
Article • 08/17/2021

Your resources, resource groups, subscriptions, management groups, and tenant collectively make up your resource hierarchy. Settings at the root management group, such as Azure custom roles or Azure Policy policy assignments, can impact every resource in your resource hierarchy. It's important to protect the resource hierarchy from changes that could negatively impact all resources.

Management groups now have hierarchy settings that enable the tenant administrator
to control these behaviors. This article covers each of the available hierarchy settings
and how to set them.

Azure RBAC permissions for hierarchy settings


Configuring any of the hierarchy settings requires the following two resource provider
operations on the root management group:

[Link]/managementgroups/settings/write

[Link]/managementgroups/settings/read

These operations only allow a user to read and update the hierarchy settings. The
operations don't provide any other access to the management group hierarchy or
resources in the hierarchy. Both of these operations are available in the Azure built-in
role Hierarchy Settings Administrator.

Setting - Default management group

By default, a new subscription added within a tenant is added as a member of the root management group. If policy assignments, Azure role-based access control (Azure RBAC), and other governance constructs are assigned to the root management group, they immediately affect these new subscriptions. For this reason, many organizations don't apply these constructs at the root management group even though that is the desired place to assign them. In other cases, a more restrictive set of controls is desired for new subscriptions, but shouldn't be assigned to all subscriptions. This setting supports both use cases.

By allowing the default management group for new subscriptions to be defined, organization-wide governance constructs can be applied at the root management group, and a separate management group with policy assignments or Azure role assignments more suited to a new subscription can be defined.

Set default management group in portal


To configure this setting in the Azure portal, follow these steps:

1. Use the search bar to search for and select 'Management groups'.

2. On the root management group, select details next to the name of the
management group.

3. Under Settings, select Hierarchy settings.

4. Select the Change default management group button.

Note

If the Change default management group button is disabled, either the management group being viewed isn't the root management group or your security principal doesn't have the necessary permissions to alter the hierarchy settings.

5. Select a management group from your hierarchy and use the Select button.

Set default management group with REST API

To configure this setting with the REST API, the Hierarchy Settings endpoint is called. To do so, use the following REST API URI and body format. Replace {rootMgID} with the ID of your root management group and {defaultGroupID} with the ID of the management group to become the default management group:

REST API URI

HTTP

PUT [Link]roups/{rootMgID}/settings/default?api-version=2020-05-01

Request Body

JSON
{
"properties": {
"defaultManagementGroup":
"/providers/[Link]/managementGroups/{defaultGroupID}"
}
}

To set the default management group back to the root management group, use the
same endpoint and set defaultManagementGroup to a value of
/providers/[Link]/managementGroups/{rootMgID} .

Setting - Require authorization


Any user, by default, can create new management groups within a tenant. Admins of a
tenant may wish to only provide these permissions to specific users to maintain
consistency and conformity in the management group hierarchy. If enabled, a user
requires the [Link]/managementGroups/write operation on the root
management group to create new child management groups.

Set require authorization in portal


To configure this setting in the Azure portal, follow these steps:

1. Use the search bar to search for and select 'Management groups'.

2. On the root management group, select details next to the name of the
management group.

3. Under Settings, select Hierarchy settings.

4. Toggle the Require permissions for creating new management groups. option to
on.

Note

If the Require permissions for creating new management groups. toggle is disabled, either the management group being viewed isn't the root management group or your security principal doesn't have the necessary permissions to alter the hierarchy settings.

Set require authorization with REST API


To configure this setting with REST API, the Hierarchy Settings endpoint is called. To do
so, use the following REST API URI and body format. This value is a boolean, so provide
either true or false for the value. A value of true enables this method of protecting your
management group hierarchy:

REST API URI

HTTP

PUT [Link]roups/{rootMgID}/settings/default?api-version=2020-05-01

Request Body

JSON

{
"properties": {
"requireAuthorizationForGroupCreation": true
}
}

To turn the setting back off, use the same endpoint and set
requireAuthorizationForGroupCreation to a value of false.

PowerShell sample
PowerShell doesn't have an 'Az' cmdlet to set the default management group or require authorization, but as a workaround you can call the REST API from PowerShell, as in the sample below. (The Azure CLI does expose these settings through the az account management-group hierarchy-settings command group listed in the CLI reference later on this page.)

PowerShell

# IDs of the root management group (the tenant ID) and of the management group that
# new subscriptions should land in; use the root ID for both to reset the default.
$root_management_group_id = "Enter the ID of root management group"
$default_management_group_id = "Enter the ID of default management group (or use the same ID of the root management group)"

# Both hierarchy settings go in one PUT. requireAuthorizationForGroupCreation limits
# creation of new management groups to principals with managementGroups/write on the root.
$body = '{
  "properties": {
    "defaultManagementGroup": "/providers/[Link]/managementGroups/' + $default_management_group_id + '",
    "requireAuthorizationForGroupCreation": true
  }
}'

# Bearer token for the signed-in Az context; the caller needs the settings/write
# operation on the root group (for example the Hierarchy Settings Administrator role).
$token = (Get-AzAccessToken).Token
$headers = @{"Authorization"= "Bearer $token"; "Content-Type"= "application/json"}
$uri = "[Link]s/$root_management_group_id/settings/default?api-version=2020-05-01"

Invoke-RestMethod -Method PUT -Uri $uri -Headers $headers -Body $body

Next steps
To learn more about management groups, see:

Create management groups to organize Azure resources


How to change, delete, or manage your management groups
Troubleshoot errors using management
groups
Article • 09/07/2021

When you create and work with management groups you might run into errors. This
article describes various general errors that might occur, and it suggests ways to resolve
them.

Finding error details


Most errors are the result of an issue while running a command with management
groups. When a command fails, the SDK provides details about the failure. This
information indicates the issue so that it can be fixed and a later command succeeds.

General errors

Scenario: Response size too large

Issue

Customers with a large resource hierarchy may get the following message when
querying the Management Groups - Get REST API with a combination of $expand and
$recurse parameters:

Output

The response of the message was too large. Use another API or other
workarounds. See [Link] for more info.

Cause

The Get management group REST API doesn't return results if the payload is larger than
15 MB. This REST API is intended to get details for a single management group.

Resolution

There are several methods of dealing with a response that is too large:
Use the Management Groups - Get Descendants REST API. This API supports
pagination.
If looking for a single management group, remove the $expand and $recurse
parameters from the request to reduce the response size.
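To go with the Get Descendants resolution above, here is an added Python example (not code from the Azure docs or an SDK) that walks a hierarchy page by page by following nextLink, which is what the 15 MB cap on the single-group GET pushes you towards. The endpoint path and the value/nextLink envelope follow the public REST reference for Management Groups - Get Descendants; the page size, the constructed three-page response and the in-memory fake_fetch that stands in for an authenticated GET are assumptions so the block runs offline.

```python
"""Enumerate a large hierarchy with the Get Descendants API instead of $expand/$recurse.

Added example for this article, not code from the Azure docs. `fetch` is any callable
that performs an authenticated GET and returns the parsed JSON body; the constructed
in-memory `fake_fetch` below stands in for management.azure.com so the example runs
offline. The endpoint path and the value/nextLink envelope follow the public REST
reference; the page size and the sample IDs are assumptions.
"""
ARM = "https://management.azure.com"
API_VERSION = "2020-05-01"


def descendants_url(mg_id, top=2):
    # $top caps the items per page; the service returns nextLink while more remain.
    return (f"{ARM}/providers/Microsoft.Management/managementGroups/{mg_id}"
            f"/descendants?api-version={API_VERSION}&$top={top}")


def iter_descendants(fetch, mg_id, max_pages=10_000):
    """Yield every descendant once, following nextLink until the service stops returning it.
    A page cap and an ID set guard against a looping or overlapping nextLink."""
    url, seen, pages = descendants_url(mg_id), set(), 0
    while url:
        pages += 1
        if pages > max_pages:
            raise RuntimeError(f"gave up after {max_pages} pages; nextLink may be looping")
        body = fetch(url)
        for item in body.get("value", []):
            if item["id"] not in seen:
                seen.add(item["id"])
                yield item
        url = body.get("nextLink")


def summarize(fetch, mg_id):
    """Count management groups and subscriptions beneath `mg_id`."""
    counts = {"managementGroups": 0, "subscriptions": 0}
    for item in iter_descendants(fetch, mg_id):
        key = "subscriptions" if item["type"].lower().endswith("subscriptions") else "managementGroups"
        counts[key] += 1
    return counts


# Constructed three-page response for MG "Contoso"; page 2 repeats one item to exercise the de-dup.
_P1 = descendants_url("Contoso")
_P2 = _P1 + "&$skiptoken=page2"
_P3 = _P1 + "&$skiptoken=page3"
_MG_TYPE = "Microsoft.Management/managementGroups"
_MG_PATH = "/providers/Microsoft.Management/managementGroups/"
_PAGES = {
    _P1: {"value": [{"id": _MG_PATH + "ContosoIT", "name": "ContosoIT", "type": _MG_TYPE},
                    {"id": _MG_PATH + "Sandbox", "name": "Sandbox", "type": _MG_TYPE}],
          "nextLink": _P2},
    _P2: {"value": [{"id": _MG_PATH + "Sandbox", "name": "Sandbox", "type": _MG_TYPE},
                    {"id": "/subscriptions/12345678-1234-1234-1234-123456789012",
                     "name": "12345678-1234-1234-1234-123456789012", "type": "/subscriptions"}],
          "nextLink": _P3},
    _P3: {"value": [{"id": "/subscriptions/87654321-4321-4321-4321-210987654321",
                     "name": "87654321-4321-4321-4321-210987654321", "type": "/subscriptions"}]},
}


def fake_fetch(url):
    """Offline stand-in for an authenticated GET against Azure Resource Manager."""
    return _PAGES[url]


if __name__ == "__main__":
    print(summarize(fake_fetch, "Contoso"))  # {'managementGroups': 2, 'subscriptions': 2}
```

Against a real tenant, replace fake_fetch with a function that sends the URL with a bearer token and returns the JSON body; the generator shape means the hierarchy never has to be held in memory as one 15 MB response.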

Next steps
If you didn't see your problem or are unable to solve your issue, visit one of the
following channels for more support:

Get answers from Azure experts through Azure Forums .


Connect with @AzureSupport - the official Microsoft Azure account for
improving customer experience by connecting the Azure community to the right
resources: answers, support, and experts.
If you need more help, you can file an Azure support incident. Go to the Azure
support site and select Get Support.
az account management-group
Reference

Manage Azure Management Groups.

Commands

Name                                                        Description                                                                                   Type  Status
az account management-group check-name-availability         Check if a Management Group Name is Valid.                                                    Core  GA
az account management-group create                          Create a new management group.                                                                Core  GA
az account management-group delete                          Delete an existing management group.                                                          Core  GA
az account management-group entities                        Entity operations (Management Group and Subscriptions) for Management Groups.                 Core  GA
az account management-group entities list                   List all entities for the authenticated user.                                                 Core  GA
az account management-group hierarchy-settings              Provide operations for hierarchy settings defined at the management group level. Settings can only be set on the root Management Group of the hierarchy.  Core  GA
az account management-group hierarchy-settings create       Create hierarchy settings defined at the Management Group level.                              Core  GA
az account management-group hierarchy-settings delete       Delete the hierarchy settings defined at the Management Group level.                          Core  GA
az account management-group hierarchy-settings list         Get all the hierarchy settings defined at the Management Group level.                         Core  GA
az account management-group hierarchy-settings update       Update the hierarchy settings defined at the Management Group level.                          Core  GA
az account management-group list                            List all management groups.                                                                   Core  GA
az account management-group show                            Get a specific management group.                                                              Core  GA
az account management-group subscription                    Subscription operations for Management Groups.                                                Core  GA
az account management-group subscription add                Add a subscription to a management group.                                                     Core  GA
az account management-group subscription remove             Remove an existing subscription from a management group.                                      Core  GA
az account management-group subscription show               Show the details of a subscription under a known management group.                            Core  GA
az account management-group subscription show-sub-under-mg  Get the subscription under a management group.                                                Core  GA
az account management-group tenant-backfill                 Backfill Tenant Subscription Operations for Management Groups.                                Core  GA
az account management-group tenant-backfill get             Get the backfill status for a tenant.                                                         Core  GA
az account management-group tenant-backfill start           Start backfilling subscriptions for a tenant.                                                 Core  GA
az account management-group update                          Update an existing management group.                                                          Core  GA

az account management-group check-name-availability

Check if a Management Group Name is Valid.

Azure CLI

az account management-group check-name-availability --name

Examples
Check if a Management Group Name is Valid.

Azure CLI

az account management-group check-name-availability --name GroupName

Required Parameters

--name -n

Name of the management group.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.
accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json

--query

JMESPath query string. See [Link] for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az account management-group create

Create a new management group.

Azure CLI

az account management-group create --name
                                   [--display-name]
                                   [--no-register]
                                   [--parent]

Examples
Create a new management group.

Azure CLI

az account management-group create --name GroupName

Create a new management group with a specific display name.

Azure CLI

az account management-group create --name GroupName --display-name DisplayName

Create a new management group with a specific parent.

Azure CLI

az account management-group create --name GroupName --parent ParentId/ParentName

Create a new management group with a specific display name and parent.

Azure CLI

az account management-group create --name GroupName --display-name DisplayName --parent ParentId/ParentName

Required Parameters

--name -n

Name of the management group.

Optional Parameters

--display-name -d

Sets the display name of the management group. If null, the group name is set as
the display name.

--no-register

Skip registration for resource provider [Link].


default value: False

--parent -p

Sets the parent of the management group. Can be the fully qualified id or the name
of the management group. If null, the root tenant group is set as the parent.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.
accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json

--query

JMESPath query string. See [Link] for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az account management-group delete

Delete an existing management group.

Azure CLI

az account management-group delete --name
                                   [--no-register]

Examples
Delete an existing management group

Azure CLI

az account management-group delete --name GroupName

Required Parameters

--name -n
Name of the management group.

Optional Parameters

--no-register

Skip registration for resource provider [Link].


default value: False

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.
accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json

--query

JMESPath query string. See [Link] for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.


az account management-group list

List all management groups.

List of all management groups in the current tenant.

Azure CLI

az account management-group list [--no-register]

Examples
List all management groups

Azure CLI

az account management-group list

Optional Parameters

--no-register

Skip registration for resource provider [Link].


default value: False

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.
accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json

--query

JMESPath query string. See [Link] for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az account management-group show

Get a specific management group.

Get the details of the management group.

Azure CLI

az account management-group show --name
                                 [--expand]
                                 [--no-register]
                                 [--recurse]

Examples
Get a management group.

Azure CLI

az account management-group show --name GroupName

Get a management group with children in the first level of hierarchy.

Azure CLI
az account management-group show --name GroupName -e

Get a management group with children in all levels of hierarchy.

Azure CLI

az account management-group show --name GroupName -e -r

Required Parameters

--name -n

Name of the management group (the last segment of the resource ID). Do not use
display name.

Optional Parameters

--expand -e

If given, lists the children in the first level of hierarchy.


default value: False

--no-register

Skip registration for resource provider [Link].


default value: False

--recurse -r

If given, lists the children in all levels of hierarchy.


default value: False

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.
accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json

--query

JMESPath query string. See [Link] for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az account management-group update

Update an existing management group.

Azure CLI

az account management-group update --name
                                   [--add]
                                   [--display-name]
                                   [--force-string]
                                   [--parent]
                                   [--remove]
                                   [--set]

Examples
Update an existing management group with a specific display name.

Azure CLI

az account management-group update --name GroupName --display-name DisplayName

Update an existing management group with a specific parent.

Azure CLI

az account management-group update --name GroupName --parent ParentId/ParentName

Update an existing management group with a specific display name and parent.

Azure CLI

az account management-group update --name GroupName --display-name DisplayName --parent ParentId/ParentName

Required Parameters

--name -n

Name of the management group.

Optional Parameters

--add

Add an object to a list of objects by specifying a path and key value pairs. Example: -
-add [Link] <key=value, string or JSON string>.
default value: []

--display-name -d

Updates the display name of the management group. If null, no change is made.

--force-string
When using 'set' or 'add', preserve string literals instead of attempting to convert to
JSON.
default value: False

--parent -p

Update the parent of the management group. Can be the fully qualified id or the
name of the management group. If null, no change is made.

--remove

Remove a property or an element from a list. Example: --remove [Link] OR --remove propertyToRemove.
default value: []

--set

Update an object by specifying a property path and value to set. Example: --set
property1.property2=.
default value: []

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.
accepted values: json, jsonc, none, table, tsv, yaml, yamlc
default value: json

--query
JMESPath query string. See [Link] for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.


[Link]
Reference

This topic displays help topics for the Azure Resource Manager Cmdlets.

Active Directory
Add-AzADAppPermission Adds an API permission.

Add-AzADGroupMember Adds member to group.

Get-AzADAppCredential Lists key credentials and password credentials for an application.

Get-AzADAppFederatedCredential Get federatedIdentityCredentials by Id from applications.

Get-AzADApplication Lists entities from applications or get entity from applications by key

Get-AzADAppPermission Lists API permissions the application has requested.

Get-AzADGroup Lists entities from groups or get entity from groups by key

Get-AzADGroupMember Lists members from group.

Get-AzADGroupOwner The owners of the group. Limited to 100 owners. Nullable. If this property is not specified when creating a Microsoft 365 group, the calling user is automatically assigned as the group owner. Supports $filter (/$count eq 0, /$count ne 0, /$count eq 1, /$count ne 1). Supports $expand including nested $select. For example, /groups?$filter=startsWith(displayName,'Role')&$select=id,displayName&$expand=owners($select=id,userPrincipalName,displayName).

Get-AzADOrganization Retrieve a list of organization objects.

Get-AzADServicePrincipal Lists entities from service principals or get entity from service principals by key

Get-AzADSpCredential Lists key credentials and password credentials for a service principal.

Get-AzADUser Lists entities from users or get entity from users by key

New-AzADAppCredential Creates key credentials or password credentials for an application.

New-AzADAppFederatedCredential Create federatedIdentityCredential for applications.

New-AzADApplication Adds new entity to applications

New-AzADGroup Adds new entity to groups

New-AzADGroupOwner Create new navigation property ref to owners for groups

New-AzADServicePrincipal Adds new entity to servicePrincipals

New-AzADSpCredential Creates key credentials or password credentials for a service principal.

New-AzADUser Adds new entity to users

Remove-AzADAppCredential Removes key credentials or password credentials for an application.

Remove-AzADAppFederatedCredential Delete navigation property federatedIdentityCredentials for applications

Remove-AzADApplication Deletes entity from applications

Remove-AzADAppPermission Removes an API permission.

Remove-AzADGroup Deletes entity from groups.

Remove-AzADGroupMember Deletes member from group Users, contacts, and groups that are members of this group. HTTP Methods: GET (supported for
all groups), POST (supported for security groups and mail-enabled security groups), DELETE (supported only for security
groups) Read-only. Nullable. Supports $expand.

Remove-AzADGroupOwner Delete ref of navigation property owners for groups

Remove-AzADServicePrincipal Deletes entity from service principal.

Remove-AzADSpCredential Removes key credentials or password credentials for a service principal.

Remove-AzADUser Deletes entity from users.

Update-AzADAppFederatedCredential Update the navigation property federatedIdentityCredentials in applications

Update-AzADApplication Updates entity in applications

Update-AzADGroup Update entity in groups

Update-AzADServicePrincipal Updates entity in service principal

Update-AzADUser Updates entity in users

Managed Applications
Get-AzManagedApplication Gets managed applications

Get-AzManagedApplicationDefinition Gets managed application definitions

New-AzManagedApplication Creates an Azure managed application.

New-AzManagedApplicationDefinition Creates a managed application definition.

Remove-AzManagedApplication Removes a managed application

Remove-AzManagedApplicationDefinition Removes a managed application definition

Set-AzManagedApplication Updates managed application

Set-AzManagedApplicationDefinition Updates managed application definition

Policy
Get-AzPolicyAlias Get-AzPolicyAlias retrieves and outputs Azure provider resource types that have aliases defined and
match the given parameter values. If no parameters are provided, all provider resource types that
contain an alias will be output. The -ListAvailable switch modifies this behavior by listing all matching
resource types including those without aliases.

Get-AzPolicyAssignment Gets policy assignments.

Get-AzPolicyDefinition Gets policy definitions.

Get-AzPolicyExemption Gets policy exemptions.

Get-AzPolicySetDefinition Gets policy set definitions.

Get-AzRoleManagementPolicy Get the specified role management policy for a resource scope

Get-AzRoleManagementPolicyAssignment Get the specified role management policy assignment for a resource scope

New-AzPolicyAssignment Creates a policy assignment.

New-AzPolicyDefinition Creates a policy definition.

New-AzPolicyExemption Creates a policy exemption.

New-AzPolicySetDefinition Creates a policy set definition.

New-AzRoleManagementPolicyAssignment Create a role management policy assignment

Remove-AzPolicyAssignment Removes a policy assignment.

Remove-AzPolicyDefinition Removes a policy definition.

Remove-AzPolicyExemption Removes a policy exemption.

Remove-AzPolicySetDefinition Removes a policy set definition.

Remove-AzRoleManagementPolicy Delete a role management policy

Remove-AzRoleManagementPolicyAssignment Delete a role management policy assignment


Set-AzPolicyAssignment Modifies a policy assignment.

Set-AzPolicyDefinition Modifies a policy definition.

Set-AzPolicyExemption Modifies a policy exemption.

Set-AzPolicySetDefinition Modifies a policy set definition

Update-AzRoleManagementPolicy Update a role management policy

Resources
Export-AzResourceGroup Captures a resource group as a template and saves it to a file.

Export-AzTemplateSpec Exports a Template Spec to the local filesystem

Get-AzDenyAssignment Lists Azure RBAC deny assignments at the specified scope. By default it lists all deny assignments in
the selected Azure subscription. Use respective parameters to list deny assignments to a specific
user, or to list deny assignments on a specific resource group or resource.

The cmdlet may call below Microsoft Graph API according to input parameters:

GET /directoryObjects/{id}
POST /directoryObjects/getByIds

Get-AzDeployment Get deployment

Get-AzDeploymentOperation Get deployment operation

Get-AzDeploymentScript Gets or lists deployment scripts.

Get-AzDeploymentScriptLog Gets the log of a deployment script execution.

Get-AzDeploymentWhatIfResult Gets a template What-If result for a deployment at subscription scope.

Get-AzLocation Gets all locations and the supported resource providers for each location.

Get-AzManagementGroup Gets Management Group(s)

Get-AzManagementGroupDeployment Get deployment at a management group

Get-AzManagementGroupDeploymentOperation Get deployment operation for management group deployment

Get-AzManagementGroupDeploymentStack Gets Management Group scoped Deployment Stacks.

Get-AzManagementGroupDeploymentWhatIfResult Gets a template What-If result for a deployment at management group scope.

Get-AzManagementGroupEntity Lists all Entities under the current Tenant

Get-AzManagementGroupHierarchySetting Gets the Hierarchy Settings under the current tenant

Get-AzManagementGroupNameAvailability Checks if the Management Group name is available in the Tenant and a valid name.

Get-AzManagementGroupSubscription Gets the details of Subscription(s) under a Management Group.

Get-AzPrivateLinkAssociation Gets all the Azure Resource Management Private Link Association(s).

Get-AzProviderFeature Gets information about Azure provider features.

Get-AzProviderOperation Gets the operations for an Azure resource provider that are securable using Azure RBAC.

Get-AzProviderPreviewFeature Gets a feature registration in your account.

Get-AzResource Gets resources.

Get-AzResourceGroup Gets resource groups.

Get-AzResourceGroupDeployment Gets the deployments in a resource group.

Get-AzResourceGroupDeploymentOperation Gets the resource group deployment operation

Get-AzResourceGroupDeploymentStack Gets Resource Group scoped Deployment Stacks.


Get-AzResourceGroupDeploymentWhatIfResult Gets a template What-If result for a deployment at resource group scope.

Get-AzResourceLock Gets a resource lock.

Get-AzResourceManagementPrivateLink Gets Azure Resource Management Private Link(s)

Get-AzResourceProvider Gets a resource provider.

Get-AzRoleAssignment Lists Azure RBAC role assignments at the specified scope. By default it lists all role assignments in
the selected Azure subscription. Use respective parameters to list assignments to a specific user, or
to list assignments on a specific resource group or resource.

The cmdlet may call below Microsoft Graph API according to input parameters:

GET /users/{id}
GET /servicePrincipals/{id}
GET /groups/{id}
GET /directoryObjects/{id}
POST /directoryObjects/getByIds

Please notice that this cmdlet will mark ObjectType as Unknown in output if the object of role
assignment is not found or current account has insufficient privileges to get object type.

Get-AzRoleAssignmentSchedule Get the specified role assignment schedule for a resource scope

Get-AzRoleAssignmentScheduleInstance Gets the specified role assignment schedule instance.

Get-AzRoleAssignmentScheduleRequest Get the specified role assignment schedule request.

Get-AzRoleDefinition Lists all Azure RBAC roles that are available for assignment.

Get-AzRoleEligibilitySchedule Get the specified role eligibility schedule for a resource scope

Get-AzRoleEligibilityScheduleInstance Gets the specified role eligibility schedule instance.

Get-AzRoleEligibilityScheduleRequest Get the specified role eligibility schedule request.

Get-AzRoleEligibleChildResource Get the child resources of a resource on which user has eligible access

Get-AzSubscriptionDeploymentStack Gets Subscription scoped Deployment Stacks.

Get-AzTag Gets predefined Azure tags | Gets the entire set of tags on a resource or subscription.

Get-AzTemplateSpec Gets or lists Template Specs

Get-AzTenantBackfillStatus Get the current Tenant Backfill Subscription Status

Get-AzTenantDeployment Get deployment at tenant scope

Get-AzTenantDeploymentOperation Get deployment operation for deployment at tenant scope

Get-AzTenantDeploymentWhatIfResult Gets a template What-If result for a deployment at tenant scope.

Invoke-AzResourceAction Invokes an action on a resource.

Move-AzResource Moves a resource to a different resource group or subscription.

New-AzDeployment Create a deployment at the current subscription scope.

New-AzManagementGroup Creates a Management Group

New-AzManagementGroupDeployment Create a deployment at a management group

New-AzManagementGroupDeploymentStack Creates a new Management Group scoped Deployment Stack.

New-AzManagementGroupHierarchySetting Creates Hierarchy Settings under the current tenant

New-AzManagementGroupSubscription Adds a Subscription to a Management Group.

New-AzPrivateLinkAssociation Creates the Azure Resource Management Private Link Association.

New-AzResource Creates a resource.

New-AzResourceGroup Creates an Azure resource group.

New-AzResourceGroupDeployment Adds an Azure deployment to a resource group.

New-AzResourceGroupDeploymentStack Creates a new Resource Group scoped Deployment Stack.


New-AzResourceLock Creates a resource lock.

New-AzResourceManagementPrivateLink Create Azure Resource Management Private Link

New-AzRoleAssignment Assigns the specified RBAC role to the specified principal, at the specified scope.

The cmdlet may call below Microsoft Graph API according to input parameters:

GET /users/{id}
GET /servicePrincipals/{id}
GET /groups/{id}
GET /directoryObjects/{id}

Please notice that this cmdlet will mark ObjectType as Unknown in output if the object of role
assignment is not found or current account has insufficient privileges to get object type.

New-AzRoleAssignmentScheduleRequest Creates a role assignment schedule request.

New-AzRoleDefinition Creates a custom role in Azure RBAC. Provide either a JSON role definition file or a PSRoleDefinition
object as input. First, use the Get-AzRoleDefinition command to generate a baseline role definition
object. Then, modify its properties as required. Finally, use this command to create a custom role
using role definition.

New-AzRoleEligibilityScheduleRequest Creates a role eligibility schedule request.

New-AzSubscriptionDeploymentStack Creates a new Subscription scoped Deployment Stack.

New-AzTag Creates a predefined Azure tag or adds values to an existing tag | Creates or updates the entire set
of tags on a resource or subscription.

New-AzTemplateSpec Creates a new Template Spec.

New-AzTenantDeployment Create a deployment at tenant scope

Publish-AzBicepModule Publishes a Bicep file to a registry.

Register-AzProviderFeature Registers an Azure provider feature in your current subscription context.

Register-AzProviderPreviewFeature Creates a feature registration in your account.

Register-AzResourceProvider Registers a resource provider.

Remove-AzDeployment Removes a deployment and any associated operations

Remove-AzDeploymentScript Removes a deployment script and its associated resources.

Remove-AzManagementGroup Removes a Management Group

Remove-AzManagementGroupDeployment Removes a deployment at a management group and any associated operations

Remove-AzManagementGroupDeploymentStack Removes a Management Group scoped Deployment Stack.

Remove-AzManagementGroupHierarchySetting Deletes all Hierarchy Settings under the current tenant

Remove-AzManagementGroupSubscription Removes a Subscription from a Management Group.

Remove-AzPrivateLinkAssociation Delete a specific azure private link association.

Remove-AzResource Removes a resource.

Remove-AzResourceGroup Removes a resource group.

Remove-AzResourceGroupDeployment Removes a resource group deployment and any associated operations.

Remove-AzResourceGroupDeploymentStack Removes a Resource Group scoped Deployment Stack.

Remove-AzResourceLock Removes a resource lock.

Remove-AzResourceManagementPrivateLink Deletes the Resource Management Private Link.

Remove-AzRoleAssignment Removes a role assignment to the specified principal who is assigned to a particular role at a
particular scope.

The cmdlet may call below Microsoft Graph API according to input parameters:

GET /users/{id}
GET /servicePrincipals/{id}
GET /groups/{id}
GET /directoryObjects/{id}
POST /directoryObjects/getByIds

Please notice that this cmdlet will mark ObjectType as Unknown in output if the object of role
assignment is not found or current account has insufficient privileges to get object type.

Remove-AzRoleDefinition Deletes a custom role in Azure RBAC. The role to be deleted is specified using the Id property of the
role. Delete will fail if there are existing role assignments made to the custom role.

Remove-AzSubscriptionDeploymentStack Removes a Subscription scoped Deployment Stack.

Remove-AzTag Deletes predefined Azure tags or values | Deletes the entire set of tags on a resource or subscription.

Remove-AzTemplateSpec Removes a Template Spec

Remove-AzTenantDeployment Removes a deployment at tenant scope and any associated operations

Save-AzDeploymentScriptLog Saves the log of a deployment script execution to disk.

Save-AzDeploymentTemplate Saves a deployment template to a file.

Save-AzManagementGroupDeploymentStackTemplate Saves a Management Group scoped Deployment Stack Template.

Save-AzManagementGroupDeploymentTemplate Saves a deployment template to a file.

Save-AzResourceGroupDeploymentStackTemplate Saves a Resource Group scoped Deployment Stack Template.

Save-AzResourceGroupDeploymentTemplate Saves a resource group deployment template to a file.

Save-AzSubscriptionDeploymentStackTemplate Saves a Subscription scoped Deployment Stack Template.

Save-AzTenantDeploymentTemplate Saves a deployment template to a file.

Set-AzManagementGroupDeploymentStack Sets a new Management Group scoped Deployment Stack.

Set-AzResource Modifies a resource.

Set-AzResourceGroup Modifies a resource group.

Set-AzResourceGroupDeploymentStack Sets a new Resource Group scoped Deployment Stack.

Set-AzResourceLock Modifies a resource lock.

Set-AzRoleAssignment Update an existing Role Assignment.

The cmdlet may call below Microsoft Graph API according to input parameters:

GET /users/{id}
GET /servicePrincipals/{id}
GET /groups/{id}
GET /directoryObjects/{id}
POST /directoryObjects/getByIds

Please notice that this cmdlet will mark ObjectType as Unknown in output if the object of role
assignment is not found or current account has insufficient privileges to get object type.

Set-AzRoleDefinition Modifies a custom role in Azure RBAC. Provide the modified role definition either as a JSON file or as
a PSRoleDefinition. First, use the Get-AzRoleDefinition command to retrieve the custom role that you
wish to modify. Then, modify the properties that you wish to change. Finally, save the role definition
using this command.

Set-AzSubscriptionDeploymentStack Sets a new Subscription scoped Deployment Stack.

Set-AzTemplateSpec Modifies a Template Spec.

Start-AzTenantBackfill Starts backfilling subscriptions for the current Tenant

Stop-AzDeployment Cancel a running deployment

Stop-AzManagementGroupDeployment Cancel a running deployment at a management group

Stop-AzResourceGroupDeployment Cancels a resource group deployment.

Stop-AzRoleAssignmentScheduleRequest Cancels a pending role assignment schedule request.

Stop-AzRoleEligibilityScheduleRequest Cancels a pending role eligibility schedule request.


Stop-AzTenantDeployment Cancel a running deployment at tenant scope

Test-AzDeployment Validates a deployment.

Test-AzManagementGroupDeployment Validates a deployment at a management group.

Test-AzResourceGroupDeployment Validates a resource group deployment.

Test-AzTenantDeployment Validates a deployment at tenant scope.

Unregister-AzProviderFeature Unregisters an Azure provider feature in your account.

Unregister-AzProviderPreviewFeature Removes a feature registration from your account.

Unregister-AzResourceProvider Unregisters a resource provider.

Update-AzManagementGroup Updates a Management Group

Update-AzManagementGroupHierarchySetting Updates Hierarchy Settings under the current tenant

Update-AzTag Selectively updates the set of tags on a resource or subscription.

Azure Management Groups SDK for .NET - legacy
Article • 11/16/2023

Packages - legacy

Reference | Package | Source
Management Groups | Management [Link] | GitHub

ManagementGroups interface
Reference
Package: @azure/arm-managementgroups

Interface representing a ManagementGroups.

Methods

beginCreateOrUpdate(string, CreateManagementGroupRequest, ManagementGroupsCreateOrUpdateOptionalParams)
    Create or update a management group. If a management group is already created and a subsequent create request is issued with different properties, the management group properties will be updated.

beginCreateOrUpdateAndWait(string, CreateManagementGroupRequest, ManagementGroupsCreateOrUpdateOptionalParams)
    Create or update a management group. If a management group is already created and a subsequent create request is issued with different properties, the management group properties will be updated.

beginDelete(string, ManagementGroupsDeleteOptionalParams)
    Delete management group. If a management group contains child resources, the request will fail.

beginDeleteAndWait(string, ManagementGroupsDeleteOptionalParams)
    Delete management group. If a management group contains child resources, the request will fail.

get(string, ManagementGroupsGetOptionalParams)
    Get the details of the management group.

list(ManagementGroupsListOptionalParams)
    List management groups for the authenticated user.

listDescendants(string, ManagementGroupsGetDescendantsOptionalParams)
    List all entities that descend from a management group.

update(string, PatchManagementGroupRequest, ManagementGroupsUpdateOptionalParams)
    Update a management group.

Method Details
beginCreateOrUpdate(string, CreateManagementGroupRequest, ManagementGroupsCreateOrUpdateOptionalParams)
Create or update a management group. If a management group is already created
and a subsequent create request is issued with different properties, the management
group properties will be updated.

TypeScript

function beginCreateOrUpdate(
    groupId: string,
    createManagementGroupRequest: CreateManagementGroupRequest,
    options?: ManagementGroupsCreateOrUpdateOptionalParams
): Promise<PollerLike<PollOperationState<ManagementGroup>, ManagementGroup>>

Parameters
groupId string
Management Group ID.

createManagementGroupRequest CreateManagementGroupRequest
Management group creation parameters.

options ManagementGroupsCreateOrUpdateOptionalParams
The options parameters.

Returns
Promise<PollerLike<PollOperationState<ManagementGroup>,
ManagementGroup>>

beginCreateOrUpdateAndWait(string, CreateManagementGroupRequest, ManagementGroupsCreateOrUpdateOptionalParams)
Create or update a management group. If a management group is already created
and a subsequent create request is issued with different properties, the management
group properties will be updated.

TypeScript
function beginCreateOrUpdateAndWait(groupId: string,
createManagementGroupRequest: CreateManagementGroupRequest, options?:
ManagementGroupsCreateOrUpdateOptionalParams): Promise<ManagementGroup>

Parameters
groupId string
Management Group ID.

createManagementGroupRequest CreateManagementGroupRequest
Management group creation parameters.

options ManagementGroupsCreateOrUpdateOptionalParams
The options parameters.

Returns
Promise<ManagementGroup>

beginDelete(string, ManagementGroupsDeleteOptionalParams)
Delete management group. If a management group contains child resources, the
request will fail.

TypeScript

function beginDelete(
    groupId: string,
    options?: ManagementGroupsDeleteOptionalParams
): Promise<PollerLike<PollOperationState<ManagementGroupsDeleteResponse>, ManagementGroupsDeleteResponse>>

Parameters
groupId string
Management Group ID.

options ManagementGroupsDeleteOptionalParams
The options parameters.

Returns
Promise<PollerLike<PollOperationState<ManagementGroupsDeleteResponse>, ManagementGroupsDeleteResponse>>

beginDeleteAndWait(string, ManagementGroupsDeleteOptionalParams)
Delete management group. If a management group contains child resources, the
request will fail.

TypeScript

function beginDeleteAndWait(
    groupId: string,
    options?: ManagementGroupsDeleteOptionalParams
): Promise<ManagementGroupsDeleteResponse>

Parameters
groupId string
Management Group ID.

options ManagementGroupsDeleteOptionalParams
The options parameters.

Returns
Promise<ManagementGroupsDeleteResponse>

get(string, ManagementGroupsGetOptionalParams)
Get the details of the management group.

TypeScript

function get(
    groupId: string,
    options?: ManagementGroupsGetOptionalParams
): Promise<ManagementGroup>

Parameters
groupId string
Management Group ID.

options ManagementGroupsGetOptionalParams
The options parameters.

Returns
Promise<ManagementGroup>

list(ManagementGroupsListOptionalParams)
List management groups for the authenticated user.

TypeScript

function list(
    options?: ManagementGroupsListOptionalParams
): PagedAsyncIterableIterator<ManagementGroupInfo, ManagementGroupInfo[], PageSettings>

Parameters
options ManagementGroupsListOptionalParams
The options parameters.

Returns
PagedAsyncIterableIterator<ManagementGroupInfo, ManagementGroupInfo[],
PageSettings>

listDescendants(string, ManagementGroupsGetDescendantsOptionalParams)
List all entities that descend from a management group.

TypeScript

function listDescendants(
    groupId: string,
    options?: ManagementGroupsGetDescendantsOptionalParams
): PagedAsyncIterableIterator<DescendantInfo, DescendantInfo[], PageSettings>

Parameters
groupId string
Management Group ID.

options ManagementGroupsGetDescendantsOptionalParams
The options parameters.

Returns
PagedAsyncIterableIterator<DescendantInfo, DescendantInfo[], PageSettings>

update(string, PatchManagementGroupRequest, ManagementGroupsUpdateOptionalParams)
Update a management group.

TypeScript

function update(
    groupId: string,
    patchGroupRequest: PatchManagementGroupRequest,
    options?: ManagementGroupsUpdateOptionalParams
): Promise<ManagementGroup>

Parameters
groupId string
Management Group ID.

patchGroupRequest PatchManagementGroupRequest
Management group patch parameters.

options ManagementGroupsUpdateOptionalParams
The options parameters.

Returns
Promise<ManagementGroup>
managementgroups Package
Reference

Packages
aio

models

operations

Classes
ManagementGroupsAPI The Azure Management Groups API enables consolidation of multiple
subscriptions/resources into an organizational hierarchy and central management of access
control, policies, alerting and reporting for those resources.

ivar management_groups: ManagementGroupsOperations operations

vartype management_groups:
[Link]

ivar management_group_subscriptions: ManagementGroupSubscriptionsOperations operations

vartype management_group_subscriptions:
[Link]

ivar hierarchy_settings: HierarchySettingsOperations operations

vartype hierarchy_settings:
[Link]

ivar operations: Operations operations

vartype operations: [Link]

ivar entities: EntitiesOperations operations

vartype entities: [Link]

param credential: Credential needed for the client to connect to Azure.

type credential: ~[Link]

param str base_url: Service URL

keyword int polling_interval: Default waiting time between two polls for LRO operations
if no Retry-After header is present.
Management Groups
Article • 10/31/2023

Management groups enable you to manage access, policies, and compliance for your
Azure subscriptions. For an introduction, see What are Azure management groups?.

See also
What are Azure management groups?
Quickstart: Create a management group with REST API
[Link] managementGroups
Article • 08/11/2023

Bicep resource definition


The managementGroups resource type is an extension resource, which means you can
apply it to another resource.

Use the scope property on this resource to set the scope for this resource. See Set scope on
extension resources in Bicep.

The managementGroups resource type can be deployed with operations that target:

Tenants - See tenant deployment commands

For a list of changed properties in each API version, see change log.

Remarks
When deployed at tenant scope, don't set the scope property. See create management
groups with tenant deployments in Bicep file or ARM templates.

When deployed at other scopes, set the scope property to tenant() for Bicep files or / for
ARM templates. See create management groups with management group deployments in
Bicep file or ARM templates.

Resource format
To create a [Link]/managementGroups resource, add the following Bicep
to your template.

Bicep

resource symbolicname '[Link]/managementGroups@2021-04-01' = {
  name: 'string'
  scope: tenant()
  properties: {
    details: {
      parent: {
        id: 'string'
      }
    }
    displayName: 'string'
  }
}
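The two deployment scopes described in the Remarks, worked through as an added example that is not part of the original page: file 1 targets the tenant and creates a parent/child pair with no scope property; file 2 targets an existing management group and must redirect the extension resource with scope: tenant(). The block holds two separate Bicep files, the group names, display names and parent path are constructed placeholders, and Microsoft.Management is the resource provider namespace of this resource type.

```bicep
// Added example, not from the page. Two separate Bicep files shown in one block.
// Group names (mg-platform, mg-landingzones, mg-sandbox) are constructed placeholders.

// ---------- File 1: tenant-scope deployment (New-AzTenantDeployment) ----------
// The deployment itself runs at tenant scope, so no scope property is set.
targetScope = 'tenant'

// Parent group. Policy assignments and role assignments made at this scope
// are inherited by every child group and subscription beneath it, so this is
// the place to pin tenant-wide guardrails.
resource platformMg 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: 'mg-platform'
  properties: {
    displayName: 'Platform'
  }
}

// Child group. details.parent.id takes the parent's fully qualified ID;
// referencing the symbolic name also makes Bicep deploy the parent first.
resource landingZonesMg 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: 'mg-landingzones'
  properties: {
    displayName: 'Landing Zones'
    details: {
      parent: {
        id: platformMg.id
      }
    }
  }
}

// ---------- File 2: management-group-scope deployment (New-AzManagementGroupDeployment) ----------
// The deployment targets an existing management group, so the extension
// resource has to be redirected to the tenant with scope: tenant(); without
// it the deployment would try to create the group as a child resource of
// the target management group and fail.
targetScope = 'managementGroup'

resource sandboxMg 'Microsoft.Management/managementGroups@2021-04-01' = {
  scope: tenant()
  name: 'mg-sandbox'
  properties: {
    displayName: 'Sandbox'
    details: {
      parent: {
        // Fully qualified parent ID in the format shown in the property table
        // (placeholder parent name).
        id: '/providers/Microsoft.Management/managementGroups/mg-landingzones'
      }
    }
  }
}
```

After deploying either file, Get-AzManagementGroup -GroupName <name> -Expand (or az account management-group show) confirms the parent/child relationship before any policy or role assignment is attached to the new scope.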

Property values

managementGroups

Name | Description | Value
name | The resource name | string (required)
scope | Use when creating an extension resource at a scope that is different than the deployment scope. | For Bicep: tenant().
properties | The generic properties of a management group used during creation. | CreateManagementGroupPropertiesOrManagementGroupProp...

CreateManagementGroupPropertiesOrManagementGroupProp...

Name | Description | Value
details | The details of a management group used during creation. | CreateManagementGroupDetailsOrManagementGroupDetails
displayName | The friendly name of the management group. If no value is passed then this field will be set to the groupId. | string

CreateManagementGroupDetailsOrManagementGroupDetails

Name | Description | Value
parent | (Optional) The ID of the parent management group used during creation. | CreateParentGroupInfoOrParentGroupInfo

CreateParentGroupInfoOrParentGroupInfo

Name | Description | Value
id | The fully qualified ID for the parent management group. For example, /providers/[Link]/managementGroups/0000000-0000-0000-0000-000000000000 | string

Quickstart templates
The following quickstart templates deploy this resource type.

Template | Description
Create a New Management Group | This template is a tenant level template that will create a new management group.
