IT Operations & Cybersecurity Encyclopedia
Azure management group hierarchy design guide
Azure management groups organize subscriptions so policy, RBAC, governance, and security baselines can be inherited consistently. A good hierarchy helps cloud teams scale Azure without losing control of compliance, access, cost, or operational ownership.
Why it matters
Use the hierarchy to enforce governance, not to mirror every department
Management groups are most valuable when they support policy inheritance, security baselines, subscription organization, and delegated operations. If the hierarchy is built only around short-term department names, it can become brittle and hard to govern.
A professional hierarchy separates platform and landing-zone responsibilities, defines production and non-production boundaries, maps subscriptions to business ownership, and makes clear where policy, RBAC, budgets, logging, and compliance controls are assigned.
Practical rule: Before creating or moving subscriptions, document the management group purpose, inherited policies, RBAC owners, subscription placement criteria, exemptions, and expected evidence for each tier.
Review scope
What Azure management group design should cover
Hierarchy purpose
Define why each management group exists and which subscriptions should be placed under it.
Policy inheritance
Map required policies, initiatives, enforcement modes, remediation, and exemptions by hierarchy level.
RBAC delegation
Limit high-scope roles and document which teams can manage platform, security, and workload subscriptions.
Subscription placement
Use clear criteria for production, non-production, sandbox, platform, connectivity, and regulated workloads.
Exception handling
Track policy exemptions, temporary exceptions, risk acceptances, owners, expiration dates, and review cadence.
Governance evidence
Prepare hierarchy diagrams, policy compliance reports, RBAC exports, subscription inventory, and change history.
Review matrix
Azure management group hierarchy decision matrix
| Area | What to verify | Questions to answer | Evidence |
|---|---|---|---|
| Root-level policy | A control must apply to all subscriptions in the tenant. | Assign only broadly accepted baseline policies at the highest level to avoid unwanted inheritance. | Which subscriptions are harmed if this policy is inherited everywhere? |
| Platform management group | Shared services such as connectivity, identity, management, or security need separate governance. | Separate platform subscriptions from workload subscriptions so shared services can be tightly controlled. | Who operates the platform and who consumes it? |
| Production workload group | Production workloads require stronger controls than test or sandbox environments. | Use production-specific policies, logging, backup, Defender, tagging, and access standards. | What evidence proves production controls are inherited? |
| Regulated workload group | A workload is subject to HIPAA, PCI DSS, SOC 2, ISO 27001, or other compliance requirements. | Create a placement model that supports extra policy, logging, data protection, and access review. | Which compliance obligations change the baseline? |
| Subscription move | A subscription needs to move to another management group. | Assess inherited policy, RBAC, budgets, diagnostics, and workload impact before moving. | Which controls are added or removed after the move? |
Step-by-step review
Azure management group hierarchy design runbook
Inventory subscriptions
List subscriptions, owners, environments, cost centers, compliance scope, workloads, and current hierarchy placement.
Define hierarchy model
Design root, platform, landing zone, production, non-production, sandbox, and regulated branches as needed.
Map policies
Document policy and initiative assignments, inheritance paths, exemptions, remediation tasks, and compliance status.
Review RBAC
Validate privileged roles, delegated administration, group-based access, emergency access, and least-privilege scope.
Test subscription placement
Assess what policies, roles, budgets, and diagnostic requirements a subscription inherits before it is moved.
Publish governance evidence
Maintain hierarchy diagrams, subscription inventory, policy compliance reports, exception register, and review actions.
Common risks
Common Azure management group hierarchy mistakes
Department-only hierarchy
A structure based only on departments may not support policy inheritance, security baselines, or workload lifecycle.
Too many high-scope roles
Broad RBAC assignments at management group scope can affect many subscriptions at once.
Unplanned inheritance
Policies assigned too high can break workloads or create unnecessary exemptions.
Weak subscription placement
Subscriptions without placement criteria can drift into the wrong compliance or operations model.
No exemption register
Policy exemptions become invisible risk when they lack owners, expiration dates, and review records.
Missing evidence
Auditors and executives need clear diagrams, inventory, RBAC records, compliance reports, and change history.
Related support
Where IT Perfection can help
IT Perfection can help organizations plan Azure management groups, landing zones, subscription organization, policy baselines, and cloud operations through cloud support services and managed IT services.
For independent Azure governance and cloud security review, OC Security Audit can support security audit services and cybersecurity risk assessments.
Created by Ali Hassani, CISO
Azure governance perspective from Ali Hassani
Ali Hassani brings 25+ years of hands-on experience across IT operations, cybersecurity, Microsoft infrastructure, network security, compliance readiness, cloud services, healthcare IT, MSP services, and business technology leadership.
This guide is for initial education and planning. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal review, vendor engineering review, or Microsoft professional services engagement.
A clear hierarchy makes governance repeatable
Ali Hassani, CISO and IT infrastructure consultant, has 25+ years of experience across Microsoft infrastructure, Azure operations, cybersecurity governance, compliance readiness, network security, and managed IT services.
FAQ
Azure management group hierarchy FAQ
What are Azure management groups used for?
Management groups organize subscriptions so Azure Policy, RBAC, compliance, and governance controls can be inherited at scale.
Should the hierarchy match the company org chart?
Not always. It should primarily support governance, policy inheritance, workload lifecycle, compliance boundaries, and operational ownership.
What should be assigned at the root management group?
Only tenant-wide baseline controls that truly apply to every subscription should be assigned at the highest level.
How should exemptions be handled?
Exemptions should have owners, reasons, expiration dates, compensating controls, and recurring review.
Can IT Perfection help design Azure management groups?
Yes. IT Perfection can help document subscriptions, design the hierarchy, review policy inheritance, and improve Azure governance operations.