Management Groups
- Containers above subscriptions used to apply governance at scale.
- A management group can contain:
  - Other management groups
  - One or more subscriptions
- Policies, RBAC roles, and compliance rules applied at the management group level are inherited by all subscriptions inside it.
Use Case:
- A company with 10 subscriptions (Prod, Dev, Test, etc.) uses a Management Group to enforce a single set of rules across all of them.
Policy Scope
Azure Policy allows you to define and enforce rules (such as requiring encryption or restricting allowed SKUs).
- Scope can be:
  - Management Group → applies across all subscriptions inside it.
  - Subscription → applies to all resource groups/resources inside it.
  - Resource Group → applies to all resources inside it.
  - Resource → applies to one specific resource.
Key Point: Policies are evaluated continuously for compliance, not only at deployment time.
Policy Effects
- Deny → blocks creation of non-compliant resources.
- Audit → allows the resource but logs it as non-compliant.
- Append → adds required settings (e.g., tags) to the resource at deployment.
- DeployIfNotExists → automatically deploys the missing configuration after the resource is created.
Confusion Buster 🚨
- Management Group vs Resource Group
  - Mgmt Group = governance scope, sits above subscriptions.
  - Resource Group = container for actual resources.
- Policy vs RBAC
  - Policy = what can/cannot be deployed (enforcement).
  - RBAC = who has access (permissions).
- Exam trap: If the question says “apply encryption rules across all subscriptions” → Management Group. If it says “prevent developers from creating expensive VM SKUs” → Azure Policy.
Simple Example
An enterprise:
- Creates a Management Group named “Finance.”
- Adds 3 subscriptions (Prod, Dev, Test).
- Applies a Policy at the management group scope requiring all storage accounts to use encryption.
- All subscriptions automatically inherit this rule.
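The walkthrough above as an added bash + Azure CLI example (not from these notes): it creates the Finance management group, moves subscriptions into it, defines a custom Deny policy at management group scope requiring HTTPS-only storage accounts (the scenario used later under “What to Expect in the Exam”), and assigns it there so every subscription inherits it. The policy name is a constructed example; the subscription IDs are supplied as arguments.

```shell
#!/usr/bin/env bash
# Added example (not from the notes): bash + Azure CLI. Names below are constructed.
set -euo pipefail

MG_NAME="Finance"                  # management group from the notes' example
POLICY_NAME="deny-storage-http"    # constructed policy definition name

# Resource ID of a management group; this is the scope a policy assignment targets.
mg_scope() {
  printf '/providers/Microsoft.Management/managementGroups/%s' "$1"
}

# Write a custom policy rule: storage accounts that do not enforce HTTPS-only
# traffic are rejected at create/update time (the Deny effect from the notes).
write_policy_rule() {
  cat > "$1" <<'EOF'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "anyOf": [
        { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false" },
        { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false" }
      ] }
    ]
  },
  "then": { "effect": "Deny" }
}
EOF
}

# Create the management group, move the subscriptions in, define the policy at
# management-group scope and assign it there so every subscription inherits it.
deploy() {
  az account management-group create --name "$MG_NAME" --display-name "$MG_NAME"
  for sub in "$@"; do
    az account management-group subscription add --name "$MG_NAME" --subscription "$sub"
  done
  rule_file="$(mktemp)"
  write_policy_rule "$rule_file"
  def_id="$(az policy definition create --name "$POLICY_NAME" --management-group "$MG_NAME" \
            --mode Indexed --rules "$rule_file" --query id -o tsv)"
  az policy assignment create --name "$POLICY_NAME" --scope "$(mg_scope "$MG_NAME")" --policy "$def_id"
}

# Usage: ./governance.sh <subscription-id> [<subscription-id> ...]; runs only when az is installed.
if command -v az >/dev/null 2>&1 && [ "$#" -gt 0 ]; then
  deploy "$@"
fi
```

After assignment, `az policy state list` at the management group scope shows existing non-compliant accounts, and new non-compliant deployments fail with a RequestDisallowedByPolicy error.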
Exam Tip
- “Govern multiple subscriptions” → Management Group.
- “Apply encryption rules only to one subscription” → Policy at subscription scope.
- “Apply policy across all resource groups in a subscription” → Policy at subscription scope.
- “Enforce a tag on every resource” → Policy (Append).
What to Expect in the Exam
- Direct Q: “Which container organizes subscriptions for governance?” → Management Group.
- Scenario: “Ensure all storage accounts in all company subscriptions use HTTPS.” → Policy at management group scope.
- Trick Q: “Resource Groups can contain subscriptions.” (False: resource groups contain only resources.)