Last Updated on March 23, 2024 by Michael Morten Sonne
Introduction
Are you tired of spending valuable time manually removing Azure management groups and moving subscriptions to the root one by one? 🤔
If you have a big landing zone setup or are using a lab tenant, managing multiple management groups in Azure can be cumbersome, especially when it comes to cleaning up unused or unnecessary ones. PowerShell scripts can automate this process for you, saving time and effort.
In this post, we’ll walk you through a simple PowerShell script designed to remove Azure management groups and move subscriptions to the root effortlessly 😎🤘
What is a management group in Azure
In Azure, a management group is a logical container that helps you manage access, policies, and compliance for multiple Azure subscriptions. Management groups provide a way to efficiently organize your Azure resources and apply governance controls at scale. Here are some key points about Azure management groups:
- Organizational Hierarchy: Management groups form a hierarchical structure that reflects the organizational structure of your company. You can create a hierarchy of management groups to represent different business units, departments, projects, or environments within your organization.
- Policy Inheritance: Policies assigned to a management group are inherited by all child resources within that management group hierarchy. This allows you to enforce consistent policies and controls across multiple subscriptions and resources.
- Access Control: Azure Role-Based Access Control (RBAC) can be applied at the management group level, allowing you to grant permissions to users, groups, or service principals at a higher level in the hierarchy. This simplifies access management and ensures that permissions are applied consistently across related resources.
- Resource Organization: You can move subscriptions into management groups to organize your Azure resources effectively. This helps you manage access, billing, and policies in a centralized manner, making it easier to govern and track usage across different parts of your organization.
- Governance and Compliance: Management groups enable you to enforce governance policies, compliance standards, and regulatory requirements across your Azure environment. By applying policies at the management group level, you can ensure that all resources within the hierarchy adhere to your organization’s standards and guidelines.
- Scalability and Flexibility: As your organization grows and evolves, you can easily adjust the management group hierarchy to accommodate changes in your organizational structure, projects, or resource ownership. This scalability and flexibility make management groups a powerful tool for managing complex Azure environments.
Overall, management groups play a crucial role in organizing, governing, and securing your Azure resources effectively. By leveraging management groups, organizations can achieve greater control, visibility, and compliance across their Azure environment, helping them to achieve their business objectives more efficiently.
Read more here: What is an Azure landing zone? – Cloud Adoption Framework | Microsoft Learn
Here are key points regarding management groups
- Scalability: A single directory can accommodate up to 10,000 management groups.
- Hierarchy Depth: A management group tree can consist of up to six levels of depth. This count excludes both the Root level and the subscription level.
- Parent-Child Relationship: Each management group and subscription can have only one parent. However, a management group can have multiple children.
- Hierarchical Structure: All subscriptions and management groups reside within a unified hierarchy within each directory. For further details, refer to the essential information about the Root management group.
Why Automation
Removing management groups in Azure manually can be a tedious and time-consuming task, particularly if you have a hierarchy of nested management groups. The Azure Portal (GUI) requires you to delete management groups one by one from the lowest level to the top, which can be inefficient and prone to errors. Automation streamlines this process, allowing you to remove multiple management groups quickly and efficiently.
Introducing the PowerShell Script
The PowerShell script provided below is designed to remove Azure management groups based on a specified prefix and move all associated subscriptions to the root management group (default place). Before executing the script, ensure that you have the necessary permissions to delete management groups and move subscriptions.
To see your current management groups in Azure, go to the Management Groups blade in the Azure Portal or use the direct link here: Management groups – Microsoft Azure
How to use the script
- Connect to Azure: Run Connect-AzAccount to authenticate and connect to your Azure account.
- Prefix: Modify the prefix argument with the prefix of the management groups you want to delete.
- Review Output: The script will display messages indicating the progress and completion of the removal process.
The script
The script is hosted on my public repo here: https://github.com/michaelmsonne/public
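The bottom-up removal order and the move to root described above can be sketched as follows. This is an added example, not the script from the repo: it previews or performs the cleanup leaf-first and leaves in place any group that still has child groups outside the prefix, since removing a group also removes the policy and RBAC assignments its subscriptions inherited from it. Assumptions: the -Prefix parameter name is hypothetical, the prefix is matched against the group ID, and the root management group ID equals the tenant ID.

```powershell
#Requires -Modules Az.Resources
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param([Parameter(Mandatory)][string]$Prefix)   # hypothetical parameter name

# Assumption: the root group ID equals the tenant ID (the Azure default).
$rootId  = (Get-AzContext).Tenant.Id
# Assumption: the prefix is matched against the group ID (Name), not DisplayName.
$names   = @(Get-AzManagementGroup |
             Where-Object { $_.Name -like "$Prefix*" -and $_.Name -ne $rootId } |
             ForEach-Object Name)
$pending = [System.Collections.Generic.List[string]]$names
$removed = [System.Collections.Generic.HashSet[string]]::new()

do {
    $progress = $false
    foreach ($name in @($pending)) {
        $mg = Get-AzManagementGroup -GroupName $name -Expand
        # A group is a leaf once every child group is removed (or would be).
        $childGroups = @($mg.Children | Where-Object {
            $_.Type -match 'managementGroups$' -and -not $removed.Contains($_.Name) })
        if ($childGroups.Count) { continue }

        $moved = $true
        foreach ($sub in @($mg.Children | Where-Object Type -match 'subscriptions$')) {
            if ($PSCmdlet.ShouldProcess($sub.DisplayName, "Move to root group $rootId")) {
                New-AzManagementGroupSubscription -GroupName $rootId -SubscriptionId $sub.Name
            } elseif (-not $WhatIfPreference) { $moved = $false }   # user declined
        }
        # Only remove the group if all of its subscriptions were moved out.
        $ok = $moved -and $PSCmdlet.ShouldProcess($name, 'Remove management group')
        if ($ok) { Remove-AzManagementGroup -GroupName $name }
        if ($ok -or $WhatIfPreference) { [void]$removed.Add($name) }
        [void]$pending.Remove($name)
        $progress = $true
    }
} while ($pending.Count -gt 0 -and $progress)

if ($pending.Count) {
    Write-Warning "Left in place (child groups remain): $($pending -join ', ')"
}
```

Saved under a file name of your choice and run with -WhatIf first, it prints the planned moves and removals in order without changing anything.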
Conclusion
With this PowerShell script, you can automate the tedious task of removing Azure management groups and moving associated subscriptions to the root. By streamlining this process, you can save time and ensure efficient management of your Azure resources. Feel free to customize the script further to suit your specific requirements and workflow. Happy automating!
Thank you for taking the time to visit my blog. Kindly share it with others if you find it helpful for them! 😉🔐👍
Stay tuned for the next post about something cool! 🥳
References
Remove-AzManagementGroup (Az.Resources) | Microsoft Learn
New-AzManagementGroupSubscription (Az.Resources) | Microsoft Learn