Quickstart: Create a management group with the Azure CLI
Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. Create these containers to build an effective and efficient hierarchy that can be used with Azure Policy and Azure Role Based Access Controls. For more information on management groups, see Organize your resources with Azure management groups.
The first management group created in the directory could take up to 15 minutes to complete. There are processes that run the first time to set up the management groups service within Azure for your directory. You receive a notification when the process is complete. For more information, see initial setup of management groups.
Prerequisites
If you don't have an Azure subscription, create a trial subscription account before you begin.
This quickstart requires that you run Azure CLI version 2.0.76 or later to install and use the CLI locally. To find the version, run
az --version. If you need to install or upgrade, see Install Azure CLI.Any Azure AD user in the tenant can create a management group without the management group write permission assigned to that user if hierarchy protection isn't enabled. This new management group becomes a child of the Root Management Group or the default management group and the creator is given an "Owner" role assignment. Management group service allows this ability so that role assignments aren't needed at the root level. No users have access to the Root Management Group when it's created. To avoid the hurdle of finding the Azure AD Global Admins to start using management groups, we allow the creation of the initial management groups at the root level.
Note
Before you can use Azure CLI in Microsoft Azure operated by 21Vianet, please run az cloud set -n AzureChinaCloud first to change the cloud environment. If you want to switch back to Azure Public Cloud, run az cloud set -n AzureCloud again.
Create in the Azure CLI
For Azure CLI, use the az account management-group create command to create a new management group. In this example, the management group name is Contoso.
az account management-group create --name 'Contoso'
The name is a unique identifier being created. This ID is used by other commands to reference this group and it can't be changed later.
If you want the management group to show a different name within the Azure portal, add the display-name parameter. For example, to create a management group with the GroupName of Contoso and the display name of "Contoso Group", use the following command:
az account management-group create --name 'Contoso' --display-name 'Contoso Group'
In the preceding examples, the new management group is created under the root management group. To specify a different management group as the parent, use the parent parameter and provide the name of the parent group.
az account management-group create --name 'ContosoSubGroup' --parent 'Contoso'
Clean up resources
To remove the management group created above, use the az account management-group delete command:
az account management-group delete --name 'Contoso'
Next steps
In this quickstart, you created a management group to organize your resource hierarchy. The management group can hold subscriptions or other management groups.
To learn more about management groups and how to manage your resource hierarchy, continue to: