Quickstart: Create a management group with Python

Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. Create these containers to build an effective and efficient hierarchy that can be used with Azure Policy and Azure role-based access control (Azure RBAC). For more information on management groups, see Organize your resources with Azure management groups.

The first management group created in the directory could take up to 15 minutes to complete. There are processes that run the first time to set up the management groups service within Azure for your directory. You receive a notification when the process is complete. For more information, see initial setup of management groups.

Prerequisites

  • If you don't have an Azure subscription, create a trial subscription account before you begin.

  • Any Azure AD user in the tenant can create a management group without having the management group write permission assigned, as long as hierarchy protection isn't enabled. The new management group becomes a child of the Root Management Group or the default management group, and the creator is given an "Owner" role assignment. The management group service allows this so that role assignments aren't needed at the root level. No users have access to the Root Management Group when it's created. To avoid the hurdle of finding the Azure AD Global Admins to start using management groups, we allow the creation of the initial management groups at the root level.
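A defender-side check for the behavior described above, as an added example that is not part of the original quickstart: it scans Activity Log style records for successful management group writes made by callers outside an approved list. The records are constructed and flattened, and the field names, the approved list, and the helper name `unexpected_mg_writes` are assumptions.

```python
MG_WRITE = "microsoft.management/managementgroups/write"
MG_PREFIX = "/providers/microsoft.management/managementgroups/"

# Constructed sample records, flattened from the Activity Log event shape.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-01-10T09:12:44Z", "status": "Succeeded",
     "caller": "platform-admin@contoso.example",
     "operationName": "Microsoft.Management/managementGroups/write",
     "resourceId": "/providers/Microsoft.Management/managementGroups/Corp"},
    {"eventTimestamp": "2024-01-11T17:03:02Z", "status": "Succeeded",
     "caller": "dev.user@contoso.example",
     "operationName": "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/WRITE",
     "resourceId": "/providers/Microsoft.Management/managementGroups/MyNewMG"},
    {"eventTimestamp": "2024-01-11T17:05:40Z", "status": "Failed",
     "caller": "dev.user@contoso.example",
     "operationName": "Microsoft.Management/managementGroups/write",
     "resourceId": "/providers/Microsoft.Management/managementGroups/Sandbox"},
    {"eventTimestamp": "2024-01-12T08:30:00Z", "status": "Succeeded",
     "caller": "dev.user@contoso.example",
     "operationName": "Microsoft.Management/managementGroups/subscriptions/write",
     "resourceId": "/providers/Microsoft.Management/managementGroups/Corp"},
]


def unexpected_mg_writes(events, approved_callers):
    """Return successful management group create/update events whose caller
    is not in approved_callers (compared case-insensitively)."""
    approved = {c.lower() for c in approved_callers}
    findings = []
    for ev in events:
        # Exact match: child operations such as .../subscriptions/write are skipped.
        if ev.get("operationName", "").lower() != MG_WRITE:
            continue
        if ev.get("status", "").lower() != "succeeded":
            continue
        caller = ev.get("caller", "")
        if caller.lower() in approved:
            continue  # a record with no caller is never approved, so it is reported
        rid = ev.get("resourceId", "")
        group = rid[len(MG_PREFIX):] if rid.lower().startswith(MG_PREFIX) else rid
        findings.append({"time": ev.get("eventTimestamp"),
                         "caller": caller, "group": group})
    return findings


if __name__ == "__main__":
    for hit in unexpected_mg_writes(SAMPLE_EVENTS, ["platform-admin@contoso.example"]):
        print(hit)
```

The write operation covers both create and update, so a finding means "changed or created by an unapproved caller"; review the Owner role assignment on any group it reports.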

Add the management groups library

To enable Python to manage management groups, the management groups library must be added. This library works wherever Python can be used, including bash on Windows 10 or a local installation.

  1. Check that the latest Python is installed (at least 3.8). If it isn't yet installed, download it at Python.org.

  2. Check that the latest Azure CLI is installed (at least 2.5.1). If it isn't yet installed, see Install the Azure CLI.

    Note

    Azure CLI is required to enable Python to use the CLI-based authentication in the following examples.

  3. Authenticate through Azure CLI.

    az cloud set -n AzureChinaCloud
    az login
    
  4. In your Python environment of choice, install the required libraries for management groups:

    # Add the management groups library for Python
    pip install azure-mgmt-managementgroups
    
    # Add the Resources library for Python
    pip install azure-mgmt-resource
    
    # Add the CLI Core library for Python for authentication (development only!)
    pip install azure-cli-core
    

    Note

    If Python is installed for all users, these commands must be run from an elevated console.

  5. Validate that the libraries have been installed. azure-mgmt-managementgroups should be 0.2.0 or higher, azure-mgmt-resource should be 9.0.0 or higher, and azure-cli-core should be 2.5.0 or higher.

    # Check each installed library
    pip show azure-mgmt-managementgroups azure-mgmt-resource azure-cli-core
    

Create the management group

  1. Create the Python script and save the following source as mgCreate.py:

    # Import management group classes
    from azure.mgmt.managementgroups import ManagementGroupsAPI
    
    # Import the CLI-profile client factory and the subscription client
    from azure.common.client_factory import get_client_from_cli_profile
    from azure.mgmt.resource import SubscriptionClient
    
    # Wrap all the work in a function
    def createmanagementgroup(strName):
        # Get your credentials from Azure CLI (development only!) and get your subscription list.
        # The list is informational; the create call below does not use it.
        subsClient = get_client_from_cli_profile(SubscriptionClient)
        subsRaw = []
        for sub in subsClient.subscriptions.list():
            subsRaw.append(sub.as_dict())
        subsList = []
        for sub in subsRaw:
            subsList.append(sub.get('subscription_id'))
    
        # Create management group client and set options
        mgClient = get_client_from_cli_profile(ManagementGroupsAPI)
        mg_request = {'name': strName, 'display_name': strName}
    
        # Create management group (returns a poller for the long-running operation)
        mg = mgClient.management_groups.create_or_update(group_id=strName, create_management_group_request=mg_request)
    
        # Show results
        print(mg)
    
    createmanagementgroup("MyNewMG")
    
  2. Authenticate with Azure CLI with az login.

    az cloud set -n AzureChinaCloud
    az login
    
  3. Enter the following command in the terminal:

    py mgCreate.py
    

The result of creating the management group is output to the console as an LROPoller object.
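To get the finished management group rather than the poller, wait on the operation. The following is an added example, not part of the original quickstart: `create_and_wait`, the timeout value, the result attributes read from the returned model, and the `Fake*` stand-ins (constructed so the block runs offline) are assumptions; in practice pass the `mgClient` built in mgCreate.py.

```python
from types import SimpleNamespace

# Assumption: 20 minutes, chosen because the first management group in a
# directory can take up to 15 minutes to complete.
FIRST_RUN_TIMEOUT = 20 * 60


def create_and_wait(mg_client, group_id, timeout=FIRST_RUN_TIMEOUT):
    """Create the group, wait for the long-running operation, return its details."""
    request = {'name': group_id, 'display_name': group_id}
    poller = mg_client.management_groups.create_or_update(
        group_id=group_id, create_management_group_request=request)
    # wait() returns when the operation ends or the timeout elapses; it does
    # not raise on timeout, so check done() before trusting the result.
    poller.wait(timeout)
    if not poller.done():
        raise TimeoutError('management group %r not ready after %ss' % (group_id, timeout))
    group = poller.result()  # raises if the operation failed
    return {'id': group.id, 'name': group.name, 'display_name': group.display_name}


class FakePoller:
    """Constructed stand-in for LROPoller so the example runs offline."""
    def __init__(self, group, finished):
        self.group, self.finished = group, finished

    def wait(self, timeout=None):
        pass  # a real poller blocks here until done or timed out

    def done(self):
        return self.finished

    def result(self, timeout=None):
        return self.group


class FakeClient:
    """Constructed stand-in for ManagementGroupsAPI (hypothetical, demo only)."""
    def __init__(self, finished=True):
        self.management_groups, self.finished = self, finished

    def create_or_update(self, group_id, create_management_group_request):
        group = SimpleNamespace(
            id='/providers/Microsoft.Management/managementGroups/' + group_id,
            name=group_id,
            display_name=create_management_group_request['display_name'])
        return FakePoller(group, self.finished)


if __name__ == '__main__':
    print(create_and_wait(FakeClient(), 'MyNewMG'))
```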

Clean up resources

If you wish to remove the installed libraries from your Python environment, you can do so by using the following command:

# Remove the installed libraries from the Python environment
pip uninstall azure-mgmt-managementgroups azure-mgmt-resource azure-cli-core

Next steps

In this quickstart, you created a management group to organize your resource hierarchy. The management group can hold subscriptions or other management groups.

To learn more about management groups and how to manage your resource hierarchy, continue to: