Manage your resources with management groups

If your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called "management groups" and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.

Management groups give you enterprise-grade management at scale no matter what type of subscriptions you might have. To learn more about management groups, see Organize your resources with Azure management groups.

Note

This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. If you're looking for general information about GDPR, see the GDPR section of the Service Trust portal.

Important

Azure Resource Manager user tokens and the management group cache last for 30 minutes before they are forced to refresh. After an action such as moving a management group or subscription, it can take up to 30 minutes for the change to show. To see the update sooner, refresh your token by reloading the browser, signing out and back in, or requesting a new token.

Change the name of a management group

You can change the name of a management group by using the portal, PowerShell, or Azure CLI. Only the display name can be changed; the management group ID, which is the value used in scope paths, role assignments, and policy assignments, cannot be renamed.

Change the name in the portal

  1. Log in to the Azure portal.

  2. Select All services > Management groups.

  3. Select the management group you would like to rename.

  4. Select details.

  5. Select the Rename group option at the top of the page.

    (Screenshot: the action bar on the Management groups page, with the Rename group button.)

  6. When the menu opens, enter the new name you would like to have displayed.

    (Screenshot: the Rename group window and the options for renaming a management group.)

  7. Select Save.

Change the name in PowerShell

To update the display name, use Update-AzManagementGroup. The -GroupName parameter takes the management group's ID, not its current display name. For example, to change the display name of the management group with ID 'ContosoIt' from "Contoso IT" to "Contoso Group", run the following command:

Update-AzManagementGroup -GroupName 'ContosoIt' -DisplayName 'Contoso Group'

Change the name in Azure CLI

For Azure CLI, use the update command.

az account management-group update --name 'Contoso' --display-name 'Contoso Group'

Delete a management group

To delete a management group, the following requirements must be met:

  1. There are no child management groups or subscriptions under the management group. To move a subscription or management group to another management group, see Moving management groups and subscriptions in the hierarchy.

  2. You need write permissions on the management group (Owner, Contributor, or Management Group Contributor). To see what permissions you have, select the management group and then select IAM. To learn more about Azure roles, see Azure role-based access control (Azure RBAC).

Delete in the portal

  1. Log in to the Azure portal.

  2. Select All services > Management groups.

  3. Select the management group you would like to delete.

  4. Select details.

  5. Select Delete.

    (Screenshot: the Management groups page with the Delete button highlighted.)

    Tip

    If the icon is disabled, hovering your mouse pointer over the icon shows you the reason.

  6. A window opens asking you to confirm that you want to delete the management group.

    (Screenshot: the Delete group confirmation dialog for deleting a management group.)

  7. Select Yes.

Delete in PowerShell

Use the Remove-AzManagementGroup command within PowerShell to delete management groups.

Remove-AzManagementGroup -GroupName 'Contoso'

Delete in Azure CLI

With Azure CLI, use the command az account management-group delete.

az account management-group delete --name 'Contoso'

View management groups

You can view any management group you have a direct or inherited Azure role on.

View in the portal

  1. Log in to the Azure portal.

  2. Select All services > Management groups.

  3. The management group hierarchy page loads. This page is where you can explore all the management groups and subscriptions you have access to. Selecting a group name takes you to a lower level in the hierarchy. The navigation works the same way as a file explorer.

  4. To see the details of a management group, select the (details) link next to the title of the management group. If this link isn't available, you don't have permission to view that management group.

    (Screenshot: the Management groups page showing child management groups and subscriptions.)

View in PowerShell

You use the Get-AzManagementGroup command to retrieve all groups. See the Az.Resources module for the full list of management group GET PowerShell commands.

Get-AzManagementGroup

For a single management group's information, use the -GroupName parameter.

Get-AzManagementGroup -GroupName 'Contoso'

To return a specific management group and all the levels of the hierarchy under it, use the -Expand and -Recurse parameters.

PS C:\> $response = Get-AzManagementGroup -GroupName TestGroupParent -Expand -Recurse
PS C:\> $response

Id                : /providers/Microsoft.Management/managementGroups/TestGroupParent
Type              : /providers/Microsoft.Management/managementGroups
Name              : TestGroupParent
TenantId          : 00000000-0000-0000-0000-000000000000
DisplayName       : TestGroupParent
UpdatedTime       : 2/1/2018 11:15:46 AM
UpdatedBy         : 00000000-0000-0000-0000-000000000000
ParentId          : /providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000
ParentName        : 00000000-0000-0000-0000-000000000000
ParentDisplayName : 00000000-0000-0000-0000-000000000000
Children          : {TestGroup1DisplayName, TestGroup2DisplayName}

PS C:\> $response.Children[0]

Type        : /managementGroup
Id          : /providers/Microsoft.Management/managementGroups/TestGroup1
Name        : TestGroup1
DisplayName : TestGroup1DisplayName
Children    : {TestRecurseChild}

PS C:\> $response.Children[0].Children[0]

Type        : /managementGroup
Id          : /providers/Microsoft.Management/managementGroups/TestRecurseChild
Name        : TestRecurseChild
DisplayName : TestRecurseChild
Children    :
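
The following is an added example, not code from the original article, that walks the object returned by Get-AzManagementGroup -Expand -Recurse and lists every descendant management group and subscription with its depth. The same walk doubles as the pre-delete check from the Delete a management group section, since a group can only be deleted when it has no children. The sample hierarchy is constructed inline so the script runs without an Azure connection; the Children Type strings '/managementGroup' and '/subscriptions' are assumptions based on the output above and on the subscription child type as this editor recalls it, so confirm them against your own Az.Resources version.

```powershell
# Added example (not from the original article). Walks a hierarchy object of
# the shape returned by:  Get-AzManagementGroup -GroupName <id> -Expand -Recurse
# Assumed child Type strings: '/managementGroup' for groups, '/subscriptions'
# for subscriptions (verify against your Az.Resources version).

function Get-MgDescendant {
    param(
        [Parameter(Mandatory)] $Node,   # object with Type, Id, Name, DisplayName, Children
        [int] $Depth = 0
    )
    foreach ($child in @($Node.Children)) {
        if ($null -eq $child) { continue }          # Children is $null on a leaf
        $isGroup = $child.Type -like '*managementGroup*'
        [pscustomobject]@{
            Depth       = $Depth + 1
            Kind        = $(if ($isGroup) { 'ManagementGroup' } else { 'Subscription' })
            Name        = $child.Name
            DisplayName = $child.DisplayName
            Id          = $child.Id
        }
        # Recurse only into management groups; subscriptions are leaves.
        if ($isGroup) { Get-MgDescendant -Node $child -Depth ($Depth + 1) }
    }
}

function Test-MgDeletable {
    param([Parameter(Mandatory)] $Node)
    # Deletion requirement from this article: no child management groups or subscriptions.
    return (@(Get-MgDescendant -Node $Node).Count -eq 0)
}

# Constructed sample hierarchy (no Azure call is made). For live data replace with:
#   $response = Get-AzManagementGroup -GroupName 'Contoso' -Expand -Recurse
$response = [pscustomobject]@{
    Type        = '/providers/Microsoft.Management/managementGroups'
    Id          = '/providers/Microsoft.Management/managementGroups/Contoso'
    Name        = 'Contoso'
    DisplayName = 'Contoso'
    Children    = @(
        [pscustomobject]@{
            Type        = '/managementGroup'
            Id          = '/providers/Microsoft.Management/managementGroups/ContosoIT'
            Name        = 'ContosoIT'
            DisplayName = 'Contoso IT'
            Children    = @(
                [pscustomobject]@{
                    Type        = '/subscriptions'
                    Id          = '/subscriptions/12345678-1234-1234-1234-123456789012'
                    Name        = '12345678-1234-1234-1234-123456789012'
                    DisplayName = 'IT Prod'
                    Children    = $null
                }
            )
        },
        [pscustomobject]@{
            Type        = '/managementGroup'
            Id          = '/providers/Microsoft.Management/managementGroups/ContosoSandbox'
            Name        = 'ContosoSandbox'
            DisplayName = 'Sandbox'
            Children    = @()
        }
    )
}

Get-MgDescendant -Node $response | Format-Table Depth, Kind, Name, DisplayName
"Contoso deletable: $(Test-MgDeletable -Node $response)"
"Sandbox deletable: $(Test-MgDeletable -Node $response.Children[1])"
```

Because the walk is depth-first from the group you name, it only sees the part of the hierarchy your role lets Get-AzManagementGroup return; a group that looks empty to a user with Reader on one branch may still have children the caller cannot see, so run the check with the same identity that will perform the delete.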

View in Azure CLI

You use the list command to retrieve all groups.

az account management-group list

For a single management group's information, use the show command.

az account management-group show --name 'Contoso'

To return a specific management group and all the levels of the hierarchy under it, use the --expand (-e) and --recurse (-r) options.

az account management-group show --name 'Contoso' -e -r

Moving management groups and subscriptions

One reason to create a management group is to bundle subscriptions together. Only management groups and subscriptions can be made children of another management group. A subscription that moves to a management group inherits all user access and policies from the parent management group, and stops inheriting those of the parent it left.

When moving a management group or subscription to be a child of another management group, three rules need to evaluate as true.

If you're doing the move action, you need:

  • Management group write and role assignment write permissions on the child subscription or management group.
    • Built-in role example: Owner
  • Management group write access on the target parent management group.
    • Built-in role examples: Owner, Contributor, Management Group Contributor
  • Management group write access on the existing parent management group.
    • Built-in role examples: Owner, Contributor, Management Group Contributor

Exception: If the target or the existing parent management group is the Root management group, the permission requirements don't apply to it. Since the Root management group is the default landing spot for all new management groups and subscriptions, you don't need permissions on it to move an item.

If the Owner role on the subscription is inherited from the current management group, your move targets are limited. You can only move the subscription to another management group where you have the Owner role. You can't move the subscription to a management group where you're only a Contributor, because you would lose ownership of the subscription. If you're directly assigned the Owner role on the subscription, you can move it to any management group where you're a Contributor.

To see what permissions you have in the Azure portal, select the management group and then select IAM. To learn more about Azure roles, see Azure role-based access control (Azure RBAC).
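
As an added example (not from the original article), the following function evaluates the three rules above for a subscription move using Get-AzRoleAssignment, including the Root-group exception and the inherited-Owner restriction. It needs a signed-in Az session. The function name, its parameters, and the sample identifiers are assumptions for illustration, and it only checks the built-in role names the article lists, so a custom role that carries the same actions would be reported as missing.

```powershell
# Added example (not from the original article): pre-flight check for the
# three move rules. Requires Connect-AzAccount. Names below are illustrative.

function Test-MgMovePermission {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $CurrentParent,   # management group ID
        [Parameter(Mandatory)] [string] $TargetParent,    # management group ID
        [Parameter(Mandatory)] [string] $SignInName       # user to check
    )
    $mgWriteRoles = @('Owner', 'Contributor', 'Management Group Contributor')
    $rootId       = (Get-AzContext).Tenant.Id   # the Root management group's ID is the tenant ID
    $subScope     = "/subscriptions/$SubscriptionId"
    $targetScope  = "/providers/Microsoft.Management/managementGroups/$TargetParent"

    # Assignments returned for a scope include those inherited from parent scopes.
    $subRoles = Get-AzRoleAssignment -Scope $subScope -SignInName $SignInName

    # Rule 1: management group write + role assignment write on the child
    # (built-in example: Owner). Whether Owner is assigned directly on the
    # subscription or inherited from the parent decides the allowed targets.
    $ownerAssignments = @($subRoles | Where-Object RoleDefinitionName -eq 'Owner')
    $hasOwner         = $ownerAssignments.Count -gt 0
    $ownerDirect      = @($ownerAssignments | Where-Object Scope -eq $subScope).Count -gt 0

    # Rules 2 and 3: management group write on the target and current parents,
    # waived when the parent in question is the Root management group.
    function Test-MgWrite([string] $mgName) {
        if ($mgName -eq $rootId) { return $true }
        $mgScope = "/providers/Microsoft.Management/managementGroups/$mgName"
        $roles   = Get-AzRoleAssignment -Scope $mgScope -SignInName $SignInName
        return @($roles | Where-Object { $_.RoleDefinitionName -in $mgWriteRoles }).Count -gt 0
    }
    $targetWrite  = Test-MgWrite $TargetParent
    $currentWrite = Test-MgWrite $CurrentParent

    # With only inherited ownership, the target must also grant Owner,
    # otherwise the move would strip your ownership of the subscription.
    $targetOwner = ($TargetParent -eq $rootId) -or (@(Get-AzRoleAssignment -Scope $targetScope -SignInName $SignInName | Where-Object RoleDefinitionName -eq 'Owner').Count -gt 0)
    $ownershipOk = $ownerDirect -or $targetOwner

    [pscustomobject]@{
        ChildOwner          = $hasOwner
        OwnerAssignedDirect = $ownerDirect
        TargetParentWrite   = $targetWrite
        CurrentParentWrite  = $currentWrite
        OwnershipPreserved  = $ownershipOk
        CanMove             = $hasOwner -and $targetWrite -and $currentWrite -and $ownershipOk
    }
}

# Example call with assumed identifiers:
Test-MgMovePermission -SubscriptionId '12345678-1234-1234-1234-123456789012' `
    -CurrentParent 'ContosoIT' -TargetParent 'Contoso' -SignInName 'admin@contoso.com'
```

Run it as the identity that will perform the move. Remember the 30-minute token and cache window from the Important note above: a role assignment granted a moment ago may not yet be reflected in the move itself even when this check passes.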

Move subscriptions

Add an existing subscription to a management group in the portal

  1. Log in to the Azure portal.

  2. Select All services > Management groups.

  3. Select the management group you're planning to be the parent.

  4. At the top of the page, select Add subscription.

  5. Select the subscription with the correct ID in the list.

    (Screenshot: the Add subscription option for selecting an existing subscription to add to a management group.)

  6. Select Save.

Remove a subscription from a management group in the portal

  1. Log in to the Azure portal.

  2. Select All services > Management groups.

  3. Select the management group that is the current parent.

  4. Select the ellipsis at the end of the row for the subscription you want to move.

    (Screenshot: the subscription's context menu with the Move option.)

  5. Select Move.

  6. On the menu that opens, select the parent management group.

    (Screenshot: the Move window and the options for moving a subscription to a different management group.)

  7. Select Save.

Move subscriptions in PowerShell

To move a subscription in PowerShell, use the New-AzManagementGroupSubscription command.

New-AzManagementGroupSubscription -GroupName 'Contoso' -SubscriptionId '12345678-1234-1234-1234-123456789012'

To remove the link between a subscription and the management group, use the Remove-AzManagementGroupSubscription command. A subscription removed this way is not deleted; it lands back under the Root management group and loses the access and policy assignments it inherited from the group it left.

Remove-AzManagementGroupSubscription -GroupName 'Contoso' -SubscriptionId '12345678-1234-1234-1234-123456789012'

Move subscriptions in Azure CLI

To move a subscription in Azure CLI, use the subscription add command.

az account management-group subscription add --name 'Contoso' --subscription '12345678-1234-1234-1234-123456789012'

To remove the subscription from the management group, use the subscription remove command.

az account management-group subscription remove --name 'Contoso' --subscription '12345678-1234-1234-1234-123456789012'

Move management groups

Move management groups in the portal

  1. Log in to the Azure portal.

  2. Select All services > Management groups.

  3. Select the management group you're planning to be the parent.

  4. At the top of the page, select Add management group.

  5. In the menu that opens, choose whether to create a new management group or use an existing one.

    • Selecting new creates a new management group.
    • Selecting existing presents a drop-down of all the management groups you can move under this management group.

    (Screenshot: the Add management group option for creating a new management group.)

  6. Select Save.

Move management groups in PowerShell

Use the Update-AzManagementGroup command in PowerShell to move a management group under a different group. -ParentId takes the full resource ID of the new parent, which is why the example reads it from a Get-AzManagementGroup result.

$parentGroup = Get-AzManagementGroup -GroupName ContosoIT
Update-AzManagementGroup -GroupName 'Contoso' -ParentId $parentGroup.id

Move management groups in Azure CLI

Use the update command to move a management group with Azure CLI.

az account management-group update --name 'Contoso' --parent ContosoIT

Audit management groups using activity logs

Management groups are supported within the Azure Activity Log. You can query all events that happen to a management group in the same central location as for other Azure resources. For example, you can see all role assignment or policy assignment changes made to a particular management group.

(Screenshot: activity log entries and operations for the selected management group.)

When querying management groups outside of the Azure portal, the target scope for a management group looks like "/providers/Microsoft.Management/managementGroups/{yourMgID}".
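
The following is an added example, not code from the original article, that pulls role-assignment and policy-assignment changes for one management group from the Activity Log through the REST endpoint. It uses Invoke-AzRestMethod so the request goes to the Resource Manager endpoint of whichever cloud the current context is signed in to (management.chinacloudapi.cn for Azure China, as in the GET example further down). The eventtypes/management/values path, its api-version, and the $filter syntax are this editor's recollection of the Azure Monitor REST reference, not something the article states; verify them against the current reference before automating around them. The function name and sample IDs are assumptions.

```powershell
# Added example (not from the original article). Requires Connect-AzAccount.
# Path and api-version are assumed from the Azure Monitor REST reference;
# verify before relying on them. nextLink paging is not followed here.

function Get-MgAuthorizationEvent {
    param(
        [Parameter(Mandatory)] [string] $ManagementGroupId,
        [int] $Days = 7
    )
    $mgScope = "/providers/Microsoft.Management/managementGroups/$ManagementGroupId"
    $from    = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-dd\THH:mm:ss\Z')
    $filter  = [uri]::EscapeDataString("eventTimestamp ge '$from'")
    $path    = "$mgScope/providers/microsoft.insights/eventtypes/management/values?api-version=2017-03-01-preview&`$filter=$filter"

    $resp = Invoke-AzRestMethod -Path $path -Method GET
    if ($resp.StatusCode -ne 200) {
        throw "Activity log query failed: HTTP $($resp.StatusCode) $($resp.Content)"
    }
    $events = (ConvertFrom-Json $resp.Content).value

    # Operations that change who can act at this scope, or which policies apply to it.
    $watched = @(
        'Microsoft.Authorization/roleAssignments/write',
        'Microsoft.Authorization/roleAssignments/delete',
        'Microsoft.Authorization/policyAssignments/write',
        'Microsoft.Authorization/policyAssignments/delete'
    )
    $events |
        Where-Object { $_.operationName.value -in $watched -and $_.status.value -eq 'Succeeded' } |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.eventTimestamp
                Operation = $_.operationName.value
                Caller    = $_.caller
                Scope     = $_.resourceId
            }
        } |
        Sort-Object Time
}

Get-MgAuthorizationEvent -ManagementGroupId 'Contoso' -Days 30 | Format-Table -AutoSize
```

Because assignments made at a management group are inherited by every subscription below it, a single roleAssignments/write at this scope can grant access to all of them at once; that is why these four operations are the ones worth alerting on at management group scope rather than only at subscription scope.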

Referencing management groups from other Resource Providers

When referencing management groups from other Resource Providers' actions, use the following path as the scope. This path is used with PowerShell, Azure CLI, and the REST APIs.

/providers/Microsoft.Management/managementGroups/{yourMgID}

An example of using this path is when creating a new role assignment at a management group in PowerShell. New-AzRoleAssignment also needs the principal and the role; the values below are placeholders:

New-AzRoleAssignment -ObjectId '<principal-object-id>' -RoleDefinitionName 'Management Group Contributor' -Scope "/providers/Microsoft.Management/managementGroups/Contoso"

The same scope path is used when retrieving a policy definition at a management group.

GET https://management.chinacloudapi.cn/providers/Microsoft.Management/managementgroups/MyManagementGroup/providers/Microsoft.Authorization/policyDefinitions/ResourceNaming?api-version=2019-09-01

Next steps

To learn more about management groups, see: