
Azure Governance Series – Governance Overview

First steps to do before starting with Management Groups:

  • group your Governance, Compliance and Security requirements top-down and divide them into at most 6 hierarchical levels
  • gather the requirements for the organizational and operational responsibilities


Now some more details about these first steps and using the Management Groups to build your Governance in Azure.

As mentioned in the Governance Overview article, you first need to identify the governance, security and compliance requirements of the organization.

Hints for Requirements Engineering:

  • Internal cost management
  • Distributed responsibilities over companies/departments/teams
  • Separation of environments like dev/test and prod.
  • Multiple operation teams like global IT and company or department IT

Discuss these with the CIO, CISO, Enterprise Architects and other key persons. Show them the possibilities for building a secure and controlled environment in Azure, and also how easily they can check whether the environment is compliant with the requirements.

Possibilities in Azure:

  • Role-based Access Control
  • Azure Policies
  • Azure Blueprints
  • Azure Privileged Identity Management (PIM)
  • Security Center
  • Azure Sentinel
  • Azure Advisor
  • Access Review with PIM

You also need to know who will take the organizational responsibility and who the operational responsibility for each part of the environment in Azure.

Responsibilities like:

  • Cost Management
  • Subscription Management
  • New cloud Services/Application onboarding
  • Service Lifecycle Management
  • Core Infrastructure like IAM, Connectivity, Network
  • Service Management Processes

It’s also important to clarify how the operation of the cloud environment will be organized. The environment in the cloud also needs operational tasks; they are not the same as on-premises, but they are still needed.

Operational Tasks:

  • Core Infrastructure System Management (IAM, Connectivity, Network)
  • General System Management for IaaS (Monitoring, Backup, Disaster Recovery, optimization)
  • Security Management
  • Initial Deployment, Continuous Deployment

This information is needed to design the structure of the Management Groups. The structure of the management groups should reflect the organizational and operational responsibilities.

Example structure:

Management groups are really useful when there is more than one Azure subscription and the responsibilities are distributed over multiple departments or teams. When distributing responsibilities, you can divide the hierarchy into at most 6 levels.

Summary about the Management Groups:

  • 6 hierarchical levels available, not counting the root management group
  • Management groups are mandatory for using Azure Blueprints

High-level to-dos for the implementation of the Management Groups and using them to ensure Governance in Azure:

  1. Activate Management Groups over the Azure Portal
  2. Create your structure as designed before
  3. Assign the existing subscriptions to the right Management group
  4. Use RBAC to build up the resource security
  5. Create your Azure policies from the requirements you collected before and assign them at the right Management Group level. More about grouping the policies is coming in following articles
  6. Create your Blueprints with the defined environment pattern and store them at the right level. When you store a Blueprint in a Management Group, it’ll be available for that Management Group and all groups and subscriptions below it. More about structuring and designing the Blueprints is coming in the following articles
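The steps above (design the hierarchy, attach subscriptions, assign policies and store Blueprints at the right level) can be checked before anything is created in the tenant. The following Python script is an added example and not code from the post: it models a management-group hierarchy, enforces the 6-level limit below the root, rejects a subscription attached to two groups, resolves which policies and Blueprints reach a given subscription through inheritance, and prints the Azure CLI commands that would build the hierarchy. The group names, subscription names and policy names are constructed; the `az` commands are only generated as text, never executed.

```python
"""Model an Azure management-group hierarchy and check it against the
governance rules from the post. Added example with constructed names."""

from dataclasses import dataclass, field

MAX_DEPTH = 6  # levels below the root management group (Azure limit)


@dataclass
class ManagementGroup:
    name: str
    children: list = field(default_factory=list)
    subscriptions: list = field(default_factory=list)
    policies: list = field(default_factory=list)    # policy assignments at this scope
    blueprints: list = field(default_factory=list)  # blueprint definitions stored here


def flatten(root):
    """Return {name: (group, parent_name, depth)} in pre-order, root at depth 0."""
    out = {}

    def walk(group, parent, depth):
        if group.name in out:
            raise ValueError(f"duplicate management group name: {group.name}")
        out[group.name] = (group, parent, depth)
        for child in group.children:
            walk(child, group.name, depth + 1)

    walk(root, None, 0)
    return out


def validate(root):
    """Return a list of design violations; an empty list means the design is acceptable."""
    problems = []
    seen_subs = {}
    for name, (group, _, depth) in flatten(root).items():
        if depth > MAX_DEPTH:
            problems.append(f"{name}: depth {depth} exceeds the {MAX_DEPTH}-level limit")
        for sub in group.subscriptions:
            if sub in seen_subs:
                problems.append(f"subscription {sub} assigned to both {seen_subs[sub]} and {name}")
            seen_subs[sub] = name
    return problems


def scope_chain(root, subscription):
    """Management groups from the root down to the one holding the subscription."""
    tree = flatten(root)
    for name, (group, _, _) in tree.items():
        if subscription in group.subscriptions:
            chain = []
            while name is not None:
                chain.append(name)
                name = tree[name][1]
            return list(reversed(chain))
    raise KeyError(f"subscription {subscription} is not assigned to any management group")


def effective(root, subscription):
    """Policies and Blueprints that reach a subscription by inheritance (root first)."""
    tree = flatten(root)
    policies, blueprints = [], []
    for name in scope_chain(root, subscription):
        policies += tree[name][0].policies
        blueprints += tree[name][0].blueprints
    return {"policies": policies, "blueprints": blueprints}


def az_commands(root):
    """Azure CLI commands that would create the hierarchy and attach the subscriptions.
    The root is assumed to be the existing Tenant Root Group and is not created."""
    cmds = []
    for name, (group, parent, _) in flatten(root).items():
        if parent is not None:
            cmds.append(f"az account management-group create --name {name} --parent {parent}")
        for sub in group.subscriptions:
            cmds.append(f"az account management-group subscription add --name {name} --subscription {sub}")
    return cmds


# Constructed hierarchy: tenant root -> company IT -> environment groups.
ROOT = ManagementGroup("TenantRootGroup", policies=["allowed-locations"], children=[
    ManagementGroup("CompanyIT", blueprints=["baseline-network"], children=[
        ManagementGroup("Prod", policies=["require-tags", "deny-public-ip"],
                        subscriptions=["sub-prod-erp"]),
        ManagementGroup("DevTest", policies=["require-tags"],
                        subscriptions=["sub-dev-erp", "sub-test-erp"]),
    ]),
])

if __name__ == "__main__":
    print("violations:", validate(ROOT) or "none")
    print("effective for sub-dev-erp:", effective(ROOT, "sub-dev-erp"))
    print("\n".join(az_commands(ROOT)))
```

Keeping the design as data makes the two rules from the post mechanical: `validate` fails a hierarchy deeper than 6 levels below the root, and `effective` shows that a policy assigned at the root reaches every subscription, while a Blueprint stored at `CompanyIT` is available to `Prod` and `DevTest` but not to a sibling group elsewhere in the tenant.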

Next steps after implementation of the initial structure for Management Groups:

  • Automated provisioning of Management Groups and subscriptions

Do not hesitate to share your feedback and experience here about structuring management groups.