default a subscription to a management group

%3CLINGO-SUB%20id%3D%22lingo-sub-1297001%22%20slang%3D%22en-US%22%3Edefault%20a%20subscription%20to%20a%20management%20group%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1297001%22%20slang%3D%22en-US%22%3E%3CP%3EHow%20could%20you%20enforce%20a%20new%20subscription%20to%20be%20assigned%20to%20an%20existing%20management%20group%2C%20other%20than%20the%20root%20management%20group%3F%20Could%20you%20use%20an%20Azure%20policy%20at%20the%20root%20group%20management%20to%20do%20it%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1297001%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Eazure%20blueprints%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Management%20Groups%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Policy%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1298196%22%20slang%3D%22en-US%22%3ERe%3A%20default%20a%20subscription%20to%20a%20management%20group%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1298196%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F616484%22%20target%3D%22_blank%22%3E%40khaled1405%3C%2FA%3E%26nbsp%3B%2C%20this%20is%20isn't%20something%20you%20can't%20change%20currently%2C%20but%20I%20read%20somewhere%20this%20is%20in%20the%20product%20roadmap%20for%20soon%2C%20i.e.%2C%20being%20able%20to%20specify%20the%20default%20Management%20Group%20for%20new%20subscriptions.%26nbsp%3BI%20don't%20know%20the%20ETA%2C%20though.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1298538%22%20slang%3D%22en-US%22%3ERe%3A%20default%20a%20subscription%20to%20a%20management%20group%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1298538%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F453722%22%20target%3D%22_blank%22%3E%40hspinto%3C%2FA%3E.%20Do%20you%20know%20who%20would%20be%20the%20best%20person%20to%20ask%20about%20the%20road%20map%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1298608%22%20slang%3D%22en-US%22%3ERe%3A%20default%20a%20subscription%20to%20a%20management%20group%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1298608%22%20slang%3D%22en-US%22%3E%3CP%3EAnswered%20in%20private%20message.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1319345%22%20slang%3D%22en-US%22%3ERe%3A%20default%20a%20subscription%20to%20a%20management%20group%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1319345%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F616484%22%20target%3D%22_blank%22%3E%40khaled1405%3C%2FA%3E%2C%26nbsp%3BI%20wish%20to%20have%20that%20implemented%20by%20the%20policy.%26nbsp%3BFor%20now%2C%20the%20way%20to%20do%20that%20is%20to%20react%20to%20the%20subscription%20creation%20event%20or%20periodically%20move%20a%20subscription%20to%20one%20of%20MGs%20with%20a%20script%20(%20Azure%20Functions%2F%20Azure%20Automations%2F%20any%20other%20compute.%20)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20add%20writing%20about%20that%20to%20my%20backlog%20if%20you're%20interested%20in%20that.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1321252%22%20slang%3D%22en-US%22%3ERe%3A%20default%20a%20subscription%20to%20a%20management%20group%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1321252%22%20slang%3D%22en-US%22%3EThanks%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F628051%22%20target%3D%22_blank%22%3E%40kwiecek%3C%2FA%3E.%20I%20think%20the%20best%20approach%20until%20we%20get%20the%20native%20feature%20is%20to%20have%20an%20external%20workflow%20to%20request%20a%20subscription.%20That%20workflow%20will%20assign%20the%20subscription%20to%20the%20right%20management%20group%20and%20assign%20a%20custom%20RBAC%20on%20the%20subscription%20to%20the%20users.%20A%20blueprint%20could%20potentially%20make%20it%20more%20elegant.%3C%2FLINGO-BODY%3E
Microsoft

How could you enforce a new subscription to be assigned to an existing management group, other than the root management group? Could you use an Azure policy at the root group management to do it?  

5 Replies

@khaled1405 , this is isn't something you can't change currently, but I read somewhere this is in the product roadmap for soon, i.e., being able to specify the default Management Group for new subscriptions. I don't know the ETA, though.

Thanks @hspinto. Do you know who would be the best person to ask about the road map? 

Answered in private message.

@khaled1405, I wish to have that implemented by the policy. For now, the way to do that is to react to the subscription creation event or periodically move a subscription to one of MGs with a script ( Azure Functions/ Azure Automations/ any other compute. )

 

I can add writing about that to my backlog if you're interested in that.

Thanks @kwiecek. I think the best approach until we get the native feature is to have an external workflow to request a subscription. That workflow will assign the subscription to the right management group and assign a custom RBAC on the subscription to the users. A blueprint could potentially make it more elegant.