Microsoft CAF reasoning being using intermediary management root group over the default root managem

Copper Contributor



Hope someone can elaborate and provide some insights on the following. Looking at Cloud Adoptation Framework for Azure there's a recommnedation to create an intermediate root management group rather than using the default root management group.



I don’t really understand the benefits. For example:

"which purposely avoids the usage of the root group so that organizations can move existing Azure subscription into the hierarchy."

What does that even mean? Can’t I move subscription around different management groups anyway?

I’ve also found the following


Quoting from this post:

“The Management Group should be defined in such a way that there should be intermediate root management group between Tenant root and other management groups. Compliance & Policies should be applied at intermediate root MG and this will not alter the main root Management group at the top level.”


But alter in what why? What’s the difference altering the intermediate management group rather than the default one, since policies, RBAC would cascade in a waterfall fashion from top to all child management groups/subscriptions anyway? Regardless if it’s the default management group or an intermediate one.

Would really appreciate if someone could enlighten me on this!

2 Replies
Hi @adampra86. One reason for the intermediate root group would be so that you have the flexibility to define other intermediate root groups should you have a need. Let's say you acquire a company that has different policy than you do currently. You may need to bring their subscriptions and policies into the fold without clobbering their existing configuration and keep yours intact as well. This way you could have Company A intermediate root group with Policy and RBAC that flows down to child groups, and Company B with its own Policy and RBAC that flows down to child groups.