Hi Team, 
I looking for some guidance, document references or any other source that explain security best practices we can implement above subscription level.(eg Organization Level, Management Group Level)

Problem : If a company has many many subscriptions, it is unpractical to implement security measurements in resource group level or subscription level, 

I would like to know 
1. What would the Top level(eg Management Group) we can implement Security Measures ?

2. Any guidance, document references or any other source for it ?