Management Groups are only relevant if you want to apply Azure Policy or access controls across multiple Azure subscriptions. Within UW Azure, you must be using an enterprise agreement subscription or an enterprise dev/test subscription to qualify for your own Management Group. UW-IT Microsoft Infrastructure Delegated OU admins can request that a management group be created which matches their OU name. UW-IT will grant the Contributor role to this management group to enable self-service assignment of a customer subscription to that management group. In order to successfully assign an Azure subscription to a Management Group, a user must be
both an explicit owner on the subscription and a Contributor or better on the destination MG.
Your UW subscription will have a variety of roles automatically assigned to it based on its location in the Management Group hierarchy. At the Tenant Root level, Entra ID Global Administrators have the User Access Administrator role for Azure. This enables them to modify the access controls at any level in the Azure hierarchy. These individuals can enable critical capabilities across the entire Azure infrastructure and provide a safety net to re-enable access to an Azure subscription which no longer has an account in the owner role. The Microsoft Platforms unit has team members with these roles and can assist with if you find yourself in need of someone to fix your subscription's access controls. The Microsoft Platforms team also has the owner role assigned for several of the top-level Management Groups: Enterprise Agreement, MSDN, NIH Strides, and Sponsored. This reflects the role the Microsoft Platforms team plays in provisioning and providing basic support for subscriptions of these types. If you have a UW-IT managed subscription, the Microsoft Platforms team will also have the owner role to facilitate the higher level of support UW-IT provides to these customer subscriptions.