UW Azure Management Groups


Azure Management Groups (MG) provide a governance structure above subscriptions to manage policy, access control, and compliance. Management groups exist to group subscriptions so you can apply similar access control or policy to the resources within those subscriptions.

Under Construction

The UW has a legacy set of Management Groups which are being phased out over time in favor of a fresh landing zone that aligns with UW cloud strategy and the Microsoft Cloud Adoption Framework (CAF). What you find here is based on the Azure design circa 2024 with some details about the new landing zone approach. As time permits, this page will be updated with new details to reflect the fresh approach and the emergence of new managed Azure services. We've tried to note which sections are legacy and will be phased out.

UW Azure Management Group topics

This section reflects legacy design only.

Within UW Azure, the top level of the management group structure is organized by types of subscriptions, primarily distinguished by offer identifiers. This provides the UW with the capability to set future Azure Policy by types of subscription, for example, setting a policy which would affect all Azure Student subscriptions. By default, new subscriptions are created under the 'Pending MG Assignment'. An automated process will evaluate subscriptions under this location for placement in one of the designated top-level MGs. See MG Structure Criteria for the criteria this process will use.

This section reflects the fresh approach to Azure.

Management Groups allow you to apply Azure Policy or access controls across multiple Azure subscriptions. Management Groups are not for organizational purposes--they reduce management overhead by allowing configuration (policy or access) to be applied at scale. There are other ways to achieve this outcome, including infrastructure as code approaches such as Terraform. Finding the right fit will require careful analysis.

Management Groups are available to centrally provided Azure service providers only. Access controls at the MG scope are managed centrally by an Azure Platform team.

Note: In order to successfully assign an Azure subscription to a Management Group, a user must be both an explicit owner on the subscription and a Contributor or better on the destination MG.

This section reflects legacy design only. Some of the content here will continue with different MGs, but there is a new MG structure not yet represented here.

The criteria for inclusion in those top-level MGs are noted below. They primarily focus on the type of Microsoft offer associated with a subscription.

  • Tenant Root Group
    • Pending MG Assignment - All new subscriptions are created here, then distributed to MGs
    • Azure for Students - Includes subscriptions with the following criteria:
      • Offer = MS-AZR-0170P
      • Offer = MS-AZR-0144P
      • Offer = 'empty' and Subscription Name = Azure for Students
      • Offer = 'empty' and Subscription Name = Azure for Students Starter
      • Offer = 'empty' and Subscription Name = Microsoft Azure for Students Starter
    • Enterprise Agreement - Includes subscriptions with the following criteria:
      • Offer = Enterprise Agreement
      • Offer = Enterprise Dev/Test
      • Offer = MS-AZR-0017P
      • Offer = MS-AZR-0148P
    • MSDN - Includes subscriptions with the following criteria:
      • Offer = MS-AZR-0063P
      • Offer = MS-AZR-0062P
      • Offer = MS-AZR-0059P
      • Offer = 'empty' and Subscription Name = Visual Studio Enterprise
      • Offer = 'empty' and Subscription Name = MSDN Platforms Subscription
      • Offer = 'empty' and Subscription Name = Visual Studio Enterprise Subscription
      • Offer = 'empty' and Subscription Name = Visual Studio Professional
      • Offer = 'empty' and Subscription Name = Visual Studio Professional Subscription
    • Sponsored - Includes subscriptions with the following criteria:
      • Offer = MS-AZR-0036P
      • Offer = MS-AZR-0017P
      • Offer = MS-AZR-0143P
    • Pay As You Go - Includes subscriptions with the following criteria:
      • Offer = 'empty' and Subscription Name = Free Trial

This section reflects legacy design only, but includes helpful generic information about how policy and access controls propagate. There is a new MG structure not yet represented here.

Your UW subscription will have a variety of roles automatically assigned to it based on its location in the Management Group hierarchy. At the Tenant Root level, Entra ID Global Administrators have the User Access Administrator role for Azure. This enables them to modify the access controls at any level in the Azure hierarchy. These individuals can enable critical capabilities across the entire Azure infrastructure and provide a safety net to re-enable access to an Azure subscription which no longer has an account in the owner role. The Microsoft Platforms unit has team members with these roles and can assist if you find yourself in need of someone to fix your subscription's access controls. The Microsoft Platforms team also has the owner role assigned for several of the top-level Management Groups: Enterprise Agreement, MSDN, NIH Strides, and Sponsored. This reflects the role the Microsoft Platforms team plays in provisioning and providing basic support for subscriptions of these types. If you have a UW-IT managed subscription, the Microsoft Platforms team will also have the owner role to facilitate the higher level of support UW-IT provides to these customer subscriptions.

Diagram of management group hierarchy.
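
A small model of how role assignments flow down the hierarchy, and of the precondition in the note about assigning a subscription to a Management Group, as an added example rather than UW or Microsoft code. The MG names come from this page; the subscription, the principals and their assignments are constructed, and the model assumes that "Contributor or better" means Contributor or Owner and that a role inherited from a parent MG counts on the destination MG.

```python
# Constructed hierarchy: child scope -> parent scope.
PARENT = {
    "Enterprise Agreement": "Tenant Root Group",
    "MSDN": "Tenant Root Group",
    "sub-research-01": "MSDN",
}

# Constructed role assignments: (scope, principal, role).
ASSIGNMENTS = [
    ("Tenant Root Group", "global-admin", "User Access Administrator"),
    ("Enterprise Agreement", "ms-platforms", "Owner"),
    ("MSDN", "ms-platforms", "Owner"),
    ("sub-research-01", "alice", "Owner"),
    ("Enterprise Agreement", "alice", "Contributor"),
]

def ancestors(scope):
    """The scope itself followed by each parent up to the tenant root."""
    chain = [scope]
    while scope in PARENT:
        scope = PARENT[scope]
        chain.append(scope)
    return chain

def effective_roles(principal, scope):
    """Sorted (role, assigned_at) pairs that apply at scope, direct or inherited."""
    chain = ancestors(scope)
    return sorted((role, s) for s, p, role in ASSIGNMENTS
                  if p == principal and s in chain)

def can_move(principal, subscription, dest_mg):
    """Explicit Owner on the subscription AND Contributor or Owner on the MG."""
    explicit_owner = (subscription, principal, "Owner") in ASSIGNMENTS
    mg_roles = {role for role, _ in effective_roles(principal, dest_mg)}
    return explicit_owner and bool(mg_roles & {"Owner", "Contributor"})

if __name__ == "__main__":
    for who in ("alice", "ms-platforms", "global-admin"):
        print(who, effective_roles(who, "sub-research-01"),
              can_move(who, "sub-research-01", "Enterprise Agreement"))
```

In this model ms-platforms holds Owner on the subscription only by inheritance from MSDN, so the move check fails until an explicit Owner assignment is added on the subscription itself.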