
Secure Azure Management Group Creation – Best Practices for Enhanced Security


Your resource hierarchy in Azure consists of resources, resource groups, subscriptions, management groups, and tenants. Settings on the root management group affect every resource in the tenant, so it is important to protect the hierarchy from unwanted or unauthorized changes. Management groups expose hierarchy settings that let the tenant administrator control these behaviors.

By default, any user can create new management groups within a tenant. However, tenant admins can limit these permissions to specific users to maintain consistency and conformity in the management group hierarchy.

This article explains how to secure Azure management group creation using the Azure portal and PowerShell, ensuring your organization’s security and governance while maintaining operational flexibility.

Secure Azure Management Group

If your organization has multiple Azure subscriptions, you may need a more efficient way to manage access, policies, and compliance for those subscriptions. Management groups allow you to create a governance scope above individual subscriptions. You can organize your various subscriptions into management groups, and any governance conditions you apply will cascade down to all associated subscriptions through inheritance.

Management groups give you enterprise-grade management at scale, no matter what type of subscriptions you might have. However, all subscriptions within a single management group must trust the same Microsoft Entra ID tenant.

One way to restrict the regions in which virtual machines (VMs) may be created is to assign an Azure Policy at a management group. The policy is then enforced across all nested management groups, subscriptions, and resources, so VM creation succeeds only in the authorized regions.

Azure Governance: Management Groups Hierarchy

As mentioned, by default any user can create new management groups within a tenant, as shown in the figure below. You can limit this to specific users to maintain consistency and conformity in the management group hierarchy. Once the “Require permissions for creating new management groups” setting is enabled, a user needs the “Microsoft.Management/managementGroups/write” operation on the root management group to create new child management groups.

Permission for creating new management groups

Let’s look at how to secure Azure management group creation using the Azure portal and PowerShell.

Prerequisites

To follow this article, you need to have the following:

1) Azure subscription – If you don’t have an Azure subscription, you can create a free account.

2) Azure RBAC permissions for hierarchy settings – Setting the required write permissions (authorization) for creating new management groups requires the following two resource provider operations on the Root Management Group | Access Control (IAM):

  • Microsoft.Management/managementgroups/settings/write: This operation only allows users to create or update management group hierarchy settings.
  • Microsoft.Management/managementgroups/settings/delete: This operation only allows users to delete management group hierarchy settings.

Please note that these operations don’t provide any other access to the management group hierarchy or its resources. They are available in the Azure built-in RBAC role Hierarchy Settings Administrator. You can also create a custom Azure RBAC role to lock down permissions for hierarchy settings further. For the purpose of this guide, we need only the “write” permissions to create and update management group hierarchy settings.
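The custom role the paragraph mentions, as an added example that is not code from the original article: it clones the built-in Hierarchy Settings Administrator definition into a narrower role that carries only the settings/write action (no delete) and can be assigned at the Tenant Root Group only. The tenant ID and the custom role name are placeholders of my own choosing; the cloning pattern (null Id, then New-AzRoleDefinition -Role) is the standard Az way to create a custom role from an existing one.

```powershell
# Added example, not from the original article. Assumptions: the tenant ID below is a
# placeholder, and "Hierarchy Settings Writer (custom)" is a role name chosen for this demo.
$tenantId  = "00000000-0000-0000-0000-000000000000"                       # replace with your tenant ID
$rootScope = "/providers/Microsoft.Management/managementGroups/$tenantId" # the root management group's name is the tenant ID

# What the built-in role grants: only settings/write and settings/delete, no other access
$builtIn = Get-AzRoleDefinition -Name "Hierarchy Settings Administrator"
$builtIn | Select-Object Name, Actions

# Start from the built-in definition; a null Id tells New-AzRoleDefinition to create a new role
$custom = $builtIn
$custom.Id          = $null
$custom.IsCustom    = $true
$custom.Name        = "Hierarchy Settings Writer (custom)"
$custom.Description = "Create or update management group hierarchy settings only. No delete, no other access."

# Keep the single write operation the guide needs and drop settings/delete
$custom.Actions.Clear()
$custom.Actions.Add("Microsoft.Management/managementgroups/settings/write")
$custom.NotActions.Clear()

# Lock the role to the root management group so it cannot be assigned anywhere else
$custom.AssignableScopes.Clear()
$custom.AssignableScopes.Add($rootScope)

New-AzRoleDefinition -Role $custom

# Check: the new role has exactly one action and one assignable scope
Get-AzRoleDefinition -Name $custom.Name | Select-Object Name, IsCustom, Actions, AssignableScopes
```

Creating a custom role with a management group in AssignableScopes requires that you already hold a role with Microsoft.Authorization/roleDefinitions/write at that scope, which the elevated User Access Administrator assignment from prerequisite 3 provides.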

3) As shown in the figure below, you must also elevate access for your Microsoft Entra ID account (as a Global Administrator) so that it holds the User Access Administrator role at the root scope, which covers the Root Management Group. This is what lets you assign roles, including the one above, at the Tenant Root Group.

Tenant Root Group | User Access Administrator

4) Azure PowerShell is installed locally on your machine or using Cloud Shell.

To install Azure Accounts and Azure Resources PowerShell modules on your machine, you can run the following command:

# Install and update to the latest Az.Accounts/Az.Resources PowerShell modules
Install-Module -Name Az.Accounts, Az.Resources -AllowClobber -Force

# Check the Az PowerShell module versions installed
Get-Module -Name Az.Accounts, Az.Resources -ListAvailable | Select-Object Name, Version

Assuming you have all the prerequisites in place, take the following steps:

Configure Require write permissions in the Azure portal

The first and easiest option is to enable the required write permissions in the Azure portal.

To configure this setting in the Azure portal, follow these steps:

1) Launch the Azure portal, and search for and select ‘Management groups.’

2) Select Settings from the left menu on the Management Groups page.

3) On the Settings page, toggle the “Require permissions for creating new management groups” option to ON, as shown in the figure below.

Configure Require write permissions in the Azure portal

If the “Require permissions for creating new management groups” toggle is greyed out and cannot be changed, either the management group you are viewing is not the root management group, or your security principal lacks the Microsoft.Management/managementgroups/settings/write permission needed to modify the hierarchy settings.

Configure Require write permissions in PowerShell

The second option is to automate this process with PowerShell and enable the required write permissions to create new management groups.

You have several options for running the script: Azure Cloud Shell, Visual Studio Code, or Windows Terminal. The script works with PowerShell 5.1 or PowerShell 7 (Core) with the Az module.

.EXAMPLE-1

.\Set-MgmtRequiredPermissions.ps1 -TenantId "TENANT-ID" -RequireAuthorization True -Verbose

This example will connect to your Azure environment using the specified tenant ID and set the required write permissions for creating new management groups. By default, the required authorization (write) permissions are set to ‘True‘; you can change it to ‘False‘ if needed.

Here is an example of the output once you run this tool:

Configure Require write permissions in PowerShell

This is version 1.0. If you have any feedback or changes that everyone should receive, please feel free to leave a comment below.

PowerShell Code

Below is the script that configures the required write permissions for creating new management groups using PowerShell and the REST API. You can run it on demand, or automate it in an Azure DevOps pipeline as part of your Infrastructure as Code (IaC) landing zone deployment.

<#
.SYNOPSIS
Protect the creation of new management groups.

.DESCRIPTION
By default, all Microsoft Entra ID security principals can create new management groups.
This script sets the required write permissions (authorization) for creating new management groups using PowerShell and the REST API,
then reads the hierarchy settings back to confirm that Azure stored the requested value.

.NOTES
File Name : Set-MgmtRequiredPermissions.ps1
Author    : Microsoft MVP/MCT - Charbel Nemnom
Version   : 1.0
Date      : 06-May-2024
Updated   : 07-May-2024
Requires  : PowerShell 5.1 or PowerShell 7.x (Core)
Module    : Az.Accounts/Az.Resources

.LINK
To provide feedback or for further assistance please visit:
https://charbelnemnom.com

.EXAMPLE
.\Set-MgmtRequiredPermissions.ps1 -TenantId <TENANT-ID> -RequireAuthorization <True/False> -Verbose
This example will connect to your Azure environment using the specified tenant ID and set the required write permissions for creating new management groups.
By default, the required authorization (write) permissions are set to 'True'; you can change it to 'False' if needed.
#>

[CmdletBinding()]
param (
    [Parameter(Position = 0, Mandatory = $true, HelpMessage = 'Enter Tenant ID')]
    [string]$TenantId,
    # Not mandatory, otherwise the 'True' default documented above would never apply
    [Parameter(Position = 1, Mandatory = $false, HelpMessage = 'Set the required authorization permissions')]
    [ValidateSet('True', 'False')]
    [string]$RequireAuthorization = 'True'
)

# API version for the Azure Management Groups hierarchy settings endpoint
$apiVersion = "?api-version=2020-05-01"

#! Install Az PowerShell Modules If Needed
function Install-ModuleIfMissing {
    param([string]$ModuleName)

    if (Get-Module -ListAvailable -Name $ModuleName) {
        Write-Host "Module '$($ModuleName)' already exists, continue..." -ForegroundColor Green
    }
    else {
        Write-Host "Module '$($ModuleName)' does not exist, installing..." -ForegroundColor Yellow
        Install-Module $ModuleName -Force -AllowClobber -ErrorAction Stop
        Write-Host "Module '$($ModuleName)' installed." -ForegroundColor Green
    }
}

#! Install Az Accounts Module If Needed
Install-ModuleIfMissing Az.Accounts

#! Install Az Resources Module If Needed
Install-ModuleIfMissing Az.Resources

#! Check Azure Connection
try {
    Write-Verbose "Connecting to Azure Cloud..."
    Connect-AzAccount -Tenant $TenantId -ErrorAction Stop | Out-Null
}
catch {
    Write-Warning "Cannot connect to Azure Cloud. Please check your credentials. Exiting!"
    return
}

#! Get Tenant Root Group
# The root management group's name is always the tenant ID, so look it up by name rather than by
# display name: "Tenant Root Group" is only the default display name and can be renamed.
Write-Verbose "Getting Tenant Root Management Group..."
$rootMgmt     = (Get-AzManagementGroup -GroupName $TenantId -ErrorAction Stop).Id
$rootMgmtName = $rootMgmt.Split('/')[-1]

#! Get Az Access Token for the Azure Resource Manager endpoint
# Newer Az.Accounts versions return the token as a SecureString; handle both forms.
$token = (Get-AzAccessToken -ResourceUrl "https://management.azure.com/").Token
if ($token -is [System.Security.SecureString]) {
    $token = [System.Net.NetworkCredential]::new('', $token).Password
}
$authHeader = @{
    'Content-Type'  = 'application/json'
    'Authorization' = "Bearer $token"
}

#! Build the hierarchy settings payload
# The REST API expects a JSON boolean, so convert the 'True'/'False' parameter string explicitly.
$body = @{
    properties = @{
        defaultManagementGroup               = $rootMgmt
        requireAuthorizationForGroupCreation = ($RequireAuthorization -eq 'True')
    }
} | ConvertTo-Json -Depth 3

#! Define management group URI settings
$uri = "https://management.azure.com/providers/Microsoft.Management/managementGroups/$rootMgmtName/settings/default$apiVersion"

#! Setting the required authorization permissions
try {
    Write-Verbose "Setting the required authorization permissions for creating new management groups to: $($RequireAuthorization)..."
    Invoke-RestMethod -Method PUT -Uri $uri -Headers $authHeader -Body $body | Out-Null
}
catch {
    Write-Error "An error occurred while setting the required authorization permissions: $_" -ErrorAction Stop
}

#! Read the settings back so the success message reflects what Azure stored, not merely that the PUT returned
$settings = Invoke-RestMethod -Method GET -Uri $uri -Headers $authHeader
if ($settings.properties.requireAuthorizationForGroupCreation -eq ($RequireAuthorization -eq 'True')) {
    Write-Verbose "Successfully set the required authorization permissions for creating new management groups to: $($RequireAuthorization)!"
}
else {
    Write-Error "Hierarchy settings do not reflect the requested value. Current value: $($settings.properties.requireAuthorizationForGroupCreation)" -ErrorAction Stop
}

Once you run the tool, you can verify that the required write permissions for creating new management groups are enabled under “Management groups | Settings” as shown in the figure below.

Enable required write permissions for creating new management groups in PowerShell

Once the setting is enabled, two role assignments at the Root Management Group (IAM) remain. Assign the Hierarchy Settings Administrator RBAC role (or, more narrowly, a custom role carrying only Microsoft.Management/managementgroups/settings/write) to the Entra ID security group whose members are authorized to manage the hierarchy settings. Separately, any principal that should still be able to create child management groups now needs the Microsoft.Management/managementGroups/write operation on the root management group; everyone else is blocked, which is the point of the setting.
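The two assignments described above, followed by a check of who can still create management groups, as an added example that is not part of the original article. The tenant ID and the two Entra ID group display names are placeholders of my own choosing; the Management Group Contributor built-in role is used for the creators because it carries Microsoft.Management/managementGroups/write, and the final loop also catches wildcard roles such as Owner that include that operation.

```powershell
# Added example, not from the original article. Assumptions: the tenant ID and the two
# security group names are placeholders; create or rename them to match your tenant.
$tenantId  = "00000000-0000-0000-0000-000000000000"
$rootScope = "/providers/Microsoft.Management/managementGroups/$tenantId"
$writeOp   = "Microsoft.Management/managementGroups/write"

# 1) Who may change the hierarchy settings themselves (the toggle and the default management group)
$settingsAdmins = Get-AzADGroup -DisplayName "sg-azure-hierarchy-settings-admins"
New-AzRoleAssignment -ObjectId $settingsAdmins.Id `
    -RoleDefinitionName "Hierarchy Settings Administrator" -Scope $rootScope

# 2) Who may still create child management groups now that authorization is required.
#    Management Group Contributor includes Microsoft.Management/managementGroups/write.
$mgCreators = Get-AzADGroup -DisplayName "sg-azure-platform-team"
New-AzRoleAssignment -ObjectId $mgCreators.Id `
    -RoleDefinitionName "Management Group Contributor" -Scope $rootScope

# 3) Check: list every assignment at or above the root management group whose role grants
#    managementGroups/write. With the setting on, this is the full list of who can create groups.
#    -like treats the role's action patterns (e.g. "*" or "Microsoft.Management/*") as wildcards.
Get-AzRoleAssignment -Scope $rootScope | ForEach-Object {
    $def     = Get-AzRoleDefinition -Id $_.RoleDefinitionId
    $allowed = @($def.Actions    | Where-Object { $writeOp -like $_ }).Count -gt 0
    $denied  = @($def.NotActions | Where-Object { $writeOp -like $_ }).Count -gt 0
    if ($allowed -and -not $denied) {
        [pscustomobject]@{
            Principal = $_.DisplayName
            Type      = $_.ObjectType
            Role      = $def.Name
            Scope     = $_.Scope
        }
    }
} | Format-Table -AutoSize
```

Run step 3 before and after enabling the setting: before, the list is informational only (anyone can create groups); after, any principal not in it, including Contributor-level users on individual subscriptions, will be denied when they try to create a management group under the root.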

That’s it, there you have it!

In Conclusion

This article showed you how to use the Azure portal, PowerShell, and REST API to secure Azure management group creation and ensure robust security and governance!

Implementing the settings discussed in this article can ensure the security and integrity of your Azure resource hierarchy. Requiring authorization for management group creation and leveraging RBAC permissions can maintain consistency and governance within your organization. Whether through the Azure portal or PowerShell automation, securing management group creation is essential for maintaining operational flexibility while upholding security standards.

With these measures in place, you can manage your Azure environment with confidence, knowing that your resource hierarchy is protected against changes by unauthorized users.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.