|
1 | 1 | ---
|
2 | 2 | title: Organize your resources with management groups - Azure Governance
|
3 | 3 | description: Learn about the management groups, how their permissions work, and how to use them.
|
4 |
| -ms.date: 01/03/2023 |
| 4 | +ms.date: 01/24/2023 |
5 | 5 | ms.topic: overview
|
6 | 6 | author: timwarner-msft
|
7 | 7 | ms.author: timwarner
|
@@ -107,35 +107,6 @@ access and policies that other customers within the directory can't bypass. Anyt
|
107 | 107 | root will apply to the entire hierarchy, which includes all management groups, subscriptions,
|
108 | 108 | resource groups, and resources within that Azure AD tenant.
|
109 | 109 |
|
110 |
| -## Trouble seeing all subscriptions |
111 |
| - |
112 |
| -A few directories that started using management groups early in the preview before June 25, 2018 |
113 |
| -could see an issue where not all the subscriptions were within the hierarchy. The process to have |
114 |
| -all subscriptions in the hierarchy was put in place after a role or policy assignment was done on |
115 |
| -the root management group in the directory. |
116 |
| - |
117 |
| -### How to resolve the issue |
118 |
| - |
119 |
| -There are two options you can do to resolve this issue. |
120 |
| - |
121 |
| -- Remove all role and policy assignments from the root management group |
122 |
| - - By removing any policy and role assignments from the root management group, the service |
123 |
| - backfills all subscriptions into the hierarchy the next overnight cycle. This process is so |
124 |
| - there's no accidental access given or policy assignment to all of the tenants subscriptions. |
125 |
| - - The best way to do this process without impacting your services is to apply the role or policy |
126 |
| - assignments one level below the root management group. Then you can remove all assignments from |
127 |
| - the root scope. |
128 |
| -- Call the API directly to start the backfill process |
129 |
| - - Any customer in the directory can call the _TenantBackfillStatusRequest_ or |
130 |
| - _StartTenantBackfillRequest_ APIs. When the StartTenantBackfillRequest API is called, it kicks |
131 |
| - off the initial setup process of moving all the subscriptions into the hierarchy. This process |
132 |
| - also starts the enforcement of all new subscription to be a child of the root management group. |
133 |
| - This process can be done without changing any assignments on the root level. By calling the API, |
134 |
| - you're saying it's okay that any policy or access assignment on the root can be applied to all |
135 |
| - subscriptions. |
136 |
| - |
137 |
| -If you have questions on this backfill process, contact: `[email protected]` |
138 |
| - |
139 | 110 | ## Management group access
|
140 | 111 |
|
141 | 112 | Azure management groups support
|
|
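Review bot: The deleted "Call the API directly to start the backfill process" bullet carried the access-control caveat for this behaviour: calling _StartTenantBackfillRequest_ means accepting that any policy or access assignment on the root can be applied to all subscriptions, and the backfill is otherwise held back after a root assignment so that no accidental access or policy assignment reaches all of the tenant's subscriptions. If a directory that adopted management groups before June 25, 2018 can still be in that state, keep a short note with that caveat instead of dropping the section outright; if none can, state that in the commit message so the removal is auditable. Deleting the `## Trouble seeing all subscriptions` heading also removes its anchor, so check for inbound links to it before merging.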