articles/governance/service-groups/overview.md
24 additions & 31 deletions
@@ -1,8 +1,8 @@
1
1
---
2
2
title: "Get started with Service Groups - Azure Governance"
3
3
description: "Learn how to use and manage resources with Service Groups."
4
-
author: rthorn17
5
-
ms.author: rithorn
4
+
author: kenieva
5
+
ms.author: kenieva
6
6
ms.service: azure-policy
7
7
ms.topic: overview
8
8
ms.date: 05/19/2025
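Review bot: `ms.date` is left at 05/19/2025 in the unchanged context while this hunk replaces `author: rthorn17` / `ms.author: rithorn` with `kenieva` and the rest of the commit revises the article body. If the content is being refreshed, update `ms.date` in the same change so the freshness metadata matches the revision; if the date is kept on purpose, note that in the commit message.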
@@ -12,7 +12,7 @@ ms.custom:
12
12
13
13
# What are Azure Service Groups?
14
14
15
-
Azure Service Groups offer a flexible way to organize and manage resources across subscriptions and resource groups, parallel to any existing Azure resource hierarchy. They're ideal for scenarios requiring cross-boundary grouping, minimal permissions, and aggregations of data across resources. These features empower teams to create tailored resource collections that align with operational, organizational, or persona-based needs. This article helps give you an overview of what Service Groups are, the scenarios to use them for, and provide guidance on how to get started.
15
+
Azure Service Groups offer a flexible way to organize and manage resources across subscriptions and resource groups, parallel to any existing Azure resource hierarchy. They're ideal for scenarios requiring cross-boundary grouping, minimal permissions, and aggregations of data across resources. These features empower teams to create tailored resource collections that align with operational, organizational, or persona-based needs. This article helps give you an overview of what Service Groups are, the scenarios to use them for, and important facts.
16
16
17
17
> [!IMPORTANT]
18
18
> Azure Service Groups is currently in PREVIEW.
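Review bot: The last sentence of the added line 15 is not parallel and is wordy: "helps give you an overview of what Service Groups are, the scenarios to use them for, and important facts". Suggest "This article gives an overview of what Service Groups are, the scenarios they suit, and key facts about them." The phrase "minimal permissions" in the same paragraph would also read more precisely if it said whose permissions on what, since readers will take it as an access-control claim.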
@@ -22,46 +22,40 @@ Azure Service Groups offer a flexible way to organize and manage resources acros
22
22
23
23
## Key capabilities
24
24
-**Multiple Hierarchies**: Service Groups enable scenarios where the resources can be grouped in different views for multiple purposes.
25
-
-**Flexible Membership**: Service Groups allow resources from different subscriptions to be grouped together, providing a unified view and management capabilities. They also allow the grouping of subscriptions, resource groups, and resources.
25
+
-**Flexible Membership**: Service Groups allow resources from different subscriptions to be grouped together, providing a unified view and management capabilities. They also allow the grouping of subscriptions, resource groups, and resources. The same resources can be connected to many different service groups allowing different customer personas and scenarios to be created and used.
26
26
-**Low Privilege Management**: Service Groups are designed to operate with minimal permissions, ensuring that users can manage resources without needing excessive access rights.
27
27
28
28
29
-
### Multiple Hierarchies
30
-
The same resources can be connected to many different service groups allowing different customer personas and scenarios to be created and used. Customers can create many different views that support how they organize their resources.
29
+
### Example Scenarios
30
+
Customers can create many different views that support how they organize their resources.
31
+
32
+
* Aggregating Metrics
33
+
* Organizations with multiple applications and environments can use Service Groups to aggregate metrics across different environments. Member resources or resource containers could be from various environments within different management groups or subscriptions, can be linked to a single Service Group providing a unified view of metrics.
34
+
* Since Service Groups don't inherit permissions to the members, customers can apply least privileges to assign permissions on the Service Groups that allow viewing of metrics. This capability provides a solution where two users can be assigned access to the same Service Group, but only one is allowed to see certain resources.
35
+
36
+
* Creating Inventory
37
+
* Customers can connect resources to the Service Groups to get a consolidated view of all the resources of a particular type or function in the entire environment.
38
+
39
+
:::image type="content" source="./media/side-by-side.png" alt-text="Diagram showing the Management Group and Service Group Hierarchies within the Microsoft Entra Tenant" Lightbox="./media/side-by-side.png":::
31
40
32
-
#### Example Scenarios
33
41
* Varying Personas
34
42
* With Service Groups, organizations have the ability to manage multiple hierarchies over the same resources for different personas and their own individual views. Customers can use the same resources to be members of a Workload Service Group, a Department Service Group, and a Service Group with all Production resources.
35
43
36
44
:::image type="content" source="./media/multiple-service-group.png" alt-text="Diagram that shows multiple service group branches." Lightbox="./media/multiple-service-group.png":::
37
45
38
-
### Flexible Membership
39
-
Within the hierarchy of resources, there's a limitation of one parent resource container to many children. For example, a resource can only be a member of one resource group or a resource group can only be a member of one subscription. Service Groups introduce a new model that allows a resources or resource containers to have memberships with multiple different Service Groups. A member is any resource, resource group, or subscription that is connected to a Service Group through a new resource called "ServiceGroupMember" Relationship. The Service Group allows new scenarios where the same resources can be connected to many Service Groups Trees enabling new ways to view your data.
40
-
41
-
#### Example Scenarios
42
-
* Aggregating Health Metrics
43
-
* Organizations with multiple applications and environments can use Service Groups to aggregate health metrics across different environments. Member resources or resource containers could be from various environments within different management groups or subscriptions, can be linked to a single Service Group providing a unified view of health metrics.
44
-
* Creating Inventory of a specific resource type
45
-
* Customers can connect all Virtual Machines or CosmosDBs to the same Service Groups to get a consolidated view of all the resources of that type in the entire environment. This capability allows a customer like a Virtual Machine Administrator to view aggregated data on all their resources no matter what subscription they live in.
46
-
47
-
:::image type="content" source="./media/side-by-side.png" alt-text="Diagram showing the Management Group and Service Group Hierarchies within the Microsoft Entra Tenant" Lightbox="./media/side-by-side.png":::
48
-
49
-
* Aggregating monitoring metrics
50
-
* Since Service Groups don't inherit permissions to the members, customers can apply least privileges to assign permissions on the Service Groups that allow viewing of metrics. This capability provides a solution where two users can be assigned access to the same Service Group, but only one is allowed to see certain resources.
51
-
52
46
53
47
## How it works
54
-
Azure Service Groups are a parallel hierarchy that allows the grouping of resources that don't exist in the resource hierarchy with Resource Groups, Subscriptions, and Management Groups. The separation allows Service Groups to be connected many times to different resources and resource containers without impacting the existing structures.
48
+
Azure Service Groups are a parallel tenant level hierarchy that allows the grouping of resources. The separation from Management Groups, Subscriptions and Resource Groups allows Service Groups to be connected many times to different resources and resource containers without impacting the existing structures.
55
49
56
50
Information about Service Groups
57
-
* A Service Group is created within the Microsoft.Management Resource Provider, the same Resource Provider that owns Management Groups.
58
-
* Service Groups allow self nesting to create "levels" of groupings just as Management Groups do, but Service Groups can allow up to 10 levels of depth
51
+
* A Service Group is created within the Microsoft.Management Resource Provider.
52
+
* Service Groups allow self nesting to create up to 10 "levels" of grouping depth. Nesting is handled by the 'parent' property within the Service Group resource.
59
53
* Role assignments on the Service Group can be inherited to the **child Service Groups only**. There's **no inheritance** through the memberships to the resources or resource containers.
60
54
* There's a limit of 2000 service group members coming from within the same subscription. This means that within one subscription, resources, or resource groups, there can only be 2,000 memberships to Service Groups.
61
-
* Within the Preview window, there's a Limit of 10,000 Service Groups in a single tenant.
55
+
* Within the Preview window, there's a limit of 10,000 Service Groups in a single tenant.
62
56
* Service Groups and Service Group Member IDs support up to 250 characters. They can be alphanumeric and special characters: - _ ( ). ~
63
-
* Service Groups require a globally unique ID. Two Microsoft Entra tenants can't have a Service Group with identical IDs.
64
-
57
+
* Service Groups require a globally unique ID. Two Microsoft Entra tenants can't have a Service Group with identical IDs.
58
+
* Membership to Service Groups is handled by deploying a 'Microsoft.Relationship/ServiceGroupMember' to the desire member (a resource, resource group or subscription) while targeting the desired Service Group.
65
59
66
60
67
61
## Azure Resource Manager Groupings
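Review bot: The "Aggregating Metrics" sub-bullet on added line 34 says two users can have access to the same Service Group "but only one is allowed to see certain resources" without saying what grants that visibility. Since the unchanged bullet below states there is "no inheritance through the memberships to the resources or resource containers", say explicitly here that access to a member's data comes from role assignments on the member itself, so nobody assumes a role on the Service Group is enough. Two smaller points in the same hunk: added line 58 has a typo, "to the desire member" should be "to the desired member", and added line 33 keeps the broken sentence "Member resources or resource containers could be from various environments ..., can be linked to a single Service Group", which needs "and" before "can be linked". The deleted "Flexible Membership" section was also the only place that described a member as "any resource, resource group, or subscription" connected through the relationship resource; added line 58 covers it only in parentheses, so consider keeping a one-sentence definition.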
@@ -90,18 +84,17 @@ This table shows a summary of the differences between the groups.
90
84
91
85
- A single tenant can support 10,000 service groups.
92
86
- A service group tree can support up to ten levels of depth.
93
-
This limit doesn't include the root level or the subscription level.
87
+
This limit doesn't include the root level.
94
88
- Each service group can have many children.
95
89
- A single service group name/ID can be up to 250 characters.
96
-
- There are no limits of number of members of service groups, there is a limit of 2,000 relationships (including ServiceGroupMember) within a subscription
90
+
- There are no limits of number of members of service groups, but there is a limit of 2,000 relationships (including ServiceGroupMember) within a subscription
97
91
98
92
### The Root Service Group
99
93
100
-
Service Groups is similar to Management Groups, in that there's only one root Service Group which is the top parent of all service groups in that tenant. Root Service Group's ID is same as its Tenant ID.
94
+
Service Groups, similarily to Management Groups, has a one root Service Group which is the top parent of all service groups in that tenant. Root Service Group's ID is same as its Tenant ID.
101
95
102
96
Service Groups creates the Root Service Group on the first request received within the Tenant and users can't create or update the root service group. _"/providers/microsoft.management/servicegroups/[tenantId]"_
103
97
104
-
105
98
Access to the root has to be given from a user with "microsoft.authorization/roleassignments/write" permissions at the tenant level. For example, the Tenant's Global Administrator can elevate their access on the tenant to have these permissions. [Details on elevating Tenant Global Administrator Accesses](../../role-based-access-control/elevate-access-global-admin.md)
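Review bot: The rewritten sentence on added line 94 introduces two errors: "similarily" is misspelled and "has a one root Service Group" is ungrammatical. Suggest "Like Management Groups, Service Groups have a single root Service Group, which is the top parent of all service groups in that tenant. The root Service Group's ID is the same as its tenant ID." On added line 90, "There are no limits of number of members of service groups" reads as contradicting the "How it works" bullet that says "There's a limit of 2000 service group members coming from within the same subscription"; reword both so it is clear the 2,000 cap applies to relationships per subscription, not to the size of a Service Group. Added line 87 drops "or the subscription level" from the depth limit; confirm that is intended and not an accidental truncation.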