Azure Policy Rules do not support Management Groups

[s4parke]

Details of the scenario you tried and the problem that is occurring

When writing an Azure policy that includes applies to a management group, the policy fails.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "microsoft.management/managementgroups"
    },
    "then": {
      "effect": "audit"
    }
  }
}

Expected result (in Policy blade): Management group resources found
Actual result (in Policy blade): No resources found

For example, I want to create a policy to check for a DiagnosticSettings profile on each Management Group to stream Activity Logs to a Workspace. Or maybe I want to create an Activity Log Alert. It is possible to do this for Subscriptions with Azure Policy, but not for Management Groups. There is a built-in version of this policy for Subscriptions and it is possible to write custom policies for a Subscription resource type.

The only way to create, update, list, or view a Management Group's resource providers like DiagnosticSettings and Alerts appears to be via PowerShell or the REST API, which is a problem for organizations trying to use Azure Policy for governance and avoid shadow IT workarounds.

Verbose logs showing the problem

No management groups were audited, so there is nothing in the logs after the assignment.

Suggested solution to the issue

Management Group resources should be manageable like other Azure resources (for example Subscriptions) using Azure Policy.

[lienmar]

+1 need this

[rpetersson]

Any news on this? Need it aswell.

[pklaudat]

Hi all, any update about it?

[Atanas-Hristov]

+1

Any update on this topic?