az account management-group list --output jsonTenant root group
The tenant root group is the highest management group scope associated with a Microsoft Entra tenant.
Source: Microsoft Learn - Organize your resources with Azure management groups Reviewed 2026-05-27
- Exam trap
- Putting workload-specific policies at the tenant root group because it seems easier than designing child management groups.
- Production check
- Verify the tenant root group ID matches the tenant ID documented for the Azure estate.
Article details and learning context
- Aliases
- Tenant root group, tenant root group, Azure Tenant root group, root management group, root group
- Difficulty
- fundamentals
- CLI mappings
- 4
- Last verified
- 2026-05-27
- Review level
- field-manual-complete
- Article depth
- field-manual-complete
Understand the concept
In plain English
The tenant root group is the top of the Azure management group tree for a tenant. Every subscription and management group ultimately sits beneath it, even if teams rarely change it directly. It is not a normal management group you can move or delete. Because policies and role assignments placed there can flow through the whole organization, it should be handled like a corporate governance boundary. Most teams should design child management groups for day-to-day control and reserve the root group for truly global rules.
Why it matters
Tenant root group matters because it is the place where Azure governance can become universal. A policy assignment, deny rule, or role assignment at this level can affect every subscription in the tenant, including newly created ones. That is powerful for baseline security requirements, but dangerous when a rule is too broad or poorly tested. It also shapes how teams think about ownership: the root group is a platform governance boundary, not an application boundary. Clear rules for when to use it prevent accidental tenant-wide outages, surprise compliance failures, and inherited access that nobody remembers approving. That clarity prevents broad Azure changes from becoming hidden operational debt.
Official wording and source
The tenant root group is the top Azure management group for a Microsoft Entra tenant. Its default display name is Tenant root group, its ID matches the tenant ID, and all management groups and subscriptions roll up beneath it. for Tenant root group operations.
Technical context
The tenant root group belongs to Azure management groups and governance scope. Its ID is the Microsoft Entra tenant ID, and its default display name is Tenant root group. Azure customers can see it, but management requires explicit access; Global Administrators can elevate access and then assign Azure roles. All subscriptions and child management groups fold up to this root for global management. It is a control-plane hierarchy object used by Azure Policy, RBAC, management group queries, subscription organization, and inherited governance decisions.
Exam context
Compare with
Where it is used
Where you see it
- The management groups portal shows Tenant root group at the top of the hierarchy, with child management groups and subscriptions folding up beneath that tenant-level ancestor.
- Azure CLI management-group output shows the root group ID, display name, type, child relationships, and inherited hierarchy used for governance review. during Tenant root group operational review.
- Policy assignment, role assignment, compliance, and activity-log evidence may show scopes that begin at the tenant root group and affect many descendant subscriptions. during Tenant root group operational review.
Common situations
- Anchor an enterprise management group hierarchy so every subscription has a known governance ancestor.
- Apply a small set of universal policies that must affect every current and future subscription.
- Review inherited root-level role assignments during privileged access and compliance audits.
- Troubleshoot why a subscription receives a policy or role assignment nobody configured locally.
- Confirm new subscriptions are not left unmanaged outside the intended management group hierarchy.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Energy company cleans root-level policy sprawl Scenario, objectives, solution, measured impact, and takeaway.
An energy company discovered 31 root-level policy assignments accumulated over years of audits. New drilling analytics subscriptions failed deployments because inherited controls conflicted with approved regional architecture.
- Reduce root-level assignments to stable tenant-wide controls.
- Move workload-specific guardrails into child management groups.
- Cut policy-related deployment failures by at least half.
- Create an approval model for future root changes.
The platform team listed policy and role assignments at the tenant root group and mapped each one to affected subscriptions. Controls specific to data platforms, sandboxes, and regulated workloads were moved to child management groups with clearer ownership. Only identity baseline, allowed location guardrails, and mandatory tagging remained at root. Azure CLI output and policy compliance reports were stored with the migration record. A new review board required what-if evidence, excluded-scope analysis, and rollback notes before any root assignment could be added. The team also documented how Tenant root group would be checked during the next release and who owned the rollback decision.
- Root-level policy assignments fell from 31 to seven in two release cycles.
- Deployment failures caused by inherited policy dropped by 64%.
- New analytics subscription onboarding time fell from five days to one day.
- Every remaining root assignment had a named owner and review date.
The tenant root group is most valuable when it stays reserved for universal controls instead of becoming a cluttered policy dumping ground.
Scenario 02 Insurer finds inherited privileged access Scenario, objectives, solution, measured impact, and takeaway.
An insurance carrier prepared for a regulatory audit and found several administrators could modify subscriptions they did not support. The access path came from old tenant root group role assignments.
- Identify all privileged assignments inherited from the root group.
- Remove stale broad access without interrupting production operations.
- Reduce audit evidence preparation below one week.
- Replace permanent access with governed activation paths.
Security engineers used Azure CLI to show the tenant root group and list root-scoped role assignments. They compared principals with HR ownership, Privileged Identity Management records, and active platform responsibilities. Twelve assignments belonged to retired teams or emergency projects. The company removed stale assignments, moved two platform groups to time-bound activation, and documented break-glass accounts separately. Subscription owners received a report explaining which access was inherited and which controls remained at child management groups. The team also documented how Tenant root group would be checked during the next release and who owned the rollback decision.
- Stale root-level privileged assignments dropped from 12 to zero.
- Audit evidence preparation fell from 13 business days to four.
- No production tickets were linked to the access cleanup.
- Privileged access activations became visible in monthly security reporting.
Root group access reviews are essential because one forgotten assignment can silently grant control across the Azure estate.
Scenario 03 Software vendor fixes unmanaged subscriptions Scenario, objectives, solution, measured impact, and takeaway.
A B2B software vendor created many short-lived customer test subscriptions. Several were left directly under the tenant root group with no product-team policies, causing inconsistent logging and cost tags.
- Ensure new subscriptions move into the correct product management group within 30 minutes.
- Apply logging and tag policies without root-level clutter.
- Reduce manual subscription placement work for platform engineers.
- Detect subscriptions that remain at the root unexpectedly.
The platform team treated the tenant root group as a monitoring boundary rather than a policy catchall. CLI jobs listed subscriptions under the root group every hour and compared them with the subscription vending system. When a subscription appeared at root, automation moved it to the correct child management group based on product code and customer environment. Root-level policy stayed minimal, while product groups enforced diagnostics and cost tags. Alerts notified platform engineers only when placement automation failed or a subscription lacked required metadata.
- Unmanaged subscriptions at root fell from 18 per month to fewer than two.
- Average placement time dropped from 11 hours to 14 minutes.
- Cost-tag compliance for customer test subscriptions improved from 72% to 98%.
- Root-level policy count stayed unchanged during the subscription growth period.
The tenant root group can act as a safety net for subscription organization without carrying every workload-specific policy itself.
Azure CLI
Azure CLI is useful for tenant root group work because the portal can hide hierarchy assumptions behind a tree view. CLI makes the root group ID, display name, child management groups, and subscription placement explicit. As an Azure engineer, I want commands that list the hierarchy, show the root group, review role assignments, and export evidence before anyone proposes a root-level policy. CLI also works well in access reviews because it produces repeatable JSON instead of screenshots. For broad governance, repeatability and exact scope strings are not convenience; they are how you avoid tenant-wide mistakes. This keeps automation reviewable when ownership changes or incidents happen.
Useful for
- List management groups to identify the tenant root group and its immediate children for hierarchy evidence.
- Show the root management group to confirm ID, display name, and child relationships before governance changes.
- List role assignments at root scope during privileged access reviews or inherited-access investigations.
- Check policy assignments and compliance that inherit from the root group into subscriptions.
Before you run a command
- Confirm the active tenant and expected root group ID, which should match the Microsoft Entra tenant ID.
- Use read-only commands first, and require privileged approval before creating, updating, or assigning anything at root scope.
- Know whether you are reviewing visibility, RBAC, policy, hierarchy, or subscription placement; each has different permissions and risk.
- Use JSON output for audit evidence, because table output can hide parent-child details, role assignment scopes, and inherited properties.
What the output tells you
- The root group name and ID confirm the tenant-level ancestor being inspected and help avoid confusing it with a child management group.
- Child listings show which management groups and subscriptions inherit governance from the root and where placement problems may exist.
- Role assignment output shows principals, roles, scopes, and assignment IDs that may grant broad inherited access.
- Policy assignment and compliance output reveals which root-level controls are affecting descendants and whether enforcement is causing failures.
Mapped commands
Tenant root management group review commands
directaz account management-group show --name <tenant-id> --expand --recurse --output jsonaz role assignment list --scope /providers/Microsoft.Management/managementGroups/<tenant-id> --output jsonaz policy assignment list --scope /providers/Microsoft.Management/managementGroups/<tenant-id> --output jsonArchitecture context
Architecturally, the tenant root group is the ultimate governance ancestor for the Azure estate. I use it sparingly, usually for visibility, hierarchy anchoring, and only the most stable global controls. Most policy initiatives, role assignments, and budget ownership patterns belong lower in purpose-built platform, landing-zone, sandbox, or workload management groups. The architecture should define what is allowed at root, who can approve root changes, how new subscriptions flow into the hierarchy, and how exceptions are handled. A root-group diagram should show child management groups, inherited assignments, privileged roles, and monitoring of hierarchy changes. That ownership line should be visible in every platform review.
- Security
- Security impact is direct and broad. A role assignment at the tenant root group can grant access across all descendant management groups and subscriptions. A root-level policy can block insecure configurations everywhere, but it can also break legitimate workloads if poorly scoped. Access to manage the root group should be rare, time-bound, approved, and monitored. Global Administrator elevation should be treated as a privileged event, not a routine path. Review deny assignments, policy assignments, inherited roles, and exemptions carefully. Store evidence of root changes because they affect the security posture of the whole tenant. Record the approval path and verify the boundary after the change.
- Cost
- The tenant root group has no direct meter, but decisions made there can shape cost across every subscription. Root-level policy might require diagnostic settings, specific regions, tag inheritance, allowed SKUs, or security services that produce spend everywhere. That can be good governance when intentional and budgeted, or a surprise if pushed without FinOps review. Cost allocation also depends on hierarchy because management groups are often used for reporting and chargeback. Review root-level assignments for cost impact before rollout, and test how they affect new subscriptions. The cost risk is multiplied by inheritance. Review the financial impact before making the change permanent.
- Reliability
- Reliability risk comes from inheritance. A misconfigured root-level policy, lock-like control, or role assignment can create failures far away from the change owner, including in subscriptions created later. Reliable teams test policies at lower management groups before promoting them to root, use enforcement modes deliberately, and keep break-glass access documented. They also monitor hierarchy changes and subscription placement. Root changes should have rollback or compensating steps and clear blast-radius analysis. The root group is stable infrastructure; frequent emergency edits there usually mean the management group design below it is not mature enough. Post-change verification should prove inherited behavior still works as intended.
- Performance
- Tenant root group does not affect application request latency directly. Its performance impact is operational and governance-related. Broad policy or role changes can slow deployments if every subscription must evaluate new controls or if teams must resolve unexpected deny conditions. Poor root design also slows humans because every exception becomes a central-platform escalation. Performance improves when root-level controls are few, stable, and easy to reason about. Use child management groups for workload-specific rules so deployment pipelines encounter the right guardrails without excessive inherited checks, confusion, or emergency approval delays. Measure before and after so tuning claims stay testable. Compare results against the previous production baseline.
- Operations
- Operators inspect the tenant root group during hierarchy reviews, policy inheritance investigations, subscription onboarding, access reviews, and audit preparation. Typical tasks include listing management groups, showing the root group, checking child relationships, reviewing role assignments, and verifying policy assignments inherited by subscriptions. Runbooks should state who can request root changes, how Global Administrator elevation is approved, and where evidence is stored. Operators should avoid using root as a dumping ground for every governance rule. Healthy operations push most controls lower and keep the root group boring, documented, and closely monitored. Keep this evidence attached to the incident, release, or audit ticket.
Common mistakes
- Putting workload-specific policies at the tenant root group because it seems easier than designing child management groups.
- Assuming everyone who can view the root group is allowed to manage it or assign roles there.
- Forgetting that new subscriptions can inherit root-level policies immediately, before application teams are ready.
- Changing the root display name or assignments without documenting the root group ID, approval, and rollback path.