Olivier Miossec

About Azure, Management groups, Subscriptions, and PowerShell, or how to use recursion in PWSH

Using management groups is a way to organize your subscriptions into a hierarchy. You can create up to 6 levels of depth under the root level to manage RBAC authorization and Azure Policy. The hierarchy includes containers, management groups, and subscriptions.

In the management group hierarchy, a child object (a management group or a subscription) can have only one direct parent, while a management group can have several child objects (other management groups or subscriptions).

After creating the hierarchy and moving subscriptions under management groups, how do you programmatically list the subscriptions under any management group container?

PowerShell offers a cmdlet to explore management groups:

Get-AzManagementGroup

But if you run this cmdlet, you will only get the list of your management groups, without any link between them and with no information about attached subscriptions.

For that, we need to run the same cmdlet with two switches: -Expand to list all the children (subscriptions and management groups) and -Recurse to recursively list all children. These two switches can only be used with the -GroupId parameter, so you need to provide a starting point: a management group ID or the root management group ID (the root management group ID is equal to your tenant ID).

Get-AzManagementGroup -expand -recurse -groupID <ID>

The cmdlet returns a PSManagementGroup object:

Id : /providers/Microsoft.Management/managementGroups/XXX
Type : /providers/Microsoft.Management/managementGroups
Name : XXX
TenantId : XXX
DisplayName : Tenant Root Group
UpdatedTime : 01/01/0001 00:00:00
UpdatedBy :
ParentId :
ParentName :
ParentDisplayName :
Children : {rootomc, group01, group02, First-MG}

You can find several string properties, like the ID, the type, the name (the management group ID for management group), the display name, … You will also find a collection (IList) of PSManagementGroupChildInfo. Each member has an index, like in an array, and this is what you see if you look at one member:

Type : /providers/Microsoft.Management/managementGroups
Id : /providers/Microsoft.Management/managementGroups/rootomc
Name : XXXXX
DisplayName : rootomc
Children : {xxxx}

You will find that PSManagementGroupChildInfo objects are similar to PSManagementGroup objects. You have a type, a name, a display name, an ID, and a collection of PSManagementGroupChildInfo. Each element can be either a management group (/providers/Microsoft.Management/managementGroups) or a subscription (/subscriptions).

So how do you list the subscriptions under one management group, knowing that the cmdlet produces such output? Recursion!
In short, recursion is a function calling itself.

The function needs only one parameter, the collection of PSManagementGroupChildInfo. It then needs to parse the collection and look at each item's type. If the type is a subscription, add it to an array; if the type is another management group, call the same function with the child object.

function Expand-ManagementGroup
{
    [CmdletBinding()]
    Param(
        # Collection of PSManagementGroupChildInfo objects (the Children property)
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [object]
        $ChildObject
    )
    $subscriptionList = @()
    ForEach ($item in $ChildObject.GetEnumerator()) {
        if ($item.Type -eq "/subscriptions") {
            # For a subscription child, Name holds the subscription ID (GUID)
            # and DisplayName holds the subscription name
            $subHash = @{
                "name"  = $item.DisplayName
                "subId" = $item.Name
            }
            $subscriptionList += $subHash
        }
        elseif ($item.Type -eq "/providers/Microsoft.Management/managementGroups") {
            # Management group: recurse into its children, if it has any
            if ($null -ne $item.Children) {
                $subscriptionList += Expand-ManagementGroup -ChildObject $item.Children
            }
        }
    }
    return $subscriptionList
}

To use the function:

Expand-ManagementGroup -ChildObject (Get-AzManagementGroup -GroupId c986548e-494d-4f3a-b716-42287a39531b -Expand -Recurse).Children 
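
An added example, not part of the original post: the same recursion, extended so that each subscription is returned with the chain of management groups above it, which is the chain it inherits RBAC assignments and Azure Policy from. Get-SubscriptionPath, its -ParentPath parameter and New-Node are hypothetical names, and the hierarchy is constructed sample data shaped like the Children output shown earlier, so the block runs without an Azure connection.

```powershell
function Get-SubscriptionPath {
    [CmdletBinding()]
    param(
        # Collection of child objects (Type, Name, DisplayName, Children)
        [Parameter(Mandatory)]
        [object[]] $ChildObject,

        # Display names of the management groups already traversed (hypothetical parameter)
        [string[]] $ParentPath = @()
    )
    foreach ($item in $ChildObject) {
        if ($item.Type -eq '/subscriptions') {
            # Leaf: emit the subscription together with its ancestor chain
            [pscustomobject]@{
                SubscriptionId   = $item.Name
                SubscriptionName = $item.DisplayName
                Path             = $ParentPath -join '/'
                Depth            = $ParentPath.Count
            }
        }
        elseif ($item.Type -eq '/providers/Microsoft.Management/managementGroups' -and $item.Children) {
            # Management group with children: recurse, extending the path by this group
            Get-SubscriptionPath -ChildObject $item.Children -ParentPath ($ParentPath + $item.DisplayName)
        }
    }
}

# Constructed sample data (not real tenant output), same shape as PSManagementGroupChildInfo
function New-Node($Type, $Name, $DisplayName, $Children) {
    [pscustomobject]@{ Type = $Type; Name = $Name; DisplayName = $DisplayName; Children = $Children }
}
$mg  = '/providers/Microsoft.Management/managementGroups'
$sub = '/subscriptions'
$children = @(
    New-Node $mg 'rootomc' 'rootomc' @(
        (New-Node $sub '00000000-0000-0000-0000-000000000001' 'sub-prod' $null),
        (New-Node $mg 'group01' 'group01' @(
            (New-Node $sub '00000000-0000-0000-0000-000000000002' 'sub-dev' $null)
        ))
    )
    New-Node $mg 'group02' 'group02' $null   # empty management group, yields nothing
)

Get-SubscriptionPath -ChildObject $children -ParentPath @('Tenant Root Group') |
    Format-Table SubscriptionName, SubscriptionId, Path, Depth
```

Against a real tenant, pass the Children property returned by Get-AzManagementGroup with -Expand and -Recurse in place of $children.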

Top comments (1)

Timo Sarkar

Cool!! Just stumbled upon your dev.to profile and I have seen that you are Microsoft Azure MVP. So awesome!!!

Our company is currently diving into the space of Azure. However, many of us still have big problems on how to use Azure. Do you have good resources and references for the general use of Azure, Azure Machines, Hostpools, Policies, ARM templates, Azure AD, Azure groups and more?

I would really appreciate your help!! You can reach me under sartimo10@gmail.com

Regards

Timo Sarkar
