
Recursive removal of empty Management Groups with PowerShell


TL;DR: Recursive Management Group removal script here.

Recently I was testing the ALZ-Bicep framework from Microsoft for Azure Landing Zones deployment. It performs deployment of management, connectivity and identity resources with Bicep: Infrastructure as Code and Policy as Code. If you haven't started using Management Groups yet, though, this post might not be for you. Have a look here for instructions on how to get started, and you absolutely should!

Topology cleanup

During Landing Zones testing, several Management Group layers were created: top level alz, landing zones, platform, connectivity, identity, management, sandbox, quarantine, and more. These are tiered, nested one inside the other.

Management Groups with children can't be deleted; they must be empty. You might know this, or you might not; it does not really matter. Either way, this means that all children must be removed before you can clean up your management group topology. When you have up to six layers and many different groups in those layers, you are in for some portal ClickOps fun, or a repetitive chain of PowerShell commands.

Enter PowerShell

Of course you can use PowerShell for the removal of management groups, but if you try to remove a management group with children, you get this error:

Children can be other management groups (for six layers), or subscriptions. Either way, you can’t unintentionally remove the children. I had a few layers of management groups to remove, and could of course use ClickOps. But what is the fun in that?

I found this post on StackOverflow, where someone had created a function for deleting management groups with children. Looks good enough, but I wanted to change it somewhat. Add some error handling. Add some verification. Change the output. Handle the default management group for subscriptions. You know, the usual over-engineering! 😆

Default management group

Actually, it was a post by Tao Yang on a Bicep management group module that revealed this concept to me. You can also read about it in the Microsoft docs. It can be enabled via the REST API or in the portal.

This can be a nice feature if you don't have control over subscription creation in the tenant and need new subscriptions to be initially registered in a "safe" group. Not sure it is very important to set it, as you would place a new subscription in your topology anyway. At least it is an option if you need it.

Anyway, if you try to delete the default management group, you get an error:

Running the script

So, you can find the script here. You need to log in with an account that has write permissions on the management group you want to delete; Owner, Contributor, or Management Group Contributor is sufficient. Download the script to a local folder.

Run the script in dryrun mode:

# Replace this value with your own management group name or id
$mgName = "MyManagementGroup"

.\remove-managementgroup.ps1 -mgName $mgName -dryrun $true

Might look something like this if there are subscriptions present:

Or it could look like this:

When actually removing, it looks like this:
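A minimal script of the kind described above, as an added example here rather than the post's own script. It assumes the Az.Accounts and Az.Resources modules are installed and Connect-AzAccount has been run; the hierarchy-settings REST path and api-version, and the child Type strings matched with -like, are assumptions.

```powershell
# Added example (not the post's script): recursively remove a management group and
# its empty descendants, with a dryrun mode. Groups that still hold subscriptions,
# and the tenant's default management group, are reported and left untouched.
param(
    [Parameter(Mandatory)] [string] $mgName,
    [bool] $dryrun = $true
)

# Look up the tenant's default management group so we never attempt to delete it.
# Assumption: settings live under the tenant root group, api-version 2020-05-01.
$tenantId = (Get-AzContext).Tenant.Id
$resp = Invoke-AzRestMethod -Method GET -Path "/providers/Microsoft.Management/managementGroups/$tenantId/settings/default?api-version=2020-05-01"
$defaultMg = $null
if ($resp.StatusCode -eq 200) {
    $defaultMg = ($resp.Content | ConvertFrom-Json).properties.defaultManagementGroup
}

function Remove-MgRecursive {
    param([string] $Name, [int] $Depth = 0)
    $indent = '  ' * $Depth
    # -Expand populates the direct children (management groups and subscriptions).
    $mg = Get-AzManagementGroup -GroupName $Name -Expand -ErrorAction Stop

    # Subscriptions are never removed here: report them and keep this branch intact.
    $subs = @($mg.Children | Where-Object { $_.Type -like '*subscriptions' })
    if ($subs.Count -gt 0) {
        Write-Warning "$indent$Name holds $($subs.Count) subscription(s), move them first: $($subs.Name -join ', ')"
        return $false
    }

    # Child management groups go first, deepest first, so the parent ends up empty.
    $allChildrenGone = $true
    foreach ($child in @($mg.Children | Where-Object { $_.Type -like '*managementGroups' })) {
        if (-not (Remove-MgRecursive -Name $child.Name -Depth ($Depth + 1))) { $allChildrenGone = $false }
    }
    if (-not $allChildrenGone) { Write-Warning "$indent$Name is not empty, skipping"; return $false }

    if ($defaultMg -and $mg.Id -eq $defaultMg) {
        Write-Warning "$indent$Name is the tenant's default management group, skipping"
        return $false
    }

    if ($dryrun) {
        Write-Host "$indent[dryrun] would remove $Name"
    } else {
        Write-Host "${indent}removing $Name"
        Remove-AzManagementGroup -GroupName $Name -ErrorAction Stop | Out-Null
    }
    return $true
}

[void](Remove-MgRecursive -Name $mgName)
```

Run it first with -dryrun $true to see which groups would be removed and where subscriptions or the default group block the cleanup.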

In summary

Management Groups are a great way to structure your organization, and you should absolutely be using them. They enable a policy-driven governance strategy and give you efficient control over large-scale management of your resources. It is not often you would need a script like this, but half the fun is writing the PowerShell, eh? 🤓