
Azure policy DeployIfNotExist with management group scope

Yasmin, Fitri 376 Reputation points
2026-04-15T09:44:18.0966667+00:00

I’m trying to understand whether it’s possible to use Azure Policy to automate role assignments at the management group level.

My goal is to create a policy that ensures a specific Azure AD group is always assigned the Reader role across all management groups. Naturally, I looked into using the DeployIfNotExists effect, but it seems that the deploymentScope property only supports resource group and subscription scopes.

I’d really appreciate any guidance, best practices, or confirmation on whether this scenario is supported.


Answer accepted by question author

  1. Suchitra Suregaunkar 13,785 Reputation points Microsoft External Staff Moderator
    2026-04-15T18:23:04.02+00:00

    Hello Yasmin, Fitri

    Right now Azure Policy’s DeployIfNotExists effect only supports nested template deployments at the subscription or resource group scope—not at the management group level. That means you can’t directly author a single policy with DeployIfNotExists that will go out and automatically add an Azure AD group to the Reader role on each management group.

    Here are a few patterns you can use instead:

    Use an Azure Blueprint

    • Blueprints support RBAC artifacts at management‐group scope. You can define a Reader role assignment for your Azure AD group as part of a blueprint and assign that blueprint to your management group.
    • As new management groups are onboarded you just assign the same blueprint and the role assignment is enforced.

    Deploy an ARM or Bicep template at the management group scope

    • You can author a management‐group‐level ARM or Bicep deployment that has a `Microsoft.Authorization/roleAssignments` resource and target `targetScope = 'managementGroup'`.
    • You’d either run that once for each existing MG or trigger it via CI/CD whenever you create a new MG.

    Use a script or Azure Automation/Functions

    • Detect all child management groups and push out Reader assignments via Azure CLI/PowerShell (`az role assignment create --assignee <groupId> --role Reader --scope /providers/Microsoft.Management/managementGroups/<mg>`).
    • Schedule it or hook it into your MG-creation process.

    If you really need continuous “policy‐style” enforcement of those assignments at MG scope, Blueprint is the most turnkey path today.

    Please share the details below:

    • Are you OK with using Azure Blueprints for RBAC enforcement?

    • Do you need this to happen automatically whenever any new management group is created?

    • Are you comfortable running a CI/CD or automation runbook that targets management group scopes?

    Hope that helps!

    Reference docs

    Thanks,

    Suchitra.


1 additional answer

  1. Q&A Assist
    2026-04-15T09:44:29.24+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Azure Policy deployIfNotExists cannot directly deploy role assignments at the management group scope. The deploymentScope property for deployIfNotExists only supports Subscription and ResourceGroup values:

    • deploymentScope: "Subscription" → triggers a subscription-level deployment
    • deploymentScope: "ResourceGroup" → triggers a resource-group-level deployment (default)

    There is no ManagementGroup option for deploymentScope, so a deployIfNotExists policy assignment cannot automatically create or enforce role assignments on management groups themselves.

    To manage RBAC at the management group level, use management-group–scope deployments (Bicep or ARM) instead of deployIfNotExists:

    • Define role assignments or policies in a Bicep/ARM template with targetScope = 'managementGroup'.
    • Deploy that template at the management group level to declaratively apply RBAC and policies across the hierarchy.

    Azure Policy can still be used for RBAC at subscription or resource-group scope via deployIfNotExists (by triggering deployments at those scopes), but enforcing a Reader assignment for an Azure AD group “on every management group” is not supported via deployIfNotExists today.

    A common pattern is:

    1. Use management-group–level Bicep/ARM deployments to define and assign policies and RBAC at the management group level.
    2. Within those policies, use deployIfNotExists only for subscription/resource-group–level resources where supported.

