{"id":1370,"library":"azure-mgmt-managementgroups","title":"Azure Management Groups Management Client","description":"The `azure-mgmt-managementgroups` library provides a Microsoft Azure Management Groups Management Client for Python. It allows developers to programmatically manage Azure Management Groups, including creating, updating, deleting, and listing them. This library is part of the Azure SDK for Python, currently at version 1.1.0, and typically receives updates aligning with new Azure Management Groups API versions or SDK-wide improvements.","status":"active","version":"1.1.0","language":"en","source_language":"en","source_url":"https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/managementgroups/azure-mgmt-managementgroups","tags":["Azure","Management Groups","Cloud Management","SDK","ARM"],"install":[{"cmd":"pip install azure-mgmt-managementgroups azure-identity","lang":"bash","label":"Install package and authentication library"}],"dependencies":[{"reason":"Legacy base package for Azure SDK, often implicitly required.","package":"azure-common","optional":false},{"reason":"Foundation for modern Azure SDK clients.","package":"azure-core","optional":false},{"reason":"Core functionalities for Azure management plane SDKs.","package":"azure-mgmt-core","optional":false},{"reason":"HTTP client library used by Azure SDKs.","package":"msrest","optional":false},{"reason":"Azure-specific extensions for msrest.","package":"msrestazure","optional":false},{"reason":"Required for modern Azure SDK authentication (e.g., DefaultAzureCredential).","package":"azure-identity","optional":false}],"imports":[{"symbol":"ManagementGroupsAPI","correct":"from azure.mgmt.managementgroups import ManagementGroupsAPI"},{"note":"Standard way to authenticate in Azure SDK for Python","symbol":"DefaultAzureCredential","correct":"from azure.identity import DefaultAzureCredential"}],"quickstart":{"code":"import os\nfrom azure.identity import DefaultAzureCredential\nfrom azure.mgmt.managementgroups import ManagementGroupsAPI\n\n# This client is for managing Management Groups, which exist above subscriptions.\n# No subscription ID is typically needed for client instantiation.\n\n# Authenticate using DefaultAzureCredential. It will try various methods\n# like environment variables, managed identity, Azure CLI, Visual Studio Code.\ncredential = DefaultAzureCredential()\n\n# Create a ManagementGroupsAPI client\nclient = ManagementGroupsAPI(credential)\n\nprint('Listing all Management Groups:')\nfor mg in client.management_groups.list():\n    print(f'- ID: {mg.id}, Name: {mg.name}, Display Name: {mg.display_name}')\n","lang":"python","description":"This quickstart demonstrates how to authenticate with Azure using `DefaultAzureCredential` and list all existing Management Groups. This client operates at the tenant level, so it typically does not require a subscription ID."},"warnings":[{"fix":"Ensure `azure-identity` is installed (`pip install azure-identity`) and use `DefaultAzureCredential` or other credential types from `azure.identity` for client authentication.","message":"Authentication for Azure management clients primarily uses `azure-identity` and `DefaultAzureCredential`. Direct use of connection strings or SAS tokens is not applicable for ARM (Azure Resource Manager) operations, unlike some Azure data plane services (e.g., Storage Blobs).","severity":"gotcha","affected_versions":"All versions"},{"fix":"Always iterate over the results of `list()` methods, or convert them to a list explicitly if all items are needed at once: `list(client.management_groups.list())`.","message":"List operations (e.g., `client.management_groups.list()`) return a paginated iterable. To access all results, you must iterate through the returned object. It does not return a simple list directly.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Upgrade to the latest `azure-mgmt-managementgroups` library. Follow the modern quickstart patterns using `DefaultAzureCredential` and pass only the credential to the client constructor. For management groups, a subscription ID is generally not required for the client constructor.","message":"Older Azure SDK versions (pre-v2020) used different client construction and authentication patterns, often requiring explicit `ServiceClientCredentials` and a subscription ID passed to the client constructor, even for tenant-level operations. The current library (`1.x`) uses `azure-core` and `azure-identity` for a unified experience.","severity":"breaking","affected_versions":"<1.0.0 (historical), transitioning from older SDKs"},{"fix":"Ensure the identity used for authentication has the necessary Azure RBAC roles (e.g., 'Management Group Contributor' or 'Owner') at the appropriate scope for the desired operation. Check the Azure Activity Log for permission denied errors.","message":"Management Group operations, such as creating or moving groups, often require specific permissions at the tenant root scope or higher in the management group hierarchy. Insufficient permissions will result in `CloudError` or `HttpResponseError`.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-09T00:00:00.000Z","next_check":"2026-07-08T00:00:00.000Z"}