Azure Management Groups Management Client

1.1.0 · active · verified Thu Apr 09

The `azure-mgmt-managementgroups` library provides a Microsoft Azure Management Groups Management Client for Python. It allows developers to programmatically manage Azure Management Groups, including creating, updating, deleting, and listing them. This library is part of the Azure SDK for Python, currently at version 1.1.0, and typically receives updates aligning with new Azure Management Groups API versions or SDK-wide improvements.

Warnings

gotcha Authentication for Azure management clients primarily uses `azure-identity` and `DefaultAzureCredential`. Direct use of connection strings or SAS tokens is not applicable for ARM (Azure Resource Manager) operations, unlike some Azure data plane services (e.g., Storage Blobs).
Fix: Ensure `azure-identity` is installed (`pip install azure-identity`) and use `DefaultAzureCredential` or other credential types from `azure.identity` for client authentication.
gotcha List operations (e.g., `client.management_groups.list()`) return a paginated iterable. To access all results, you must iterate through the returned object. It does not return a simple list directly.
Fix: Always iterate over the results of `list()` methods, or convert them to a list explicitly if all items are needed at once: `list(client.management_groups.list())`.
breaking Older Azure SDK versions (pre-v2020) used different client construction and authentication patterns, often requiring explicit `ServiceClientCredentials` and a subscription ID passed to the client constructor, even for tenant-level operations. The current library (`1.x`) uses `azure-core` and `azure-identity` for a unified experience.
Fix: Upgrade to the latest `azure-mgmt-managementgroups` library. Follow the modern quickstart patterns using `DefaultAzureCredential` and pass only the credential to the client constructor. For management groups, a subscription ID is generally not required for the client constructor.
gotcha Management Group operations, such as creating or moving groups, often require specific permissions at the tenant root scope or higher in the management group hierarchy. Insufficient permissions will result in `CloudError` or `HttpResponseError`.
Fix: Ensure the identity used for authentication has the necessary Azure RBAC roles (e.g., 'Management Group Contributor' or 'Owner') at the appropriate scope for the desired operation. Check the Azure Activity Log for permission denied errors.

Install

pip install azure-mgmt-managementgroups azure-identity Install package and authentication library

Imports

ManagementGroupsAPI

from azure.mgmt.managementgroups import ManagementGroupsAPI

DefaultAzureCredential
```
from azure.identity import DefaultAzureCredential
```
Standard way to authenticate in Azure SDK for Python

Quickstart

This quickstart demonstrates how to authenticate with Azure using `DefaultAzureCredential` and list all existing Management Groups. This client operates at the tenant level, so it typically does not require a subscription ID.

import os
from azure.identity import DefaultAzureCredential
from azure.mgmt.managementgroups import ManagementGroupsAPI

# This client is for managing Management Groups, which exist above subscriptions.
# No subscription ID is typically needed for client instantiation.

# Authenticate using DefaultAzureCredential. It will try various methods
# like environment variables, managed identity, Azure CLI, Visual Studio Code.
credential = DefaultAzureCredential()

# Create a ManagementGroupsAPI client
client = ManagementGroupsAPI(credential)

print('Listing all Management Groups:')
for mg in client.management_groups.list():
    print(f'- ID: {mg.id}, Name: {mg.name}, Display Name: {mg.display_name}')

view raw JSON →