Document migration from original to new hierarchical configuration for management groups

[skeeler]

Additional documentation covering migration scenarios from original to new hierarchical management group configuration:

• Include the CLI + jq command for customers who want to migrate to mg heirarchy

[SenthuranSivananthan]

The management group structure we will use can be retrieved through Azure CLI using the following command.

# Replace this value with your environment.  This id is the same as Azure Active Directory ID.
TENANT_GROUP_ID='343ddfdb-bef5-46d9-99cf-ed67d5948783'

az account management-group show --name $TENANT_GROUP_ID -e -r | jq 'recurse(.children[]?) |= del(select(.type == "/subscriptions")) | del(..|nulls) | recurse(.children[]?) |= {"id":.name, "name":.displayName, "children": (.children // [] )}'

Approach

• Use Azure CLI to retrieve the management group structure recursively from Tenant Root Group. This structure will include subscriptions as well.
• Use jq to
  • Remove all objects that are of type: /subscription
  • Removing the subscription objects leaves null in place in arrays so we then delete the nulls
  • Recurse through the final json and select name, id and children (if children is null, then mark it as empty array [])

Output

{
  "id": "343ddfdb-bef5-46d9-99cf-ed67d5948783",
  "name": "Tenant Root Group",
  "children": [
    {
      "id": "pubsec",
      "name": "Azure Landing Zones for Canadian Public Sector",
      "children": [
        {
          "id": "pubsecSandbox",
          "name": "Sandbox",
          "children": []
        },
        {
          "id": "pubsecPlatform",
          "name": "Platform",
          "children": [
            {
              "id": "pubsecPlatformIdentity",
              "name": "Identity",
              "children": []
            },
            {
              "id": "pubsecPlatformManagement",
              "name": "Management",
              "children": []
            },
            {
              "id": "pubsecPlatformConnectivity",
              "name": "Connectivity",
              "children": []
            }
          ]
        },
        {
          "id": "pubsecLandingZones",
          "name": "Landing Zones",
          "children": [
            {
              "id": "pubsecLandingZonesQA",
              "name": "QA",
              "children": []
            },
            {
              "id": "pubsecLandingZonesDevTest",
              "name": "Dev/Test",
              "children": []
            },
            {
              "id": "pubsecLandingZonesProd",
              "name": "Production",
              "children": []
            }
          ]
        }
      ]
    }
  ]
}