Overview of Azure Service Groups (public preview)
Source: Dev.to
Overview
In an Azure tenant, management groups are used to organize subscriptions, define access controls, and apply policies. When resources for a single workload are deployed across multiple subscriptions, management becomes more complex. Azure Service Groups address this by allowing you to group resources without moving them.
A Service Group is a logical container that groups resources across subscriptions and resource groups while leaving each resource in its original subscription. It can be managed from within the management‑group hierarchy and stores metadata used to identify workloads, track state, and manage processes.
Use Cases
- Networking team – Group gateways, load balancers, and other network services that span several subscriptions. Assign the Service Group Reader role so team members can view the group and its child resources.
- Inventory & monitoring – Get an inventory of resources in the group, a list of issues, application maps, availability tests (when Application Insights is linked), and monitoring recommendations for VMs and AKS.
Naming and Hierarchy
- Each Service Group requires a unique global name (up to 250 characters), similar to a storage account name.
- Service Groups form a hierarchy: you can create a Service Group at the top level (under the Tenant Root Service Group) or as a child of another Service Group.
Creating a Service Group with Bicep
You can create a Service Group and associate resources using the Azure Portal or the Azure REST API. Currently there is no dedicated PowerShell cmdlet or Azure CLI command.
param serviceGroupId string
param parentServiceGroupId string
param serviceGroupName string
param storageAccountName string
resource serviceGroup 'Microsoft.Management/serviceGroups@2024-02-01-preview' = {
scope: tenant()
name: serviceGroupId
properties: {
displayName: serviceGroupName
parent: {
resourceId: '/providers/Microsoft.Management/serviceGroups/${parentServiceGroupId}'
}
}
}
resource storageAccount 'Microsoft.Storage/storageAccounts@2025-06-01' existing = {
name: storageAccountName
}
resource rel1 'Microsoft.Relationships/serviceGroupMember@2023-09-01-preview' = {
scope: storageAccount
name: 'childResource1'
properties: {
targetId: serviceGroup.id
}
}- The
serviceGroupresource creates the Service Group at the tenant level. - The
rel1resource links an existing storage account to the Service Group usingMicrosoft.Relationships/serviceGroupMember.
Creating a Service Group with an ARM Template
If you need to specify the scope using a resource ID, an ARM template can be used:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"storageAccountName": { "type": "string" },
"storageAccountRG": { "type": "string" },
"storageAccountSubID":{ "type": "string" },
"targetServiceGroupResourceID": { "type": "string" }
},
"resources": [
{
"type": "Microsoft.Relationships/serviceGroupMember",
"apiVersion": "2023-09-01-preview",
"name": "[concat('rel-', parameters('storageAccountName'))]",
"scope": "[resourceId(parameters('storageAccountSubID'), parameters('storageAccountRG'), 'Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
"properties": {
"targetId": "[parameters('targetServiceGroupResourceID')]"
}
}
],
"outputs": {}
}Preview Notice
Service Groups are currently in public preview. APIs and tooling may change before general availability, but the feature is worth evaluating for medium or large Azure tenants.