Management Groups Visualization
An interactive view of your Azure management group hierarchy with the direct RBAC assignments at each management group and subscription. Open it from the Resource Explorer header to navigate the tree, inspect role assignments grouped by security impact, and walk a single node back through every scan it appeared in.
Prerequisites
A scan must exist
The Management Groups button is only useful once you have run at least one scan and are viewing it in Resource Explorer. The view always reflects the scan currently selected there.
For management groups and subscriptions to appear, the StratoLens managed identity needs Reader (or equivalent) at each scope you want to see. Nodes the identity can't read simply don't appear in the tree; there is no separate "permission denied" message inside the view.
Opening the View
From any scan loaded in Resource Explorer, click the Management Groups button (folder-tree icon) in the page header, to the right of the Resource Explorer title. The view opens as a modal dialog titled Management Groups.
Close it by clicking outside the modal, pressing Esc, or clicking the × control on the modal header.
The view reflects the scan you're viewing
The hierarchy shown is the scan currently selected in Resource Explorer, not live Azure. To look at a different point in time, close the view, change the scan in the Resource Explorer snapshot picker, and reopen.
Navigating the Hierarchy
The modal is a two-column layout. The left column, labeled Hierarchy, holds the management-group tree. The right column shows details for the selected node. Both columns scroll independently.
The tree is rendered as Azure reports it: a single Tenant Root Group at the top, nested management groups beneath it, and subscriptions appearing as terminal leaf nodes under whichever management group owns them. A subscription appears under exactly one management group, the parent it belonged to at the time of the scan.
Each row shows:
- Chevron: expand or collapse a branch. Hidden on rows with no children.
- Azure icon: different icons distinguish a management group from a subscription.
- Display name: the management group or subscription name as Azure reports it.
- RBAC count badge: a bracketed number, e.g. [7], showing the count of direct role assignments on that node. Hidden when the count is zero.
The badge counts direct assignments only
Assignments inherited from a parent management group are not counted on the child; they are counted on the parent where they are actually defined. If the badge looks lower than what the Azure portal shows, this is why.
Reading RBAC Assignments
Click anywhere on a tree row to select that management group or subscription. The selected row is highlighted, and the right pane (RBAC Assignments) updates to show that node's direct role assignments. The pane header shows the Azure icon, the display name, the entity type (Management Group or Subscription), and the total count of direct assignments.
Assignments are grouped into four categories by role name, with empty groups hidden:
Critical Roles
High-privilege roles such as Owner, User Access Administrator, and other roles whose name contains "Administrator".
Management Roles
Operational roles such as Contributor, Manager, and Operator.
Read Roles
Read-only roles such as Reader, Viewer, and Monitoring roles.
Other Roles
Anything that doesn't match the categories above. Custom or service-specific roles typically land here.
Each assignment row shows the principal type icon (user, group, or service principal, with a tooltip naming the type), the principal's display name, the role name, and the assignment scope. The pane lists only assignments whose scope is exactly the selected node; to see inherited assignments, select the parent management group where they were defined.
If a node has no direct assignments, the pane shows "No direct RBAC assignments for this management group" (or "...for this subscription").
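The grouping and "direct only" rules above, as an added example in Python (not StratoLens's own code): role names are bucketed with the keywords the page lists, and a node's badge and pane only count assignments whose scope string is exactly that node. The match precedence (Critical, then Management, then Read, then Other), the assignment record shape and the sample scopes and principals are assumptions constructed for the example.

```python
# Added example, not StratoLens code: bucket direct RBAC assignments per scope
# using the four role categories described above. Match precedence (Critical,
# then Management, then Read, then Other) is an assumption for this example.
from collections import defaultdict

CRITICAL_EXACT = {"owner", "user access administrator"}
MANAGEMENT_KEYWORDS = ("contributor", "manager", "operator")
READ_KEYWORDS = ("reader", "viewer", "monitoring")


def categorize_role(role_name: str) -> str:
    """Map a role name to Critical, Management, Read or Other."""
    name = role_name.strip().lower()
    if name in CRITICAL_EXACT or "administrator" in name:
        return "Critical"
    if any(k in name for k in MANAGEMENT_KEYWORDS):
        return "Management"
    if any(k in name for k in READ_KEYWORDS):
        return "Read"
    return "Other"


def direct_assignments(assignments, scope: str):
    """Only assignments defined exactly at this scope; anything inherited from
    a parent is counted on the parent, never on the child."""
    return [a for a in assignments if a["scope"] == scope]


def group_by_category(assignments, scope: str):
    """Category -> list of (principal, role) for one node; empty groups omitted."""
    groups = defaultdict(list)
    for a in direct_assignments(assignments, scope):
        groups[categorize_role(a["role"])].append((a["principal"], a["role"]))
    return dict(groups)


# Constructed sample: one management group with one subscription beneath it.
MG = "/providers/Microsoft.Management/managementGroups/contoso-platform"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # placeholder id
SAMPLE = [
    {"principal": "platform-admins", "role": "Owner", "scope": MG},
    {"principal": "sec-ops", "role": "Security Administrator", "scope": MG},
    {"principal": "audit-sp", "role": "Reader", "scope": MG},
    {"principal": "app-team", "role": "Contributor", "scope": SUB},
    {"principal": "cost-tool", "role": "Cost Management Reader", "scope": SUB},
    {"principal": "custom-bot", "role": "Deployment Validator", "scope": SUB},
]

if __name__ == "__main__":
    for scope in (MG, SUB):  # badge count and grouped pane contents per node
        print(scope, len(direct_assignments(SAMPLE, scope)), group_by_category(SAMPLE, scope))
```

Note that the subscription's badge stays at 3 even though it inherits Owner and Reader from the management group, which is exactly the discrepancy with the Azure portal described above.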
Viewing a Node's History
With a node selected, click Show History in the top-right of the right pane. The pane switches to a timeline of every scan in which this management group or subscription appeared, so you can walk it back scan by scan and see exactly what changed and when.
Click Back to Current to return to the RBAC view for the same node. Selecting a different node in the tree always returns the right pane to its RBAC view; you have to click Show History again on the new node.
Use history to investigate a single entity over time
Show History is the fastest way to answer questions like "when did this subscription move under a different management group?" or "when was Owner added on this scope?" without leaving the view.
Behavior & Defaults
- Default expansion: all nodes are expanded the first time the view opens. Collapse any branch with its chevron.
- Selection on reopen: closing the view resets the selection. Reopening starts with no node selected and the right pane in its placeholder state.
- Scope: always the scan currently selected in Resource Explorer. There is no separate scan picker inside the view.
- Subscription RBAC: included automatically. Subscriptions appear as leaf nodes with their own direct role assignments; no separate view is needed.
- Partial-access tenants: if the managed identity has read access only to a sub-tree of management groups (not the Tenant Root), the view shows whatever it can see, with the topmost accessible management groups as the root. There may be more than one root in this case.
Troubleshooting
"No management groups found"
What to do
The scan being viewed didn't collect any management groups. The most common cause is that the managed identity has no Reader role at the Tenant Root Group or at any management group. Grant Reader at the appropriate scope and run a new scan. Older scans run before the permission was granted will not backfill retroactively.
My tree starts at a management group, not the Tenant Root Group
What to do
Expected when the managed identity doesn't have read access at the Tenant Root level. The view shows the topmost management group(s) the identity can read. To see the full hierarchy, grant Reader at the Tenant Root Group and run a new scan.
A subscription is missing from the tree
What to do
The subscription either wasn't accessible to the managed identity at scan time, or it had been moved or deleted before the scan ran. Confirm the subscription exists in Azure and that the identity has Reader on it, then run a new scan.
"Show History" shows "No history found"
What to do
The selected entity appears in only one scan (the current one), so there is nothing earlier or later to compare. This is expected for fresh installs and for newly created management groups or subscriptions.
Related Features
The Management Groups view is one entry point to your Azure organizational data. These pages cover related areas:
- Resource Explorer & Scans — choose which scan the hierarchy reflects.
- Change Tracking — diff two scans to see what moved between management groups (separate Changes-mode view).
- Feature overview (marketing) — high-level summary of the visualization feature.