diff --git a/modules/services/service-principal/organizational.tf b/modules/services/service-principal/organizational.tf
index 5e683aa..dd6e3dd 100644
--- a/modules/services/service-principal/organizational.tf
+++ b/modules/services/service-principal/organizational.tf
@@ -2,13 +2,14 @@
 # Fetch the management groups for customer tenant and onboard subscriptions under them
 #---------------------------------------------------------------------------------------------
 data "azurerm_management_group" "root_management_group" {
- count = var.is_organizational ? 1 : 0
+ count = var.is_organizational && length(var.management_group_ids) == 0 ? 1 : 0
 display_name = "Tenant Root Group"
 }
 
 locals {
 # when empty, this will be the root management group whose default display name is "Tenant root group"
- management_groups = var.is_organizational && length(var.management_group_ids) == 0 ? [data.azurerm_management_group.root_management_group[0].id] : toset(var.management_group_ids)
+ management_groups = var.is_organizational && length(var.management_group_ids) == 0 ? [data.azurerm_management_group.root_management_group[0].id] : toset(
+ [for m in var.management_group_ids : format("%s/%s", "/providers/Microsoft.Management/managementGroups",m)])
 }
 
 #---------------------------------------------------------------------------------------------
@@ -42,4 +43,4 @@ resource "azurerm_role_assignment" "sysdig_vm_user_for_tenant" {
 scope = each.key
 role_definition_name = "Virtual Machine User Login"
 principal_id = azuread_service_principal.sysdig_sp.object_id
-}
\ No newline at end of file
+}
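Review bot: The new `for` expression in `locals.management_groups` unconditionally prepends `/providers/Microsoft.Management/managementGroups/` to every entry, so a caller who still passes a full management-group resource ID (which the replaced line accepted verbatim) now gets a doubled prefix, and the role assignments that consume `local.management_groups` fail or are scoped to a non-existent path. Accept both forms by normalising instead, e.g. `[for m in var.management_group_ids : startswith(m, "/providers/") ? m : format("/providers/Microsoft.Management/managementGroups/%s", trimprefix(m, "/"))]` (`startswith` needs Terraform 1.3+; `length(regexall("^/providers/", m)) > 0` works on older releases), and state the accepted formats in the variable's description. Note too that an empty list still silently falls back to the Tenant Root Group, the broadest scope the role assignments can be granted at, so a `validation` block or an explicit opt-in variable would make that widening deliberate rather than accidental. The `for_each` that consumes `local.management_groups` and the `sysdig_vm_user_for_tenant` resource in the second hunk both begin outside what is shown here.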