Azure Landing Zone Review Checklist – Management group and subscription organization
Resource management is one of the key components of governance: you don't want anyone getting into your environment and making unmanaged changes. If you have only a few subscriptions, it's fairly easy to manage them independently. But what if you have many subscriptions? Then you can create a management group hierarchy to help manage your subscriptions and resources. This gives you the confidence to land any workload in the Azure environment without worrying about mismanagement.
| Recommendation | Severity | Review question | Reference |
|---|---|---|---|
| Enforce a reasonably flat management group hierarchy, ideally no more than three to four levels | Medium | Do you have more than 4 levels in your management group structure? | Organize your resources with management groups – Azure Governance (Microsoft Docs) |
| Enforce or append resource tags through Azure Policy | Medium | Are you enforcing tags with Azure Policy? | Resource naming and tagging decision guide – Cloud Adoption Framework (Microsoft Docs) |
| Enforce a sandbox management group to allow users to experiment with Azure immediately | Medium | Do you have a sandbox environment for Azure workload experimentation? | Organize your resources with management groups – Azure Governance (Microsoft Docs) |
| Enforce a platform management group under the root management group to support common platform policy and Azure role assignments | Medium | Are you using the root management group for the assignment of Azure rights to support the common platform? | Organize your resources with management groups – Azure Governance (Microsoft Docs) |
| Enforce a dedicated connectivity subscription in the Platform management group to host an Azure Virtual WAN hub, private Domain Name System (DNS), ExpressRoute circuit, and other networking resources | Medium | Do you have a dedicated subscription for networking components within the Platform management group? | Organize your resources with management groups – Azure Governance (Microsoft Docs) |
| Enforce that no subscriptions are placed under the root management group | Medium | Do you have any subscriptions directly under the root management group? | Organize your resources with management groups – Azure Governance (Microsoft Docs) |
| Enforce that only privileged users can operate management groups in the tenant by enabling Azure RBAC authorization in the management group hierarchy settings | Medium | Are you using RBAC to control access to the management group structure? | Organize your resources with management groups – Azure Governance (Microsoft Docs) |
| Enforce management groups under the root-level management group that represent the types of workloads, based on their security, compliance, connectivity, and feature needs | Medium | Does your management group structure reflect the workload types and their security, compliance, connectivity and future needs? | Organize your resources with management groups – Azure Governance (Microsoft Docs) |
| Enforce a process that makes resource owners aware of their roles and responsibilities: access review, budget review, policy compliance, and remediation when necessary | High | Do you have a process in place to make resource owners aware of their responsibilities for access review, budgets and compliance review, and to remediate as needed? | Organize your resources with management groups – Azure Governance (Microsoft Docs) |
| Enforce that all subscription owners and the IT core team are aware of subscription support limitations | Medium | Have you made subscription owners and the IT team aware of the Azure subscription limits? | Azure subscription limits and quotas – Azure Resource Manager (Microsoft Docs) |
| Enforce the use of reserved instances to prioritize reserved capacity in required regions, so that the workload has the required capacity even when there is high demand for that resource in a specific region | High | Have you looked at Azure Reserved Instances to prioritize capacity in your regions, even when these specific resources are in high demand there? | What are Azure Reservations? (Microsoft Docs) |
| Enforce a dashboard, workbook, or manual process to monitor used capacity levels | High | Do you have capacity monitoring solutions for Azure workloads? | Plan for capacity – Azure Architecture Center (Microsoft Docs) |
| Ensure required services and features are available within the chosen deployment regions | Medium | Have you confirmed that the required Azure services are available in your target region(s)? | Azure Products by Region (Microsoft Azure) |
| Enforce a process for cost management | High | Do you have a cost management process in place? | Overview of Azure Cost Management + Billing (Microsoft Docs) |
| If using Active Directory on Windows Server, establish a dedicated identity subscription in the Platform management group to host the Windows Server Active Directory domain controllers | Medium | If using AD on Windows Server, do you have a dedicated subscription within the Platform management group for Active Directory? | Organize your resources with management groups – Azure Governance (Microsoft Docs) |
| Ensure tags are used for billing and cost management | Medium | Are you enforcing tags with Azure Policy, specifically for cost management? | Resource naming and tagging decision guide – Cloud Adoption Framework (Microsoft Docs) |
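Several of the review questions above (hierarchy depth, subscriptions under the root, and tag enforcement) can be answered mechanically from an export of the tenant. The script below is an added example, not part of the checklist or of Microsoft's documentation. It runs offline on a constructed hierarchy modelled on the shape of `az account management-group show --expand --recurse` output (assumption: each node carries `name`, `type` and `children`) and on constructed resource records in the shape of `az resource list` entries; the names, subscription ids and tag values are all made up.

```python
"""Added example (not from the checklist or Microsoft Docs): offline checks for
the management-group depth, no-subscriptions-under-root and required-tags
review questions. Sample data is constructed; the hierarchy shape is modelled
on `az account management-group show --expand --recurse` (assumption)."""

MG_TYPE = "Microsoft.Management/managementGroups"
SUB_TYPE = "/subscriptions"


def mg(name, *children):
    """Build a management-group node (constructed sample data)."""
    return {"name": name, "type": MG_TYPE, "children": list(children)}


def sub(name):
    """Build a subscription leaf node (constructed sample data)."""
    return {"name": name, "type": SUB_TYPE, "children": []}


# Constructed hierarchy: a Platform / Landing Zones / Sandbox layout with two
# deliberate findings, a fifth-level group and a subscription under the root.
SAMPLE_HIERARCHY = mg(
    "tenant-root",
    mg("platform",
       mg("connectivity", sub("sub-connectivity")),
       mg("identity", sub("sub-identity"))),
    mg("landing-zones",
       mg("corp",
          mg("emea",
             mg("prod",
                mg("app-team", sub("sub-erp")))))),   # app-team is 5 levels below root
    mg("sandbox", sub("sub-sandbox-1")),
    sub("sub-orphan"),                                # placed directly under root
)


def walk(node, depth=0):
    """Pre-order traversal yielding (node, depth); the root is depth 0, so a
    node's depth is the number of levels below the tenant root group."""
    yield node, depth
    for child in node.get("children") or []:
        yield from walk(child, depth + 1)


def max_mg_depth(root):
    """Deepest management-group level below the root (subscriptions excluded)."""
    return max(d for n, d in walk(root) if n["type"] == MG_TYPE)


def review_hierarchy(root, max_depth=4):
    """Return findings as (check, node name, detail) tuples for two checks:
    management groups deeper than `max_depth`, and subscriptions whose parent
    is the root management group."""
    findings = []
    for node, depth in walk(root):
        if node["type"] == MG_TYPE and depth > max_depth:
            findings.append(("mg-depth", node["name"],
                             f"{depth} levels below root, limit is {max_depth}"))
        elif node["type"] == SUB_TYPE and depth == 1:
            findings.append(("sub-under-root", node["name"],
                             "subscription placed directly under the root management group"))
    return findings


# Constructed resources in the shape of `az resource list` entries (id + tags).
REQUIRED_TAGS = ("costCenter", "owner", "environment")
SAMPLE_RESOURCES = [
    {"id": "/subscriptions/sub-erp/resourceGroups/rg-erp/providers/"
           "Microsoft.Compute/virtualMachines/vm-erp-01",
     "tags": {"costCenter": "CC100", "owner": "erp-team@example.com", "environment": "prod"}},
    {"id": "/subscriptions/sub-sandbox-1/resourceGroups/rg-dev/providers/"
           "Microsoft.Compute/virtualMachines/vm-dev-01",
     "tags": {"owner": "dev@example.com"}},
    {"id": "/subscriptions/sub-orphan/resourceGroups/rg-misc/providers/"
           "Microsoft.Storage/storageAccounts/stmisc01",
     "tags": None},   # resources with no tags at all come back with tags = null
]


def missing_required_tags(resources, required=REQUIRED_TAGS):
    """Map each non-compliant resource id to the tags it lacks. This is the
    same condition the built-in 'Require a tag on resources' policy evaluates
    (tags['<name>'] exists == false) before applying its deny effect."""
    report = {}
    for res in resources:
        tags = res.get("tags") or {}
        missing = [t for t in required if t not in tags]
        if missing:
            report[res["id"]] = missing
    return report


if __name__ == "__main__":
    for check, name, detail in review_hierarchy(SAMPLE_HIERARCHY):
        print(f"[{check}] {name}: {detail}")
    for rid, missing in missing_required_tags(SAMPLE_RESOURCES).items():
        print(f"[missing-tags] {rid}: {', '.join(missing)}")
```

Against a real tenant, the hierarchy and resource lists would come from the CLI calls named above and the findings would feed the review. Note that the tag check here only reports; the checklist's "enforce or append" is the job of an Azure Policy assignment with a `deny` effect (block untagged deployments) or an `append`/`modify` effect (add the missing tag, for example inherited from the resource group), so that drift is prevented rather than merely listed.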