Azure Landing Zone Review Checklist – Management group and subscription organization


Resource management is one of the key components: you don’t want anyone getting into your environment and messing around. If you have only a few subscriptions, it’s fairly easy to manage them independently. But what if you have many subscriptions? Then you can create a management group hierarchy to help manage your subscriptions and resources. This gives you the comfort of landing any workload in the Azure environment without worrying about mismanagement.

| Recommendation | Severity | Review question | Reference |
| --- | --- | --- | --- |
| Enforce a reasonably flat management group hierarchy with no more than three to four levels, ideally | Medium | Do you have more than a maximum of 4 levels within your Management Group Structure? | Organize your resources with management groups – Azure Governance – Azure governance \| Microsoft Docs |
| Enforce or append resource tags through Azure Policy | Medium | Are you enforcing tags with Azure Policy? | Resource naming and tagging decision guide – Cloud Adoption Framework \| Microsoft Docs |
| Enforce a sandbox management group to allow users to immediately experiment with Azure | Medium | Do you have a sandbox environment for Azure workload experimentation? | Organize your resources with management groups – Azure Governance – Azure governance \| Microsoft Docs |
| Enforce a platform management group under the root management group to support common platform policy and Azure role assignment | Medium | Are you using the Root Management Group for the assignment of Azure rights to support the common platform? | Organize your resources with management groups – Azure Governance – Azure governance \| Microsoft Docs |
| Enforce a dedicated connectivity subscription in the Platform management group to host an Azure Virtual WAN hub, private Domain Name System (DNS), ExpressRoute circuit, and other networking resources. | Medium | Do you have a dedicated subscription for networking components within the Platform Management Group? | Organize your resources with management groups – Azure Governance – Azure governance \| Microsoft Docs |
| Enforce no subscriptions are placed under the root management group | Medium | Do you have any subscriptions directly under the Root Management Group? | Organize your resources with management groups – Azure Governance – Azure governance \| Microsoft Docs |
| Enforce that only privileged users can operate management groups in the tenant by enabling Azure RBAC authorization in the management group hierarchy settings | Medium | Are you using RBAC to control access to the Management Group Structure? | Organize your resources with management groups – Azure Governance – Azure governance \| Microsoft Docs |
| Enforce management groups under the root-level management group to represent the types of workloads, based on their security, compliance, connectivity, and feature needs. | Medium | Do your management group and management group structure match the type of workload, security, compliance to future needs of the workload? | Organize your resources with management groups – Azure Governance – Azure governance \| Microsoft Docs |
| Enforce a process to make resource owners aware of their roles and responsibilities, access review, budget review, policy compliance and remediate when necessary. | High | Do you have a process in place to make resource owners aware of their responsibilities with regards to access review, budgets, and compliance review and remediate as needed? | Organize your resources with management groups – Azure Governance – Azure governance \| Microsoft Docs |
| Enforce that all subscription owners and IT core team are aware of subscription support limitations | Medium | Have you made the subscription owners and IT Team aware of the Azure Subscription limits? | Azure subscription limits and quotas – Azure Resource Manager \| Microsoft Docs |
| Enforce the use of reserved instances to prioritize reserved capacity in required regions. Then the workload will have the required capacity even when there’s a high demand for that resource in a specific region. | High | Have you looked at Azure Reserved Instances to prioritize capacity in your regions, even when these specific resources are in high demand in your region? | What are Azure Reservations? \| Microsoft Docs |
| Enforce a dashboard, workbook, or manual process to monitor used capacity levels | High | Do you have capacity monitoring solutions for Azure Workloads? | Plan for capacity – Azure Architecture Center \| Microsoft Docs |
| Ensure required services and features are available within the chosen deployment regions | Medium | Have you confirmed that the required Azure services are in your target region(s)? | Azure Products by Region \| Microsoft Azure |
| Enforce a process for cost management | High | Do you have a cost management process in place? | Overview of Azure Cost Management + Billing \| Microsoft Docs |
| If AD on Windows Server, establish a dedicated identity subscription in the Platform management group to host Windows Server Active Directory domain controllers | Medium | Do you have a dedicated subscription within the Platform Management Group for Active Directory, if using AD on Windows Server? | Organize your resources with management groups – Azure Governance – Azure governance \| Microsoft Docs |
| Ensure tags are used for billing and cost management | Medium | Are you enforcing tags with Azure Policy, specifically for Cost Management? | Resource naming and tagging decision guide – Cloud Adoption Framework \| Microsoft Docs |
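
Three of the structural items above (hierarchy depth, no subscriptions under the root, platform and sandbox groups under the root) can be checked mechanically against an exported hierarchy. The following is an added example, not part of the original checklist: the tree is constructed sample data, and the node fields, the type strings, the group display names "Platform" and "Sandbox", and the convention of counting levels below the root group are assumptions modeled on the JSON returned by `az account management-group show --expand --recurse`.

```python
# Added example: audit a management group tree against three checklist items.
MG_TYPE = "Microsoft.Management/managementGroups"   # assumed type strings, modeled
SUB_TYPE = "/subscriptions"                         # on Azure CLI JSON output

def mg(name, *children):
    """Build a constructed management group node."""
    return {"displayName": name, "type": MG_TYPE, "children": list(children)}

def sub(name):
    """Build a constructed subscription node."""
    return {"displayName": name, "type": SUB_TYPE, "children": None}

# Constructed sample tenant, not real data.
SAMPLE_TREE = mg(
    "Tenant Root Group",
    sub("legacy-billing"),
    mg("Platform", sub("connectivity"), sub("identity")),
    mg("Landing Zones", mg("Corp", mg("EU", mg("Prod", mg("Team A", sub("app-42")))))),
)

def audit_hierarchy(root, max_levels=4, required=("Platform", "Sandbox")):
    """Return (rule, detail) findings; levels are counted below the root group."""
    findings = []
    children = root.get("children") or []
    for child in children:
        if child["type"] == SUB_TYPE:
            findings.append(("subscription-under-root", child["displayName"]))
    top_groups = {c["displayName"] for c in children if c["type"] == MG_TYPE}
    for name in required:
        if name not in top_groups:
            findings.append(("missing-group", name))

    def walk(node, level, path):
        for child in node.get("children") or []:
            if child["type"] != MG_TYPE:
                continue
            child_path = path + [child["displayName"]]
            if level + 1 > max_levels:
                findings.append(("too-deep", "/".join(child_path)))
            walk(child, level + 1, child_path)

    walk(root, 0, [root["displayName"]])
    return findings

if __name__ == "__main__":
    for rule, detail in audit_hierarchy(SAMPLE_TREE):
        print(f"{rule}: {detail}")
```

To run it against a real tenant, load the exported JSON in place of `SAMPLE_TREE` and adjust `required` and `max_levels` to your own naming and depth policy.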
