Azure Landing Zone Review Checklist – Management group and subscription organization
Resource management is one of the key components of a landing zone: you don't want anyone getting into your environment and making uncontrolled changes. If you have only a few subscriptions, it's fairly easy to manage them independently. But what if you have many subscriptions? Then you can create a management group hierarchy to help manage your subscriptions and resources. This gives you the confidence to land any workload in the Azure environment without worrying about mismanagement.
| Recommendation | Priority | Review question | Reference |
|---|---|---|---|
| Enforce a reasonably flat management group hierarchy, ideally with no more than three to four levels | Medium | Does your management group structure have more than four levels? | Organize your resources with management groups – Azure governance (Microsoft Docs) |
| Enforce or append resource tags through Azure Policy | Medium | Are you enforcing tags with Azure Policy? | Resource naming and tagging decision guide – Cloud Adoption Framework (Microsoft Docs) |
| Enforce a sandbox management group to allow users to experiment with Azure immediately | Medium | Do you have a sandbox environment for Azure workload experimentation? | Organize your resources with management groups – Azure governance (Microsoft Docs) |
| Enforce a platform management group under the root management group to support common platform policy and Azure role assignment | Medium | Are you using the root management group for the assignment of Azure rights to support the common platform? | Organize your resources with management groups – Azure governance (Microsoft Docs) |
| Enforce a dedicated connectivity subscription in the Platform management group to host an Azure Virtual WAN hub, private Domain Name System (DNS), ExpressRoute circuit, and other networking resources | Medium | Do you have a dedicated subscription for networking components within the Platform management group? | Organize your resources with management groups – Azure governance (Microsoft Docs) |
| Enforce that no subscriptions are placed directly under the root management group | Medium | Do you have any subscriptions directly under the root management group? | Organize your resources with management groups – Azure governance (Microsoft Docs) |
| Enforce that only privileged users can operate management groups in the tenant by enabling Azure RBAC authorization in the management group hierarchy settings | Medium | Are you using RBAC to control access to the management group structure? | Organize your resources with management groups – Azure governance (Microsoft Docs) |
| Enforce management groups under the root management group that represent the types of workloads, based on their security, compliance, connectivity, and feature needs | Medium | Does your management group structure reflect the workload types and their security, compliance, connectivity, and feature needs? | Organize your resources with management groups – Azure governance (Microsoft Docs) |
| Enforce a process to make resource owners aware of their roles and responsibilities: access review, budget review, policy compliance, and remediation when necessary | High | Do you have a process in place to make resource owners aware of their responsibilities with regard to access review, budgets, and compliance review, and to remediate as needed? | Organize your resources with management groups – Azure governance (Microsoft Docs) |
| Enforce that all subscription owners and the IT core team are aware of subscription support limitations | Medium | Have you made the subscription owners and IT team aware of the Azure subscription limits? | Azure subscription limits and quotas – Azure Resource Manager (Microsoft Docs) |
| Enforce the use of reserved instances to prioritize reserved capacity in required regions, so the workload has the required capacity even when there is high demand for that resource in a specific region | High | Have you considered Azure Reserved Instances to prioritize capacity in your regions, even when those resources are in high demand there? | What are Azure Reservations? (Microsoft Docs) |
| Enforce a dashboard, workbook, or manual process to monitor used capacity levels | High | Do you have capacity monitoring solutions for Azure workloads? | Plan for capacity – Azure Architecture Center (Microsoft Docs) |
| Ensure required services and features are available within the chosen deployment regions | Medium | Have you confirmed that the required Azure services are available in your target region(s)? | Azure Products by Region (Microsoft Azure) |
| Enforce a process for cost management | High | Do you have a cost management process in place? | Overview of Azure Cost Management + Billing (Microsoft Docs) |
| If using AD on Windows Server, establish a dedicated identity subscription in the Platform management group to host Windows Server Active Directory domain controllers | Medium | If you use AD on Windows Server, do you have a dedicated subscription within the Platform management group for Active Directory? | Organize your resources with management groups – Azure governance (Microsoft Docs) |
| Ensure tags are used for billing and cost management | Medium | Are you enforcing tags with Azure Policy, specifically for cost management? | Resource naming and tagging decision guide – Cloud Adoption Framework (Microsoft Docs) |
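Several of the structural items above (hierarchy depth, no subscriptions directly under root, a Platform and a Sandbox group under root) can be checked mechanically against an exported management group tree. The following audit script is an added example, not part of the original checklist or of any Microsoft tooling; the tree shape it walks (nodes with `name`, `type` and `children`) and the sample tenant are constructed assumptions, loosely modelled on the expanded management group output rather than copied from it.

```python
"""Audit a management group tree against the landing zone checklist's structural items."""

# Assumed node shape (not verified against Azure): {"name": ..., "type": ..., "children": [...]}
MG = "Microsoft.Management/managementGroups"
SUB = "/subscriptions"
MAX_LEVELS = 4  # checklist: no more than three to four levels

# Constructed sample tenant. It is three levels deep, has Platform and Sandbox groups,
# and deliberately contains one stray subscription directly under the root group.
SAMPLE_TREE = {
    "name": "Tenant Root Group", "type": MG, "children": [
        {"name": "Platform", "type": MG, "children": [
            {"name": "Connectivity", "type": MG, "children": [
                {"name": "sub-connectivity", "type": SUB}]},
            {"name": "Identity", "type": MG, "children": [
                {"name": "sub-identity", "type": SUB}]},
        ]},
        {"name": "Landing Zones", "type": MG, "children": [
            {"name": "Corp", "type": MG, "children": [
                {"name": "sub-corp-prod", "type": SUB}]},
        ]},
        {"name": "Sandbox", "type": MG, "children": [
            {"name": "sub-sandbox-01", "type": SUB}]},
        {"name": "sub-stray", "type": SUB},  # finding: subscription under root
    ],
}


def mg_depth(node, level=1):
    """Count management group levels, root being level 1; subscriptions do not add a level."""
    kids = [c for c in node.get("children", []) if c["type"] == MG]
    return level if not kids else max(mg_depth(c, level + 1) for c in kids)


def subs_under_root(root):
    """Names of subscriptions placed directly under the root management group."""
    return [c["name"] for c in root.get("children", []) if c["type"] == SUB]


def audit(root, required_groups=("Platform", "Sandbox")):
    """Return a list of human-readable findings; an empty list means the tree passes."""
    findings = []
    depth = mg_depth(root)
    if depth > MAX_LEVELS:
        findings.append(f"hierarchy has {depth} levels, recommended maximum is {MAX_LEVELS}")
    for name in subs_under_root(root):
        findings.append(f"subscription {name!r} sits directly under the root management group")
    present = {c["name"] for c in root.get("children", []) if c["type"] == MG}
    for group in required_groups:
        if group not in present:
            findings.append(f"no {group!r} management group directly under root")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TREE):
        print("FINDING:", finding)
```

Feed it a real tenant by building the same node shape from your management group export; every finding maps to one row of the checklist.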
