Azure Landing zone setup

Two deliverables to build an Azure Landing Zone:

  1. The foundational element: creation of management groups, subscriptions, policies etc.
  2. A repeating element that can be used in future again and again for deploying new Applications within the Landing Zone structure.

For the repeating element, use Azure DevOps pipelines to script the entire deployment so that it stays reusable in future. For the foundational element you can decide to either use Azure DevOps pipelines or the Microsoft-provided accelerator. Scripting out everything is preferable, given that every infrastructure is different and would require some tailoring.

The approach:

  1. Creation of management groups and a landing zone structure whose policies run in ‘enforcement’ mode; these are for use later. For example, if a policy is assigned with a Deny effect, that policy will deny the creation of any resource that matches the policy rule. This would be the final location of the subscriptions.
  2. Creation of management groups that have audit-only policies, which are thus not enforced. These are a convenient in-between step when migrating from the existing as-is infrastructure towards the new management groups with enforced policies: they let you spot any non-compliance and avoid service interruptions before moving into the enforced management groups.
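The two-stage approach above can be driven from PowerShell. The following is an added example, not code from the original post or from the ALZ-Bicep templates; it assumes the Az.Resources and Az.PolicyInsights modules, an existing Connect-AzAccount session with rights on the management groups, and uses placeholder management group names, assignment names, a policy definition id and a subscription id. It assigns the same Deny policy definition twice, audit-only (EnforcementMode DoNotEnforce) on the interim management group and enforced (EnforcementMode Default) on the final one, then uses the audit-stage compliance results as the gate before a subscription is moved.

```powershell
# Added example, not from the original post or the ALZ-Bicep templates. Assumes the
# Az.Resources and Az.PolicyInsights modules and an existing Connect-AzAccount session
# with rights on the management groups. Management group names, assignment names,
# the policy definition id and the subscription id are placeholders.

function Set-StagedPolicyAssignment {
    param(
        [Parameter(Mandatory)][string]$ManagementGroupName,
        [Parameter(Mandatory)][string]$PolicyDefinitionId,
        [Parameter(Mandatory)][string]$AssignmentName,   # max 24 characters at MG scope
        [Parameter(Mandatory)][ValidateSet('audit', 'enforce')][string]$Stage
    )
    $scope = "/providers/Microsoft.Management/managementGroups/$ManagementGroupName"

    # 'DoNotEnforce' still evaluates resources and records compliance, but a Deny effect
    # never blocks a deployment. 'Default' is the enforced mode, where Deny really denies.
    $mode = if ($Stage -eq 'audit') { 'DoNotEnforce' } else { 'Default' }

    $definition = Get-AzPolicyDefinition -Id $PolicyDefinitionId
    New-AzPolicyAssignment -Name $AssignmentName -Scope $scope `
        -PolicyDefinition $definition -EnforcementMode $mode
}

function Get-NonCompliantResources {
    # Lists what the audit-stage management group would have blocked once enforced.
    param([Parameter(Mandatory)][string]$ManagementGroupName)
    Get-AzPolicyState -ManagementGroupName $ManagementGroupName `
        -Filter "ComplianceState eq 'NonCompliant'" |
        Select-Object ResourceId, PolicyDefinitionName, PolicyAssignmentName
}

# Placeholders for the two stages of the approach.
$auditMg   = 'alz-audit'          # interim management group, policies not enforced
$enforceMg = 'alz-landingzones'   # final management group, policies enforced
$policyId  = '/providers/Microsoft.Authorization/policyDefinitions/<POLICY-DEFINITION-GUID>'

# Same definition assigned twice: audit-only on the interim group, enforced on the final one.
Set-StagedPolicyAssignment -ManagementGroupName $auditMg   -PolicyDefinitionId $policyId -AssignmentName 'audit-deny-example'   -Stage audit
Set-StagedPolicyAssignment -ManagementGroupName $enforceMg -PolicyDefinitionId $policyId -AssignmentName 'enforce-deny-example' -Stage enforce

# Migration gate: move a subscription only when the audit stage reports nothing non-compliant.
$subscriptionId = '<SUBSCRIPTION-ID>'   # placeholder
$findings = Get-NonCompliantResources -ManagementGroupName $auditMg
if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "Fix the resources above before moving $subscriptionId to $enforceMg."
} else {
    New-AzManagementGroupSubscription -GroupName $enforceMg -SubscriptionId $subscriptionId
}
```

Policy compliance is evaluated asynchronously, so run the gate some time after the subscription has been placed under the audit management group rather than immediately after assigning the policy; an empty result right after assignment only means no evaluation has happened yet.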

The Cloud Adoption Framework from Microsoft will be used, together with the ALZ-Bicep templates that Microsoft provides.

Prerequisites

Before you can get started you would require:

  • A Microsoft Entra tenant
  • A minimum of one subscription (required for the Log Analytics workspace, described below in step 4.)
  • Owner permissions on the root management group
Elevated access

Elevated access is required on the root management group. In case you don’t have Owner permissions, or are working as an external vendor on a client infrastructure, you can grant that access with the following steps and snippet:

  1. Create a root level management group.
  2. Open a cloud terminal from the portal, preferably PowerShell.
  3. Run the following commands:
Get-AzADUser -SignedIn # use the UserPrincipalName from the output as the assignee
az role assignment create --assignee "{user}" --role "Owner" --scope "/" # replace {user} with the user principal name, e.g. user_vendordomain.com#EXT#@vendordomain.onmicrosoft.com

  4. This will elevate your access at the tenant root scope to Owner and allow you to run the ALZ scripts.
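The same elevation, written as an added PowerShell example that is not code from the original post. It assumes Cloud Shell (PowerShell) with the Az.Accounts and Az.Resources modules, and that the tenant already allows the signed-in account to manage role assignments at the root scope "/". It uses the signed-in account's object id instead of the external UPN, so the #EXT# name never has to be typed or escaped, is idempotent, lists who holds Owner at the root, and includes the matching revocation so the root Owner assignment can be removed once the ALZ scripts have run.

```powershell
# Added example, not from the original post. Assumes Cloud Shell (PowerShell) with the
# Az.Accounts and Az.Resources modules, and that the tenant already allows you to manage
# role assignments at the tenant root scope "/" (the elevated access described above).

function Get-SignedInObjectId {
    # The object id works for member and guest (#EXT#) accounts alike, so the
    # external UPN never has to be typed or escaped.
    (Get-AzADUser -SignedIn).Id
}

function Grant-RootOwner {
    # Assign Owner at "/" to the signed-in account, or return the existing assignment.
    $objectId = Get-SignedInObjectId
    $existing = Get-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName 'Owner' -Scope '/' |
        Where-Object Scope -eq '/'
    if ($existing) { return $existing }
    New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName 'Owner' -Scope '/'
}

function Revoke-RootOwner {
    # Remove the root Owner assignment again once the ALZ deployment has finished.
    $objectId = Get-SignedInObjectId
    Remove-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName 'Owner' -Scope '/'
}

function Get-RootOwners {
    # Review who currently holds Owner directly at the root scope; this list should stay short.
    Get-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' |
        Where-Object Scope -eq '/' |
        Select-Object DisplayName, SignInName, ObjectType
}

Grant-RootOwner
Get-RootOwners
# ... run the ALZ deployment here ...
# Revoke-RootOwner
```

Root-scope Owner is the most powerful assignment in the tenant, so treat it as a temporary deployment credential: grant it, run the ALZ scripts, then run Revoke-RootOwner and confirm with Get-RootOwners that only the intended break-glass identities remain.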

Conceptual Architecture
Microsoft provided Conceptual Architecture (source: Microsoft)
