5 - Management Groups, Policy and Management Resources Only

A Platform landing zone deployment without any connectivity resources.

• Example Platform landing zone configuration file: management_only/management.tfvars

• Estimated Costs - Approximate monthly infrastructure costs
• Resources - What gets deployed in this scenario

Note

Estimated fixed infrastructure costs based on Azure Retail Prices for the westus region in USD as of 2026-04-02. Consumption-based costs (data processing, log ingestion, DNS queries, etc.) are not included and will vary based on usage. DDoS Protection Plan pricing is sourced from the Azure DDoS Protection pricing page. You can generate your own estimates for any region and currency using the Get-ScenarioCostEstimates.ps1 script.

The following resources are deployed by default in this scenario:

• Management Groups
• Policy Definitions
• Policy Set Definitions
• Policy Assignments (not those related to connectivity)
• Policy Assignment Role Assignments

• Log Analytics Workspace
• Log Analytics Data Collection Rules for AMA
• User Assigned Managed Identity for AMA
• Automation Account

Tip

Identity and Security subscriptions are recommended but optional. If you do not yet have dedicated subscriptions for identity and security workloads, you can comment out or remove the identity and security subscription placement blocks in the configuration file and add them later.

• Management subscription - placed under the management management group
• Identity subscription - placed under the identity management group (recommended)
• Security subscription - placed under the security management group (recommended)