2 - Customize Management Group Names and IDs

You may want to customize the management groups names and IDs.

If you update the management group IDs, you also need to update the platform-landing-zone.tfvars file to match the management group IDs you changed. If you don’t do this, you will get errors or unexpected behavior when you deploy the platform landing zone.

There are 2 high level steps required to customize the management group names and IDs:

1. (Optional) Update the platform landing zone configuration file platform-landing-zone.tfvars to reflect any changes to management group IDs
   • (Optional) Update the management_group_settings > subscription_placement block setting to match any management group IDs you changed.
   • (Optional) Update the policy_assignments_to_modify block setting to match any management group IDs you changed.

Follow these steps to customize the management group names and IDs:

1. Locate the lib folder in your config directory. This folder was created in the initial steps of phase 2. The lib folder structure should look like this:

   ┣ 📂lib
   ┃ ┣ 📜alz_library_metadata.json
   ┃ ┣ 📂architecture_definitions
   ┃ ┃ ┗ 📜alz_custom.alz_architecture_definition.yaml
   ┃ ┗ 📂archetype_overrides
   ┃   ┃ 📜connectivity_custom.alz_archetype_override.yaml
   ┃   ┃ 📜corp_custom.alz_archetype_override.yaml
   ┃   ┃ 📜decommissioned_custom.alz_archetype_override.yaml
   ┃   ┃ 📜identity_custom.alz_archetype_override.yaml
   ┃   ┃ 📜management_custom.alz_archetype_override.yaml
   ┃   ┃ 📜landing_zones_custom.alz_archetype_override.yaml
   ┃   ┃ 📜platform_custom.alz_archetype_override.yaml
   ┃   ┃ 📜root_custom.alz_archetype_override.yaml
   ┃   ┗ 📜sandboxes_custom.alz_archetype_override.yaml
   

2. The alz_custom.alz_architecture_definition.json file contains the management group hierarchy.

3. Edit the alz_custom.alz_architecture_definition.json file to update the management group names and IDs.

   For example to prefix all the management group display names with Contoso and update the management group IDs to have the contoso- prefix they can update the file to look like this:

   When updating the management group id, you also need to update any child management groups that refer to it by the parent_id

   The alz_custom.alz_architecture_definition.yaml file would look like this after making the changes in this example:

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72

   name: alz_custom management_groups: - id: contoso-alz display_name: Contoso archetypes: - root_custom exists: false parent_id: null - id: contoso-platform display_name: Contoso Platform archetypes: - platform_custom exists: false parent_id: contoso-alz - id: contoso-landingzones display_name: Contoso Landing Zones archetypes: - landing_zones_custom exists: false parent_id: contoso-alz - id: contoso-corp display_name: Contoso Corp archetypes: - corp_custom exists: false parent_id: contoso-landingzones - id: contoso-online display_name: Contoso Online archetypes: - online_custom exists: false parent_id: contoso-landingzones - id: contoso-sandbox display_name: Contoso Sandbox archetypes: - sandbox_custom exists: false parent_id: contoso-alz - id: contoso-management display_name: Contoso Management archetypes: - management_custom exists: false parent_id: contoso-platform - id: contoso-connectivity display_name: Contoso Connectivity archetypes: - connectivity_custom exists: false parent_id: contoso-platform - id: contoso-identity display_name: Contoso Identity archetypes: - identity_custom exists: false parent_id: contoso-platform - id: contoso-decommissioned display_name: Contoso Decommissioned archetypes: - decommissioned_custom exists: false parent_id: contoso-alz

4. If you updated the connectivity, management or identity management group IDs, then you’ll also need to update the management_group_settings > subscription_placement block setting in the platform-landing-zone.tfvars file to match the management group IDs you changed them to.

   For example:

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

   management_group_settings = { subscription_placement = { identity = { subscription_id = "$${subscription_id_identity}" management_group_name = "contoso-identity" } connectivity = { subscription_id = "$${subscription_id_connectivity}" management_group_name = "contoso-connectivity" } management = { subscription_id = "$${subscription_id_management}" management_group_name = "contoso-management" } } }

5. If you also updated the alz management group ID, then you need to update the policy_assignments_to_modify block setting in the platform-landing-zone.tfvars file to match the management group ID you changed.

   If you have made any other changes to the policy_assignments_to_modify block setting, for example if you have updated policy assignment enforcement mode, then you may need to update the policy_assignments_to_modify block setting for other management groups too.

   For example:

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

   policy_assignments_to_modify = { contoso-alz = { policy_assignments = { Deploy-MDFC-Config-H224 = { parameters = { ascExportResourceGroupName = "$${asc_export_resource_group_name}" ascExportResourceGroupLocation = "$${starter_location_01}" emailSecurityContact = "$${defender_email_security_contact}" enableAscForServers = "DeployIfNotExists" enableAscForServersVulnerabilityAssessments = "DeployIfNotExists" enableAscForSql = "DeployIfNotExists" enableAscForAppServices = "DeployIfNotExists" enableAscForStorage = "DeployIfNotExists" enableAscForContainers = "DeployIfNotExists" enableAscForKeyVault = "DeployIfNotExists" enableAscForSqlOnVm = "DeployIfNotExists" enableAscForArm = "DeployIfNotExists" enableAscForOssDb = "DeployIfNotExists" enableAscForCosmosDbs = "DeployIfNotExists" enableAscForCspm = "DeployIfNotExists" } } } } }

6. Make sure to save the file after making the changes.