Bootstrap
Before we begin our Azure Landing Zones journey proper, we need some prerequisites in place.
We recommend setting up three subscriptions for Azure landing zones: management, connectivity and identity.
- Management: This is used to deploy the bootstrap and management resources, such as log analytics and automation accounts.
- Connectivity: This is used to deploy the hub networking resources, such as virtual networks and firewalls.
- Identity: (Optional) This is used to deploy the identity resources, such as Azure AD and Azure AD Domain Services. You will not need this if you do not have any AD-DS or Entra Domain Services requirements.
You can read more about the management, identity and connectivity subscriptions in the Landing Zone docs.
To create the subscriptions you will need access to a billing agreement. The following links detail the permissions required for each type of agreement:
Once you have the access required, create the three subscriptions following your desired naming convention.
Take note of the subscription id of each subscription as we will need them later.
You need either an Azure User Account or Service Principal with the following permissions to run the bootstrap:
- Owner on your chosen parent management group for the Azure landing zone. This could be Tenant Root Group or a new management group you create under there if preferred.
  - Owner is required as this account will be granting permissions for the identities that run the management group deployment. Those identities will be granted least privilege permissions.
- Owner on each of your Azure landing zone subscriptions.
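The permissions above, as an added Azure CLI example that is not part of the Accelerator's own code: it grants the bootstrap identity Owner at the parent management group and on each landing zone subscription, then checks that the assignment is actually present at every scope. The management group id, object id and subscription ids are constructed placeholders; the identity subscription is skipped when left empty.

```shell
#!/bin/sh
set -eu
# Added example (not from the Accelerator). Constructed placeholders: replace with your own values.
PARENT_MG_ID="${PARENT_MG_ID:-alz}"      # parent management group id, or the Tenant Root Group id
BOOTSTRAP_OBJECT_ID="${BOOTSTRAP_OBJECT_ID:-00000000-0000-0000-0000-000000000000}"
PRINCIPAL_TYPE="${PRINCIPAL_TYPE:-ServicePrincipal}"   # or User
MANAGEMENT_SUB="${MANAGEMENT_SUB:-11111111-1111-1111-1111-111111111111}"
CONNECTIVITY_SUB="${CONNECTIVITY_SUB:-22222222-2222-2222-2222-222222222222}"
IDENTITY_SUB="${IDENTITY_SUB:-}"         # optional: leave empty without AD DS / Entra DS requirements

# Azure RBAC scope strings for a management group and for a subscription.
mg_scope() { printf '/providers/Microsoft.Management/managementGroups/%s' "$1"; }
sub_scope() { printf '/subscriptions/%s' "$1"; }

# Every scope the bootstrap identity must hold Owner on, one per line.
required_scopes() {
  mg_scope "$PARENT_MG_ID"; printf '\n'
  sub_scope "$MANAGEMENT_SUB"; printf '\n'
  sub_scope "$CONNECTIVITY_SUB"; printf '\n'
  if [ -n "$IDENTITY_SUB" ]; then sub_scope "$IDENTITY_SUB"; printf '\n'; fi
}

# Grant Owner on one scope. Re-running for an existing assignment does not create a duplicate.
grant_owner() {
  az role assignment create --assignee-object-id "$BOOTSTRAP_OBJECT_ID" \
    --assignee-principal-type "$PRINCIPAL_TYPE" --role Owner --scope "$1" --output none
}

# Verify a direct or inherited Owner assignment exists on the scope; prints OK or MISSING.
check_owner() {
  n=$(az role assignment list --assignee "$BOOTSTRAP_OBJECT_ID" --scope "$1" --role Owner \
        --include-inherited --query 'length(@)' --output tsv)
  if [ "${n:-0}" -gt 0 ]; then printf 'OK      %s\n' "$1"; else printf 'MISSING %s\n' "$1"; fi
}

main() {
  required_scopes | while read -r scope; do
    grant_owner "$scope"
    check_owner "$scope"
  done
}

# Set RUN=1 to execute against Azure (needs 'az login' as an account able to assign roles at these scopes).
if [ "${RUN:-0}" = "1" ]; then main; fi
```

Any scope reported as MISSING means the management group deployment will fail when the bootstrap tries to hand out its least privilege role assignments, so fix it before continuing.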
Now choose your next step!
The Accelerator allows you to quickly get started with IaC and DevOps best practices for Azure Landing Zones. It supports both Terraform and Bicep:
You can also opt to use Bicep and Terraform directly: