It is now time to turn the lights ON 💡
At this point you have necessary platform setup and configured to support one or many Landing Zone(s) with required definitions (Roles, Policies and PolicySet) and assignments (Roles and Policies).
Provisioning Landing Zone(s) will mean either creating new subscription or moving existing subscription to desired management group and platform will do the rest. In large environments with 10s and 100s of Landing Zones, platform team can also delegate Landing Zone(s) to respective business units and/or application portfolio owners while being confident of security, compliance and monitoring. Furthermore, platform team may also delegate necessary access permissions 1) IAM roles to create new subscription and 2) place subscription in the appropriate management groups for business units and/or application portfolio owners to provide self-service access to create their own Landing Zone(s).
Depending upon reference implementations deployed, navigate to appropriate management group under "Landing Zones" management group and create or move existing subscription. This can be done via Azure Portal or PowerShell/CLI.
Business units and/or application portfolio owners can use their preferred tool chain - ARM, PowerShell, Terraform, Portal, CLI etc. for subsequent resource deployments within their Landing Zone(s).
- In Azure portal, navigate to Subscriptions
- Click 'Add', and complete the required steps in order to create a new subscription.
- When the subscription has been created, go to Management Groups and move the subscription into the Landing zones > Corp or Online management group
- Assign RBAC permissions for the application team/user(s) who will be deploying resources to the newly created subscription
- In Azure portal, navigate to Management Groups
- Locate the subscription you want to move, and move it to the Landing zones > Corp or Online management group
- Assign RBAC permissions for the application team/user(s) who will be deploying resources to the subscription
The following deployment experiences can be leveraged to create multiple landing zones (subscriptions) and target individual management groups (e.g., 'online', 'corp' etc.).
To deploy the ARM templates below to create new subscriptions, you must have Management Group Contributor or Owner permission on the Management Group where you will invoke the deployment and the targeted Management Groups for the new subscriptions, as well as subscription write permissions on the billing account.
| Agreement types | ARM Template | Description |
|---|---|---|
| Enterprise Agreement (EA) |  |
Create N subscriptions into multiple management groups |
| Enterprise Agreement (EA) | |
Create subscription with RBAC for SPN |