It is now time to turn the lights ON 💡
At this point you have the necessary platform setup configured to support one or many Landing Zone(s) with the required definitions (Roles, Policies and PolicySet) and assignments (Roles and Policies).
Provisioning Landing Zone(s) will mean either creating a new subscription or moving an existing subscription to the desired Management Group and the platform will do the rest. In large environments with 10s and 100s of Landing Zones, the platform team can also delegate Landing Zone(s) to the respective business units and/or application portfolio owners while being confident that security, compliance and monitoring requirements are being met. Furthermore, the platform team may also delegate the necessary access permissions such as:
- IAM roles to create new subscriptions
- Place subscriptions in the appropriate Management Groups for business units and/or application portfolio owners to provide self-service access to create their own Landing Zone(s).
Depending upon the reference implementation that's deployed, navigate to the appropriate Management Group under the "Landing Zones" Management Group and create or move an existing subscription. This can be done via the Azure Portal or PowerShell/CLI.
Business units and/or application portfolio owners can use their preferred tool chain - ARM, PowerShell, Terraform, Portal, CLI etc. for subsequent resource deployments within their respective Landing Zone(s).
- In the Azure portal, navigate to Subscriptions
- Click 'Add', and complete the required steps in order to create a new subscription.
- When the subscription has been created, go to Management Groups and move the subscription into the Landing zones > Corp or Online Management Group
- Assign RBAC permissions for the application team/user(s) who will be deploying resources in to the newly created subscription
- In the Azure portal, navigate to Management Groups
- Locate the subscription you want to move, and move it in to the Landing zones > Corp or Online Management Group
- Assign RBAC permissions for the application team/user(s) who will be deploying resources in to the subscription
The following deployment experiences can be leveraged to create multiple landing zones (subscriptions) and target individual Management Groups (e.g., 'online', 'corp' etc.).
To use the ARM templates below to create new subscriptions, you must have Management Group Contributor or Owner permissions on the Management Group where you will invoke the deployment and also on the targeted Management Groups for the new subscriptions, as well as subscription write permissions on the billing account.
| Agreement types | ARM Template | Description |
|---|---|---|
| Enterprise Agreement (EA) |  |
Create 'N' number of subscriptions into multiple Management Groups |
| Enterprise Agreement (EA) | |
Create a subscription with RBAC for SPN |