Azure Baristas

Background information for the Azure Baristas scenario.

Company background & information

  • Global coffee brand (roastery, wholesale, distribution, retail)
  • HQ in London. Regional HQs in New York, Dubai, Frankfurt & Singapore
  • Warehouses, distribution centres & coffee shops in all these locations
  • 100s of other coffee shops in each continent, each lead by their regional HQ
  • No operations in China currently
  • Strict data sovereignty requirements for all operations in Germany
  • Due to COVID-19 looking to migrate all IT workloads to Microsoft Azure
  • Currently a typical VMware vSphere estate in each of the regional HQs either in the offices or in co-lo DCs in the same countries, all have a DR DC in the same country too.
  • Around 10,000 VMs worldwide
  • Due to COVID-19 – heavy investment in online shop/website as main revenue stream for business
    • Developed by teams across the globe – local teams focus on regional specific features/offers/promos
    • Another development team is developing a separate payment service which is subject to PCI-DSS which will be used by the online shop/website
  • Global MPLS connecting all sites with regional DC hubs acting as internet breakout points. No local breakouts at each site
  • Already utilising Microsoft 365 services (EOL, SharePoint, Teams etc.)

Technical details

  • Have a global EA with Microsoft for Microsoft 365 services, Azure consumption & Windows Server/Client licensing (all have active Software Assurance)
  • Microsoft 365 Licenses: Office 365 E5 & EM+S E3 for all users
  • Azure EA Prepayment (aka Commit): $10 million over 3 years
  • Azure Subscriptions: 3 subscriptions in total that developers have been using to test and play in. Can be deleted if required.
  • Azure AD Tenant:
    • Synced with on-premise AD DS Domain: azbaristas.local via Azure AD Connect, Password Hash Sync Enabled & SSO
  • Centralised Network team that manages all networking globally with strong skills in the Citrix networking space (ADC, NetScaler etc.)
  • All IT staff are trained and certified in Microsoft Azure and have basic to intermediate experience with ARM Templates, Git, GitHub/Azure DevOps.
  • A CCoE has been formed between 3 members of each IT team from each regional HQ – total of 12 members – now at ‘Ready’ phase of CAF


  • Need to be able to report costs for each continent & country easily
  • Want to replace MPLS solution with cloud-based SD-WAN approach
    • Also allowing local internet breakout from all sites to improve SaaS application performance and load on global WAN.
  • Require ability to deny certain Azure Resources/Services
    • The CCoE are concerned with users deploying HDInsight clusters within Azure
  • Require separated Production, Staging & Development environments for security and cost separation/reporting
    • The CCoE do not want development or staging environments and associated VNETs to be able to communicate with production
    • All production VMs must be backed up, however selected VMs in dev/test environments may need backing up also
  • Require built-in platform regulatory compliance security checks and reporting for all production environments (PCI-DSS, ISO27001, CIS etc.)
    • ISO27001 & CIS for all environments except Sandbox subscriptions
    • PCI-DSS for the payment system
  • Require unrestricted area for developers to innovate on new solutions/services
    • Not allowed any connectivity into corporate networks
  • Require a more granular approach to admin access to environments within Azure
    • The CCoE are concerned as currently there are to many domain admins and enterprise admins within their estate
  • Real customer data is not allowed to exist in unrestricted developer environments, it must be anonymised
  • All Subnets must be protected with NSGs and cannot be disabled
  • All Resources, Resource Groups & Subscriptions must be tagged with the following Tags (at a minimum):
    • Cost-Centre, Environment, IT-Owner-Contact, Service-Application
  • Azure Activity Logs for all Subscriptions & Diagnostic settings for all Azure Resources should be enabled automatically and sent to a Log Analytics Workspace
  • No M-Series or LS-Series VMs can be deployed
    • Except for the SAP environments
  • TDE & Auditing should be enforced on all Azure SQL DBs/Servers
  • Azure Monitor VM Insights should be enabled on all Production VMs and any required agents automatically installed
  • No Public IP Addresses are allowed in the environment except for Core networking, Sandboxes & Online applications.

Stretch Goals

  • Create a custom policy and assign to a scope within Azure via AzOps (GitHub Actions)
  • For the ‘Cost-Centre’ tag it should only accept values starting with the following: “AZBACC-”
    • Each value should only be 10 characters in length
  • How would an Azure MSP/Support Partner gain access to the Azure Baristas Azure environment?
  • How can we block Azure Sentinel from being deployed but not stopping Log Analytics Workspaces from being deployed?
  • Need to be able to prevent incorrect licensing options being selected for VMs – AHUB must be enabled on Production only VMs (stretch goal)

Help us improve

Azure Citadel is a community site built on GitHub, please contribute and send a pull request

 Make a change