
Table of Contents

  • Subscriptions
  • Setup
  • Tenant level permissions
  • Checks
  • Cleanup
  • Pre-reading
  • Next steps

Prereqs

Attending an Azure Landing Zones partner hack? Get these done before it starts and then check you have the right access.

Subscriptions

IMPORTANT: You will need three subscriptions (absolute minimum of two) to deploy an Azure Landing Zone. All subscriptions need to be in the same tenant.

Minimum RBAC permissions required at root scope (i.e. above Tenant Root Group):

  • User Access Administrator
  • Contributor

There is a set of checks to ensure that you have required permissions. Complete these before the hack.

Setup

You will need a GitHub ID for the hack, and your laptop should be set up with the right tooling.

You should complete the setup in advance of the hack.

Open the Setup page in a new tab and work through it.

Required:

  • GitHub ID
  • Linux environment
  • Binaries (git and jq)
  • Azure CLI
  • Visual Studio Code
    • Remote Development pack for WSL
    • Additional extensions
  • Terraform (optional)

You can skip the Packer install if you wish.

Tenant level permissions

This hack will require someone in the team to have high levels of access, as we will be working with security groups, management groups, RBAC and policy assignments. You will need someone in your team to have Global Admin in your Azure AD tenant.

Follow the instructions to elevate the Global Admin so that they can:

  1. enable User Access Administrator at the tenant root
  2. add the Owner role to allow the tenant scope template to work

Instructions:

  • Configure Azure permissions for ARM tenant deployments

Please test that you have the correct AAD and subscription permissions in advance of the hack.

If you get any error messages (e.g. Insufficient privileges to complete the operation) then speak to the Global Admin and/or Owner to request that your access permissions are increased.

Alternatively you may need to create a separate tenant and generate a few Microsoft IDs and trial subscriptions.

The root (/) permissions can be removed after the initial deployment, as long as the security principal retains the appropriate management group and subscription level permissions for lifecycle management. Leaving Owner or User Access Administrator at root scope longer than needed is a standing-privilege risk, so plan to remove it once the landing zone is deployed.
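As an added example (not part of the Azure Citadel page), the script below checks the root-scope requirement from the Subscriptions section offline. It reads the JSON that az role assignment list --scope / --assignee <id> prints, reports whether the principal holds User Access Administrator plus Contributor (or Owner, which implies both) at the tenant root, and lists the root-scope assignments that the least-privilege note above says to remove after the initial deployment. The sample JSON and principal ids are constructed placeholders, not values from the page.

```python
"""Offline check of root-scope Azure role assignments.

Added example for the Azure Landing Zones prereqs page; the assignment
JSON and ids below are constructed, not real tenant data.
"""
import json

ROOT_SCOPE = "/"
REQUIRED_ROLES = {"User Access Administrator", "Contributor"}
IMPLYING_ROLES = {"Owner"}  # Owner grants both required roles

# Constructed sample in the shape of `az role assignment list` output.
SAMPLE_JSON = json.dumps([
    {"principalId": "00000000-0000-0000-0000-000000000001",
     "principalName": "alice@contoso.example",
     "roleDefinitionName": "User Access Administrator", "scope": "/"},
    {"principalId": "00000000-0000-0000-0000-000000000001",
     "principalName": "alice@contoso.example",
     "roleDefinitionName": "Contributor", "scope": "/"},
    {"principalId": "00000000-0000-0000-0000-000000000001",
     "principalName": "alice@contoso.example",
     "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/eshack-deleteme"},
    {"principalId": "00000000-0000-0000-0000-000000000002",
     "principalName": "bob@contoso.example",
     "roleDefinitionName": "Reader", "scope": "/"},
])


def parse_assignments(json_text):
    """Return (principalId, roleDefinitionName, scope) tuples from CLI JSON."""
    return [(a["principalId"], a["roleDefinitionName"], a["scope"])
            for a in json.loads(json_text)]


def roles_at_scope(assignments, principal_id, scope):
    """Set of role names the principal holds directly at the given scope."""
    return {role for pid, role, s in assignments
            if pid == principal_id and s == scope}


def missing_root_roles(assignments, principal_id):
    """Roles still needed at root before the tenant-scope deployment."""
    roles = roles_at_scope(assignments, principal_id, ROOT_SCOPE)
    if roles & IMPLYING_ROLES:
        return set()
    return REQUIRED_ROLES - roles


def has_root_deploy_permissions(assignments, principal_id):
    """True when the principal can run the tenant-scope deployment."""
    return not missing_root_roles(assignments, principal_id)


def root_assignments_to_remove(assignments, principal_id):
    """Root-scope assignments to drop once the landing zone is deployed."""
    return sorted(roles_at_scope(assignments, principal_id, ROOT_SCOPE))


def cleanup_commands(assignments, principal_id):
    """Azure CLI commands that remove the leftover root-scope assignments."""
    return [f"az role assignment delete --role '{role}' "
            f"--assignee {principal_id} --scope /"
            for role in root_assignments_to_remove(assignments, principal_id)]


if __name__ == "__main__":
    assignments = parse_assignments(SAMPLE_JSON)
    for pid in sorted({a[0] for a in assignments}):
        ok = has_root_deploy_permissions(assignments, pid)
        print(f"{pid}: root deploy permissions {'OK' if ok else 'MISSING'}",
              missing_root_roles(assignments, pid) or "")
        for cmd in cleanup_commands(assignments, pid):
            print("  post-deployment cleanup:", cmd)
```

To run it against a real tenant, replace SAMPLE_JSON with the output of the az command in the lead-in; the script itself never calls Azure, so it is safe to run before you have any access at all.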

Checks

Run through the following tests to check your permissions.

  1. Login to the right context

    az login
    az account show
    

    Use az account set --subscription <subscription_id> if you need to switch.

  2. Set default location and grab subscription scope

    export AZURE_DEFAULTS_LOCATION=uksouth
    subscriptionScope=/subscriptions/$(az account show --query id --output tsv)
    

    The location will only be defaulted for the current session. Use az configure --defaults location=uksouth to persist the default.

  3. Security groups?

    az ad group create --display-name eshack-deleteme --mail-nickname junk
    groupObjectId=$(az ad group show --group eshack-deleteme --query objectId --output tsv)

    On Azure CLI 2.37 or later, which talks to Microsoft Graph, the property is id rather than objectId, so use --query id there.

    If you cannot create objects in AAD then it is possible to work around it, or you can ask someone else to create the AAD objects for you.

  4. Management groups?

    az account management-group create --name eshack-deleteme
    mgScope="/providers/Microsoft.Management/managementGroups/eshack-deleteme"
    
  5. Resources?

    az group create --name eshack-deleteme
    
  6. Role assignments?

    az role assignment create --role Reader --assignee $groupObjectId --scope $mgScope
    az role assignment create --role Reader --assignee $groupObjectId --scope $subscriptionScope

  7. Policy assignments?

    az policy assignment create --name eshack-deleteme --policy 0a914e76-4921-4c19-b460-a2d36003525a --scope $mgScope
    az policy assignment create --name eshack-deleteme --policy 0a914e76-4921-4c19-b460-a2d36003525a --scope $subscriptionScope

    The second command in each pair tests the subscription scope captured in step 2; passing --scope explicitly avoids relying on the CLI's default scope.

Cleanup

The following code block will tidy everything up from the checks. It uses the mgScope, subscriptionScope and groupObjectId variables set in the checks above.

az group delete --name eshack-deleteme --yes
az policy assignment delete --name eshack-deleteme --scope $mgScope
az policy assignment delete --name eshack-deleteme --scope $subscriptionScope
az role assignment delete --role Reader --assignee $groupObjectId --scope $mgScope
az role assignment delete --role Reader --assignee $groupObjectId --scope $subscriptionScope
az ad group delete --group eshack-deleteme
az account management-group delete --name eshack-deleteme

Pre-reading

If you are attending an Azure Landing Zones partner hack and need a basic overview of using git, or a grounding in the basic concepts in Azure Landing Zones, then use these links:

Page                                 Description
Git 101 Basics                       Grounding on Git with Scott Hanselman
Git Pull Requests Explained          Pull requests or PRs in Git
Azure Landing Zones Learning Path    Microsoft Learn modules for Azure Landing Zones

Next steps

OK, if you have reached here with no errors then you should be good to go!
