Attending an Azure Landing Zones partner hack? Get these done before it starts and then check you have the right access.


IMPORTANT: You will need three subscriptions (absolute minimum of two) to deploy an Azure Landing Zone. All subscriptions need to be in the same tenant.

Minimum RBAC permissions required at root scope (i.e. above Tenant Root Group):

  • User Access Administrator
  • Contributor

There is a set of checks to ensure that you have required permissions. Complete these before the hack.


You will need to have a GitHub ID for the hack, and your laptop should be setup with the right tooling.

You should complete the setup in advance of the hack.

Open up a new tab for the page


  • GitHub ID
  • Linux environment
  • Binaries (git and jq)
  • Azure CLI
  • Visual Studio Code
    • Remote Development pack for WSL
    • Additional extensions
  • Terraform (optional)

You can skip the Packer install if you wish.

Tenant level permissions

This hack will require someone in the team to have high levels of access as we will be working with security groups, management groups and RBAC and policy assignments. You will need someone in you team to have Global Admin in your Azure AD tenant

Follow the instructions to elevate the Global Admin to

  1. enable User Access Administrator at the tenant root
  2. add Owner role to allow the tenant scope template to work


Please test that you have the correct AAD and subscription permissions in advance of the hack.

If you get any error messages (e.g. Insufficient privileges to complete the operation) then speak to the Global Admin and/or Owner to request that your access permissions are increased.

Alternatively you may need to create a separate tenant and generate a few Microsoft IDs and trial subscriptions.

The root (/) permissions can removed after the initial deployment as long as the security principal has the appropriate management group and subscription level permissions for lifecycle management.


Run through the following tests to check your permissions.

  1. Login to the right context

    az login
    az account show

    Use az account set --subscription <subscription_id> if you need to switch.

  2. Set default location and grab subscription scope

    export AZURE_DEFAULTS_LOCATION=uksouth
    subscriptionScope=/subscriptions/$(az account show --query id --output tsv)

    The location will only be defaulted for the current session. Use az configure --defaults location=uksouth to persist the default.

  3. Security groups?

    az ad group create --display-name eshack-deleteme --mail-nickname junk
    groupObjectId=$(az ad group show --group eshack-deleteme --query objectId --output tsv)

    If you cannot create objects in AAD then it is possible to work around it. Or request others to create AAD objects for you.

  4. Management groups?

    az account management-group create --name eshack-deleteme
  5. Resources?

    az group create --name eshack-deleteme
  6. Role assignments?

    az role assignment create --role Reader --assignee $groupObjectId --scope $mgScope
    az role assignment create --role Reader --assignee $groupObjectId
  7. Policy assignments?

    az policy assignment create --name eshack-deleteme --policy 0a914e76-4921-4c19-b460-a2d36003525a --scope $mgScope
    az policy assignment create --name eshack-deleteme --policy 0a914e76-4921-4c19-b460-a2d36003525a


The following code block will tidy everything up from the checks.

az group delete --name eshack-deleteme --yes
az policy assignment delete --name eshack-deleteme --scope $mgScope
az policy assignment delete --name eshack-deleteme
az role assignment delete --role Reader --assignee $groupObjectId --scope $mgScope
az role assignment delete --role Reader --assignee $groupObjectId
az ad group delete --group eshack-deleteme
az account management-group delete --name eshack-deleteme


If you are attending an Azure Landing Zones partner hack and need a basic overview of using git, or a grounding in the basic concepts in Azure Landing Zones, then use these links:

Page Description
Git 101 Basics Grounding on Git with Scott Hanselman
Git Pull Requests Explained Pull requests or PRs in Git
Azure Landing Zones Learning Path Microsoft Learn modules for Azure Landing Zones

Next steps

OK, if you have reached here with no errors then you should be good to go!

Help us improve

Azure Citadel is a community site built on GitHub, please contribute and send a pull request

 Make a change