Audit with Sandbox

[mw8er]

At times people would like to develop things for a subscription, which resided e.g. underneath corp. However, the policies keep them for getting their things done.

To circumvent that you could have

• all policy assignment with effect deny on the landing zones management group should have a matching policy assignemnet with
• all management groups underneath landing zone, would have a matching management group underneath sandbox
• as before, the policy assignment with effect deny underneath landing zone would have the effect audit underneath the management group sandbox.

This way landing zone and sandbox would be well separated. And you would be able to verify which policies you are violating for your final landing zone .

[jtracey93]

Hey @mw8er,

We are actually working on documenting an approach very similar and making it available in our implementations that @brsteph has been putting some thought into.

Is this aligned to your suggestions?

[mw8er]

100% aligned