Open lloydlimmsft opened 3 years ago
Thanks for submitting the issue.
If you deploy ESLZ into a new tenant, or a tenant that hasn't enabled Management Groups yet, the deployment will effectively enable it and the default "Tenant Root Group" is created first, and ESLZ will create its intermediate root group below it, followed by the rest of the ESLZ hierarchy. What's happening in parallel is that each subscription that exists in the tenant, and that is not moved by the ESLZ deployment, will appear under the new "Tenant Root Group".
Also, default in each tenant is to place all new subscriptions under the "Tenant Root Group", unless a different management group is being specified during creation. There's a setting for this on the "Tenant Root Group" that organizations can configure, and we have recommended the following in the design area for "Management Groups and Subscription organization" in CAF:
Since a tenant may have already specified the default management group for new subscriptions, and may have a subscription provisioning process in place before deploying ESLZ, we are currently not configuring this during the deployment as it could disrupt existing processes.
Would it be sufficient if we provided this as an option, and let you select between "Corp", "Online", and "Sandbox" for default placement for new subscriptions, unless specified during the subscription create process?
Also just to pass in my thoughts here.
Terraform will need careful consideration, if it is to be used, when setting a default management group that falls inside the resources "managed" by Terraform. When a new subscription appears in the default management group and it hasn't been added to the Terraform configuration files, Terraform will try to remove it from the management group it's placed in, if that management group is managed by Terraform, as the subscription is not part of its desired state.
We have an issue, covering this, on the Terraform ESLZ module repo here that is worth a review: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/issues/24
Also, a few customers I have worked with have created a "Provisioning" Management Group beneath "Landing Zones" as their default management group, so it gets the majority of the policies. They very much treated it as a temporary location, and subscriptions should be moved from it to the correct management group ASAP.
Yes, that is great.
Thank you, Lloyd Lim.
From: Kristian Nese. Sent: Thursday, October 21, 2021 6:29 PM. Subject: Re: [Azure/Enterprise-Scale] Feature Request - add a new default Management Group (Issue #832). [Quoted reply omitted; the CAF design area it links to is https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/management-group-and-subscription-organization]
@jtracey93 can we close this? Seems like subscription vending et al addresses this.
It does, but this is the option to specify a default MG for all new subscriptions, so I think it's still valid.
When CAF ESLZ is deployed, all newly created subscriptions automatically appear under the root management group.
Recommend the creation of another management group (Call it "Unassigned" or "New Subscriptions"). Then change the default to make all newly created subscriptions appear in this management group.
Also add a policy in this management group, "Allowed Resource Types", and allow just one type such as "Policy Assignments". This ensures that a newly created subscription cannot create any resources in Azure until it has been placed in the correct management group in the hierarchy.
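The holding-group pattern recommended above (a dedicated management group for new subscriptions, made the tenant default, with an "Allowed resource types" assignment that permits only policy assignments) as one Azure CLI script. This is an added example, not code from the Enterprise-Scale repository or from any commenter. Assumed values: the tenant ID placeholder, the intermediate root group name "contoso", and the holding group name "unassigned"; the hierarchy-settings REST endpoint and the built-in "Allowed resource types" definition ID are the documented ones.

```shell
#!/usr/bin/env bash
# Added example, not the ESLZ project's own code.
# Creates a holding management group, makes it the tenant default for new
# subscriptions, and restricts it so nothing but policy assignments can be
# created there until a subscription is moved to its proper landing zone MG.
set -eu

TENANT_ID="${TENANT_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder, replace with your tenant ID
PARENT_MG="${PARENT_MG:-contoso}"        # ESLZ intermediate root MG (assumed name)
HOLDING_MG="${HOLDING_MG:-unassigned}"   # the "Unassigned" / "New Subscriptions" MG (assumed name)
# Built-in "Allowed resource types" policy definition (documented GUID).
ALLOWED_TYPES_DEF="/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c"

# Resource ID of a management group from its name.
mg_id() {
  printf '/providers/Microsoft.Management/managementGroups/%s' "$1"
}

# Body for the tenant hierarchy-settings API (PUT .../settings/default).
# defaultManagementGroup: where new subscriptions land when no MG is given.
# requireAuthorizationForGroupCreation: stops any user from creating MGs
# under the Tenant Root Group without explicit RBAC.
hierarchy_settings_body() {
  printf '{"properties":{"defaultManagementGroup":"%s","requireAuthorizationForGroupCreation":true}}' "$(mg_id "$1")"
}

# Parameters for "Allowed resource types": only policy assignments are
# allowed, so a freshly vended subscription cannot deploy workloads yet.
allowed_types_params() {
  printf '{"listOfResourceTypesAllowed":{"value":["Microsoft.Authorization/policyAssignments"]}}'
}

# Apply the three steps against the signed-in tenant.
apply() {
  az account management-group create --name "$HOLDING_MG" \
    --display-name "Unassigned" --parent "$(mg_id "$PARENT_MG")"

  az rest --method put \
    --url "https://management.azure.com$(mg_id "$TENANT_ID")/settings/default?api-version=2021-04-01" \
    --body "$(hierarchy_settings_body "$HOLDING_MG")"

  az policy assignment create --name "deny-all-but-policy" \
    --scope "$(mg_id "$HOLDING_MG")" \
    --policy "$ALLOWED_TYPES_DEF" \
    --params "$(allowed_types_params)"
}

# Only touch the tenant when explicitly asked: ./holding-mg.sh --apply
if [ "${1:-}" = "--apply" ]; then
  apply
fi
```

Run with `--apply` from an account holding Management Group Contributor at the root and Resource Policy Contributor on the holding group. Two caveats follow from the thread: the policy only blocks resource creation, so RBAC on the new subscription still needs to be reviewed before it is moved; and, per the Terraform comment above, keep the holding group's subscription membership out of any Terraform-managed `subscription_ids` list, otherwise the next plan will try to evict subscriptions that landed there by default.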