In an enterprise, the identity team needs to provision the initial identity (bootstrap) accounts. This process should be completed by the identity team, separately from the enterprise landing zones team.
AAD team:
Provisions the identity bootstrap account. This can be done automatically or manually:
Runs the action using a script (the prerequisite steps of the bootstrap process). This sets up an Azure Key Vault (AKV) account that will contain the credentials used in bootstrap step 1.
Runs the manual procedure as follows: to avoid circulating credentials in clear text, the identity team uploads the credentials manually into a specifically provisioned AKV.
Enterprise landing zone team:
Runs the bootstrap within their context; the automation uses the account credentials from the AKV (from the prerequisites).
If the enterprise landing zone team has the permissions, it can also launch the full process (prerequisites plus all bootstrap steps).
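The hand-off described above can be sketched with the Azure CLI. This is an added example, not the project's own script. It assumes an already provisioned vault that uses access policies, a logged-in `az` session, and hypothetical vault, secret and function names.

```shell
#!/bin/sh
# Added example, not the project's code. Vault and secret names are
# hypothetical placeholders; the vault is assumed to use access policies.
set -eu

VAULT_NAME="${VAULT_NAME:-kv-bootstrap-example}"
SECRET_NAME="${SECRET_NAME:-bootstrap-credential}"

# Identity team: upload the credential from a local file, so the value never
# appears on a command line, in shell history or in a ticket.
upload_bootstrap_secret() {
  secret_file="$1"
  if [ ! -s "$secret_file" ]; then
    echo "refusing to upload: $secret_file is missing or empty" >&2
    return 1
  fi
  az keyvault secret set --vault-name "$VAULT_NAME" --name "$SECRET_NAME" \
    --file "$secret_file" --output none || return 1
  # Remove the local copy only after the vault accepted it.
  rm -f -- "$secret_file"
}

# Identity team: let the landing zone automation read secrets, nothing else.
grant_read_only() {
  reader_object_id="$1"   # object id of the landing zone team's principal
  az keyvault set-policy --name "$VAULT_NAME" --object-id "$reader_object_id" \
    --secret-permissions get --output none
}

# Landing zone team: fetch the value at run time into a variable, e.g.
#   BOOTSTRAP_CREDENTIAL="$(read_bootstrap_secret)"
read_bootstrap_secret() {
  az keyvault secret show --vault-name "$VAULT_NAME" --name "$SECRET_NAME" \
    --query value --output tsv
}
```

A trailing newline in the uploaded file becomes part of the stored secret, so write the file without one.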