My department has managed its own Azure tenant and subscriptions for about four years, running various workloads like VMs, storage, SQL Managed Instance, and Synapse. Due to a recent reorganization, our central IT team is requiring us to migrate to new subscriptions under a different tenant with a new enterprise agreement. The process is bound to be lengthy and manual, since we've been informed that we can't just re-link our current subscriptions to the new tenant. I'm fine with this, as it means we can move forward without carrying over any unnecessary elements. When we first adopted Azure, we had to act quickly, which limited our understanding of best practices and configurations. Now we see this as a chance to start fresh and really get it right this time.
In this new setup, there's a significant emphasis on security, and we're working on integrating Defender for Cloud, among other things. We're also planning on utilizing Azure Update Manager. I've dabbled a bit with Azure Policy, but I know there's so much more we need to explore there. I'm looking for advice on the top 3 to 5 areas to focus on implementing from the beginning, before we start migrating or creating any resources. While the tenant admins will handle subscription creation and manage Entra and the networking aspects, we'll be the owners of these new subscriptions. Any tips would be greatly appreciated!
5 Answers
Consider setting up management groups from the start. The Well Architected Framework is your friend here, especially for applying policies at the management group level. Look into the Enterprise Scale project for best practices on policy implementation.
Definitely make sure to implement tagging strategies as early as possible! It's super helpful for organizing resources and cost management.
Just to clarify, are you officially decommissioning your old subscriptions? If your old and new setups are running concurrently for a while, definitely plan a landing zone using established topologies. We use a hub-and-spoke model because it keeps things straightforward.
Yes, we'll phase out the old subs after everything is migrated. Does the landing zone still apply even if I'm not the tenant owner?
Now isn't just a great time for a fresh start, but also for diving into IaC! Both Terraform and Bicep are solid choices.
I've played around with Bicep and generally like it, but getting the templates just right can be tricky. I'm also struggling with the deployment process—it feels a bit cumbersome. Am I missing something on how to streamline that?
If your organization is sizable, creating a landing zone is key. Regardless of size, establishing everything through Infrastructure as Code (IaC) is essential, and version control/CI/CD should be part of your process from day one.
Good point! Even though we're small, it sounds like a landing zone is worth having.
Thanks for the tip! Do you rely on policy enforcement for tagging, or does your team manually remember to do it?
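An added example, not posted by anyone in this thread, that ties the management-group policy advice above to the tagging question just asked: a Bicep template that defines a custom Azure Policy requiring a tag on every taggable resource and assigns it at management-group scope, starting in Audit so existing resources can be reviewed before the effect is switched to Deny. The tag name CostCenter, the resource names and the file name are assumptions.

```bicep
targetScope = 'managementGroup'

@description('Tag every resource must carry (assumed name for this example).')
param requiredTagName string = 'CostCenter'

@description('Start with Audit; switch to Deny once existing resources comply.')
@allowed([
  'Audit'
  'Deny'
])
param effect string = 'Audit'

// Custom policy definition: any taggable resource created or updated
// without the tag is audited (reported as non-compliant) or denied.
resource requireTagDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'require-${toLower(requiredTagName)}-tag-def'
  properties: {
    displayName: 'Require ${requiredTagName} tag on resources'
    policyType: 'Custom'
    mode: 'Indexed' // evaluate only resource types that support tags and location
    policyRule: {
      if: {
        field: 'tags[${requiredTagName}]'
        exists: 'false'
      }
      then: {
        effect: effect
      }
    }
  }
}

// Assignment at the management group, so every subscription placed
// beneath it inherits the rule without per-subscription setup.
resource requireTagAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'require-${toLower(requiredTagName)}-tag' // assignment names are limited to 24 chars at this scope
  properties: {
    displayName: 'Require ${requiredTagName} tag (${effect})'
    policyDefinitionId: requireTagDefinition.id
    enforcementMode: 'Default'
  }
}

output assignmentId string = requireTagAssignment.id
```

Deploy it with `az deployment mg create --management-group-id <mg-id> --location <region> --template-file require-tag.bicep`, and redeploy with `--parameters effect=Deny` once the compliance report for the Audit assignment comes back clean.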