Azure Foundations: The Governance Baseline

Most Azure environments rot. They start with good intentions in the portal ("ClickOps") and end up as a tangled web of unmanaged resources. A governance baseline prevents this decay by establishing the non-negotiable rules of the road before the first application lands.
Structure precedes scale. Define the hierarchy before you deploy the workload.
The Governance Baseline
You don't need a 50-page whitepaper to start. You need a checklist of non-negotiables. If you can't check these five boxes, you are building on sand.
- Management Group Hierarchy (Archetypes). Don't just use the Tenant Root Group. Deploy a standard hierarchy separating Platform (Identity, Connectivity, Management) from Landing Zones (Corp, Online). This separation allows you to apply Policy as Code inheritance correctly.
- Subscription Democratization (Vending). Stop sharing subscriptions. Use a subscription vending process to give every workload its own security and billing boundary. This isolates blast radius, simplifies cost attribution, and prevents the "noisy neighbor" problem.
- Identity (PIM & Break-glass). No permanent owners. Use Privileged Identity Management (PIM) for Just-In-Time access to critical roles. Establish a break-glass account (emergency access) that is excluded from Conditional Access and monitored heavily.
- Networking (Hub-Spoke). Hub and Spoke is the standard. Whether you build it yourself or use Virtual WAN, centralize your egress and firewalling. Don't let spokes talk to the internet directly without oversight.
- Cost Management (Budgets as Code). Budgets shouldn't be an afterthought. Every subscription vending event should deploy a default budget alert configured as code. If you can't see the spend, you can't control it.
Minimum Bar
Policy as Code is the only documentation that matters. If it's not in Azure Policy, it's just a suggestion. Documentation rots; policy enforces.
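As an added example of the "Budgets as Code" and "Policy as Code" points above (not code from the original post), here is a subscription-scope Bicep template that a vending pipeline could apply to every new subscription: it deploys a default monthly budget with alert thresholds and assigns the built-in "Allowed locations" policy. The budget amount, alert address, region list and start date are assumed defaults meant to be overridden per landing zone.

```bicep
// Added example (not from the original post): subscription-scope Bicep that a vending
// pipeline applies to every new subscription: a default budget with alerts, plus a
// built-in "Allowed locations" policy assignment so the guardrail lives in Azure Policy.
targetScope = 'subscription'
param monthlyAmount int = 500                     // assumed default ceiling, billing currency
param alertEmails array = ['finops@example.com'] // constructed placeholder recipient
param allowedLocations array = ['westeurope', 'northeurope'] // assumed region list
param budgetStart string = '2025-01-01'            // must be the first day of a month

// Default budget: alert at 80% of actual spend and at 100% of forecasted spend.
resource budget 'Microsoft.Consumption/budgets@2023-05-01' = {
  name: 'default-monthly-budget'
  properties: {
    category: 'Cost'
    amount: monthlyAmount
    timeGrain: 'Monthly'
    timePeriod: { startDate: budgetStart }
    notifications: {
      Actual_GreaterThan_80_Percent: {
        enabled: true
        operator: 'GreaterThan'
        threshold: 80
        thresholdType: 'Actual'
        contactEmails: alertEmails
      }
      Forecasted_GreaterThan_100_Percent: {
        enabled: true
        operator: 'GreaterThan'
        threshold: 100
        thresholdType: 'Forecasted'
        contactEmails: alertEmails
      }
    }
  }
}

// Policy as Code: deny resources outside the allowed regions using the built-in
// "Allowed locations" definition (tenant-level id, referenced via tenantResourceId).
resource allowedLocationsAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-disallowed-locations'
  properties: {
    policyDefinitionId: tenantResourceId('Microsoft.Authorization/policyDefinitions', 'e56962a6-4747-49cd-b67b-bf8b01975c4c')
    parameters: {
      listOfAllowedLocations: { value: allowedLocations }
    }
    enforcementMode: 'Default'
  }
}
```

Deploy it from the vending pipeline with `az deployment sub create --location <region> --template-file main.bicep`, passing the per-subscription parameters; because the assignment runs in Default enforcement mode, a deployment into a region outside the list is denied rather than merely reported.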