In my last post on Industrial Scale RBAC, I alluded to the fact that in an enterprise context you'll likely need some special processes and tools for onboarding new projects into Azure. In this post, I'm going to break this down. As with my last post, the advice in this one isn't likely to be applicable in small organisations or where a team has a subscription to themselves. But in a large enterprise with many teams working on different projects while sharing subscriptions, things start to get interesting.

To see why, let's pay a visit to everyone's favourite multinational, Contoso. After following the guidance in the Azure Enterprise Scaffold, Contoso's central cloud team has already set up their foundational Azure environment, by setting up subscriptions for production and non-production work, VNETs and subnets, connectivity to their on-premises networks, defining naming standards and writing polices on what can be deployed in which regions. They also have defined a chargeback regime, whereby each cost centre needs to pay for the resources used by their projects.

What they don't have yet is any actual workloads running in Azure. This is not due to lack of demand—in fact there are a whole bunch of teams itching to deploy resources to the cloud. But the cloud team is fearful that once they start granting access to the Azure subscription it will become a free-for-all, where loads of resources are deployed with little regard to their careful planning, and no way of knowing which resources are owned by which team and used for what purpose.

What we need here is some governance! Contoso's central cloud team needs to know when new projects are being established, ensure that the right people have access to the resources, and have a way of tracking which resources are owned by which team and cost centre for chargeback purposes. They also need to be able to enforce additional rules such as restricting resources to certain locations or preventing people from creating things that should be centrally managed (like VNET gateways or Key Vaults). The Contoso project teams probably don't care much about any of these things, but they know that unless the central cloud team is happy they aren't going to get access to the platform.

The solution here is to define a process that uses Azure Resource Groups, RBAC and Resource Policy to onboard new projects in a predictable and compliant manner. At the centre of the solution is the idea that Resource Groups are created and configured centrally, after which project teams are free to deploy what they want, subject to the constraints baked into the resource group.

