Azure Foundations: The Governance Baseline
The boring but essential checklist that prevents Azure environments from rotting into ClickOps chaos.

Most Azure environments rot. They start with good intentions in the portal ("ClickOps") and end up as a tangled web of unmanaged resources. A governance baseline prevents this decay by establishing the non-negotiable rules of the road before the first application lands.
Structure precedes scale. Define the hierarchy before you deploy the workload.
The Governance Baseline
You don’t need a 50-page whitepaper to start. You need a checklist of non-negotiables. If you can’t check these five boxes, you are building on sand.
1. Management Group Hierarchy (Archetypes). Don’t just use the Tenant Root Group. Deploy a standard hierarchy separating Platform (Identity, Connectivity, Management) from Landing Zones (Corp, Online). This separation allows you to apply Policy as Code inheritance correctly—enforcing strict rules on the platform and specific guardrails on the workloads.
2. Subscription Democratization (Vending). Stop sharing subscriptions. Use a subscription vending process to give every workload its own security and billing boundary. This isolates blast radius, simplifies cost attribution, and prevents the “noisy neighbor” problem where one bad deployment takes down the shared dev environment.
3. Identity (PIM & Break-glass). No permanent owners. Use Privileged Identity Management (PIM) for Just-In-Time access to critical roles. Establish a break-glass account (emergency access) that is excluded from Conditional Access and monitored heavily. If your identity provider goes down, you still need keys to the castle.
4. Networking (Hub-Spoke). Hub and Spoke is the standard. Whether you build it yourself or use Virtual WAN, centralize your egress and firewalling. Don’t let spokes talk to the internet directly without oversight. This centralization is critical for traffic inspection and consistent security posture.
5. Cost Management (Budgets as Code). Budgets shouldn’t be an afterthought. Every subscription vending event should deploy a default budget alert configured as code. If you can’t see the spend, you can’t control it.
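As an added example (not part of the original article), a small Python audit that walks a constructed tenant snapshot and reports which of the five non-negotiables above are violated. The snapshot shape, the management group and subscription names, and the `permanent` flag standing in for a non-PIM role assignment are all assumptions for illustration, not an Azure export format.

```python
# Constructed sample data (hypothetical shape, not an Azure export format).
SNAPSHOT = {
    "management_groups": {  # child -> parent, starting below the tenant root
        "platform": "root", "identity": "platform", "connectivity": "platform",
        "landingzones": "root", "corp": "landingzones", "online": "landingzones"},
    "subscriptions": {  # subscription -> management group it is placed in
        "sub-identity": "identity", "sub-payroll": "corp", "sub-sandbox": "root"},
    "role_assignments": [  # permanent=True is a standing (non-PIM) assignment
        {"principal": "alice", "role": "Owner", "scope": "sub-payroll", "permanent": True},
        {"principal": "bob", "role": "Owner", "scope": "root", "permanent": False}],
    "break_glass": {"account": "breakglass01", "ca_excluded": False, "monitored": True},
    "spokes": {  # spoke vnet -> routing facts
        "vnet-payroll": {"peered_to_hub": True, "egress_via_hub": True},
        "vnet-sandbox": {"peered_to_hub": False, "egress_via_hub": False}},
    "budgets": {"sub-identity": 500, "sub-payroll": 2000},  # subscription -> monthly cap
}
ARCHETYPES = {"platform", "landingzones"}

def ancestors(mgs, mg):
    """Follow child->parent edges upward; returns every ancestor of mg."""
    chain = []
    while mg in mgs:
        mg = mgs[mg]
        chain.append(mg)
    return chain

def audit(snap):
    """Return one finding per violated non-negotiable; an empty list means compliant."""
    mgs, findings = snap["management_groups"], []
    # 1. Hierarchy: both archetypes exist as separate branches directly under root.
    if any(mgs.get(a) != "root" for a in ARCHETYPES):
        findings.append("hierarchy: platform/landingzones archetypes missing or nested")
    # 2. Vending: each subscription lives under an archetype, never on the root itself.
    for sub, mg in snap["subscriptions"].items():
        if not ARCHETYPES & set(ancestors(mgs, mg)):
            findings.append(f"vending: {sub} is not under a platform or landing-zone branch")
    # 3. Identity: no standing Owner; break-glass is CA-excluded and monitored.
    findings += [f"identity: permanent Owner {r['principal']} at {r['scope']}"
                 for r in snap["role_assignments"] if r["role"] == "Owner" and r["permanent"]]
    bg = snap["break_glass"]
    if not (bg["ca_excluded"] and bg["monitored"]):
        findings.append(f"identity: break-glass {bg['account']} not CA-excluded or unmonitored")
    # 4. Networking: every spoke peers to the hub and sends egress through it.
    findings += [f"network: {v} bypasses hub inspection" for v, n in snap["spokes"].items()
                 if not (n["peered_to_hub"] and n["egress_via_hub"])]
    # 5. Cost: every subscription carries a budget.
    findings += [f"cost: {s} has no budget" for s in snap["subscriptions"] if s not in snap["budgets"]]
    return findings
```

Running `audit(SNAPSHOT)` on the sample above flags the sandbox subscription parked on the root, the standing Owner, the unexcluded break-glass account, the unpeered spoke and the missing budget; the same checks can be fed from a Resource Graph or Graph API export once mapped into this shape.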
Policy as Code is the only documentation that matters.
If it's not in Azure Policy, it's just a suggestion. Documentation rots; policy enforces.