
Checklist

Azure Foundations: The Governance Baseline

Jan 17, 2026 · 5 min read

Most Azure environments rot. They start with good intentions in the portal ("ClickOps") and end up as a tangled web of unmanaged resources. A governance baseline prevents this decay by establishing the non-negotiable rules of the road before the first application lands.


[Figure: Azure Management Group and Subscription hierarchy diagram. Caption: Structure precedes scale. Define the hierarchy before you deploy the workload.]

The Governance Baseline

You don't need a 50-page whitepaper to start. You need a checklist of non-negotiables. If you can't check these five boxes, you are building on sand.

  • Management Group Hierarchy (Archetypes). Don't just use the Tenant Root Group. Deploy a standard hierarchy separating Platform (Identity, Connectivity, Management) from Landing Zones (Corp, Online). This separation allows you to apply Policy as Code inheritance correctly—enforcing strict rules on the platform and specific guardrails on the workloads.
  • Subscription Democratization (Vending). Stop sharing subscriptions. Use a subscription vending process to give every workload its own security and billing boundary. This isolates blast radius, simplifies cost attribution, and prevents the "noisy neighbor" problem where one bad deployment takes down the shared dev environment.
  • Identity (PIM & Break-glass). No permanent owners. Use Privileged Identity Management (PIM) for Just-In-Time access to critical roles. Establish a break-glass account (emergency access) that is excluded from Conditional Access and monitored heavily. If your identity provider goes down, you still need keys to the castle.
  • Networking (Hub-Spoke). Hub and Spoke is the standard. Whether you build it yourself or use Virtual WAN, centralize your egress and firewalling. Don't let spokes talk to the internet directly without oversight. This centralization is critical for traffic inspection and consistent security posture.
  • Cost Management (Budgets as Code). Budgets shouldn't be an afterthought. Every subscription vending event should deploy a default budget alert configured as code. If you can't see the spend, you can't control it.
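The five boxes above as one Terraform file, added here as an illustration rather than the author's code: the Platform / Landing Zones archetypes, a vended subscription placed under Corp, a built-in deny policy assigned at the Landing Zones scope so spokes cannot bypass the hub, and a default budget alert. It assumes the azurerm 3.x provider, that the subscription the provider authenticates to is the one being vended, and that the management group names, budget amount, start date and e-mail address are placeholders.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.100" }
  }
}
provider "azurerm" { features {} }
data "azurerm_subscription" "current" {} # stands in for a freshly vended workload subscription (assumption)
# 1. Hierarchy: Platform and Landing Zones sit under the Tenant Root Group (the default parent).
resource "azurerm_management_group" "platform" {
  name         = "mg-platform"
  display_name = "Platform"
}
resource "azurerm_management_group" "landing_zones" {
  name         = "mg-landingzones"
  display_name = "Landing Zones"
}
resource "azurerm_management_group" "corp" {
  name                       = "mg-corp"
  display_name               = "Corp"
  parent_management_group_id = azurerm_management_group.landing_zones.id
}
# 2. Vending: the workload subscription lands under its archetype, never at the root.
resource "azurerm_management_group_subscription_association" "corp" {
  management_group_id = azurerm_management_group.corp.id
  subscription_id     = data.azurerm_subscription.current.id
}
# 3. Policy as Code: deny NIC-level public IPs on every landing zone so egress must go through the hub.
data "azurerm_policy_definition" "no_public_nic" {
  display_name = "Network interfaces should not have public IPs" # built-in definition, looked up by name
}
resource "azurerm_management_group_policy_assignment" "no_public_nic" {
  name                 = "deny-public-nic"
  management_group_id  = azurerm_management_group.landing_zones.id
  policy_definition_id = data.azurerm_policy_definition.no_public_nic.id
}
# 4. Budget as Code: a default alert ships with the subscription (amount and e-mail are placeholders).
resource "azurerm_consumption_budget_subscription" "default" {
  name            = "budget-default"
  subscription_id = data.azurerm_subscription.current.id
  amount          = 500
  time_grain      = "Monthly"
  time_period { start_date = "2026-02-01T00:00:00Z" }
  notification {
    enabled        = true
    threshold      = 80
    operator       = "GreaterThan"
    threshold_type = "Forecasted"
    contact_emails = ["finops@example.com"]
  }
}
```

Applying this requires rights at the Tenant Root Group to create management groups; wire the same file into the vending pipeline so every new subscription arrives already inside its archetype with the budget and policy inherited.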

Minimum Bar

Policy as Code is the only documentation that matters.
If it's not in Azure Policy, it's just a suggestion. Documentation rots; policy enforces.


Next step

If this problem feels familiar, start with the Health Check.

It measures drift and recovery evidence, then returns a scored report with a focused remediation plan.