
Azure Tenant

This page outlines the foundational components of an Azure tenant, including identity control via Microsoft Entra ID, hybrid integration with on-premises AD, and the structure of management groups for platform, application, and DevTest workloads. It explains how governance, security, and shared services are centralized and enforced across landing zones to support scalable, policy-driven cloud operations.


(1) Enterprise Agreement + Billing Profile

This sits at the tenant level, not inside any subscription. It governs licensing, billing, and cost management across all subscriptions in the tenant.

(2) Microsoft Entra ID (Tenant)

This is the identity control plane for the entire tenant. It provides authentication, authorization, Conditional Access, RBAC, and more. All subscriptions and resources in the tenant are governed by this Entra ID instance.

(3) Microsoft Entra Connect → On‑Prem AD DS

Entra Connect syncs identities from on‑premises Active Directory into Microsoft Entra ID. This enables hybrid identity, so users can authenticate with the same credentials across cloud and on‑prem systems. The sync traffic must traverse the public internet, even if ExpressRoute is present.

(4) Tenant Root Group

This is the top-level container for all management groups and subscriptions in your Azure tenant. Policies applied here (e.g., deny public IP, enforce tagging, require diagnostic settings) cascade to every child management group and subscription unless a scope is explicitly excluded. You typically apply baseline governance here: allowed regions, SKU restrictions, and mandatory security controls.

(5) Platform Landing Zone Management Group

The Platform Management Group is where shared infrastructure lives — supporting all workloads across the Azure environment. It centralizes services for networking, identity, management, and security, ensuring consistency, visibility, and control.

Networking components like Virtual WAN, ExpressRoute, and Azure Firewall are hosted here to manage routing, inspection, and hybrid connectivity. DNS zones and resolvers provide name resolution across landing zones, while Route Server supports dynamic routing.

Identity services such as AD DS (if needed), Bastion, and Key Vaults are deployed to secure access and manage secrets. Diagnostic settings ensure logs are captured for audit and analysis.

Operational tools like Azure Monitor, Log Analytics, Automation, and Backup Center are consolidated here to track performance, enforce updates, and manage recovery. Budgets, cost alerts, and Resource Graph Explorer help maintain financial and resource governance.

Security services including Microsoft Sentinel, Defender for Cloud, and centralized Key Vaults provide threat detection, posture management, and automated response — forming the backbone of enterprise protection.

(6) Application Landing Zone Management Group

Application landing zones are where business workloads live — segmented by exposure type and governed by policies that reflect their risk profile. These zones are organized under dedicated Management Groups, each tailored to the needs of internal or public-facing applications.

The Corp Workloads Management Group hosts subscriptions for internal-facing systems like APIs, databases, and line-of-business applications. Resources are deployed into VNets that connect to the central vWAN hub, ensuring all traffic flows through shared inspection and routing layers. Policies enforce private endpoints, deny public IPs, and require diagnostics to be sent to centralized monitoring. Backup and tagging standards are applied consistently to support governance and recovery.

The Internet-Facing Workloads Management Group supports public-facing applications such as web portals, reverse proxies, and WAF-protected front ends. These workloads may use scoped public IPs and ingress services like Azure Front Door or Application Gateway. Policies ensure traffic is inspected via WAF or firewall before reaching internal services, and enforce DDoS protection, diagnostics, and tagging for visibility and control.

Together, these landing zones provide a structured, secure foundation for deploying applications at scale — with clear boundaries, shared services, and policy-driven guardrails that adapt to workload exposure.

(7) DevTest Management Group

A separate management group, with its own subscription(s), for experimentation, testing, or training. It is often excluded from strict policies but still monitored.
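The cascade described under (4), the per-group rules under (6), and the DevTest exemption under (7) can be modelled concretely. The following is an added example, not code from the original page or from Microsoft: a toy Python model of a management-group tree with Azure-Policy-style assignments, showing how a root assignment reaches every subscription unless a notScope excludes a branch, and how the Internet-Facing group layers its own rule on top. The group names, subscription names, assignment names, rules, and sample resources are all constructed here, and the evaluator supports only a small subset of the policy condition language (field / equals / notEquals / exists / allOf) using dotted JSON paths rather than Azure's property aliases.

```python
"""Toy model of Azure Policy inheritance across a management-group tree.

Added example (not the page's or Microsoft's code). Scopes, assignments, rules
and resources are constructed; the evaluator is a teaching subset of the Azure
Policy rule language (field/equals/notEquals/exists/allOf), not the real engine.
"""
from dataclasses import dataclass

# Parent of each scope; the Tenant Root Group has no parent. Layout follows the
# page: Platform, Application (Corp, InternetFacing) and DevTest groups, each
# holding a constructed sample subscription.
PARENT = {
    "Platform": "TenantRoot", "Application": "TenantRoot", "DevTest": "TenantRoot",
    "Corp": "Application", "InternetFacing": "Application",
    "sub-platform-hub": "Platform", "sub-corp-erp": "Corp",
    "sub-web-portal": "InternetFacing", "sub-sandbox": "DevTest",
}


@dataclass
class Assignment:
    name: str
    scope: str              # management group the policy is assigned to
    rule: dict              # {"if": <condition>, "then": {"effect": ...}}
    not_scopes: tuple = ()  # descendant scopes excluded from this assignment


ASSIGNMENTS = [
    # Root baseline: every resource needs an 'env' tag, except in DevTest,
    # which the page says is often exempt from strict policy (constructed choice).
    Assignment("require-env-tag", "TenantRoot",
               {"if": {"field": "tags['env']", "exists": "false"},
                "then": {"effect": "deny"}}, not_scopes=("DevTest",)),
    # Root baseline: deny public IPs, excluding Platform (hosts the shared
    # firewall) and Internet-Facing (may use scoped public IPs).
    Assignment("deny-public-ip", "TenantRoot",
               {"if": {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
                "then": {"effect": "deny"}}, not_scopes=("Platform", "InternetFacing")),
    # Internet-Facing rule: a public IP is allowed only with DDoS protection on.
    # The dotted path is this toy's convention, not an Azure Policy alias.
    Assignment("require-ddos-on-public-ip", "InternetFacing",
               {"if": {"allOf": [
                   {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
                   {"field": "properties.ddosSettings.protectionMode", "notEquals": "Enabled"}]},
                "then": {"effect": "deny"}}),
]


def scope_chain(scope):
    """Walk from a scope up to the Tenant Root Group."""
    chain = [scope]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def effective_assignments(scope):
    """Assignments that reach this scope: assigned at the scope or an ancestor,
    and not excluded by a notScope that is also on the ancestor chain."""
    chain = scope_chain(scope)
    return [a for a in ASSIGNMENTS
            if a.scope in chain and not any(ns in chain for ns in a.not_scopes)]


def get_field(resource, path):
    """Resolve tags['key'] or a dotted JSON path; None if absent."""
    if path.startswith("tags['") and path.endswith("']"):
        return resource.get("tags", {}).get(path[6:-2])
    current = resource
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def matches(condition, resource):
    """Evaluate the supported subset of the policy condition language."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    value = get_field(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    if "exists" in condition:
        return (value is not None) == (condition["exists"] == "true")
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(resource, scope):
    """(assignment name, effect) for every policy the resource triggers at scope."""
    return [(a.name, a.rule["then"]["effect"])
            for a in effective_assignments(scope) if matches(a.rule["if"], resource)]


def is_denied(resource, scope):
    return any(effect == "deny" for _, effect in evaluate(resource, scope))


# Constructed sample resources.
PROTECTED_PIP = {"type": "Microsoft.Network/publicIPAddresses", "tags": {"env": "prod"},
                 "properties": {"ddosSettings": {"protectionMode": "Enabled"}}}
UNPROTECTED_PIP = {"type": "Microsoft.Network/publicIPAddresses", "tags": {"env": "prod"},
                   "properties": {}}
UNTAGGED_VNET = {"type": "Microsoft.Network/virtualNetworks", "tags": {}}

if __name__ == "__main__":
    for res, scope in [(PROTECTED_PIP, "sub-corp-erp"), (PROTECTED_PIP, "sub-web-portal"),
                       (UNPROTECTED_PIP, "sub-web-portal"), (UNTAGGED_VNET, "sub-corp-erp"),
                       (UNTAGGED_VNET, "sub-sandbox")]:
        print(f"{res['type']:40} @ {scope:16} -> {evaluate(res, scope)}")
```

Running the script shows the same public IP denied in the Corp subscription but accepted in the Internet-Facing one (where the root rule is excluded and the DDoS rule is satisfied), an unprotected public IP denied only by the Internet-Facing rule, and an untagged VNet denied in Corp but allowed in the DevTest sandbox because that branch is a notScope of the tagging policy. The point to carry over to a real tenant is that exclusions are a second, easily overlooked source of policy gaps: reviewing effective policy per subscription, rather than per assignment, is what surfaces them.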