Nonprofit Techies

How to Deploy Azure Landing Zone for Nonprofits

Niabrown (Microsoft)
Jun 03, 2025

At the heart of this post is Kairos IMS, an innovative Impact Management System designed to empower human-serving nonprofits and social impact organizations. Co-developed by the Urban League of Broward County and our trusted technology partner, Impactful, Kairos IMS reduces administrative burdens, enhances holistic care, and enables organizations to leverage data for increased agility and seamless service delivery. In this blog series, we’ll take a closer look at the powerful technologies that fuel Kairos IMS, from Azure services to security frameworks, offering insight into how modern infrastructure supports mission-driven impact.

Kairos IMS - Impact Management System

Deploying an Azure Landing Zone for nonprofits is a strategic move to enhance cloud infrastructure management, ensuring scalability, security, and compliance. This guide will walk you through the essential steps to deploy an Azure Landing Zone tailored for nonprofit organizations.

Understanding Azure Landing Zone for Nonprofits

The Azure Landing Zone for Nonprofits is a preconfigured, scalable foundation designed to manage cloud infrastructure efficiently. It provides a blueprint for setting up core Azure services such as networking, management, identity, and security. This setup ensures that cloud resources are managed and governed securely from the start, allowing nonprofits to focus on their mission-critical services.

Key Components of Azure Landing Zone

  1. Management Group Structures: Organize subscriptions and management groups for the platform. This helps in maintaining a clear hierarchy and governance structure.
  2. Policy Enforcement: Implement policies to ensure compliance and security across the cloud environment.
  3. Logging and Monitoring: Enable Azure Monitor and Log Analytics to keep track of resource usage and performance.
  4. Network Connectivity: Configure hub and spoke networking topology for efficient and secure connectivity.
  5. Security Features: Integrate Microsoft Defender for Cloud, backup and disaster recovery services, and Azure Key Vault for secrets management.

Benefits of Deploying Azure Landing Zone for Nonprofits

  • Scalability: Easily scale your cloud infrastructure to meet growing demands.
  • Security: Implement robust security measures to protect sensitive data.
  • Compliance: Ensure compliance with industry standards and regulations.
  • Operational Efficiency: Streamline cloud management and operations, allowing your team to focus on delivering impactful services.

 

Example: This image is a network diagram showing a hub and spoke deployment for identity management and connectivity subscription

 

 

This diagram shows the relationship between Microsoft Entra ID roles and Azure RBAC roles:

 

 

 

To deploy Azure Landing Zone for Nonprofits on Microsoft Azure, you need:

  • Dedicated Azure subscriptions: You need two different Azure subscriptions, because different platform components must each have their own dedicated subscription. This requirement makes management easier, improves security, and enables a standalone compliance process.
  • A global admin in Microsoft Entra ID: A user with global admin rights in the Microsoft Entra ID environment where you plan to deploy the landing zones must initiate the deployment.
  • Elevation of privileges:
    • Elevate the global admin privileges to grant the User Access Administrator role at the tenant root scope (/).
    • Perform an explicit role assignment (Azure RBAC) at the tenant root scope using Azure CLI or PowerShell.

Elevate access for deployment

To manage resources across the tenant, temporarily elevate your access as a global admin. After deployment, remove the elevated access.

  1. Sign in to the Azure portal as the global admin.
  2. Navigate to Microsoft Entra ID > Properties.
  3. Under Access management for Azure resources, set the toggle to Yes.
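
One way to confirm that the elevated access was removed after deployment (an added example, not part of the original post): the script filters role assignments exported with `az role assignment list --all --output json` for anything granted directly at the root scope `/` and builds the matching `az role assignment delete` command. The sample data, principal names and IDs are constructed, and the `Owner` entry stands in for the explicit root-scope assignment, whose role the post does not name.

```python
import json
import shlex

# Constructed sample shaped like `az role assignment list --all --output json`.
# Principal names, IDs and the "Owner" role are placeholders, not values from the post.
SAMPLE = json.loads("""
[
 {"principalName": "admin@contoso.example",
  "principalId": "00000000-0000-0000-0000-000000000001", "principalType": "User",
  "roleDefinitionName": "User Access Administrator", "scope": "/"},
 {"principalName": "admin@contoso.example",
  "principalId": "00000000-0000-0000-0000-000000000001", "principalType": "User",
  "roleDefinitionName": "Owner", "scope": "/"},
 {"principalName": "ops@contoso.example",
  "principalId": "00000000-0000-0000-0000-000000000002", "principalType": "User",
  "roleDefinitionName": "Reader",
  "scope": "/providers/Microsoft.Management/managementGroups/NPO"}
]
""")


def root_scope_findings(assignments):
    """Return (principal, role, cleanup command) for each assignment made directly at '/'."""
    findings = []
    for a in assignments:
        if a.get("scope") != "/":
            continue  # management group and subscription scopes are not tenant-wide
        who = a.get("principalName") or a["principalId"]
        role = a["roleDefinitionName"]
        cmd = "az role assignment delete --assignee {} --role {} --scope /".format(
            shlex.quote(a["principalId"]), shlex.quote(role))
        findings.append((who, role, cmd))
    return sorted(findings)


if __name__ == "__main__":
    for who, role, cmd in root_scope_findings(SAMPLE):
        print(f"{who} still holds {role} at tenant root scope")
        print(f"  cleanup: {cmd}")
```

An empty result after the deployment means no principal still holds a role directly at the tenant root scope.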

 

 

 

Deploy Azure Landing Zone

Make sure you prepare the input values before following the deployment steps.

  1. Go to deploy Azure Landing Zone for Nonprofits.
  2. On the Deployment location tab, select the Azure region where you want to deploy the resources. Choose the region that aligns with compliance requirements and the geographic location of your users. Select Next.
  3. On the Management Group and Subscription Organization tab, you organize subscriptions and management groups for the platform. In the Management Group prefix field, provide a unique prefix for the management group structure (maximum 10 characters). For example, NPO. Select Next.
  4. On the Management and Connectivity tab, configure core platform services such as identity, management, and connectivity.
    a. Under Management subscription, in the Subscription dropdown, select a subscription for core management resources.
    b. Under Azure Monitor, select Yes for Deploy Log Analytics workspace and enable monitoring for your platform and resources. Select the number of days you want for Log Analytics Data Retention (days).
    c. Configure the hub and spoke networking topology.

Example hub network configuration:

      • Virtual Network Name: ntwrk01
      • Virtual Network Address Prefix: 10.0.0.0/16
      • Subnet Name: subnet01
      • Subnet Address Prefix: 10.0.1.0/24
      • VPN Gateway Subnet: 10.0.2.0/27
      • Recovery Services Vault Name: recoveryKeyVault01
      • Key Vault Name: keyVault01
    d. Select Next.
  5. On the Management and Connectivity tab, configure spoke networks, backup and recovery, and workload landing zones.
    a. Under Landing Zone subscription, in the Subscription dropdown, select a subscription. Make sure this subscription is different from the one selected in step 4a.
    b. Complete the spoke network settings.
      • Spoke network: Provide the network name and address prefix for workload-specific spoke VNets.
      • Backup and recovery: Configure a Recovery Services vault for backup and disaster recovery.
      • Key Vault: Set up Azure Key Vault for secrets management.

Example spoke network configuration:

      • Virtual network name: spokeVNet01
      • Virtual network address prefix: 10.1.0.0/16
      • Subnet name: subnet01
      • Subnet address prefix: 10.1.1.0/24
      • Key Vault Name: keyVault02
      • Recovery Services vault name: recoveryKeyVault02
  6. Select Review + Create, and then select Create.
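
A pre-flight check of the input values used in the steps above, as an added example that is not part of the original post or of Microsoft's deployment template. It uses the post's example addresses and names; the subscription IDs are placeholders, and the dictionary layout and the `gateway` key are hypothetical names chosen for this sketch.

```python
import ipaddress
import re

# Key Vault naming rule: 3-24 chars, letters/digits/hyphens, starts with a letter,
# ends with a letter or digit, no consecutive hyphens.
KV_NAME = re.compile(r"^[A-Za-z](?!.*--)[A-Za-z0-9-]{1,22}[A-Za-z0-9]$")

# Values from the post's example configuration; subscription IDs are placeholders.
INPUTS = {
    "mg_prefix": "NPO",
    "management_subscription": "00000000-0000-0000-0000-00000000000a",
    "landing_zone_subscription": "00000000-0000-0000-0000-00000000000b",
    "hub": {"vnet": "10.0.0.0/16", "key_vault": "keyVault01",
            "subnets": {"subnet01": "10.0.1.0/24", "gateway": "10.0.2.0/27"}},
    "spoke": {"vnet": "10.1.0.0/16", "key_vault": "keyVault02",
              "subnets": {"subnet01": "10.1.1.0/24"}},
}


def preflight(cfg):
    """Return a list of problems in the wizard inputs; an empty list means none found."""
    problems = []
    if not 1 <= len(cfg["mg_prefix"]) <= 10:
        problems.append("management group prefix must be 1-10 characters")
    if cfg["management_subscription"] == cfg["landing_zone_subscription"]:
        problems.append("landing zone and management subscriptions must differ")
    vnets = {}
    for side in ("hub", "spoke"):
        vnets[side] = vnet = ipaddress.ip_network(cfg[side]["vnet"])
        subnets = {n: ipaddress.ip_network(p) for n, p in cfg[side]["subnets"].items()}
        for name, net in subnets.items():
            if not net.subnet_of(vnet):
                problems.append(f"{side} subnet {name} ({net}) is outside {vnet}")
            if any(net.overlaps(o) for n, o in subnets.items() if n != name):
                problems.append(f"{side} subnet {name} ({net}) overlaps a sibling subnet")
        if not KV_NAME.match(cfg[side]["key_vault"]):
            problems.append(f"{side} Key Vault name is not a valid vault name")
    if vnets["hub"].overlaps(vnets["spoke"]):
        problems.append("hub and spoke address spaces overlap")
    if cfg["hub"]["key_vault"].lower() == cfg["spoke"]["key_vault"].lower():
        problems.append("hub and spoke Key Vault names collide (VaultAlreadyExists)")
    if ipaddress.ip_network(cfg["hub"]["subnets"]["gateway"]).prefixlen > 27:
        problems.append("VPN gateway subnet is smaller than the /27 used in the post")
    return problems


if __name__ == "__main__":
    print(preflight(INPUTS) or "inputs look consistent")
```

The check cannot tell whether a vault name is already taken elsewhere in Azure; it only catches a collision between the two names entered in the wizard.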

Post-deployment tasks

  • Policy and governance: Review and refine the policies applied across management groups.
  • Monitoring: Ensure Log Analytics and monitoring systems are properly configured for your environment.
  • Networking: Verify the hub and spoke topology is correctly established and VPN gateways are configured.

Troubleshoot

This section outlines common errors and issues during the deployment or operation of the Azure Landing Zone for Nonprofits and provides steps to resolve them.

Conflict: Failed to add subscription to management group

This error occurs because there's a conflict when trying to add a subscription to a management group.

Make sure the subscription selected in the landing zone is different from the one used for the management and connectivity configurations. This separation ensures optimal resource management and security compliance across different operational environments.

Conflict: The vault name is already in use. Vault names are globally unique, so it's possible that the name is already taken

This error message indicates that the deployment failed due to a conflict with the vault name. The specific error code is VaultAlreadyExists, which means the vault name is already in use.

Causes for this issue include:

  • Vault name conflict: The vault name is already in use by another Key Vault.
  • Recoverable state: If the vault with the name was recently deleted, it might still be in a recoverable state and not yet purged.

To resolve this issue, you can:

  • Select a different name: Select a different, unique name for the key vault that isn't in use.
  • Purge the vault: If you're sure the vault name isn't taken and it was recently deleted, you need to purge the vault before reusing the name. You can follow the instructions in the provided link to purge the vault: Purge a key vault.

Conclusion

Deploying an Azure Landing Zone for nonprofits provides a secure, scalable, and efficient foundation for managing cloud resources. By following the steps outlined in this guide, nonprofit organizations can leverage Azure's capabilities to enhance their digital presence and improve service delivery.

For more detailed instructions and support, refer to the official Microsoft Learn guide on Deploying Azure Landing Zone for Nonprofits.

 

Happy deploying!


References

 Deploy Azure Landing Zone for Nonprofits - Microsoft Cloud for Nonprofit | Microsoft Learn

 

Updated May 28, 2025
Version 1.0