What are the recommended guardrails for...

Hi,

A few guardrails tend to work well across most Azure environments, especially when multiple teams share the same platform.

✔️ 1. Start with a clear landing‑zone structure

Use Management Groups to separate:

• platform
• shared services
• workloads
• sandboxes

This gives you a clean place to apply policies and RBAC.

✔️ 2. Enforce governance with Azure Policy

Typical baseline policies include:

• allowed locations
• allowed SKUs
• mandatory tags
• diagnostic settings to Log Analytics
• resource locks for critical assets
• network rules (no public IPs unless approved)

✔️ 3. Use RBAC with least privilege

Define roles per persona:

• platform admins
• workload owners
• developers
• automation accounts

Avoid using Owner except for platform teams.

✔️ 4. Control cost and sprawl

Set:

• budgets + alerts
• quotas
• lifecycle policies for unused resources
• automation to clean up abandoned assets

✔️ 5. Standardize deployment

Use:

• Bicep/Terraform modules
• Azure DevOps/GitHub Actions
• environment‑based pipelines
• policy‑driven validation before deployment

This keeps teams aligned and prevents configuration drift.

If you can share your current structure (MGs, subscriptions, teams), I can suggest a more tailored baseline.