Management Group & Policies
SMB Ready Foundation deploys governance at the management group scope. Policy assignments made on a management group are inherited by every subscription placed under it, so they apply to all resources in the subscription, including resources created outside of this deployment.
Architecture

```
Tenant Root Group
└── smb-rf (SMB Ready Foundation)
    ├── Azure Policy assignments (MG + subscription scope)
    └── Subscription: customer-subscription
        ├── rg-hub-smb-swc
        ├── rg-spoke-prod-swc
        ├── rg-monitor-smb-swc
        ├── rg-backup-smb-swc
        ├── rg-security-smb-swc
        └── rg-migrate-smb-swc
```

One-Time Setup
1. Grant management group permissions (requires Global Administrator)

   ```
   cd scripts
   pwsh ./Setup-ManagementGroupPermissions.ps1
   ```

   This elevates your account so it can create management groups at the tenant root level. It is only needed once per customer tenant. Once the management group exists, remove any elevated root-scope access the script granted; it is not needed for day-to-day operation.

2. Create the management group

   ```
   az account management-group create --name smb-rf --display-name "SMB Ready Foundation"
   ```

3. Associate the customer subscription

   ```
   SUBSCRIPTION_ID=$(az account show --query id -o tsv)
   az account management-group subscription add --name smb-rf --subscription $SUBSCRIPTION_ID
   ```
How Policies Are Deployed

The pre-provision hook (hooks/pre-provision.ps1) deploys policies in two steps:

- Step 5a: Deploys `deploy-mg.bicep` to the parent management group. This creates the `smb-rf` MG and associates the subscription (idempotent).
- Step 5b: Deploys `modules/policy-assignments-mg.bicep` to the `smb-rf` MG. This creates the MG-scoped policy assignments (additional policies are deployed at subscription scope by `main.bicep`).
Both steps run a what-if preview before deploying.
Policy Categories
| Category | Count | Enforcement | Purpose |
|---|---|---|---|
| Compute | 6 | 2 Deny + 4 Audit | VM SKU restrictions, no public IPs, managed disks, classic VMs, updates, endpoint protection |
| Network | 5 | 1 Deny + 4 Audit | NSG on subnets, restrict ports, disable IP forwarding, flow logs |
| Storage | 5 | 3 Deny + 2 Audit | HTTPS-only, no public blob, TLS 1.2, restrict network access |
| Identity | 4 | 4 Audit | SQL Azure AD auth, SQL public access, MFA for owners, blocked accounts |
| Tagging | 2 | 2 Deny | Require Environment and Owner tags |
| Key Vault | 7 | 7 Audit | Soft delete, purge protection, RBAC, secrets/keys expiration, resource logs |
| Monitoring | 1 | 1 Audit | Diagnostic settings required for key resource types |
| Backup | 2 | 2 Audit | VMs should be backed up, storage geo-redundancy |
| Governance | 1 | 1 Deny | Allowed resource locations |
Total: 9 Deny + 24 Audit + 1 DeployIfNotExists policy assignments (34 in all; the DeployIfNotExists assignment is not listed as a row in the table).

The table counts assignments at both scopes. The assignments deployed at subscription scope by main.bicep are auto-backup enrollment (DeployIfNotExists), VM backup required (Audit), storage geo-redundancy (Audit) and allowed locations (Deny); every other assignment is made at the `smb-rf` management group scope and is inherited by the subscription.
For the complete policy catalog with policy definition IDs, see Policy Catalog.
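The two deployment scopes above and the Deny/Audit split in the table raise a question a reviewer will want answered for a real tenant: which assignments actually reach the subscription, and with which effect? Three things decide that: an MG assignment is inherited only if the subscription sits under that MG and is not listed in the assignment's `notScopes`; most built-in definitions parameterize their effect (`[parameters('effect')]`), so the effective effect is the assignment's parameter value or else the definition's default; and `enforcementMode: DoNotEnforce` turns an assignment into evaluation-only without changing its effect. The following script is an added example and is not part of the SMB Ready Foundation project. It mirrors the JSON shapes returned by `az policy assignment list` and `az policy definition show`, but every definition, assignment, subscription ID and the `other-mg` sibling group are constructed for the example, and the real `smb-rf` definition IDs are the GUIDs from the Policy Catalog, not the names used here.

```python
"""Added example (not project code): resolve which Azure Policy assignments
reach a subscription and with what effective effect. All records below are
constructed; they follow the field names of `az policy assignment list` and
`az policy definition show` output."""
import re

CANONICAL = {"deny": "Deny", "audit": "Audit", "disabled": "Disabled",
             "auditifnotexists": "AuditIfNotExists",
             "deployifnotexists": "DeployIfNotExists", "modify": "Modify"}

MG_SCOPE = "/providers/Microsoft.Management/managementGroups/smb-rf"
OTHER_MG = "/providers/Microsoft.Management/managementGroups/other-mg"  # constructed sibling MG
SUB_SCOPE = "/subscriptions/11111111-2222-3333-4444-555555555555"      # constructed subscription
# Scope chain from the subscription up to the tenant root (constructed). In a
# real tenant take it from `az account management-group entities list`.
ANCESTRY = [SUB_SCOPE, MG_SCOPE, "/providers/Microsoft.Management/managementGroups/tenant-root"]


def _definition(effect, allowed=None):
    """Minimal policy definition. With `allowed`, the effect is a parameter,
    written the way the built-ins do it: "[parameters('effect')]"."""
    rule_if = {"field": "type", "exists": "true"}
    if allowed is None:
        return {"parameters": {}, "policyRule": {"if": rule_if, "then": {"effect": effect}}}
    return {"parameters": {"effect": {"type": "String", "defaultValue": effect, "allowedValues": allowed}},
            "policyRule": {"if": rule_if, "then": {"effect": "[parameters('effect')]"}}}


DEF = MG_SCOPE + "/providers/Microsoft.Authorization/policyDefinitions/"
DEFINITIONS = {  # constructed definition IDs; real built-ins use GUIDs
    DEF + "require-environment-tag": _definition("deny"),
    DEF + "storage-https-only": _definition("Audit", ["Audit", "Deny", "Disabled"]),
    DEF + "kv-purge-protection": _definition("Audit", ["Audit", "Deny", "Disabled"]),
    DEF + "vm-backup": _definition("AuditIfNotExists", ["AuditIfNotExists", "Disabled"]),
    DEF + "allowed-locations": _definition("deny"),
    DEF + "auto-backup": _definition("deployIfNotExists"),
}


def _assignment(name, scope, definition, parameters=None, enforcement="Default", not_scopes=()):
    return {"name": name, "scope": scope, "policyDefinitionId": DEF + definition,
            "parameters": parameters or {}, "enforcementMode": enforcement, "notScopes": list(not_scopes)}


ASSIGNMENTS = [  # constructed; compare with `az policy assignment list --scope <scope>`
    _assignment("require-environment-tag", MG_SCOPE, "require-environment-tag"),
    _assignment("storage-https-only", MG_SCOPE, "storage-https-only", {"effect": {"value": "Deny"}}),
    _assignment("kv-purge-protection", MG_SCOPE, "kv-purge-protection", enforcement="DoNotEnforce"),
    _assignment("vm-backup-audit", MG_SCOPE, "vm-backup", not_scopes=[SUB_SCOPE]),  # excluded by notScopes
    _assignment("other-mg-env-tag", OTHER_MG, "require-environment-tag"),          # sibling MG, not inherited
    _assignment("allowed-locations", SUB_SCOPE, "allowed-locations"),
    _assignment("auto-backup-enroll", SUB_SCOPE, "auto-backup"),
]


def _resolve_effect(assignment, definition):
    """Effective effect: assignment parameter > definition default > literal in the rule."""
    raw = definition["policyRule"]["then"]["effect"]
    m = re.fullmatch(r"\[parameters\('([^']+)'\)\]", raw)
    if m:
        pname = m.group(1)
        override = assignment.get("parameters", {}).get(pname)
        raw = override["value"] if override else definition["parameters"][pname]["defaultValue"]
    return CANONICAL.get(raw.lower(), raw)


def _covers(assignment, ancestry):
    """True if the assignment scope is the target (ancestry[0]) or one of its
    ancestors, and no notScope sits on the path between the two."""
    if assignment["scope"] not in ancestry:
        return False
    depth = ancestry.index(assignment["scope"])
    return not any(ns in ancestry[:depth] for ns in assignment.get("notScopes", []))


def effective_assignments(assignments, definitions, ancestry):
    """[(name, effect, enforced)] for every assignment that reaches ancestry[0]."""
    rows = []
    for a in assignments:
        if not _covers(a, ancestry):
            continue
        effect = _resolve_effect(a, definitions[a["policyDefinitionId"]])
        enforced = a.get("enforcementMode", "Default") != "DoNotEnforce" and effect != "Disabled"
        rows.append((a["name"], effect, enforced))
    return rows


def summarize(rows):
    """Count by effective effect; anything not enforced lands in 'NotEnforced'."""
    counts = {}
    for _, effect, enforced in rows:
        key = effect if enforced else "NotEnforced"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    rows = effective_assignments(ASSIGNMENTS, DEFINITIONS, ANCESTRY)
    for name, effect, enforced in rows:
        print(f"{name:26} {effect:18} {'enforced' if enforced else 'NOT ENFORCED'}")
    print(summarize(rows))
```

Against a real tenant, feed `effective_assignments` the output of `az policy assignment list --scope` for each scope in the chain plus the referenced definitions, and compare `summarize` with the 9 Deny / 24 Audit / 1 DeployIfNotExists expected above. A `NotEnforced` bucket that is not empty, or a Deny that has been overridden to Audit through the `effect` parameter, is the drift you are looking for; the Azure portal's compliance view does not make either obvious.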
Persistence Across Deployments
Management group resources (the MG itself and its MG-scoped policies) persist across azd up re-deployments. They are not torn down between scenario changes. This is by design:
- Policies apply to the subscription regardless of which scenario is deployed
- Re-deploying policies is idempotent (ARM update-in-place)
- Only resource groups and budget are torn down between scenarios
To fully remove policies, use the cleanup script:

```
cd infra/bicep/smb-ready-foundation
pwsh scripts/Remove-SmbReadyFoundation.ps1 -Force -RemoveManagementGroup
```