Partner Onboarding

This guide helps Microsoft partners operationalize SMB Ready Foundation for multi-customer deployments.

Onboarding Checklist

1. Prepare the customer tenant

   Create the smb-rf management group under the customer’s tenant root. This is a one-time operation per customer that requires Global Admin or equivalent privileges.

   az account management-group create --name smb-rf \
     --display-name "SMB Ready Foundation"

   Tip

   If the customer’s organization restricts management group creation, run the Setup-ManagementGroupPermissions.ps1 script first — it requires Global Admin consent.

2. Clone and configure per customer

   Each customer gets their own Azure subscription associated with the smb-rf management group. Use a naming convention for azd environments:

   cd infra/bicep/smb-ready-foundation   # or infra/terraform/smb-ready-foundation
   azd env new contoso-prod
   azd env set SCENARIO baseline
   azd env set OWNER "partner@contoso.com"
   azd env set AZURE_LOCATION swedencentral

3. Deploy

   azd up

   Typical deployment times:

   • baseline: 5–10 minutes
   • firewall: 15–20 minutes
   • vpn: 25–35 minutes
   • full: 40–55 minutes

4. Verify

   # 6 resource groups
   az group list --query "[?starts_with(name,'rg-')].name" -o tsv
   
   # Check MG policies
   az policy assignment list \
     --scope "/providers/Microsoft.Management/managementGroups/smb-rf" \
     --query "length(@)"

5. Hand off to customer

   Post-deployment, customers configure their workloads (VMs, data services) within the spoke VNet. The governance policies automatically enforce security baselines.

Per-Customer Configuration

The only required parameter is OWNER. Everything else has sensible defaults:

Parameter	Default	Override When
SCENARIO	baseline	Customer needs firewall or VPN
OWNER	— (required)	Always set per customer
AZURE_LOCATION	swedencentral	Customer has region preference
HUB_VNET_ADDRESS_SPACE	10.0.0.0/23	Address conflict with existing infra
SPOKE_VNET_ADDRESS_SPACE	10.0.2.0/23	Address conflict with existing infra
ON_PREMISES_ADDRESS_SPACE	—	VPN or full scenarios only
LOG_ANALYTICS_DAILY_CAP_GB	0.5	High-volume workloads

Scaling Tips

• Template per scenario: Create one azd environment template per scenario (e.g., baseline-template, firewall-template) and clone for each customer.
• CIDR planning: Assign unique address spaces per customer to avoid conflicts if you later peer subscriptions.
• Tagging: The Owner tag on every resource ties back to the customer for cost attribution.
• Budget alerts: The $500/month budget alert goes to the subscription owner — ensure this is the partner operations mailbox.

Cleanup

When offboarding a customer:

cd infra/bicep/smb-ready-foundation

# Preview
pwsh scripts/Remove-SmbReadyFoundation.ps1 -WhatIf

# Remove resources + policies (keep MG)
pwsh scripts/Remove-SmbReadyFoundation.ps1 -Force

# Remove everything including MG
pwsh scripts/Remove-SmbReadyFoundation.ps1 -Force -RemoveManagementGroup

Caution

Removing the management group unlinks all subscriptions. Only do this when decommissioning the entire partner deployment.

Next Steps

Step-by-Step Walkthrough Detailed deployment guide for your first customer