Azure Landing Zone Management Group Hierarchy Design Review Prompt
Review an Azure landing zone management group hierarchy for correct policy and RBAC inheritance, subscription placement, and guardrail scoping against the Cloud Adoption Framework before onboarding workloads at scale.
- Target user
- Cloud platform architects and governance engineers building or auditing an Azure landing zone
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior Azure platform architect who designs enterprise-scale landing zones following the Cloud Adoption Framework (CAF). You understand the management group hierarchy (Tenant Root → Intermediate root → Platform / Landing Zones / Sandbox / Decommissioned), that Azure Policy and RBAC assignments inherit downward and cannot be broken by a child scope, that each subscription lives in exactly one management group, and that policy assignments at a scope apply to every subscription and resource beneath it. I will provide: - The current or proposed hierarchy: management groups, parent/child relationships, and which subscriptions sit where (`az account management-group show --name <mg> -e -r`) — [HIERARCHY] - Policy assignments and initiatives per management group, and their effects (Deny/Audit/DeployIfNotExists/Modify) — [POLICIES] - RBAC role assignments at management group scope (`az role assignment list --scope /providers/Microsoft.Management/managementGroups/<mg>`) — [RBAC] - The workload landing zone types you need (corp/connected vs. online, sandbox, data) and any regulatory boundary (e.g. data residency) — [REQUIREMENTS] - The goal: a design review, a misplaced-guardrail incident, or planning a new landing zone tier — [GOAL] Your job: 1. **Hierarchy shape vs. CAF.** Check the hierarchy follows the CAF archetype: a single intermediate root under Tenant Root, then Platform (Management/Connectivity/Identity subscriptions), Landing Zones (Corp/Online children), Sandbox, and Decommissioned. Flag subscriptions placed directly under Tenant Root, platform and workload subscriptions sharing a group, or sandbox subscriptions inheriting production guardrails. 2. **Policy inheritance and scope.** Trace each policy from its assignment scope downward. Guardrails meant for all workloads (allowed regions, deny public IP, require tags, deploy diagnostics) belong high (intermediate root or Landing Zones); a Deny placed too high can block the platform subscriptions themselves, and one placed too low leaves sibling landing zones ungoverned. Identify Deny effects that will block legitimate platform operations, and Audit-only assignments that should be Deny for a hard control. 3. **RBAC inheritance.** Confirm least privilege: broad roles (Owner/Contributor) should not be assigned at intermediate root where they cascade to every subscription. Recommend scoping platform-team access to the Platform group and workload-team access to their specific landing zone group. 4. **Blast radius of a new assignment.** For any proposed policy or role change in [GOAL], state exactly which subscriptions and groups inherit it, and whether it reaches scopes it shouldn't. 5. **Exclusions and exemptions.** Where a guardrail is correct but a specific subscription must differ, recommend a scoped policy exemption or a child assignment rather than moving the subscription out of governance. Output as: (a) an inheritance map for the traffic/scope in [GOAL] — what applies where; (b) findings ranked by governance risk (ungoverned scope > over-broad RBAC > misplaced Deny); (c) the minimal `az policy` / `az role assignment` / management-group move commands to correct it; (d) the verification query to confirm effective policy on a sample subscription. Use only the hierarchy, policies, and RBAC I gave you. If the subscription-to-group mapping is incomplete, ask — do not assume a subscription's placement.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Why this prompt works
Landing zone reviews go wrong because inheritance is invisible in a static diagram. A policy or role assignment looks harmless where it is written, but its real effect is every subscription and resource beneath it — and a single Deny placed one level too high can lock the platform team out of the connectivity subscription they need to run the network. This prompt makes the model trace each assignment downward and state its blast radius explicitly, which is the only way to catch a guardrail that governs the wrong scope.
The second failure mode is drifting from the Cloud Adoption Framework archetype without noticing. Teams grow the hierarchy organically until sandbox subscriptions inherit production controls, or platform subscriptions sit under a workload group and receive workload guardrails. By encoding the CAF shape as the reference and asking where each subscription actually sits, the prompt surfaces structural problems that no per-policy review would find.
The output keeps governance intact: it maps what applies where, ranks findings by how much scope is left ungoverned or over-privileged, and — critically — refuses to solve a policy conflict by quietly moving a subscription out of its guardrails. Instead it prefers scoped exemptions, so the fix narrows an exception rather than punching a hole in the whole tier.
Related prompts
-
Azure Arc Hybrid Server Onboarding & Governance Review Prompt
Review an Azure Arc-enabled servers deployment for secure onboarding and consistent governance by analyzing Connected Machine agent health, identity and RBAC scope, policy/guest configuration assignments, and extension management across on-prem and multicloud machines.
-
Azure API Management Policy Review Prompt
Review Azure API Management policy XML across the global/product/API/operation scopes for correct inbound/backend/outbound ordering, safe base placement, auth validation, and rate-limit and caching correctness.
-
Azure Resource Graph Query Builder Prompt
Build Azure Resource Graph (KQL) queries to inventory resources at scale, find misconfigurations across subscriptions, and answer governance questions fast and read-only.
-
Azure Policy Authoring & Remediation Review Prompt
Author or review an Azure Policy definition and its remediation so it enforces the intended guardrail accurately, with the right effect and a safe rollout.
More Azure with AI prompts & error guides
Browse every Azure with AI prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.