1

Currently, I am working on establishing enterprise-scale landing zones for the Cloud Adoption Framework in Azure.

I was going through the Cloud Adoption Framework and implemented Level#0. I could see a few Azure AD groups, like those mentioned below,


however, I can't find any relevant details or description. The CAF documentation is very limited and covers only the high-level steps without any explanation.


While I can assume the need for these groups, I am looking for help in understanding the purpose of the Azure AD groups.

One Developer

1 Answer

0

Short answer: delegation of duties

There is 1 superuser for CAF, needed to make the initial groups and service principals. After this, the superuser is not needed and, for safety reasons, is not to be used. The credentials made during the level0 deployment are used to create resources for later levels, ensuring that the creator of a level doesn't have access to the resources created in this level by another credential.

MyName