Azure Governance that scales: guardrails for fast and safe delivery

For large organizations, Azure success depends on solid governance, clear requirements, planned initiatives, and business priorities. Start with a clear hierarchy to apply rules consistently across the organization, not just to individual projects.

First, I set up core elements: management groups, subscriptions, resource groups, and then resources. This structure is practical and important for scaling access and compliance controls. Management groups matter if you have multiple subscriptions and want a uniform baseline. I keep them shallow, three to four levels, since more are hard to manage. Azure allows up to six (excluding the tenant root and subscription level). Assignments at higher levels cascade down, so hierarchy matters.

I use subscriptions as boundaries for billing and scaling. Splitting development, testing, and production into separate subscriptions isolates costs and risks. A dedicated subscription for shared network services, such as ExpressRoute or Virtual WAN, simplifies tracking. Subscription-specific quotas mean some workloads need their own subscription for scaling. Because virtual networks don’t cross subscriptions, network design dictates subscription boundaries.

Group resources by lifecycle to improve operations and minimize risk. Resource group metadata resides in a specific region, even if its resources span multiple regions. Use resource locks to prevent accidental deletion of critical components.

Tags are simple and powerful for tracking costs and clarifying operations. I focus on tags such as environment, cost, department, owner, and, sometimes, data classification. Tags on resource groups don’t automatically apply to resources, causing gaps without enforcement.

Azure Policy is a key guardrail. I configure policies and initiatives (policy groups) at appropriate scopes, often at the management group level for baselines. Policy inheritance enforces rules throughout the structure.

Access control is the key. Azure RBAC assigns permissions by role and checks each request. I use least privilege, assign roles to groups, and set roles at the broadest feasible scope to avoid clutter. RBAC manages actions, Policy controls resources, and configuration. Combined, they address most governance needs.

To ensure repeatability before workloads arrive, I use landing zones, ready-made setups deployed as code that include management groups, subscriptions, baseline policies, and core features. Teams onboard quickly, without building governance each time. The Azure landing zone accelerator is a portal tool to help existing organizations baseline in the same Microsoft Entra tenant.

Good Azure governance isn’t bureaucracy. It lets teams move quickly with guardrails for costs, security, and compliance. Main point: governance accelerates teams without losing alignment or oversight. Using these principles helps organizations protect revenue, innovate, and deliver features faster to compete.

Why Database Modernization Matters for AI

When companies transition to the cloud, they typically begin with applications and virtual machines, which is often the easier part of the process. The actual complexity arises later when databases are moved. To save time and effort, cloud adoption is more of a cloud migration in an IaaS manner, fulfilling current, but not future needs. Even organisations that are already in the cloud find that their databases, although “migrated,” are not genuinely modernised. This disparity becomes particularly evident when they begin to explore AI technologies. Understanding Modernisation Beyond Migration Database modernisation is distinct from merely relocating an outdated database to Azure. It's about making your data layer ready for future needs, like automation, real-time analytics, and AI capabilities. AI needs high throughput, which can be achieved using native DB cloud capabilities. When your database runs in a traditional setup (even hosted in the cloud), in that case, you will enc...

How to audit an Azure Cosmos DB

In this post, we will talk about how we can audit an Azure Cosmos DB database. Before jumping into the problem let us define the business requirement: As an Administrator I want to be able to audit all changes that were done to specific collection inside my Azure Cosmos DB. The requirement is simple, but can be a little tricky to implement fully. First of all when you are using Azure Cosmos DB or any other storage solution there are 99% odds that you’ll have more than one system that writes data to it. This means that you have or not have control on the systems that are doing any create/update/delete operations. Solution 1: Diagnostic Logs Cosmos DB allows us activate diagnostics logs and stream the output a storage account for achieving to other systems like Event Hub or Log Analytics. This would allow us to have information related to who, when, what, response code and how the access operation to our Cosmos DB was done. Beside this there is a field that specifies what was th...

[Post Event] Azure AI Connect, March 2025

On March 13th, I had the opportunity to speak at Azure AI Connect about modern AI architectures. My session focused on the importance of modernizing cloud systems to efficiently handle the increasing payload generated by AI.

Cloud as a Story - Vunvulea Radu

Search This Blog