DLS Azure Management Group Hierarchy
About This Architecture
This diagram shows an Azure Management Group hierarchy that organizes DLS tenant infrastructure across three distinct management groups: client-facing, internal, and sandbox. The Tenant Root Group cascades through mg-dls into specialized branches, each containing dedicated subscriptions for workload isolation. The internal infrastructure subscription spans six resource groups covering network, identity, compute, data, backup, and monitoring concerns. This hierarchical structure enables fine-grained RBAC policies, cost allocation, and compliance controls across client and internal workloads while maintaining sandbox isolation for testing. Fork and customize this diagram on Diagrams.so to model your own Azure governance strategy, then export as .drawio or .svg for documentation and team collaboration.
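Azure role assignments made at a management group are inherited by every subscription and resource group beneath it, so the sandbox isolation described above only holds if no principal's assignments reach both the sandbox branch and another branch. The following audit sketch is an added example, not part of the original diagram or of Diagrams.so; every scope and group name other than mg-dls is a hypothetical placeholder, and the role assignments are constructed sample data.

```python
# Added example: every name except "mg-dls" is a hypothetical placeholder.
PARENT = {  # child scope -> parent scope, following the hierarchy described above
    "mg-dls": "tenant-root",
    "mg-dls-client": "mg-dls",
    "mg-dls-internal": "mg-dls",
    "mg-dls-sandbox": "mg-dls",
    "sub-client-01": "mg-dls-client",
    "sub-internal-infra": "mg-dls-internal",
    "sub-sandbox-01": "mg-dls-sandbox",
}
for rg in ("network", "identity", "compute", "data", "backup", "monitoring"):
    PARENT[f"sub-internal-infra/rg-{rg}"] = "sub-internal-infra"

BRANCHES = ("mg-dls-client", "mg-dls-internal", "mg-dls-sandbox")

# Constructed role assignments: (principal, built-in role, scope)
ASSIGNMENTS = [
    ("grp-platform-admins", "Owner", "mg-dls"),
    ("grp-client-ops", "Contributor", "mg-dls-client"),
    ("grp-netops", "Network Contributor", "sub-internal-infra/rg-network"),
    ("grp-developers", "Contributor", "mg-dls-sandbox"),
    ("grp-developers", "Reader", "sub-client-01"),
]

def ancestors(scope):
    """Yield the scope itself and every scope above it, up to the tenant root."""
    while scope is not None:
        yield scope
        scope = PARENT.get(scope)

def branch_of(scope):
    """Return the branch management group a scope sits under, or None if it is above them."""
    return next((s for s in ancestors(scope) if s in BRANCHES), None)

def branches_reached(scope):
    """Branches that an assignment at `scope` is inherited into."""
    own = branch_of(scope)
    # An assignment at mg-dls or the tenant root flows down into every branch.
    return {own} if own else set(BRANCHES)

def isolation_findings(assignments):
    """Map each principal that reaches the sandbox and another branch to those branches."""
    reach = {}
    for principal, _role, scope in assignments:
        reach.setdefault(principal, set()).update(branches_reached(scope))
    return {p: sorted(b) for p, b in reach.items()
            if "mg-dls-sandbox" in b and len(b) > 1}

if __name__ == "__main__":
    for principal, branches in isolation_findings(ASSIGNMENTS).items():
        print(f"{principal} spans {', '.join(branches)}")
```

Assignments placed at mg-dls itself are reported because they are inherited by all three branches; whether that is acceptable for a platform team is a review decision, not something the check decides.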
People also ask
How should I structure Azure Management Groups and subscriptions for a multi-tenant environment with client-facing and internal workloads?
This diagram shows a three-branch Management Group hierarchy under mg-dls: client-facing subscriptions for external workloads, internal infrastructure subscriptions with six specialized resource groups (network, identity, compute, data, backup, monitoring), and sandbox subscriptions for testing. This structure enforces least-privilege access, isolates blast radius, and simplifies cost tracking and
- Domain: Cloud Azure
- Audience: Azure solutions architects designing multi-tenant governance and subscription hierarchies
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.