Deploy and configure Azure landing zone for Nonprofits

After you plan and prepare for deployment, use the Azure portal deployment experience to deploy Azure landing zone for Nonprofits.

The Azure portal flow is the recommended deployment option for most users. It guides you through the supported foundation or expanded platform inputs, checks required values and subscription-level permissions where the form can evaluate them, and shows what was deployed, skipped, or still needs follow-up.

Before you begin

Before you start the deployment, make sure that you complete the prerequisites and have the required input values ready.

  • Sign in to the Azure portal with the identity that has the required deployment permissions.
  • Confirm that you're in the correct Microsoft Entra tenant.
  • Prepare the subscription IDs, service owner email, monitoring notification emails, and optional group object IDs.
  • Review cost-sensitive choices, including budget creation, Microsoft Defender for Cloud, private endpoint access, and future connectivity services.

For more information, see Plan and prepare to deploy Azure landing zone for Nonprofits.

Choose a portal deployment path

Use one of the following Azure portal deployment links:

Foundation
  Use when: You need a compact baseline in one existing subscription.
  Deployment link: Deploy foundation

Expanded platform
  Use when: You need existing management and connectivity subscriptions, a dedicated hub network, and stronger platform separation.
  Deployment link: Deploy expanded platform

Deploy foundation

Use foundation when you want to deploy the platform baseline into one existing subscription. Foundation doesn't create or modify a management-group hierarchy.

  1. Select Deploy foundation.

  2. In the Azure portal, confirm that you're signed in to the correct tenant.

  3. On Core settings, enter the foundation deployment values.

    Foundation subscription: Select the existing subscription that receives the foundation baseline.
    Primary Azure region: Select the region for the deployment record and default foundation resources.
    Deployment prefix: Enter a stable prefix of 3-12 lowercase letters, numbers, or hyphens.
    Service owner: Enter an email address or shared mailbox for platform ownership tags.

  4. On Foundation setup, review the required and optional baseline settings.

    Monthly subscription budget: Enter a monthly amount to create a budget with 80% and 100% notifications. Use 0 to skip automatic budget creation.
    Monitoring notification emails: Enter one or more shared operational email addresses for service health and planned maintenance notifications.
    Organization platform admins group object ID: Optional during deployment. If left blank, configure customer-owned admin access after deployment before handover.
    Microsoft Defender for Cloud plans: Keep existing Defender settings unchanged, or explicitly add paid Defender coverage for Key Vault and storage when approved.
    Networking options: Optionally deploy the simple foundation network baseline. Key Vault private endpoint access requires this network baseline.
    Platform Key Vault deletion protection: Leave purge protection off for removable evaluation deployments, or enable it before storing platform secrets that must survive accidental deletion.
    Partner operations access: Optional. Provide a Microsoft Entra group object ID only when partner operators need delegated access.

  5. On Review deployment plan, confirm the selected profile, target subscription, budget behavior, monitoring recipients, access choices, security choices, and networking choices.

  6. Select Review + create.

  7. When Azure validation succeeds, select Create.

  8. Wait for the deployment to complete, then review the deployment result and follow-up actions.

Deploy expanded platform

Use expanded platform when your organization has approved management and connectivity subscriptions and is ready to operate a dedicated hub network. Expanded platform runs as a tenant-scope deployment and deploys resources into the selected platform subscriptions.

  1. Select Deploy expanded platform.

  2. In the Azure portal, confirm that you're signed in to the correct tenant.

  3. On Review Expanded Platform readiness, confirm that the management and connectivity subscriptions already exist, are approved for this deployment, and are accessible to the deployment identity. Review the tenant-scope and optional management-group permission requirements before continuing.

  4. On Core settings, enter the platform deployment values.

    Deployment prefix: Enter a stable prefix of 3-12 lowercase letters, numbers, or hyphens.
    Service owner: Enter an email address or shared mailbox for platform ownership tags.
    Management subscription: Select the existing subscription that hosts shared management services, including Log Analytics, Key Vault, governance, monitoring, security baseline resources, access assignments, and the optional budget.
    Connectivity subscription: Select the existing subscription that hosts the dedicated hub network and connectivity governance baseline.
    Primary Azure region: Select the approved operating region for shared platform resources.
    Platform management group ID: Optional. Provide an existing Platform management group ID only when governance should also be assigned at that scope.
    Monitoring notification emails: Enter one or more shared operational email addresses for service health and planned maintenance notifications.
    Monthly management subscription budget: Enter a monthly amount to create a budget with 80% and 100% notifications. Use 0 to skip automatic budget creation.

    If the same subscription is selected for management and connectivity, confirm that this compact evaluation layout is intentional and approved.

  5. On Advanced platform options, review access, governance, security, and networking choices.

    Organization platform admins group object ID: Optional during deployment. If left blank, configure customer-owned admin access after deployment before handover.
    Partner operations access: Optional. Provide a Microsoft Entra group object ID only when partner operators need delegated access.
    Additional allowed regions: Optional. The primary region is always allowed. Add other approved regions for disaster recovery, compliance, or service availability.
    Defender baseline: Keep existing Defender settings unchanged, or explicitly add paid Defender coverage for Key Vault and storage when approved.
    GatewaySubnet reservation: Optional. Reserve the subnet for future hybrid connectivity. This deployment doesn't create a VPN gateway, ExpressRoute gateway, Azure Virtual WAN, public IP, or connection object.
    Private endpoint for Key Vault: Optional. Enable when private-only Key Vault access is required and DNS/network operations are ready to support it.
    Key Vault purge protection: Enabled by default for steady-state platform environments. Disable only for evaluation deployments that must be removed immediately after testing.

  6. On Review deployment plan, confirm the tenant-scope deployment, selected subscriptions, primary region, governance scope, monitoring recipients, budget behavior, and optional security and networking choices.

  7. Select Review + create.

  8. When Azure validation succeeds, select Create.

  9. Wait for the deployment to complete, then review the deployment result and follow-up actions.
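As an added example that is not part of the Azure landing zone for Nonprofits project, the following Python pre-flight check encodes the input rules and follow-up conditions stated in both the foundation and expanded platform steps, so a team can validate its planned values before opening the portal form. The field names, the GUID and email patterns, and the sample IDs and addresses are assumptions of this example, not values from the deployment experience.

```python
import re
from dataclasses import dataclass
# Input rules from the guide; the GUID and e-mail patterns are this example's assumptions.
PREFIX_RE = re.compile(r"^[a-z0-9-]{3,12}$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

@dataclass
class PlanInputs:
    profile: str                    # "foundation" or "expanded"
    prefix: str
    monitoring_emails: list
    subscriptions: dict             # {"foundation": id} or {"management": id, "connectivity": id}
    monthly_budget: int = 0         # 0 skips automatic budget creation
    org_admin_group: str = ""       # optional Microsoft Entra group object ID
    network_baseline: bool = False  # foundation-only simple network baseline
    key_vault_private_endpoint: bool = False
    purge_protection: bool = False
    evaluation_only: bool = False   # removable evaluation deployment

def check_plan(p: PlanInputs):
    """Return (errors, followups): errors block the form, followups become handover actions."""
    errors, followups = [], []
    if not PREFIX_RE.match(p.prefix):
        errors.append("prefix must be 3-12 lowercase letters, numbers, or hyphens")
    if not p.monitoring_emails or not all(EMAIL_RE.match(e) for e in p.monitoring_emails):
        errors.append("at least one valid monitoring notification email is required")
    needed = ("foundation",) if p.profile == "foundation" else ("management", "connectivity")
    for role in needed:
        if not GUID_RE.match(p.subscriptions.get(role, "")):
            errors.append(f"{role} subscription ID is missing or not a GUID")
    if p.profile == "expanded" and p.subscriptions.get("management") == p.subscriptions.get("connectivity"):
        followups.append("management and connectivity share one subscription: confirm the compact layout is approved")
    if p.monthly_budget < 0:
        errors.append("monthly budget must be 0 (skip) or a positive amount")
    elif p.monthly_budget == 0:
        followups.append("automatic budget creation skipped: review before steady-state operations")
    if p.org_admin_group and not GUID_RE.match(p.org_admin_group):
        errors.append("organization platform admins group object ID is not a GUID")
    elif not p.org_admin_group:
        followups.append("organization platform admin access not configured: complete before handover")
    if p.profile == "foundation" and p.key_vault_private_endpoint and not p.network_baseline:
        errors.append("Key Vault private endpoint access requires the foundation network baseline")
    if not p.purge_protection and not p.evaluation_only:
        followups.append("Key Vault purge protection is off: enable it before storing platform secrets")
    return errors, followups

SAMPLE = PlanInputs(profile="expanded", prefix="npo-plat", monitoring_emails=["cloudops@example.org"],
                    subscriptions={k: "11111111-1111-1111-1111-111111111111" for k in ("management", "connectivity")},
                    purge_protection=True)  # constructed placeholder values, not real IDs
```

Running `check_plan(SAMPLE)` returns no blocking errors but three follow-up items (shared subscription, skipped budget, missing organization admin group), mirroring the skipped or deferred items the portal result summary reports.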

Review deployment results

When deployment completes, review the result summary in the Azure portal. The result tells you what was created, what was skipped or deferred, and what still requires action.

Review these areas before treating the environment as ready for operations.

Deployment summary: Confirm the selected profile, target subscriptions, included baseline components, and explicitly selected options.
Skipped or deferred items: Review items such as skipped budget creation, missing organization admin access, missing partner access, or optional networking that wasn't selected.
Handover readiness: If organization platform administrator access isn't configured, deployment can succeed but operational ownership isn't complete.
Alert-response readiness: Confirm that monitoring notification routing is configured and that the recipients are durable shared operational contacts.
Governance status: Review policy and regional-control behavior for the selected path. Foundation doesn't enforce allowed locations; expanded platform applies allowed-locations governance to the selected platform subscriptions.
Security status: Review Key Vault access mode, purge protection state, and Defender for Cloud plan changes.
Networking status: Review whether foundation networking, expanded platform hub networking, Key Vault private endpoint access, or GatewaySubnet reservation was selected.
Warnings and follow-up actions: Complete the listed actions before handover or steady-state operations.

A successful deployment doesn't always mean the environment is ready for handover. Complete the follow-up actions before relying on the environment for steady-state operations.

Next steps