After you deploy Azure landing zone for Nonprofits, review the deployment result and complete the follow-up tasks before treating the environment as ready for steady-state operations.
A successful deployment means that the selected foundation or expanded platform baseline is created. It doesn't always mean that operational ownership, alert response, budget monitoring, security decisions, or transition tasks are complete.
Review the deployment result
In the deployment result, review the summary, skipped or deferred items, warnings, and follow-up actions.
Use the following areas as the post-deployment checklist.
| Area | What to confirm |
|---|---|
| Deployment summary | Confirm the selected profile, target subscription or subscriptions, included baseline components, and explicitly selected options. |
| Handover readiness | Confirm that organization platform administrator access is configured. If it isn't configured, complete it before handing over operations. |
| Alert-response readiness | Confirm that monitoring notification routing is configured and uses durable shared recipients. |
| Budget status | Confirm whether the optional budget is created. If it isn't created automatically, create it manually or document that the organization chose not to use an automatic budget. |
| Governance status | Review policy and tagging behavior for the selected deployment path. |
| Security status | Review Key Vault access mode, purge protection, and Microsoft Defender for Cloud plan changes. |
| Networking status | Review foundation networking, expanded platform hub networking, private Key Vault access, and GatewaySubnet reservation choices. |
| Warnings and follow-up actions | Assign owners and due dates for any remaining actions before steady-state operations. |
Complete access handover
Customer-owned operational access is required before handover is complete.
If the organization platform administrators group isn't supplied during deployment, assign the appropriate customer-owned Microsoft Entra group and verify Owner access on the foundation subscription or platform subscriptions.
If partner operations access is required, assign it to a Microsoft Entra group rather than to individual users. Use delegated partner access only when the organization approves the operating model and the partner still needs access after deployment.
Remove any temporary elevated access that you used only for deployment. For more information, see Elevate access to manage all Azure subscriptions and management groups.
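The handover checks above can be run over an exported role assignment list. This is an added example, not part of the landing zone tooling; it assumes JSON in the shape of `az role assignment list --all -o json`, and the subscription ID, group ID, and principal names are constructed placeholders.

```python
# Constructed sample in the shape of `az role assignment list --all -o json`.
SUB = "00000000-0000-0000-0000-000000000000"          # placeholder subscription ID
ADMIN_GROUP = "11111111-1111-1111-1111-111111111111"  # placeholder group object ID
DEPLOYER = "22222222-2222-2222-2222-222222222222"     # placeholder user object ID
SAMPLE = [
    {"principalId": ADMIN_GROUP, "principalName": "npo-platform-admins",
     "principalType": "Group", "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUB}"},
    {"principalId": DEPLOYER, "principalName": "deployer@example.org",
     "principalType": "User", "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUB}"},
    {"principalId": DEPLOYER, "principalName": "deployer@example.org",
     "principalType": "User", "roleDefinitionName": "User Access Administrator",
     "scope": "/"},
    {"principalId": "33333333-3333-3333-3333-333333333333",
     "principalName": "partner-ops", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB}"},
]

PRIVILEGED = {"Owner", "User Access Administrator"}

def review_handover(assignments, subscription_id, admin_group_id):
    """Return (finding, principal) tuples that block access handover."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    findings, group_is_owner = [], False
    for a in assignments:
        role = a.get("roleDefinitionName")
        scope = (a.get("scope") or "").lower()
        who = a.get("principalName") or a.get("principalId")
        # Elevated access shows up as User Access Administrator at root scope "/".
        if role == "User Access Administrator" and scope == "/":
            findings.append(("elevated-root-access", who))
        if role not in PRIVILEGED or scope != sub_scope:
            continue
        if (a.get("principalType") == "Group" and role == "Owner"
                and a.get("principalId") == admin_group_id):
            group_is_owner = True
        elif a.get("principalType") == "User":
            # Privileged access held by an individual instead of a group.
            findings.append(("direct-user-assignment", who))
    if not group_is_owner:
        findings.append(("admin-group-missing-owner", admin_group_id))
    return findings

if __name__ == "__main__":
    for finding in review_handover(SAMPLE, SUB, ADMIN_GROUP):
        print(finding)
```

An empty result means the customer-owned group holds Owner and no individual or root-scope privileged assignment remains in the export.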
Verify monitoring and alert response
The baseline creates a shared Log Analytics workspace and routes supported platform diagnostics to it. The deployment can also create service health and planned maintenance alert routing when monitoring notification recipients are supplied.
Before treating the environment as alert-response ready:
- Confirm that monitoring notification emails use durable shared mailboxes or distribution lists.
- Confirm that Service Health and Planned Maintenance alerts route to the expected recipients.
- Confirm that platform teams know who responds to alerts and where incidents are tracked.
- Review diagnostic data volume and retention expectations to avoid unexpected monitoring costs.
If monitoring notification recipients aren't supplied, configure alert routing before relying on the environment for operations.
Review budgets and cost ownership
If a monthly budget amount greater than 0 and budget contact emails are provided, the deployment attempts to create a budget with 80% and 100% notifications.
If budget creation is skipped or doesn't complete automatically, review the reason in the deployment result. Common follow-up actions are:
- Create the budget manually in the Azure portal.
- Confirm that the budget amount uses the target subscription's billing currency.
- Add durable finance or operations recipients for budget notifications.
- Grant Cost Management Contributor, Contributor, or Owner on the target budget subscription before rerunning budget creation.
- Wait for Cost Management budget features to become available on a new subscription.
For more information, see Create and manage budgets.
Review governance and policy behavior
Foundation and expanded platform have different governance behavior.
| Deployment path | Post-deployment governance review |
|---|---|
| Foundation | Foundation applies required platform tags to landing-zone-managed resource groups. It doesn't enforce allowed locations and doesn't create or modify a management-group hierarchy. |
| Expanded Platform | Expanded Platform applies allowed-locations governance and required platform tags to the selected platform subscriptions. If an existing platform management group ID is supplied, review the additional governance assignment at that scope. |
Review Azure Policy compliance after deployment, especially if the selected subscriptions already contained resources. The deployment doesn't move, delete, or reconfigure existing resources outside landing-zone-managed resource groups.
Review security choices
Review the security choices selected during deployment and decide whether any follow-up change is needed before workloads use the platform.
| Security area | What to review |
|---|---|
| Key Vault access | Confirm whether Key Vault uses the default public endpoint or private endpoint access. If private endpoint access is enabled, verify DNS resolution from the relevant virtual network. |
| Key Vault purge protection | Foundation leaves purge protection off by default for evaluation reversibility. Enable it before storing platform secrets that must survive accidental deletion. Expanded platform enables purge protection by default unless it's disabled for evaluation teardown. |
| Microsoft Defender for Cloud | Confirm whether paid Defender coverage for Key Vault and storage is enabled. Defender plans for App Service, SQL, Virtual Machines, and Kubernetes aren't enabled by this deployment. Enable workload-specific plans separately when those workloads exist and recurring charges are approved. |
| Operational review | Document privileged access review expectations, audit and platform log retention, and any workload-specific security review boundaries. |
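The Key Vault rows in this table can be checked against the vault's exported configuration. This is an added example, not code from the deployment; it assumes JSON in the shape of `az keyvault show -o json`, and the sample vault and the `deployment_path` labels (`foundation`, `expanded`) are constructed for illustration.

```python
# Constructed sample in the shape of `az keyvault show -o json` (placeholder values).
SAMPLE_VAULT = {
    "name": "kv-example",
    "properties": {
        "enablePurgeProtection": None,   # null or absent means purge protection is off
        "publicNetworkAccess": "Enabled",
        "privateEndpointConnections": [
            {"privateLinkServiceConnectionState": {"status": "Approved"}}
        ],
    },
}

def review_key_vault(vault, deployment_path):
    """Classify access mode and list follow-up actions for one vault."""
    props = vault.get("properties") or {}
    purge = bool(props.get("enablePurgeProtection"))
    # Assumption: a missing publicNetworkAccess value is treated as enabled.
    public = str(props.get("publicNetworkAccess") or "Enabled").lower() != "disabled"
    approved = sum(
        1 for c in props.get("privateEndpointConnections") or []
        if (c.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"
    )
    actions = []
    if public and approved:
        mode = "mixed"
        actions.append("private endpoint is approved but the public endpoint "
                       "is still enabled; confirm the intended access mode")
    elif public:
        mode = "public"
    elif approved:
        mode = "private"
        actions.append("verify DNS resolution from the relevant virtual network")
    else:
        mode = "unreachable"
        actions.append("public access is disabled and no private endpoint is approved")
    if not purge and deployment_path == "foundation":
        actions.append("enable purge protection before storing platform secrets")
    elif not purge:
        actions.append("confirm purge protection was disabled for evaluation teardown")
    return {"access_mode": mode, "purge_protection": purge, "actions": actions}

if __name__ == "__main__":
    print(review_key_vault(SAMPLE_VAULT, "foundation"))
```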
Review networking follow-up tasks
Review networking only for the features selected during deployment.
| Scenario | Follow-up task |
|---|---|
| Foundation simple network baseline | Confirm that the foundation virtual network and subnets match the intended single-subscription design. |
| Foundation private Key Vault access | Confirm that the simple network baseline is enabled and that Key Vault private DNS resolution works from the foundation virtual network. |
| Expanded Platform hub network | Confirm that the hub virtual network exists in the connectivity subscription and that network ownership is documented. |
| GatewaySubnet reservation | If the GatewaySubnet is reserved, plan VPN gateway, ExpressRoute gateway, or Azure Virtual WAN deployment separately. The landing zone reserves the subnet only; it doesn't create gateway resources, public IP addresses, or connection objects. |
| Expanded Platform private Key Vault access | Validate private DNS resolution for the shared platform Key Vault from the hub network before relying on private-only access. |
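The private DNS checks for Key Vault in the two private-access rows above come down to one test: from a machine inside the virtual network, the vault hostname must resolve only to private addresses. This is an added example, not part of the landing zone; it assumes the public-cloud hostname pattern `<vault-name>.vault.azure.net`, and the vault name and addresses in the sample run are constructed.

```python
import ipaddress
import socket

def system_resolver(host):
    """Resolve with the machine's configured DNS; run this from inside the VNet."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_private_resolution(vault_name, resolver=system_resolver):
    """Return a verdict on whether the vault name resolves to private IPs only."""
    host = f"{vault_name}.vault.azure.net"   # assumption: Azure public cloud suffix
    try:
        addresses = resolver(host)
    except OSError:                          # includes socket.gaierror (NXDOMAIN etc.)
        addresses = []
    private = [a for a in addresses if ipaddress.ip_address(a).is_private]
    if not addresses:
        verdict = "unresolved"   # DNS zone not linked, or the record is missing
    elif len(private) == len(addresses):
        verdict = "private"      # traffic will use the private endpoint
    elif private:
        verdict = "mixed"        # split answers; clients may still reach the public endpoint
    else:
        verdict = "public"       # the private DNS zone is not being consulted
    return {"host": host, "addresses": addresses, "verdict": verdict}

if __name__ == "__main__":
    # Constructed resolver answers stand in for real lookups so this runs offline.
    print(check_private_resolution("kv-example", lambda h: ["10.10.1.4"]))
    print(check_private_resolution("kv-example", lambda h: ["203.0.113.10"]))
```

Call `check_private_resolution("<vault-name>")` without a resolver argument to use the machine's real DNS configuration.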
Optional transition tasks
If you're transitioning an existing foundation deployment to the expanded platform and the existing foundation virtual network must stay reachable during the transition window, use Peer a foundation virtual network with an Expanded Platform hub.
This procedure is needed only for existing foundation deployments that include the simple network baseline. It isn't required when the foundation deployment doesn't have virtual networks that need to remain reachable, or when workloads can be migrated without temporary connectivity.