Microsoft partner pushes an Azure landing zone, sounds like overkill
A full Cloud Adoption Framework landing zone with management groups, policy and Sentinel is often more infrastructure than application for an organization of 5 to 30 staff. A trimmed version usually fits better.
Try this first
1. Start with one production and one non-production subscription, not twelve.
2. Force MFA, named admin accounts, and cost alerts from day one. That part is non-negotiable.
3. Skip Sentinel and Defender for Cloud Plan 2 until you actually have a SOC or MDR.
4. Add Azure Policy only where you have a real rule, not "best practice" off a PDF.
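
One way to turn the four steps above into a repeatable check, as an added example that is not part of the original page: a Python audit over a constructed tenant inventory. The inventory layout, its field names and the generic-account pattern are assumptions for illustration; fill the dictionary from your own exports.

```python
import re

# Assumed heuristic: UPNs like these are shared or generic, not named, admin accounts.
GENERIC = re.compile(r"^(admin|administrator|root|it|shared|support)\d*@", re.I)

def audit(inv):
    """Return findings for a tenant inventory (dict layout is hypothetical)."""
    out = []
    subs = inv["subscriptions"]
    if not {"prod", "nonprod"} <= {s["env"] for s in subs}:
        out.append("SUBS: need one production and one non-production subscription")
    if len(subs) > 2:
        out.append(f"SUBS: {len(subs)} subscriptions, justify each beyond prod/non-prod")
    for s in subs:
        if not s.get("cost_alert"):
            out.append(f"COST: no cost alert on {s['name']}")
    for a in inv["accounts"]:
        if a.get("admin") and GENERIC.match(a["upn"]):
            out.append(f"ADMIN: {a['upn']} is not a named admin account")
        if not a.get("mfa"):
            out.append(f"MFA: not enforced for {a['upn']}")
    if not inv.get("has_soc_or_mdr"):
        for svc in inv.get("paid_security_services", []):
            out.append(f"SPEND: {svc} is on, but no SOC or MDR handles its alerts")
    for p in inv.get("policy_assignments", []):
        if not p.get("rule_source"):
            out.append(f"POLICY: '{p['name']}' has no documented rule behind it")
    return out

# Constructed sample inventory, not real tenant data.
SAMPLE = {
    "subscriptions": [
        {"name": "example-prod", "env": "prod", "cost_alert": True},
        {"name": "example-dev", "env": "nonprod", "cost_alert": False},
        {"name": "example-sandbox", "env": "sandbox", "cost_alert": True},
    ],
    "accounts": [
        {"upn": "admin@example.com", "admin": True, "mfa": True},
        {"upn": "j.devries.adm@example.com", "admin": True, "mfa": False},
        {"upn": "s.jansen@example.com", "admin": False, "mfa": True},
    ],
    "has_soc_or_mdr": False,
    "paid_security_services": ["Microsoft Sentinel"],
    "policy_assignments": [
        {"name": "Allowed locations", "rule_source": "customer contract: EU data residency"},
        {"name": "Imported baseline initiative", "rule_source": ""},
    ],
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty result means the tenant matches the trimmed baseline; each finding is prefixed with the step it violates.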
When to bring us in
Regulated industries (healthcare, finance) or a future NIS2 role: a full landing zone earns its keep, but tie the design to the law, not to a template.
See also
- Everyone logs in with the AWS root account: Root is for emergencies and billing. Day-to-day work belongs in IAM users or SSO.
- Every developer has AdministratorAccess: AdministratorAccess everywhere is convenient now, painful later. Start with role-based policies.
- Everyone has individual IAM users with their own password: Identity Center (formerly AWS SSO) links to your IdP and issues temporary credentials per session.