-
I tested the deployment of the Azure Landing Zones in using the portal. Depending on the selections made, various services principals are created and assigned to the top management group and some at the subscription levels with different roles. I feel sorry for the questions. Thanks in advance! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment
-
Hey @zorglob, No worries happy to answer. So all the SPNs you see at the top management group, and they will also be on other management groups, are for the policy assignments that require permissions to complete remediation tasks. Please dont remove these as it will stop the policies from being able to work as designed. This is documented further here: https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#why-are-managed-identities-deployed-as-part-of-the-alz-policies The identity |
Beta Was this translation helpful? Give feedback.
Hey @zorglob,
No worries happy to answer.
So all the SPNs you see at the top management group, and they will also be on other management groups, are for the policy assignments that require permissions to complete remediation tasks. Please dont remove these as it will stop the policies from being able to work as designed. This is documented further here: https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#why-are-managed-identities-deployed-as-part-of-the-alz-policies
The identity
id-ama-prod-northeurope-001
is used for the Azure Monitor Agent and is critical for this to work, so please dont remove this either. Again this is documented further here https://github.com/Azure/Enterpri…