What we do?
The simple, safe and fast track to adopting and operating Microsoft Azure
Fellowmind Managed Platform (FMP) is a tenant-wide solution,
based on a platform and modules delivered as Software-as-a-Service,
maintained by our Platform team, and supported by our Managed Services
team. It is based on Fellowmind's best practice and experience from
multiple customer engagements and aligned with Enterprise Scale as
understood in Microsoft Cloud Adoption Framework (CAF).
All services are distributed to the Azure environments in your tenant through
CI/CD pipelines at Fellowmind.
For that reason, Fellowmind Managed Platform (FMP) is not a downloadable
package. It is a service comprised of modular software, with quality, support,
maintenance, documentation and backing from Fellowmind. It is composed of
a Managed Platform with everything included; all the central features
and functions, management, governance, automation and scalability.
What we do?
Everything you need to fast track your Azure deployments in a scalable and secure manner
The implementation process starts with a design workshop facilitated and executed
by our dedicated Fellowmind Managed Platform (FMP) team. The team provides best
practices and recommendations, facilitates decisions on your desired configuration,
policies, and modules, and then performs an automated
implementation in your preferred Azure Region(s)."
To ensure a solid update and customization process, configuration is maintained
as code, but separated from the platform code.
As part of our Fellowmind Managed Platform (FMP), we take care of your entire Azure platform.
As a result, we have integrated monitoring, security, and governance in the platform.
A selection of key features within the Managed Platform:
- Resource structure & organization
- Governance, Security and Compliance controls
- Management, logging, and patching
- Cost control and optimization
- Network topology & connectivity
- Landing Zone orchestration
Business Value
From a business perspective
When viewed from various perspectives, the platform delivers several notable process and technical advantages, as detailed below.
CIO Perspective
- A standardized delivery which is easy to use, expand and operate
- Service Catalogs enables self-service to individuals, teams or project manager
- Fewer critical or high impact cases and shorter time to recovery
- Avoid the dependency on key-employees
- Better control over budgets
Architect Perspective
- Easy to deploy a set of services and servers
- Integrated into the pipeline developers already use
- Better security utilizing governance and compliance controls
- Enables the transformation to native cloud and services
- Fast track to have compliance and security in place
Operations Perspective
- Automation saves time and provides consistency and flexibility
- Version control, tracking and change management ensure quality
- Automates recovery and deployment
- Free up time - leaving more time for innovation and improvements
- SaaS without the vendor lock-in
Services
These are in place to make sure that all modules of the managed platform are stable, secure, and evergreen.
- Governance
- Fellowmind establishes the tooling needed to support Azure governance, compliance auditing and automated guardrails, as well as provisioning landing zones.
- Continuous platform updates
- Fellowmind updates the platform on a continuous basis with new features, updates, emergency patches all applied ad-hoc. Detailed feature list of infrastructure can be found in the documentation service.
- Resolution of high priority incidents
- Fellowmind does resolution of high-priority incidents during office hours, 08:30-16:30 CET/CEST.
- Compliance reporting
- Fellowmind will send monthly compliance reports on set policies.
- Budget reporting
- Fellowmind will send monthly budget reports on set budgets.
- Platform monitoring and alerting
- Fellowmind monitors all services within the platform and handles alerts. Monitoring baseline is documented in the documentation service.
- Virtual machine services
- Fellowmind will continuously update Windows and Linux Operating systems according to chosen patch management strategy.
- Fellowmind monitors and do proactive maintenance of backups, assign default backup strategy to VMs.
- Fellowmind onboards virtual machines to Microsoft Defender for Servers and does alert dispatching.
- Service management meetings
- Fellowmind facilitates quarterly meetings with the purpose giving insights into future and current topics like, cost optimization, features, services and projects. This to identify potentials for the customer to deliver an improved quality of service and more cost effective service.
Deliveries
Fellowmind provides the following deliveries as part of the Managed Platform
- Fellowmind delivers a uniform structure of the Azure platform
- This means that all applications are built on the same principles, including networks, governance, logs, etc. They are subject to the same policies/rules/security principles based on what is currently Microsoft best practice.
- Regulatory Compliance
- It's possible to attach specific frameworks to the platform, such as NIS2 etc.
- Platform monitoring and alerting
- Fellowmind monitors the entire platform unless otherwise agreed, using a large set of standard alarms defined by Fellowmind. These alarms are either tenant wide alarms or platform specific alarms. Additionally, Fellowmind delivers a baseline set of catalog alarms.
- Reporting
- On a monthly basis, Fellowmind delivers reporting on usage, cost, security and compliance.
- Diagnostics and resource logs
- All set-up of diagnostics and resource logs on all resources, and their handling, are uniform.
- Platform resources
- The Managed Platform and its components are continuously updated as Microsoft features and services are updated or when Microsoft introduces new services.
- Identity and access management
- Identity and access management are governed uniformly. By automating assignment and mapping of Azure Roles with Entra Id Groups.
- Documentation
- All documentation is hosted as a web app to provide single site for all platform related documentation, uniform way of ordering new service requests, lookinto Roadmap and releases and be used in connection with risk management, controls and compliance.
Responsibilities
These are the responsibilities and how they are divided between the platform and the landing zone
| Subject | Platform Platform Responsibility | Landingzone Landingzone Responsibility |
|---|---|---|
| Policy Azure policy | Deploys recommend policies | Responsible for compliance in landing zones |
| Alerts Alerts | Deploys health and service alerts | Deploy specific resource alerts and take action |
| Network Network | Configures network solution (hub and spoke) and deploy peered VNets *Corp Landing Zones only* | Use the peered VNets and request firewall rules when needed |
| Cost Cost and budgets | Deploys budgets with thresholds and anomaly detection | Adhere to and evaluate budget, request updates |
| Tags Tags | Deploys tags on subscription which is inherited to resources | Configure specific values on resources which should not inherit from the subscription (e.g. Different budget code) |
| Backup Backup | Deploys recovery service vault and default backup policies | Onboard servers to the recovery service vault |
| Access Access management | Deploys Entra ID groups, configures PIM, and assigns to scopes throughout the Azure hierarchy | Add and remove members to groups |
| Update Update Management | Deploys Central maintenance configuration schedules and policy | Set Azure tag for configuring update management on a per VM basis |
| Logs Logging | Deploys central log analytics workspace and set up data collection rules. Configure diagnostic settings logs for supported Azure PaaS. Can set a default VM tag for default log ingestion | Add additional tag on VMs which are to extract extra logs than the default |
Architecture
This is the architecture of the Fellowmind Managed Platform
Features
Overview of the managed platform feature and a comparison with the Microsoft provided 'ALZ'
Microsoft Azure Landing Zone reference implementation.
Standard (for all customers)
Optional (based on customer needs)
ALZ = Microsoft ALZ
FM = Fellowmind
GSC (Governance, Security & Compliance)
| Feature | ALZ Microsoft ALZ | FM Fellowmind | |
|---|---|---|---|
| Hierarchy | (Hierarchy) Idempotent configuration of Management Groups and Subscriptions Idempotent configuration of Management Groups and Subscriptions | ||
| Subscription lifecycle | (Subscription lifecycle) Management of pre-ordered subscriptions available for immediate use for new Landing Zones Management of pre-ordered subscriptions available for immediate use for new Landing Zones | ||
| Policy | (Policy) Idempotent configuration of Azure Policy Initiatives, Definitions, Assignments, and Exemptions Idempotent configuration of Azure Policy Initiatives, Definitions, Assignments, and Exemptions | ||
| Policy | (Policy) Automated policy remediation Automated policy remediation | ||
| Subscription lifecycle | (Subscription lifecycle) Deletion of unused Landing Zones after end of lifecycle using Azure tags Deletion of unused Landing Zones after end of lifecycle using Azure tags | ||
| Subscription lifecycle | (Subscription lifecycle) Repurpose of decommissioned landing zones for future landing zones Repurpose of decommissioned landing zones for future landing zones | ||
| Resource lifecycle | (Resource lifecycle) Automated deletion of resources based on tags to control lifecycle and avoid runaway consumption. (Commonly for Dev/Test) Automated deletion of resources based on tags to control lifecycle and avoid runaway consumption. (Commonly for Dev/Test) | ||
| RBAC | (RBAC) Idempotent configuration of Entra Id Groups which are assigned to Azure RBAC roles Idempotent configuration of Entra Id Groups which are assigned to Azure RBAC roles | ||
| RBAC | (RBAC) Removal of Classic Administrator access on subscriptions Removal of Classic Administrator access on subscriptions | ||
| RBAC | (RBAC) Automatic cleanup of direct access created on management groups and subscriptions Automatic cleanup of direct access created on management groups and subscriptions | ||
| RBAC | (RBAC) Add users and service principals to Entra Id Groups as Group members & owners Add users and service principals to Entra Id Groups as Group members & owners | ||
| Landing Zone | (Landing Zone) Landing zone orchestration using Azure Blueprint Assignments Landing zone orchestration using Azure Blueprint Assignments | ||
| PIM | (PIM) Enrollment of Azure Access using Entra Id Group Enrollment of Azure Access using Entra Id Group | ||
| PIM | (PIM) Privileged Identity Management enrollment of Entra Id Role access using Entra Id Group Privileged Identity Management enrollment of Entra Id Role access using Entra Id Group | ||
| Reporting | (Reporting) Monthly report of Azure Consumption for each subscription in excel format Monthly report of Azure Consumption for each subscription in excel format | ||
| Reporting | (Reporting) Monthly report of centralized log analytics usage broken down on subscription usage in excel format Monthly report of centralized log analytics usage broken down on subscription usage in excel format | ||
| Reporting | (Reporting) Monthly report of centralized log analytics usage broken down on resource type in excel format Monthly report of centralized log analytics usage broken down on resource type in excel format | ||
| Reporting | (Reporting) Monthly report of Azure Policy compliance for each subscription in excel format Monthly report of Azure Policy compliance for each subscription in excel format | ||
| Reporting | (Reporting) Monthly report of Azure Secure Score for each subscription in excel format Monthly report of Azure Secure Score for each subscription in excel format | ||
| Reporting | (Reporting) Monthly report of Azure advisor score for each subscription in excel format Monthly report of Azure advisor score for each subscription in excel format | ||
| Operations | (Operations) Patch management enrollment using Azure Tags Patch management enrollment using Azure Tags |
Management
| Feature | ALZ Microsoft ALZ | FM Fellowmind | |
|---|---|---|---|
| Patching | (Patching) Centralized Patch Management for Linux and Windows VMs Centralized Patch Management for Linux and Windows VMs | ||
| Logging | (Logging) Central logging for all landing zones Central logging for all landing zones | ||
| Logging | (Logging) Automated Diagnostic Logs Collection for known and supported resources in Azure Automated Diagnostic Logs Collection for known and supported resources in Azure | ||
| VM Management | (VM Management) Azure AutoManage custom profiles ready to onboard landing zone VMs Azure AutoManage custom profiles ready to onboard landing zone VMs | ||
| Security | (Security) Azure sentinel ready (Online Landing zone) Azure sentinel ready (Online Landing zone) | ||
| Event Management | (Event Management) Centralized alerting for Tenant-wide alerts Centralized alerting for Tenant-wide alerts | ||
| Event Management | (Event Management) Alert Catalogue for common alerts to be used as a reference when building Landing Zones Alert Catalogue for common alerts to be used as a reference when building Landing Zones | ||
| Event Management | (Event Management) ITSM Integration ITSM Integration | ||
| Operations | (Operations) Azure Monitor Workbooks for Tenant-wide monitoring Azure Monitor Workbooks for Tenant-wide monitoring | ||
| Operations | (Operations) Graph queries for Tenant-wide monitoring Graph queries for Tenant-wide monitoring |
Landing Zone
| Feature | ALZ Microsoft ALZ | FM Fellowmind | |
|---|---|---|---|
| Governance | (Governance) Provisioning of infrastructure baseline in Landing Zones to get started quickly Provisioning of infrastructure baseline in Landing Zones to get started quickly | ||
| Governance | (Governance) Standardized tagging for Landing Zones Standardized tagging for Landing Zones | ||
| Connectivity | (Connectivity) Network spoke provisioning (Corp Landing Zone only) Network spoke provisioning (Corp Landing Zone only) | ||
| Connectivity | (Connectivity) Network hub peering (Corp Landing Zone only) Network hub peering (Corp Landing Zone only) | ||
| Connectivity | (Connectivity) Inter-Landing Zone Direct network peering (Corp Landing Zone only) Inter-Landing Zone Direct network peering (Corp Landing Zone only) | ||
| Connectivity | (Connectivity) Enroll Landing Zone provisioned resources to specific a subnet in the Landing Zone (Using Private Endpoint - Corp Landing Zone only) Enroll Landing Zone provisioned resources to specific a subnet in the Landing Zone (Using Private Endpoint - Corp Landing Zone only) | ||
| Management | (Management) Centralized management of select resources created in Landing Zones Centralized management of select resources created in Landing Zones | ||
| Management | (Management) Landing Zone updates at scale Landing Zone updates at scale | ||
| Management | (Management) Backup policy baseline for Landing Zones Backup policy baseline for Landing Zones | ||
| Management | (Management) Azure Advisor baseline configuration for Landing Zones Azure Advisor baseline configuration for Landing Zones | ||
| Operations | (Operations) Alert processing architecture for Landing Zones Alert processing architecture for Landing Zones | ||
| Operations | (Operations) Resource Health Monitoring dispatch for Landing Zones Resource Health Monitoring dispatch for Landing Zones | ||
| Operations | (Operations) Budgets and threshold notifications for Landing Zones Budgets and threshold notifications for Landing Zones | ||
| Operations | (Operations) Security event notification for Landing Zones Security event notification for Landing Zones |
Connectivity
| Feature | ALZ Microsoft ALZ | FM Fellowmind | |
|---|---|---|---|
| SD-WAN | (SD-WAN) Connectivity architecture with Azure Virtual WAN or Standalone Resource Implementation (VPN Gateway, Azure Firewall, etc.) Connectivity architecture with Azure Virtual WAN or Standalone Resource Implementation (VPN Gateway, Azure Firewall, etc.) | ||
| SD-WAN | (SD-WAN) Full mesh global hybrid connectivity using SD-WAN Full mesh global hybrid connectivity using SD-WAN | ||
| Network Hub | (Network Hub) Standalone Network Resource implementation (Hubs without vWAN) Standalone Network Resource implementation (Hubs without vWAN) | ||
| Firewall | (Firewall) Regional Azure Firewalls to add security between Landing zone networks and to and from the public internet Regional Azure Firewalls to add security between Landing zone networks and to and from the public internet | ||
| Local Connectivity | (Local Connectivity) to privately linked Azure PaaS Resources in Corp Landing Zones using Azure Private Link and Private Endpoints to privately linked Azure PaaS Resources in Corp Landing Zones using Azure Private Link and Private Endpoints | ||
| Front Door | (Front Door) A Central Front Door with WAF to provide a globally distributed single-entry point for web applications hosted in landing zones A Central Front Door with WAF to provide a globally distributed single-entry point for web applications hosted in landing zones | ||
| Application Gateway | (Application Gateway) A central Application Gateway with WAF to provide regionally distributed entry points for web applications hosted in landing zones A central Application Gateway with WAF to provide regionally distributed entry points for web applications hosted in landing zones | ||
| DNS | (DNS) Centralized DNS management for Landing Zones Centralized DNS management for Landing Zones | ||
| DNS | (DNS) Private DNS Resolver for Landing Zones Private DNS Resolver for Landing Zones |
Identity
| Feature | ALZ Microsoft ALZ | FM Fellowmind | |
|---|---|---|---|
| Identity | (Identity) Domain controllers hosted in Virtual Machines, and their associated resources Domain controllers hosted in Virtual Machines, and their associated resources | ||
| Governance | (Governance) User Access Managed Identity for various Platform modules User Access Managed Identity for various Platform modules |
Documentation
| Feature | ALZ Microsoft ALZ | FM Fellowmind | |
|---|---|---|---|
| Documentation | (Documentation) Centralized and automated documentation site build on docusaurus Centralized and automated documentation site build on docusaurus | ||
| Documentation | (Documentation) Autogenerated documentation updated hourly Autogenerated documentation updated hourly | ||
| Product lifecycle | (Product lifecycle) Product roadmap documentation Product roadmap documentation | ||
| Product lifecycle | (Product lifecycle) Product release notes documentation Product release notes documentation |
Azure DevOps
| Feature | ALZ Microsoft ALZ | FM Fellowmind | |
|---|---|---|---|
| DevOps Projects | (DevOps Projects) Create an Azure DevOps Project for each Landing Zone Create an Azure DevOps Project for each Landing Zone | ||
| DevOps Projects | (DevOps Projects) Entra Id Groups for license and access management to Azure DevOps projects Entra Id Groups for license and access management to Azure DevOps projects | ||
| DevOps Projects | (DevOps Projects) Configure Azure Resource Manager Service Connections with access to Landing Zone Subscriptions Configure Azure Resource Manager Service Connections with access to Landing Zone Subscriptions | ||
| DevOps Projects | (DevOps Projects) Configure Azure DevOps project with policies and build validation for GitHub Flow branch strategy Configure Azure DevOps project with policies and build validation for GitHub Flow branch strategy | ||
| DevOps Projects | (DevOps Projects) Provision Landing Zones with an IaC repository and multi-stage pipeline baseline Provision Landing Zones with an IaC repository and multi-stage pipeline baseline | ||
| DevOps Projects | (DevOps Projects) Daily backup of Azure DevOps Repositories with full git history Daily backup of Azure DevOps Repositories with full git history | ||
| Service Connection | (Service Connection) Federated identities using Open Id Connect in a Managed DevOps Projects Federated identities using Open Id Connect in a Managed DevOps Projects |
Azure DevOps Self-Hosted Pipeline Agents
| Feature | ALZ Microsoft ALZ | FM Fellowmind | |
|---|---|---|---|
| DevOps | (DevOps) Self-managed build agent pools for Azure DevOps running on Azure VMs or Containers Self-managed build agent pools for Azure DevOps running on Azure VMs or Containers |
Book a demo
Book a demo to get a closer look at the Managed Platform and how we can help your organization. Our team of experts will guide you through the features and benefits, ensuring you get the most out of our services. Whether you're looking to improve efficiency, enhance security, or scale your operations, our demo will provide you with the insights you need to make an informed decision.
Book a Demo