Azure
Fellowmind Managed Platform for Azure — a fully managed, governed, and continuously updated platform delivered into your tenant.
What we do
Your Azure platform, fully managed
Under the shared responsibility model, Azure runs the cloud itself; configuring, securing and operating what you deploy in it remains your responsibility. FMP fills that gap. Fellowmind handles governance, security, compliance, monitoring, and continuous updates, all delivered directly into your Azure tenant.
- ✓ Pre-built governance and compliance frameworks reduce operational risks
- ✓ Comprehensive service catalogue streamlines service requests and platform changes
- ✓ Dedicated customer portal — manage service requests, monitor your platform, and track incidents in one place
- ✓ Financial transparency supports effective budgets and cost management
- ✓ Automation and 24/7 operations ensure stability, platform updates, and incident management
- ✓ All resources and data reside in your tenant
- ✓ Built on Microsoft's Azure Landing Zone reference architecture with Zero Trust principles applied, for stronger protection, compliance, and scalability from day one
- ✓ Strategic partnership that fosters innovation and business growth
Why FMP
Modern applications require a modern platform
AI, cloud-native workloads, and modern SaaS solutions demand a platform that is secure, governed, and ready from day one. Without the right foundation, innovation stalls — teams spend months building infrastructure instead of delivering value.
FMP gives you that foundation instantly. So when the next wave of AI tools or cloud services arrives, you can adopt them in days — not quarters.
- ✓ Adopt AI and cloud-native services faster
- ✓ Compliance and governance built-in from the start
- ✓ Landing Zones ready for any workload
- ✓ Your team focuses on innovation, not infrastructure
Business value
Built for the whole organisation
- ✓ Standardised, scalable delivery
- ✓ Fewer critical incidents
- ✓ Full budget visibility
- ✓ Compliance from day one
- ✓ Integrates with existing pipelines
- ✓ Accelerates cloud-native adoption
- ✓ Ready-to-use landing zones for every workload
- ✓ Deploy AI and cloud-native services without infrastructure overhead
- ✓ Governed environment that doesn't slow you down
- ✓ Automated recovery and deployment
- ✓ More time for innovation
- ✓ SaaS — no vendor lock-in
For Application Owners
You shouldn't need to be an Azure infrastructure expert to run your workloads. Here's what FMP handles for you — so you can focus on the applications that actually deliver business value.
| Without FMP | With FMP |
|---|---|
| Piece together your own Azure platform from scratch: design a management group hierarchy, decide on naming conventions, pick a network topology, write policies, set up monitoring, and hope all the pieces fit. Every decision is a one-off and nothing is reusable across teams or environments. | Get a fully managed Azure platform with an opinionated, proven architecture: management group hierarchy, landing zone patterns, governance baseline, connectivity hub, identity, monitoring, and cost management, all continuously updated and operated by Fellowmind. |
| Open an IT ticket for a bare Azure subscription, then spend days configuring RBAC groups, tags, resource providers, backup vaults, and service health alerts. Every new environment restarts the cycle from zero. | Request a landing zone and receive a fully provisioned environment: placement in the management group hierarchy, subscriptions per DTAP stage (Development, Test, Acceptance, Production), pre-created resource groups, backup policies, service health alerts, and audited tags. Productive on day one. |
| Define your own Azure Policy initiatives, write custom definitions, assign them at the right scopes, and remediate non-compliant resources yourself. Drift accumulates silently and auditors arrive unannounced. | Policies are managed as code and deployed idempotently: assignments no longer referenced in code are removed automatically, remediation runs continuously, and monthly compliance reports are generated for you. |
| Manually create VNets, figure out address spaces, set up hub peering, configure route tables, open firewall rules, and link Private DNS zones. One wrong route and traffic disappears into a black hole. | Your Corp landing zone ships with a VNet peered to the regional hub, correct route tables, managed firewall rules, and centrally managed Private DNS, so Private Endpoints just work. |
| Manually create Entra ID groups, assign RBAC roles at multiple scopes, and hope nobody grants direct assignments that bypass PIM. Enable Defender for Cloud plan by plan, per subscription, forgetting half the workload protections. | Entra ID groups are auto-created per scope and role, with optional PIM and Access Reviews. Direct role assignments that bypass the groups are cleaned up automatically. Defender for Cloud is enabled across all subscriptions via policy. |
| Forget to create budget alerts and get a surprise bill. Dev/test VMs run 24/7 because nobody configured auto-shutdown. Patch Tuesday is a manual scramble across every subscription. | Every subscription ships with budget thresholds and anomaly alerts. Dev/test VMs auto-start/stop via tags. VM patching runs on centralized maintenance schedules. Monthly cost and compliance reports land in your inbox. |
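The policy-as-code and RBAC behaviour described above (assignments declared in code, applied idempotently, direct access that is not described removed) comes down to one pattern: desired-state reconciliation. The block below is an added example in Python and is not Fellowmind's code. The RoleAssignment and PolicyAssignment model, the scope strings, the group names, and the rule that only management-group and subscription scopes are governed (resource-group scope is left to landing zone owners) are assumptions constructed for illustration.

```python
"""Desired-state reconciliation of Azure RBAC and Azure Policy assignments.

Added example, not Fellowmind's code: the data model, scope strings, group
names and the governed-scope rule are assumptions constructed here.
"""
from dataclasses import dataclass

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

@dataclass(frozen=True)
class RoleAssignment:
    scope: str           # management group, subscription or lower scope
    role: str            # role definition name, e.g. "Reader"
    principal_id: str    # object id of the group, user or service principal
    principal_type: str  # "Group", "User" or "ServicePrincipal"

@dataclass(frozen=True)
class PolicyAssignment:
    scope: str
    definition: str      # policy or initiative definition name

def is_governed_scope(scope):
    """Only management groups and whole subscriptions are reconciled; resource
    group and resource scopes belong to the landing zone owners."""
    if scope.startswith(MG_PREFIX):
        return True
    parts = scope.strip("/").split("/")
    return len(parts) == 2 and parts[0] == "subscriptions"

def reconcile(desired, actual):
    """Return (to_create, to_delete). Plain set difference makes the plan
    idempotent: once applied, a second run yields two empty sets."""
    desired, actual = frozenset(desired), frozenset(actual)
    return desired - actual, actual - desired

def plan_rbac(declared_groups, actual):
    """declared_groups: {scope: {role: group_object_id}}. Any governed-scope
    assignment the model does not produce, including a direct user grant that
    bypasses the PIM-enabled groups, is scheduled for deletion."""
    desired = {
        RoleAssignment(scope, role, group, "Group")
        for scope, roles in declared_groups.items()
        for role, group in roles.items()
    }
    governed = {a for a in actual if is_governed_scope(a.scope)}
    return reconcile(desired, governed)

def plan_policy(declared_policies, actual):
    """declared_policies: {scope: [definition names]}. Assignments no longer
    referenced in code are removed instead of being left to drift."""
    desired = {
        PolicyAssignment(scope, name)
        for scope, names in declared_policies.items()
        for name in names
    }
    governed = {a for a in actual if is_governed_scope(a.scope)}
    return reconcile(desired, governed)

def apply_plan(actual, to_create, to_delete):
    """Simulate applying a plan to the live state."""
    return (set(actual) - set(to_delete)) | set(to_create)

# Constructed sample state, not real tenant data.
CORP_MG = MG_PREFIX + "corp"
SUB_A = "/subscriptions/00000000-0000-0000-0000-00000000000a"
DECLARED_GROUPS = {
    CORP_MG: {"Reader": "grp-corp-reader"},
    SUB_A: {"Contributor": "grp-sub-a-contributor", "Reader": "grp-sub-a-reader"},
}
ACTUAL_RBAC = [
    RoleAssignment(CORP_MG, "Reader", "grp-corp-reader", "Group"),
    RoleAssignment(SUB_A, "Contributor", "grp-sub-a-contributor", "Group"),
    # Direct Owner grant to a user at subscription scope: undeclared, removed.
    RoleAssignment(SUB_A, "Owner", "user-alice", "User"),
    # Resource group scope is not governed by the platform: left untouched.
    RoleAssignment(SUB_A + "/resourceGroups/rg-app", "Contributor",
                   "sp-app-deploy", "ServicePrincipal"),
]
DECLARED_POLICIES = {CORP_MG: ["deny-public-ip", "inherit-subscription-tags"]}
ACTUAL_POLICY = [
    PolicyAssignment(CORP_MG, "deny-public-ip"),
    PolicyAssignment(CORP_MG, "legacy-audit-vm-extensions"),  # unreferenced
]

if __name__ == "__main__":
    for label, plan in (("RBAC", plan_rbac(DECLARED_GROUPS, ACTUAL_RBAC)),
                        ("Policy", plan_policy(DECLARED_POLICIES, ACTUAL_POLICY))):
        print(label, "create:", sorted(map(str, plan[0])))
        print(label, "delete:", sorted(map(str, plan[1])))
```

Running the plan against the state it produces yields an empty plan, which is the idempotency property that makes repeated, scheduled runs safe. Filtering to governed scopes before diffing is the guard that keeps cleanup from removing resource-group-level access that landing zone owners granted legitimately inside their own subscriptions; without it, the same set difference would delete every assignment the platform model does not know about.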
Onboarding in four easy steps
From first meeting to live platform — a structured, low-friction process.
Data collection session
A requirements workshop that captures the information needed to shape the platform to your needs.
Implementation
Deploying pipelines, setting up the platform, and onboarding your landing zones.
Onboarding session
Guidance on effectively navigating and utilising the platform, including a deeper walk-through of all key capabilities.
Start innovating
Continual collaboration and a recurring cycle of maintenance, updates, and strategic reviews.
Services
These are in place to make sure that all modules of the managed platform are stable, secure, and evergreen.
Deliveries
Fellowmind provides the following deliveries as part of the Managed Platform.
Features
Overview of managed platform features and a comparison with Microsoft Azure Landing Zone (ALZ).
GSC (Governance, Security & Compliance)
Core set of features to establish Governance, Security and Compliance baseline for Azure Landing Zones with the Fellowmind Managed Platform. These features are foundational and often required as a prerequisite for other features in the platform.
| Feature | Description | Microsoft ALZ | Fellowmind |
|---|---|---|---|
| Hierarchy | Idempotent configuration of Management Groups and Subscriptions | | |
| Subscription lifecycle | Management of pre-ordered subscriptions available for immediate use for new Landing Zones | | |
| Policy | Idempotent configuration of Azure Policy Initiatives, Definitions, Assignments, and Exemptions | | |
| Policy | Automated policy remediation | | |
| Subscription lifecycle | Deletion of unused Landing Zones after end of lifecycle using Azure tags | | |
| Subscription lifecycle | Repurpose of decommissioned landing zones for future landing zones | | |
| Resource lifecycle | Automated deletion of resources based on tags to control lifecycle and avoid runaway consumption. (Commonly for Dev/Test) | | |
| RBAC | Idempotent configuration of Entra ID groups that are assigned to Azure RBAC roles | | |
| RBAC | Removal of Classic Administrator access on subscriptions | | |
| RBAC | Automatic cleanup of direct access created on management groups and subscriptions | | |
| RBAC | Add users and service principals to Entra ID groups as group members and owners | | |
| Landing Zone | Landing zone orchestration using Azure Blueprint assignments (Azure Blueprints is a preview feature that Microsoft has announced for deprecation) | | |
| PIM | Privileged Identity Management enrollment of Azure resource access using Entra ID groups (requires Entra ID P2) | | |
| PIM | Privileged Identity Management enrollment of Entra ID role access using Entra ID groups (requires Entra ID P2) | | |
| Access Review | Configuration of Access Reviews for Entra ID groups (requires Entra ID P2) | | |
| Reporting | Monthly report of Azure consumption for each subscription, in Excel format | | |
| Reporting | Monthly report of centralized Log Analytics usage broken down by subscription, in Excel format | | |
| Reporting | Monthly report of centralized Log Analytics usage broken down by resource type, in Excel format | | |
| Reporting | Monthly report of Azure Policy compliance for each subscription, in Excel format | | |
| Reporting | Monthly report of Azure Secure Score for each subscription, in Excel format | | |
| Reporting | Monthly report of Azure Advisor score for each subscription, in Excel format | | |
| Operations | Patch management enrollment using Azure Tags | | |
Management
Centralized Logging, Monitoring, Alerting and Automation features to manage and operate Landing Zones at scale with the Fellowmind Managed Platform.
| Feature | Description | Microsoft ALZ | Fellowmind |
|---|---|---|---|
| Patching | Centralized Patch Management for Linux and Windows VMs | | |
| Logging | Central logging for all landing zones | | |
| Logging | Automated Diagnostic Logs Collection for known and supported resources in Azure | | |
| VM Auto-Start/Stop | Automated Start/Stop of VMs based on tags to save costs | | |
| Security | Microsoft Sentinel (formerly Azure Sentinel) ready (Online Landing Zone) | | |
| Event Management | Centralized alerting for Tenant-wide alerts | | |
| Event Management | Alert Catalogue for common alerts to be used as a reference when building Landing Zones | | |
| Event Management | ITSM Integration | | |
| Operations | Azure Monitor Workbooks for Tenant-wide monitoring | | |
| Operations | Graph queries for Tenant-wide monitoring | | |
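Tag-driven VM automation (the auto start/stop feature in the table above and the tag-based resource deletion feature in the GSC table) rests on a small decision function that a scheduled job runs over the VM inventory. The block below is an added example in Python, not Fellowmind's code; the tag names AutoStartStop and ExpiresOn, the schedule syntax, and the VM records are assumptions constructed here. It handles the cases a practitioner needs to get right: untagged VMs are never touched, a malformed tag is skipped rather than guessed at, windows that wrap midnight are evaluated against the day they started on, and an expired VM is deleted regardless of its schedule.

```python
"""Tag-driven VM lifecycle decisions: auto start/stop schedules and deletion
after end of life, as the page describes for Dev/Test landing zones.

Added example, not Fellowmind's code. The tag names (AutoStartStop, ExpiresOn),
the schedule syntax and the VM records are assumptions constructed here.
"""
from datetime import date, datetime, time

SCHEDULE_TAG = "AutoStartStop"  # "Weekdays 07:00-19:00" or "Daily 22:00-06:00"
EXPIRY_TAG = "ExpiresOn"        # ISO date; the VM is deleted after that day

def parse_schedule(value):
    """Parse '<Weekdays|Daily> HH:MM-HH:MM' into (weekday set, start, end).
    Raises ValueError on malformed input so callers skip rather than guess."""
    selector, window = value.split()
    if selector not in ("Weekdays", "Daily"):
        raise ValueError(f"unknown day selector {selector!r}")
    start_s, end_s = window.split("-")
    days = set(range(5)) if selector == "Weekdays" else set(range(7))
    return days, time.fromisoformat(start_s), time.fromisoformat(end_s)

def in_window(now, days, start, end):
    """True if `now` falls inside the window. Windows may wrap midnight
    (22:00-06:00); the day check applies to the day the window started on."""
    t = now.time()
    if start <= end:
        return now.weekday() in days and start <= t < end
    if t >= start:                      # first half, same day
        return now.weekday() in days
    if t < end:                         # second half, started yesterday
        return (now.weekday() - 1) % 7 in days
    return False

def desired_power_state(tags, now):
    """'running', 'deallocated', or None when the VM must not be touched
    (no schedule tag, or a malformed one that monitoring should flag)."""
    value = tags.get(SCHEDULE_TAG)
    if value is None:
        return None
    try:
        days, start, end = parse_schedule(value)
    except ValueError:
        return None
    return "running" if in_window(now, days, start, end) else "deallocated"

def is_expired(tags, now):
    """True once the ExpiresOn date has passed; unparseable dates never expire."""
    value = tags.get(EXPIRY_TAG)
    if value is None:
        return False
    try:
        return date.fromisoformat(value) < now.date()
    except ValueError:
        return False

def plan_actions(vms, now):
    """vms: iterable of (name, power_state, tags). Returns {name: action};
    VMs needing no change are omitted. Expiry wins over the schedule."""
    actions = {}
    for name, state, tags in vms:
        if is_expired(tags, now):
            actions[name] = "delete"
            continue
        wanted = desired_power_state(tags, now)
        if wanted is not None and wanted != state:
            actions[name] = "start" if wanted == "running" else "deallocate"
    return actions

# Constructed sample inventory; 2025-03-12 is a Wednesday.
NOW = datetime(2025, 3, 12, 23, 15)
SATURDAY_0200 = datetime(2025, 3, 15, 2, 0)
MONDAY_0200 = datetime(2025, 3, 17, 2, 0)
SAMPLE_VMS = [
    ("vm-dev-01", "running", {SCHEDULE_TAG: "Weekdays 07:00-19:00"}),
    ("vm-dev-02", "deallocated", {SCHEDULE_TAG: "Daily 22:00-06:00"}),
    ("vm-test-03", "running", {SCHEDULE_TAG: "Weekdays 07:00-19:00",
                               EXPIRY_TAG: "2025-03-01"}),
    ("vm-prod-04", "running", {}),                                     # untagged
    ("vm-dev-05", "running", {SCHEDULE_TAG: "Weekends 09:00-17:00"}),  # malformed
]

if __name__ == "__main__":
    for name, action in sorted(plan_actions(SAMPLE_VMS, NOW).items()):
        print(f"{name}: {action}")
    night = {SCHEDULE_TAG: "Weekdays 22:00-06:00"}
    print("Sat 02:00:", desired_power_state(night, SATURDAY_0200))
    print("Mon 02:00:", desired_power_state(night, MONDAY_0200))
```

Returning None for absent or malformed tags is the deliberate safe default: an automation job that guesses a power state from a typo is how a production VM gets deallocated at 19:00. Surface those skipped VMs through the alerting described on this page rather than silently ignoring them.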
Landing Zone
Provisioning and management of Corp and Online Landing Zones at scale, to get started quickly with new workloads in Azure.
| Feature | Description | Microsoft ALZ | Fellowmind |
|---|---|---|---|
| Governance | Provisioning of infrastructure baseline in Landing Zones to get started quickly | | |
| Governance | Standardized tagging for Landing Zones | | |
| Connectivity | Network spoke provisioning (Corp Landing Zone only) | | |
| Connectivity | Network hub peering (Corp Landing Zone only) | | |
| Connectivity | Inter-Landing Zone Direct network peering (Corp Landing Zone only) | | |
| Connectivity | Enroll Landing Zone provisioned resources to a specific subnet in the Landing Zone (using Private Endpoints; Corp Landing Zone only) | | |
| Management | Centralized management of select resources created in Landing Zones | | |
| Management | Landing Zone updates at scale | | |
| Management | Backup policy baseline for Landing Zones | | |
| Management | Azure Advisor baseline configuration for Landing Zones | | |
| Operations | Alert processing architecture for Landing Zones | | |
| Operations | Resource Health Monitoring dispatch for Landing Zones | | |
| Operations | Budgets and threshold notifications for Landing Zones | | |
| Operations | Security event notification for Landing Zones | | |
Connectivity
Global and regional connectivity features to connect Landing Zones to the internet, to each other, and to on-premises environments with various architectural patterns based on customer needs.
| Feature | Description | Microsoft ALZ | Fellowmind |
|---|---|---|---|
| SD-WAN | Connectivity architecture with Azure Virtual WAN or Standalone Resource Implementation (VPN Gateway, Azure Firewall, etc.) | | |
| SD-WAN | Full mesh global hybrid connectivity using SD-WAN | | |
| Network Hub | Standalone Network Resource implementation (Hubs without vWAN) | | |
| Firewall | Regional Azure Firewalls to add security between Landing zone networks and to and from the public internet | | |
| Local Connectivity | Local connectivity to privately linked Azure PaaS resources in Corp Landing Zones using Azure Private Link and Private Endpoints | | |
| Front Door | A Central Front Door with WAF to provide a globally distributed single-entry point for web applications hosted in landing zones | | |
| Application Gateway | A central Application Gateway with WAF to provide regionally distributed entry points for web applications hosted in landing zones | | |
| DNS | Centralized DNS management for Landing Zones | | |
| DNS | Private DNS Resolver for Landing Zones | | |
Identity
Identity features to provide a secure and scalable identity foundation for Landing Zones with the Fellowmind Managed Platform.
| Feature | Description | Microsoft ALZ | Fellowmind |
|---|---|---|---|
| Identity | Domain controllers hosted in Virtual Machines, and their associated resources | | |
| Governance | User-assigned managed identities for the various platform modules | | |
Azure Kubernetes Service
Requires GSC, Management & Connectivity as a minimum.
Kubernetes features to provide a scalable and secure container orchestration platform for Landing Zones with the Fellowmind Managed Platform.
| Feature | Description | Microsoft ALZ | Fellowmind |
|---|---|---|---|
| Cluster Baseline | Managed AKS cluster with private API, Azure CNI Overlay networking, and automatic node OS upgrades | | |
| Networking | Internal load balancer with private IP, service CIDRs, and integration with platform connectivity (Private DNS, hub peering) | | |
| Security | Azure Policy add-on, Microsoft Defender for Containers, and Entra ID-integrated RBAC with Conditional Access requiring compliant-device login | | |
| Monitoring | Container Insights with managed Prometheus, Grafana dashboards, and metric-based alerts for cluster health | | |
| Multi-tenancy | Namespace isolation per tenant project with dedicated service accounts, network policies, and resource quotas | | |
| RBAC | Entra ID group-based Kubernetes RBAC with cluster-admin, namespace-admin, and read-only roles | | |
| Workload Identity | Federated workload identity per namespace enabling pods to authenticate to Azure services without stored credentials | | |
| Secrets Management | Secrets Store CSI Driver with Azure Key Vault provider, automatic secret rotation, and per-namespace vault integration | | |
| Container Registry | Shared Azure Container Registry with private endpoint, pull-through cache for public images, and RBAC-scoped push/pull access | | |
| Ingress | Managed NGINX Ingress Controller (app-routing add-on) with internal load balancer and integration with Azure DNS for automatic record management | | |
| Autoscaling | Cluster autoscaler for node pools and KEDA-based event-driven pod autoscaling | | |
| Backup | AKS Backup via Azure Backup vault with scheduled protection of cluster state and persistent volumes | | |
| Cost Management | Per-cluster budget alerts and monthly cost thresholds with automated notifications | | |
Documentation
Requires GSC as a minimum.
Documentation features to provide easily accessible and up-to-date documentation for the Fellowmind Managed Platform and its features.
| Feature | Description | Microsoft ALZ | Fellowmind |
|---|---|---|---|
| Documentation | Centralized and automated documentation site built on Docusaurus | | |
| Documentation | Autogenerated documentation updated hourly | | |
| Product lifecycle | Product roadmap documentation | | |
| Product lifecycle | Product release notes documentation | | |
Azure DevOps
Requires GSC & Management as a minimum.
Azure DevOps features to provide a governed and secure DevOps platform for Landing Zones with the Fellowmind Managed Platform.
| Feature | Description | Microsoft ALZ | Fellowmind |
|---|---|---|---|
| User Management | Automatic removal of disabled Entra ID users from Azure DevOps organizations | | |
| Billing | Centralized billing configuration pointing to the management subscription for cost tracking | | |
| Security Policies | Idempotent configuration of Azure DevOps security policies based on best practices | | |
| Advanced Security | Enable Advanced Security on repositories for code scanning, secret scanning, and dependency scanning | | |
| Repository Settings | Configure global repository settings including TFVC prevention and Gravatar enablement | | |
| Pipeline Settings | Enforce pipeline security settings including YAML requirements and task restrictions | | |
| License and User Access Management | Entra ID groups for license and access management to Azure DevOps projects | | |
| Projects | Create an Azure DevOps Project for each Landing Zone | | |
| Projects | Configure Azure Resource Manager service connections with access to Landing Zone subscriptions using federated identity credentials based on OpenID Connect (workload identity federation, so no long-lived secret is stored in Azure DevOps) | | |
| Projects | Configure Azure DevOps project with policies and build validation for GitHub Flow branch strategy | | |
| Projects | Provision Landing Zones with an IaC repository and multi-stage pipeline baseline | | |
| Projects | Daily backup of Azure DevOps Repositories with full git history | | |
| Agents | Self-managed build agent pools for Azure DevOps running on Azure VMs or Containers | | |
Responsibilities
These are the responsibilities and how they are divided between the platform and the landing zone.
| Subject | Platform responsibility | Landing zone responsibility |
|---|---|---|
| Azure Policy | Deploys recommended policies | Responsible for compliance in landing zones |
| Alerts | Deploys health and service alerts | Deploys specific resource alerts and takes action on them |
| Network | Configures the network solution (hub and spoke) and deploys peered VNets *Corp Landing Zones only* | Uses the peered VNets and requests firewall rules when needed |
| Cost and budgets | Deploys budgets with thresholds and anomaly detection | Adheres to and evaluates the budget, requests updates |
| Tags | Deploys tags on the subscription, which are inherited by resources | Configures specific values on resources that should not inherit from the subscription (e.g. a different budget code) |
| Backup | Deploys the Recovery Services vault and default backup policies | Onboards servers to the Recovery Services vault |
| Access management | Deploys Entra ID groups, configures PIM and Access Reviews, assigns the groups to scopes throughout the Azure hierarchy, and cleans up access that is not described in code | Adds and removes members and owners of groups, and reviews access |
| Update Management | Deploys central maintenance configuration schedules and policy | Sets the Azure tag that configures update management per VM |
| Logging | Deploys the central Log Analytics workspace, sets up data collection rules, and configures diagnostic settings for supported Azure PaaS. Can set a default VM tag for default log ingestion | Adds an additional tag on VMs that should ship more logs than the default |
| Azure DevOps | Deploys the Azure DevOps project, repos, pipelines, service connections, agent pools, organizational policies, and Entra ID groups for access management; reports on recommended user and license management | Manages code, pipelines, and access to Azure DevOps |
Architecture
High-level architecture of the Fellowmind Managed Platform showing all modules, layers, and key dependencies across the Azure landing zone.