Azure Citadel
  • Blogs
  • Azure Arc
    • Overview
    • Azure Arc-enabled Kubernetes
      • Prereqs
      • Background
      • Deploy Cluster
      • Connect to Arc
      • Enable GitOps
      • Deploy Application
      • Enable Azure AD
      • Enforce Policy
      • Enable Monitoring
      • Enable Azure Defender
      • Enable Data Services
      • Enable Application Delivery
    • Azure Arc-enabled Servers
      • Prereqs
      • Scenario
      • Hack Overview
      • Azure Landing Zone
      • Arc Pilot resource group
      • Azure Monitoring Agent
      • Additional policy assignments
      • Access your on prem VMs
      • Create onboarding scripts
      • Onboarding using scripts
      • Inventory
      • Monitoring
      • SSH
      • Windows Admin Center
      • Governance
      • Custom Script Extension
      • Key Vault Extension
      • Managed Identity
    • Useful Links
  • Azure CLI
    • Install
    • Get started
    • JMESPATH queries
    • Integrate with Bash
  • Azure Landing Zones
    • ALZ Accelerator
      • Prereqs
      • Elevate
      • Bootstrap
      • Demote
      • Components
    • Deploy an Azure Landing Zone
      • Create an initial ALZ config
      • Run through the CI/CD workflow
    • Example Library Configs
      • Azure Landing Zone library
      • Azure Landing Zone library with overrides
  • Azure Lighthouse
    • Minimal Lighthouse definition
    • Using service principals
    • Privileged Identity Management
  • Azure Policy
    • Azure Policy Basics
      • Policy Basics in the Azure Portal
      • Creating Policy via the CLI
      • Deploy If Not Exists
      • Management Groups and Initiatives
    • Creating Custom Policies
      • Customer scenario
      • Policy Aliases
      • Determine the logic
      • Create the custom policy
      • Define, assign and test
  • Marketplace
    • Introduction
      • Terminology
      • Offer Types
    • Partner Center
    • Offer Type
    • Publish a VM Offer HOL
      • Getting Started
      • Create VM Image
      • Test VM Image
      • VM Offer with SIG
      • VM Offer with SAS
      • Publish Offer
      • Other VM Resources
    • Publish a Solution Template HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Publish a Managed App HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Managed Apps with AKS HOL
    • Other Managed App Resources
    • SaaS Offer HOLs
    • SaaS Offer Video Series
      • Video 1 - SaaS Offer Overview
      • Video 2 - Purchasing a SaaS Offer
      • Video 3 - Purchasing a Private SaaS Plan
      • Video 4 - Publishing a SaaS Offer
      • Video 5 - Publishing a Private SaaS Plan
      • Video 6 - SaaS Offer Technical Overview
      • Video 7 - Azure AD Application Registrations
      • Video 8 - Using the SaaS Offer REST Fulfillment API
      • Video 9 - The SaaS Client Library for .NET
      • Video 10 - Building a Simple SaaS Landing Page in .NET
      • Video 11 - Building a Simple SaaS Publisher Portal in .NET
      • Video 12 - SaaS Webhook Overview
      • Video 13 - Implementing a Simple SaaS Webhook in .NET
      • Video 14 - Securing a Simple SaaS Webhook in .NET
      • Video 15 - SaaS Metered Billing Overview
      • Video 16 - The SaaS Metered Billing API with REST
  • Microsoft Fabric
    • Theory
    • Prereqs
    • Fabric Capacity
    • Set up a Remote State
    • Create a repo from a GitHub template
    • Configure an app reg for development
    • Initial Terraform workflow
    • Expanding your config
    • Configure a workload identity
    • GitHub Actions for Microsoft Fabric
    • GitLab pipeline for Microsoft Fabric
  • Packer & Ansible
    • Packer
    • Ansible
    • Dynamic Inventories
    • Playbooks & Roles
    • Custom Roles
    • Shared Image Gallery
  • Partner Admin Link
    • Understanding PAL
    • User IDs & PAL
    • Service principals & PAL
    • CI/CD pipelines & PAL
    • Creating a dedicated PAL service principal
    • Azure Lighthouse & PAL
    • PAL FAQ
  • REST API
    • REST API theory
    • Using az rest
  • Setup
  • Sovereign Landing Zones
    • ALZ Accelerator
      • Prereqs
      • Elevate
      • Bootstrap
      • Demote
      • Components
    • Deploy Sovereign Landing Zone
      • Create an initial SLZ config
      • Run through the CI/CD workflow
      • Sovereign Landing Zone
    • Example Library Configs
      • Sovereign Landing Zone
      • Sovereign Landing Zone library with overrides
  • Terraform
    • Fundamentals
      • Initialise
      • Format
      • Validate
      • Plan
      • Apply
      • Adding resources
      • Locals and outputs
      • Managing state
      • Importing resources
      • Destroy
    • Get set up for Terraform
      • Cloud Shell
      • macOS
      • Windows with PowerShell
      • Windows with Ubuntu in WSL2
    • Using AzAPI
      • Using the REST API
      • azapi_resource
      • Removing azapi_resource
      • azapi_update_resource
      • Data sources and outputs
      • Removing azapi_update_resource
  • Virtual Machines
    • Azure Bastion with native tools & AAD
    • Managed Identities
  • About
  • Archive
  1. Home
  2. Sovereign Landing Zones
  3. ALZ Accelerator
  4. Prereqs
Prereqs
Prereqs
ALZ Accelerator
Prereqs
Elevate
Bootstrap
Demote
Components

Prereqs

You will need a few things before you can run the accelerator's bootstrap and work on Azure Landing Zones.

Table of Contents

Overview

For the bootstrap you will need a few prerequisites as summarised below. This page includes links to the official documentation, but you will also find the commands repeated here to save you jumping around too much.

  1. Access to an Azure tenant with one to four subscriptions for use in the Platform Landing Zone area:

    • management (mandatory)
    • connectivity (recommended)
    • identity
    • security

    (It is assumed that the subscriptions will be directly under the Tenant Root Group in Management Groups.)

  2. An ID with Global Administrator

    Note that you will need to temporarily elevate a Global Administrator ID and assign root level privileges for the duration of the bootstrap. (As per the elevate and demote pages in this series.)

  3. A GitHub organization

    If you are an individual GitHub user then you can create an organization for free. For example, my GitHub organization for testing is richeney-org.

    You will also need the ability to create personal access tokens in the context of your organization.

  4. PowerShell with the ALZ module installed

  5. Visual Studio Code with the Hashicorp Terraform extension

Create personal access tokens

  1. Authenticate to GitHub

  2. Go to Settings

    Click on your profile at the top right and select Settings

  3. Switch setting context at the top of the page to your organization

    The URL will switch to https://github.com/organizations/orgName/settings/profile.

  4. Navigate to Developer Settings > Personal Access Tokens > Fine-grained tokens

Bootstrap

Create a personal access token for the bootstrap process.

  1. Click on Generate new token.

    • Token Name: Azure Landing Zone accelerator
    • Description: Short-lived token for the ALZ Accelerator bootstrap process
    • Resource Owner: Switch to your organization
    • Expiration: Custom, select short period.
    • Repository access: All repositories

  2. Add Repositories permissions

    Permission Access
    Actions Read and write
    Administration Read and write
    Contents Read and write
    Environments Read and write
    Secrets Read and write
    Variables Read and write
    Workflows Read and write

  3. Add Organizations permissions

    Permission Access
    Members Read and write
    Self-hosted runners Read and write

  4. Generate the token.

  5. Copy the token value and keep it somewhere safe.

Private Runners

Create a personal access token for the private runners

  1. Click on Generate new token.

    • Token Name: Azure Landing Zone private runners
    • Description: Long-term token used by the private runners
    • Resource Owner: Switch to your organization
    • Expiration: Select no expiration.
    • Repository access: All repositories

  2. Add Repositories permissions

    Permission Access
    Administration Read and write

  3. Add Organizations permissions

    Permission Access
    Self-hosted runners Read and write

  4. Generate the token.

  5. Copy the token value and keep it somewhere safe.

ALZ PowerShell module

As per the bootstrap page:

  1. Open PowerShell 7

  2. Trust the

    Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted

  3. Install the ALZ module

    Install-Module -Name ALZ -Scope CurrentUser
    Additional commands

    If the module is already installed then you can run this command to check for an update.

    Update-Module -Name ALZ

    Check the version number(s):

    Get-InstalledModule -Name ALZ -AllVersions

    Remove an older versions:

    Uninstall-Module -Name ALZ -RequiredVersion X.Y.Z

    RequiredVersion should be set to the major.minor.patch that you are removing. It is recommended to have a. the latest version and b. only one version, or you may see an error from the ALZ Accelerator.

    The ALZ PowerShell module is open source at https://github.com/Azure/ALZ-PowerShell-Module.

Setup

  1. Bash, plus Visual Studio Code with the Hashicorp Terraform extension

    These labs assume you will be working in a Bash environment, and you have vscode configured with the Terraform extension. See our Setup page for a recommended config.

ℹ️ If the pages prove very popular then I will add PowerShell for those who prefer to stay within the Windows OS level.

Source: https://icy-island-077f0c303-135.westeurope.4.azurestaticapps.net/slz/accelerator/prereqs/
Published: 10 Oct 2025
Printed:
ALZ Accelerator Prereqs Elevate