This starter kit provides Infrastructure-as-Code templates to deploy a foundational CDM Starter Kit infrastructure stack on Azure. It is designed as a customer-deployed reference architecture on customer-owned Azure subscriptions.
All infrastructure is declared using Azure Bicep:
- Version-controlled - All configurations tracked in Git
- Repeatable - Consistent, idempotent deployments
- Parameterized - Customer-supplied values at deployment time
- Modular - Components organized for reusability and maintainability
- RBAC-First: Role-based access control is the foundation
- No Service Accounts: Customers manage all identities
- Least Privilege: RBAC scaffolding supports principled access assignment
- Customer-Controlled: All access decisions made by deploying organization
This architecture does NOT provision:
- ❌ Microsoft-hosted services on behalf of the customer
- ❌ First-party production infrastructure
- ❌ Long-running Microsoft managed processes
- ❌ Internal authentication or tenant-scoped components
Instead, it deploys standard Azure customer-owned resources that the organization operates directly.
Purpose: Foundation data storage layer
- Supports data lakes, backups, and artifact repositories
- RBAC configured by customer for multi-user access
- Diagnostic data and logs stored securely
- Network access restricted via SAS/RBAC policies
Customer Responsibility: Configure lifecycle policies, network security, data retention
Purpose: High-performance analytics and telemetry ingestion
- Time-series data analysis and exploration
- Real-time dashboard and alerting capabilities
- Data aggregation
- Query-based insights and reporting
Customer Responsibility: Query optimization, data retention policies, cluster sizing
Purpose: Data warehousing, ELT/ETL, and advanced analytics
- Structured data warehouse for BI and reporting
- SQL and Spark pools for processing
- Integration with Power BI for visualization
- Cost and resource optimization analysis
Customer Responsibility: Workload tuning, compute scaling, metadata management
Purpose: Principled access control foundation
- Role assignments for service principals and users
- Audit-ready access management
Customer Responsibility: Assigning actual users/services, ongoing access reviews
- Customer opens Create → Search "CDM Starter Kit"
- Guided form captures:
- Subscription and resource group
- Resource naming conventions
- Compliance/regulatory tags
- One-click deployment
- Resources created in customer's subscription
az deployment group create \
--resource-group myResourceGroup \
--template-file main.bicep \
--parameters @params.jsonBoth paths produce identical resource configurations.
✅ Customer controls all identities (AAD users, service principals) ✅ Customer controls RBAC and permissions ✅ Data is encrypted at rest and in transit (Azure defaults) ✅ Audit logs are captured and retained ✅ Network access is configurable via NSGs
❌ This architecture does not include:
- Multi-tenant isolation (customer-owned resources only)
- Advanced threat detection (customer enablement required)
- Compliance automation (customer responsibility)
- Secrets/credentials management (customer's Azure Key Vault)
| Component | Deployed | Managed | Secured |
|---|---|---|---|
| Azure Storage | Starter Kit | Customer | Customer |
| Data Explorer | Starter Kit | Customer | Customer |
| Synapse | Starter Kit | Customer | Customer |
| RBAC Foundation | Starter Kit | Customer | Customer |
| VNets / NSGs | Starter Kit | Customer | Customer |
| Credentials | Customer | Customer | Customer |
| Access Reviews | - | Customer | Customer |
| Monitoring/Alerting | Starter Kit | Customer | Customer |
Summary: This kit provides the infrastructure template. Customers are responsible for deployment configuration, operational management, and security hardening.
The starter kit is designed for easy customization:
- SKU Flexibility: Bicep parameters support resource sizing
- Regional Deployment: Works across Azure regions
- Tagging Strategy: Customer-defined tag schemas (TBD)
- Module Reusability: Components can be extended or replaced
- Integration: Designed to connect with existing Azure infrastructure
- Audit Logging: All deployments and access logged to Activity Log
- Blueprint Support: Can be packaged as Azure Blueprint
- Policy-Compatible: Works with Azure Policy for governance
- Tagging: Supports cost allocation and compliance tagging (TBD)
- Documentation: Clear parameter descriptions for compliance review
Key Takeaway: This is a reference architecture starter kit, not a production service. Customers deploy, operate, and secure the infrastructure. Microsoft provides the template and examples.