MCF Components
What MCF Delivers
Five pre-built, fully automated components form the backbone of every MCF deployment — consistent, secure, and ready on day one.
Management Groups & Subscriptions
- Hierarchical structure: Root → Platform → Landing Zones
- Subscription vending for fast workload onboarding
- Policy inheritance enforced at group level
- Budget alerts per subscription
Hub-Spoke Network
- Central hub with Azure Firewall or NVA
- Spoke VNets peered per workload
- Forced tunneling & UDR for egress control
- Private DNS zones for all PaaS services
Entra ID & RBAC
- Least-privilege custom roles per workload tier
- PIM (Privileged Identity Management) enabled
- Conditional access policies enforced
- Service principals via managed identities only
Defender for Cloud + AMA
- Microsoft Defender enabled on all subscriptions
- Azure Monitor Agent on all VMs via Policy
- Secure Score baseline tracked continuously
- Security alerts forwarded to SIEM/Sentinel
Azure Policy & Blueprints
- 200+ policies covering CIS, ISO 27001, DSGVO (GDPR)
- DeployIfNotExists: auto-remediate non-compliant resources
- Required tags enforced — cost allocation ready
- Deny unapproved regions, SKUs, and services
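As an added illustration of the region guardrail in the last bullet, here is an Azure Policy definition that denies creation of resources outside approved regions. This is example code, not MCF's own policy; the display name and the default region list are assumed.

```json
{
  "properties": {
    "displayName": "Deny resources outside approved regions (example)",
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "Approved Azure regions. The default values are assumed for this example.",
          "strongType": "location"
        },
        "defaultValue": ["westeurope", "germanywestcentral"]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "location", "notIn": "[parameters('allowedLocations')]" },
          { "field": "location", "notEquals": "global" },
          { "field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories" }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Assigned at the Landing Zones management group, the deny effect is inherited by every subscription beneath it, so a workload team cannot opt out by changing settings at the subscription level.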