Commit

Add FAQ & Portal Warning for #1080 (#1094)
* fixes for 1080

* jf review comment
jtracey93 authored Oct 25, 2022
1 parent dc8a417 commit d35199a
Showing 4 changed files with 52 additions and 2 deletions.
35 changes: 34 additions & 1 deletion docs/wiki/FAQ.md
Expand Up @@ -9,6 +9,8 @@
- [What if we can't deploy by using the Azure landing zone accelerator portal-based experience, but can deploy via infrastructure-as-code?](#what-if-we-cant-deploy-by-using-the-azure-landing-zone-accelerator-portal-based-experience-but-can-deploy-via-infrastructure-as-code)
- [If we already deployed enterprise-scale architecture without using infrastructure-as-code, do we have to delete everything and start again to use infrastructure-as-code?](#if-we-already-deployed-enterprise-scale-architecture-without-using-infrastructure-as-code-do-we-have-to-delete-everything-and-start-again-to-use-infrastructure-as-code)
- [The `AzureDiagnostics` table in my Log Analytics Workspace has hit the 500 column limit, what should I do?](#the-azurediagnostics-table-in-my-log-analytics-workspace-has-hit-the-500-column-limit-what-should-i-do)
- [What happens if I have existing Management Groups that have the same Name/IDs as ones that will be deployed in the ALZ Portal Accelerator?](#what-happens-if-i-have-existing-management-groups-that-have-the-same-nameids-as-ones-that-will-be-deployed-in-the-alz-portal-accelerator)
- [What are the ALZ Portal Accelerator Management Group Name/IDs that are created?](#what-are-the-alz-portal-accelerator-management-group-nameids-that-are-created)

---

Expand Down Expand Up @@ -118,4 +120,35 @@ As of today only a limited number of services support the [**Resource-specific**

We are working closely with the relevant Azure engineering teams to ensure the services add support for the [**Resource-specific** collection mode](https://docs.microsoft.com/azure/azure-monitor/essentials/resource-logs#resource-specific) and also create/update the [built-in Azure Policies](https://docs.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#built-in-policy-definitions-for-azure-monitor) so we can then utilise them as part of our solution.

Stay tuned to our [What's New page](https://github.com/Azure/Enterprise-Scale/wiki/Whats-new) where we will be announcing when we migrate services to the new collection type. Also watch [Azure Updates](https://azure.microsoft.com/updates/) for announcements from service teams for adding support to their services for this collection type.
Stay tuned to our [What's New page](https://github.com/Azure/Enterprise-Scale/wiki/Whats-new) where we will be announcing when we migrate services to the new collection type. Also watch [Azure Updates](https://azure.microsoft.com/updates/) for announcements from service teams for adding support to their services for this collection type.

## What happens if I have existing Management Groups that have the same Name/IDs as ones that will be deployed in the ALZ Portal Accelerator?

As raised in issue [#1080](https://github.com/Azure/Enterprise-Scale/issues/1080) it is possible for you to deploy the ALZ Portal Accelerator in a AAD Tenant with existing Management Groups. If these existing Management Groups have the same Name/ID (not Display Name) as the ones deployed as part of the ALZ Portal Accelerator these existing Management Groups will be targeted in the deployment and brought into the ALZ hierarchy and deployment. This means that the Management Groups will be:

- Display Name will be changed to ALZ default for that Management Group
- Moved into the ALZ Management Group hierarchy
- Have Subscriptions placed beneath them based on selections during ALZ portal accelerator deployment
- Have Azure Policy Definitions and Assignments created upon them
- Have Azure RBAC Custom Role Definitions & Assignments created upon them

You should be aware of this and decide if this is something you want to happen, if not you need to ensure the naming prefix entered is unique for the Management Group Name/IDs that the ALZ Portal Accelerator will create to ensure the existing Management Groups are not targeted in the deployment. These are listed in the following FAQ Q&A: [What are the ALZ Portal Accelerator Management Group Name/IDs that are created?](#what-are-the-alz-portal-accelerator-management-group-nameids-that-are-created)

## What are the ALZ Portal Accelerator Management Group Name/IDs that are created?

The Management Group Names/IDs created via the ALZ Portal Accelerator deployment are all based on the Resource Prefix (Root ID) that you enter in the ALZ Portal Experience on the "Azure core setup" blade that is shown below:

![ALZ Portal Accelerator Resource Prefix (Root ID) Screenshot](media/mg-resource-prefix-portal.png)

The Management Group Names/IDs created via the ALZ Portal Accelerator Deployment are listed below:

- `<Resource Prefix (Root ID)>` - Intermediate Root Management Group - e.g. `Contoso`
- `<Resource Prefix (Root ID)>-platform`
- `<Resource Prefix (Root ID)>-management`
- `<Resource Prefix (Root ID)>-connectivity`
- `<Resource Prefix (Root ID)>-identity`
- `<Resource Prefix (Root ID)>-landingzones`
- `<Resource Prefix (Root ID)>-online`
- `<Resource Prefix (Root ID)>-corp`
- `<Resource Prefix (Root ID)>-decommissioned`
- `<Resource Prefix (Root ID)>-sandbox`
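
Review bot: The new "What happens if I have existing Management Groups..." section asks the reader to "decide if this is something you want to happen" but gives no way to find out whether a collision exists before deploying. Since the listed effects include Azure Policy assignments and RBAC custom role definitions and assignments on the existing groups, which are inherited by any subscriptions already beneath them, I would add a pre-deployment step: list the tenant's current Management Group Names/IDs (for example with `az account management-group list`) and compare them against the ten `<Resource Prefix (Root ID)>` names in the second section. Two wording nits in the same paragraph: "a AAD Tenant" should be "an AAD Tenant", and the first bullet ("Display Name will be changed...") does not follow from the lead-in "the Management Groups will be:" the way the other four do.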
9 changes: 8 additions & 1 deletion docs/wiki/Whats-new.md
Expand Up @@ -50,7 +50,9 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:

#### Docs

- *No updates, yet.*
- Added 2 new FAQ Q&As based on issue [#1080](https://github.com/Azure/Enterprise-Scale/issues/1080)
- [What happens if I have existing Management Groups that have the same Name/IDs as ones that will be deployed in the ALZ Portal Accelerator?](https://github.com/Azure/Enterprise-Scale/wiki/FAQ#what-happens-if-i-have-existing-management-groups-that-have-the-same-nameids-as-ones-that-will-be-deployed-in-the-alz-portal-accelerator)
- [What are the ALZ Portal Accelerator Management Group Name/IDs that are created?](https://github.com/Azure/Enterprise-Scale/wiki/FAQ#what-are-the-alz-portal-accelerator-management-group-nameids-that-are-created)

#### Tooling

Expand All @@ -68,6 +70,11 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
- **⚠️This is a breaking change, only if you attempt to redeploy the Azure landing zone portal accelerator over the top of an existing Azure landing zone portal accelerator deployment that was deployed prior to 12/10/2022 (12th October 2022)⚠️**
- The outcome if you do this will be that new vNets will be created based on what you input into the Azure landing zone portal accelerator form when you fill it out. Even if you input exactly the same inputs and details as the first time you deployed it.
- However, this is a very uncommon action and if you are impacted [please raise an issue](https://github.com/Azure/Enterprise-Scale/issues) on the repo and we can assist further
- Release of various [ALZ-Bicep](https://aka.ms/alz/bicep) versions:
- [`v0.10.6`](https://github.com/Azure/ALZ-Bicep/releases/tag/v0.10.6)
- [`v0.10.5`](https://github.com/Azure/ALZ-Bicep/releases/tag/v0.10.5)
- [`v0.10.4`](https://github.com/Azure/ALZ-Bicep/releases/tag/v0.10.4)
- Updated Azure landing zone portal accelerator with a note around existing Management Group Name/IDs on "Azure core setup" blade linking to FAQ Q&As

### Policy

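Review bot: The last added bullet under Tooling ("Updated Azure landing zone portal accelerator with a note around existing Management Group Name/IDs...") says it links to the FAQ Q&As but carries no link itself, unlike the Docs entry added earlier in this file. Readers who only scan the Tooling section would miss the guidance, so I would link the same two FAQ anchors here, or at least reference issue #1080 as the Docs entry does.
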
Binary file added docs/wiki/media/mg-resource-prefix-portal.png
10 changes: 10 additions & 0 deletions eslzArm/eslz-portal.json
Expand Up @@ -110,6 +110,16 @@
}
}
},
{
"name": "alzMgmtGroupExistingWarning",
"type": "Microsoft.Common.InfoBox",
"visible": true,
"options": {
"text": "This deployment will create the ALZ default Management Group hierarchy with Names/IDs that are documented in the FAQ (click on this box to be taken to this page). If you have existing Management Groups that have the same Names/IDs these will be targeted in the ALZ deployment (click on this box to find out how to handle this or to see what will happen)",
"style": "Warning",
"uri": "https://github.com/Azure/Enterprise-Scale/wiki/FAQ#what-happens-if-i-have-existing-management-groups-that-have-the-same-nameids-as-ones-that-will-be-deployed-in-the-alz-portal-accelerator"
}
},
{
"name": "enterpriseScaleCompanyPrefix",
"type": "Microsoft.Common.TextBox",
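
Review bot: The `text` of `alzMgmtGroupExistingWarning` contains two "(click on this box ...)" parentheticals that promise different destinations, but the element has a single `uri`, so both clicks land on the same FAQ anchor. I would reduce this to one call to action and use the freed space to say what actually drives the collision: the Names/IDs are derived from the prefix entered in the `enterpriseScaleCompanyPrefix` field directly below, and existing groups with matching IDs will receive the ALZ policy and RBAC assignments. As written, the warning does not tell the user that changing the prefix is the way to avoid targeting existing groups; that is only discoverable after following the link.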