1. Management Groups & Subscription Design

   • Root → Production / Sandbox / Dev

2. Identity & Security

   • Azure AD, RBAC, Key Vault

3. Networking

   • Hub-Spoke topology, NSGs, Firewall

4. Platform Services

   • Monitoring, Log Analytics, Azure Policy

• Single-Subscription Mode for small teams

• Multi-Subscription Mode for segmentation (e.g., Prod vs. Dev)

Module | Description -- | -- identity.bicep | AAD tenants, service principals network.bicep | VNet, subnets, NSGs, peering security.bicep | Azure Policy assignments management.bicep | Log Analytics, Monitoring