Responsibility assignment matrix (RACI)
Clear roles and responsibilities between MyPlatform and the Customer for an effective, secure, and transparent Azure journey.
Understanding the RACI model
This model clarifies roles for establishing and operating your Azure platform.
- R (Responsible): Performs the task.
- A (Accountable): Owns the outcome.
- C (Consulted): Provides input and expertise.
- I (Informed): Is kept up to date.
Assumptions and prerequisites
- Customer has an Entra ID Global Administrator to purchase and bootstrap via Azure Marketplace.
- Customer initiates and runs the bootstrap using MyPlatform self-service automation; MyPlatform does not purchase or execute on customer’s behalf.
- Customer consents to the MyPlatform multi-tenant Enterprise App and the deployment Enterprise App created during bootstrap.
- Deployment Enterprise App gets least-privilege roles at the MyPlatform root Management Group to deploy platform resources.
- All services are deployed into the customer’s tenant and subscriptions; the customer owns cost, data, and access.
- Customer manages Identity & Access: Entra ID security (MFA/CA, lifecycle), PIM, and Azure RBAC design/assignments, including access reviews.
- Evergreen updates are delivered as code by MyPlatform; customer can pause/stop updates by removing deployment permissions or unsubscribing.
- MyPlatform provides the necessary identities and role assignments for platform resources it deploys, scoped by least privilege.
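The assumptions above hinge on two checkable facts: the deployment Enterprise App holds only least-privilege roles, and it holds them at the MyPlatform root Management Group rather than higher up, and the customer can stop updates by removing those permissions. The following script is an added example (not MyPlatform's own tooling) that audits an exported role-assignment list for the deployment app and produces the revoke commands a customer would run. It assumes the export has the shape produced by `az role assignment list --all -o json`; the Management Group names, the app object id and the role allow-list are placeholders and assumptions, and the sample assignments are constructed, not real data.

```python
"""Audit the bootstrap deployment Enterprise App's role assignments (added example)."""
import json

# Placeholders: replace with the tenant's real Management Group ids and the app's object id.
TENANT_ROOT_MG = "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000"
PLATFORM_ROOT_MG = "/providers/Microsoft.Management/managementGroups/myplatform-root"
DEPLOYMENT_APP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"

# Assumed least-privilege allow-list; not MyPlatform's published role set.
ALLOWED_ROLES = {"Contributor", "Resource Policy Contributor", "Monitoring Contributor"}
# Assumption: every deployment-app assignment should sit at the platform root MG.
ALLOWED_SCOPES = {PLATFORM_ROOT_MG}

# Constructed sample in the shape `az role assignment list --all -o json` returns.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalId": DEPLOYMENT_APP_OBJECT_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": PLATFORM_ROOT_MG},
    {"principalId": DEPLOYMENT_APP_OBJECT_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Resource Policy Contributor", "scope": PLATFORM_ROOT_MG},
    # Over-privileged and over-scoped: Owner at the tenant root MG (the finding we want to catch).
    {"principalId": DEPLOYMENT_APP_OBJECT_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": TENANT_ROOT_MG},
    # A customer operator's assignment: not the deployment app, so it is ignored here.
    {"principalId": "22222222-2222-2222-2222-222222222222", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/33333333-3333-3333-3333-333333333333"},
])


def audit_deployment_app(assignments_json, app_object_id=DEPLOYMENT_APP_OBJECT_ID,
                         allowed_roles=ALLOWED_ROLES, allowed_scopes=ALLOWED_SCOPES):
    """Return one finding per deployment-app assignment that breaks the allow-lists.

    A finding lists every reason it was flagged (role outside the allow-list,
    scope outside the platform root MG, or both). Scopes compare case-insensitively.
    """
    allowed_scopes_lc = {s.lower() for s in allowed_scopes}
    findings = []
    for assignment in json.loads(assignments_json):
        if assignment.get("principalId") != app_object_id:
            continue  # only the deployment app is in scope for this audit
        role = assignment.get("roleDefinitionName")
        scope = assignment.get("scope", "")
        reasons = []
        if role not in allowed_roles:
            reasons.append(f"role '{role}' is not in the least-privilege allow-list")
        if scope.lower() not in allowed_scopes_lc:
            reasons.append(f"scope '{scope}' is outside the platform root Management Group")
        if reasons:
            findings.append({"role": role, "scope": scope, "reasons": reasons})
    return findings


def revoke_commands(findings, app_object_id=DEPLOYMENT_APP_OBJECT_ID):
    """Build the `az role assignment delete` commands that remove the flagged grants.

    Removing the deployment app's permissions is also how a customer pauses
    evergreen updates, per the assumptions in this document.
    """
    return [
        f'az role assignment delete --assignee {app_object_id} '
        f'--role "{f["role"]}" --scope {f["scope"]}'
        for f in findings
    ]


if __name__ == "__main__":
    for finding in audit_deployment_app(SAMPLE_ASSIGNMENTS):
        print(f"{finding['role']} @ {finding['scope']}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
    for cmd in revoke_commands(audit_deployment_app(SAMPLE_ASSIGNMENTS)):
        print(cmd)
```

Run it against a real export by replacing `SAMPLE_ASSIGNMENTS` with the file contents and the placeholders with the tenant's values; an empty findings list means the deployment app holds exactly the allow-listed roles at the platform root MG and nothing above it.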
Phase 1: Establishment (onboarding & foundation)
Initial setup of a secure, governed Azure platform.
| Activity | MyPlatform | Customer | Notes |
|---|---|---|---|
| Azure Marketplace purchase & tenant consent | C | R A | Customer purchases the offer and grants consent; MyPlatform provides the offer and entitlement validation. |
| Bootstrap: run automated process | C | R A | Customer initiates and runs the bootstrap; MyPlatform provides automation and guidance. |
| Management Group hierarchy | R A | I | Deployed as code during bootstrap via MyPlatform automation. |
| Log Analytics Workspace (initial) | R A | I | Created during bootstrap to support Entra diagnostics; retention tuned later by customer. |
| Entra ID Diagnostic Settings | R A | I | Configured via automation; customer owns data retention & privacy compliance. |
| PIM: platform role groups | R A | I | Groups created and PIM-enabled; customer manages identity security and approvals. |
| Platform Automation Function | R A | I | Automation for remediation/ops with managed identity and least-privileged roles. |
| Custom roles for least privilege | R A | I | Deployed for automation and resource-to-resource access; scoped to platform resources only. |
| Azure Policy: definitions, initiatives, assignments | R A | I | Delivered as code; customer tunes parameters/exemptions post-deployment. |
| Defender for Cloud baseline | R A | I | Baseline enabled; customer may opt in/out of costed plans later. |
| Action Groups | R A | I | Created as code; customer updates recipients post-deployment. |
| Initial alert rules (service health, security) | R A | I | Initial routing via action groups; customer operates alerts in steady state. |
| Cost anomaly alert (baseline) | R A | I | Baseline deployed; customer tunes thresholds/notifications later. |
| Documentation & admin portal access | R A | I | Admin portal baseline enabled; customer adds operators and maintains runbooks. |
Phase 2: Operations (ongoing maintenance)
Division of responsibilities after the platform is established.
| Activity | MyPlatform | Customer | Notes |
|---|---|---|---|
| Evergreen platform updates (IaC, policies) | R A | I C | MyPlatform ships updates; customer reviews release notes and plans change windows as needed. |
| Policy compliance and remediation | R | A R | Automation assists remediation; customer owns exemptions and workload-side fixes. |
| Alert triage and incident response | I | A R | Customer SOC/NOC responds; MyPlatform receives platform-facing alerts where applicable. |
| Access management (PIM, RBAC) | I | A R | Customer manages Entra ID/PIM, RBAC design and assignments, and periodic access reviews. |
| Cost management and budgets | I | A R | Customer owns usage and optimization; baseline alerts provided. |
| Security operations (MFA, identity hygiene) | I | A R | Customer enforces identity security; MyPlatform aligns its guardrails with it but does not operate identity. |
| Log retention, data handling, privacy | I | A R | Customer sets retention/data residency to meet compliance. |
| Platform configuration changes | I | A R | Changes via code/parameters; customer decides and approves. |
| Workload deployment and operations | I | A R | Customer deploys/operates workloads; MyPlatform provides guardrails/patterns/updates. |
| Add-ons (Core Network, VM Management) | R | A R | MyPlatform deploys; customer operates day to day. |
| Handover and exit | R | A | If subscription ends, deployed resources remain; updates stop. |
Summary of shared responsibility
- MyPlatform delivers the platform baseline as code (policies, guardrails, alerts, automation) into the customer tenant.
- Least-privilege access is enforced for platform resources and managed identities created by the deployment.
- Evergreen updates from MyPlatform keep security and compliance aligned with Azure; release notes are provided before rollout.
- Customer retains full control of identities, access approvals, and any workload-level exemptions.
- Operational alerts are routed via customer-controlled action groups and contacts.
- On exit, deployed resources remain; only updates from MyPlatform stop (no lock-in).
What the customer must provide
- Entra ID Global Administrator to purchase via Azure Marketplace and to run bootstrap.
- PIM and RBAC design, assignments, and periodic access reviews for operators and approvers.
- Governance inputs: allowed regions, naming conventions, tag taxonomy, and any policy exemptions.
- Security contacts and routing (email/SMS/webhooks/ITSM) for action groups and alert handling.
- Data governance: Log Analytics retention, residency, and privacy requirements.
- Workload operations: remediation at workload scope, incident response, and cost management.
Change control and communication
- MyPlatform provides release notes with material changes to any service or configuration in the platform.
- Customer designates stakeholders to be informed/consulted before rollout to production scopes.
- Breaking changes or cost-impacting toggles (e.g., Defender plans) require explicit customer approval.
