The IT administrator and deployment role

The IT administrator is responsible for provisioning infrastructure and services that are reused and consumed by multiple applications within the enterprise. These services include centralized monitoring and log management, Key Vaults, storage accounts, and service accounts that individual application owners and release management consume to perform deployment and management operations in their environments. Access to these services is constrained and limited to authorized administrators only.

An IT administrator will log in to the Azure subscription with his credentials, create a new Azure AD application and an Azure AD service application, and grant owner permissions on the subscription to the service application. Individual application owners and release management will use this Azure AD service application to log in to Azure and perform management actions to deploy, update, and configure their infrastructure and applications. They should not use their individual account IDs to perform any action related to application and infrastructure management.

The IT administrator is responsible for storing secrets and credentials in the Azure Key Vault. An ARM template has been designed and built specifically for this purpose. The IT administrator executes the template to store the secrets and confidential information in the Azure Key Vault, passing the credentials and secrets to the template as parameters. These secrets and credentials are neither available nor visible to the application and release teams. The teams consume them directly from the Key Vault; they do not have permissions to view these secrets and credentials.
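A minimal sketch of such a template, added here as an illustration and not the template the text refers to. The parameter names are assumptions, and the vault is assumed to exist already. The secret arrives as a `securestring` parameter, so its value is not recorded in the deployment history, and the output exposes only the secret's resource ID, never its value.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "string",
      "metadata": {
        "description": "Assumed parameter: name of the existing Key Vault managed by the IT administrator."
      }
    },
    "secretName": {
      "type": "string",
      "metadata": {
        "description": "Assumed parameter: name under which the secret is stored."
      }
    },
    "secretValue": {
      "type": "securestring",
      "metadata": {
        "description": "Assumed parameter: the credential itself. No defaultValue, so it is supplied only at deployment time."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2016-10-01",
      "name": "[concat(parameters('keyVaultName'), '/', parameters('secretName'))]",
      "properties": {
        "value": "[parameters('secretValue')]",
        "contentType": "text/plain"
      }
    }
  ],
  "outputs": {
    "secretResourceId": {
      "type": "string",
      "value": "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('secretName'))]"
    }
  }
}
```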

The IT administrator is also responsible for provisioning a storage account for storing scripts, templates, and code.

The Operational Insights workspace is also provisioned so that application owners can use this service for centralized monitoring and application logging. The administrator can get intelligent information from this workspace about the availability, performance, scalability, and security aspects of every application using this service.

A release or deployment role is another important role, responsible for provisioning, deploying, and configuring the infrastructure and application. They are also responsible for maintaining, managing, and monitoring both the infrastructure and application. Deployment is typically executed as part of the VSTS release pipeline by a VSTS release management user or manually by these operators. They do not have access to an Azure storage account, Azure Key Vault, Azure SQL, VSTS repositories, and virtual machines. They can log in to the Azure subscription using a service principal created by the IT administrator and perform management operations on their workloads.
