Currently, I am working on establishing enterprise-scale landing zones for the Cloud Adoption Framework in Azure.
I was going through the Cloud Adoption Framework and implemented Level#0. I could see a few Azure AD Groups, like those mentioned below;
however, I don't find any relevant details or description. The CAF documentation is very limited and covers only the high-level steps without any explanation.
While I can assume the need for these groups, I am looking for help in understanding the purpose of the Azure AD Groups.


Short answer: delegation of duties
There is 1 superuser for CAF. It is needed to make the initial groups and service principals. After this, the superuser is not needed and, for safety reasons, is not to be used. The credentials made during the level0 deployment are used to create resources for later levels, ensuring that the creator of a level doesn't have access to the resources created in this level by another credential.
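The separation the answer describes is only worth something if it can be verified after deployment. The following PowerShell audit is an added example, not code from the question, the answer, or the Cloud Adoption Framework project: it checks that no identity belonging to one level holds a role assignment (direct or inherited) on the scope owned by the next level. The group naming convention `caf-level<N>` and the per-level scopes in `$LevelScopes` are assumptions made for this example, not a CAF convention.

```powershell
# Added example (not from the question, answer, or the CAF project).
# Assumptions: Azure AD groups are named 'caf-level<N>' and each level owns one
# Azure scope (resource group here); both are placeholders to adapt.
# Requires the Az.Accounts and Az.Resources modules and an existing Connect-AzAccount
# session with read access to Azure AD groups and to role assignments.
param(
    [string]$GroupPrefix = 'caf-level',   # assumed naming convention
    [hashtable]$LevelScopes = @{          # assumed scopes; subscription id is a placeholder
        0 = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-caf-level0'
        1 = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-caf-level1'
        2 = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-caf-level2'
    }
)

# Object ids of every member (users and service principals) of a level's group.
function Get-LevelPrincipalIds {
    param([int]$Level)
    $group = Get-AzADGroup -DisplayName "$GroupPrefix$Level"
    if (-not $group) { throw "Group '$GroupPrefix$Level' not found" }
    return @(Get-AzADGroupMember -GroupObjectId $group.Id | ForEach-Object { $_.Id })
}

# True when no principal of $CreatorLevel has a role on the scope of $CreatedLevel.
# Get-AzRoleAssignment -Scope also returns assignments inherited from parent scopes
# (subscription, management group), which is where such access usually leaks in.
function Test-LevelSeparation {
    param([int]$CreatorLevel, [int]$CreatedLevel)
    $creators = Get-LevelPrincipalIds -Level $CreatorLevel
    $scope = $LevelScopes[$CreatedLevel]
    $leaks = @(Get-AzRoleAssignment -Scope $scope | Where-Object { $creators -contains $_.ObjectId })
    foreach ($leak in $leaks) {
        Write-Warning ("Level {0} principal '{1}' holds '{2}' on {3} (assigned at {4})" -f
            $CreatorLevel, $leak.DisplayName, $leak.RoleDefinitionName, $scope, $leak.Scope)
    }
    return ($leaks.Count -eq 0)
}

# Walk the levels in order and check each creator level against the level it created.
$separationHolds = $true
foreach ($level in ($LevelScopes.Keys | Sort-Object)) {
    if ($LevelScopes.ContainsKey($level + 1)) {
        if (-not (Test-LevelSeparation -CreatorLevel $level -CreatedLevel ($level + 1))) {
            $separationHolds = $false
        }
    }
}

if ($separationHolds) {
    Write-Host 'Separation holds: no level identity has a role on the next level scope.'
} else {
    Write-Error 'Delegation-of-duties violation found; see warnings above.'
    exit 1
}
```

Run it from a pipeline or a scheduled job using a read-only identity; a non-zero exit code flags the case the answer warns about, where a lower level's credential can reach resources created for the next level. Because inherited assignments are included, a subscription-wide Owner or Contributor on a level-0 service principal will be reported even though it was never assigned directly on the level-1 resource group.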