We are currently investigating the following solution option to support this use case:

We will validate "ownership" of subscriptions to import based on their placement in the resource hierarchy. This is based on the assumption that most platform teams will delegate an entire part of the resource hierarchy to another platform team (e.g. provide them a Management Group under which they can freely operate).

1) To enforce this, we will enable the replicator to evaluate resource hierarchy constraints. These constraints can be configured on the landing zone. The replicator will evaluate constraints prior to replication. This way, the replicator will refuse to perform any operation on a landing zone that is not part of the resource hierarchy delegated to a platform team. Subscriptions that are not supposed to be owned by the platform team will thus not be adopted by meshStack.

In a later iteration of this solution, resource hierarchy constraints may become a mandatory setting on landing zones owned by Landing Zone Contributors and we may put measures in place that they can be only configured via the admin area.

2) We will add new API key permissions for "import tenants into owned landing zones" for landing zone contributors and enforce this accordingly in the API. This enables platform teams to use their workspace-scoped API keys for tenant import.

We intend to make this feature available with similar capabilities across Azure, AWS and GCP. However we will most likely launch this as a preview for Azure first to validate the practical use of this solution.