diff --git a/kit/azure/aviatrix/README.md b/kit/azure/aviatrix/README.md
index ffa07094..5dda2a1e 100644
--- a/kit/azure/aviatrix/README.md
+++ b/kit/azure/aviatrix/README.md
@@ -17,8 +17,9 @@ Aviatrix
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [azuread](#requirement\_azuread) | ~> 2.46.0 |
-| [azurerm](#requirement\_azurerm) | ~> 3.81.0 |
+| [azuread](#requirement\_azuread) | 2.53.1 |
+| [azurerm](#requirement\_azurerm) | 3.116.0 |
+| [time](#requirement\_time) | 0.11.1 |
## Modules
@@ -28,23 +29,21 @@ No modules.
| Name | Type |
|------|------|
-| [azuread_app_role_assignment.aviatrix_deploy-approle](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource |
-| [azuread_app_role_assignment.aviatrix_deploy-directory](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource |
-| [azuread_application.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource |
-| [azuread_application_password.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password) | resource |
-| [azuread_service_principal.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
-| [azurerm_role_assignment.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_definition.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
-| [time_rotating.key_rotation](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource |
-| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application_published_app_ids) | data source |
-| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
+| [azuread_app_role_assignment.aviatrix_deploy-approle](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/app_role_assignment) | resource |
+| [azuread_app_role_assignment.aviatrix_deploy-directory](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/app_role_assignment) | resource |
+| [azuread_application.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/application) | resource |
+| [azuread_application_password.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/application_password) | resource |
+| [azuread_service_principal.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/service_principal) | resource |
+| [azurerm_role_assignment.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_definition.aviatrix_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource |
+| [time_rotating.key_rotation](https://registry.terraform.io/providers/hashicorp/time/0.11.1/docs/resources/rotating) | resource |
+| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/data-sources/application_published_app_ids) | data source |
+| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/data-sources/service_principal) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [allowed\_user\_group\_id](#input\_allowed\_user\_group\_id) | id of the authorized id which can do changes | `list(string)` | n/a | yes |
-| [location](#input\_location) | The Azure location used for creating policy assignments establishing this landing zone's guardrails. | `string` | n/a | yes |
| [parent\_management\_group](#input\_parent\_management\_group) | id of the tenant management group | `string` | n/a | yes |
| [service\_principal\_name](#input\_service\_principal\_name) | id of the tenant management group | `string` | `"avaitrix_deploy_spn"` | no |
diff --git a/kit/azure/aviatrix/variables.tf b/kit/azure/aviatrix/variables.tf
index f64d10ca..2f92a9bb 100644
--- a/kit/azure/aviatrix/variables.tf
+++ b/kit/azure/aviatrix/variables.tf
@@ -10,14 +10,3 @@ variable "service_principal_name" {
default = "avaitrix_deploy_spn"
description = "id of the tenant management group"
}
-
-variable "allowed_user_group_id" {
- type = list(string)
- nullable = false
- description = "id of the authorized id which can do changes"
-}
-
-variable "location" {
- type = string
- description = "The Azure location used for creating policy assignments establishing this landing zone's guardrails."
-}
diff --git a/kit/azure/aviatrix/versions.tf b/kit/azure/aviatrix/versions.tf
index 4da6ddd1..ab0713ca 100644
--- a/kit/azure/aviatrix/versions.tf
+++ b/kit/azure/aviatrix/versions.tf
@@ -4,12 +4,17 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 3.81.0"
+ version = "3.116.0"
}
azuread = {
source = "hashicorp/azuread"
- version = "~> 2.46.0"
+ version = "2.53.1"
+ }
+
+ time = {
+ source = "hashicorp/time"
+ version = "0.11.1"
}
}
}
diff --git a/kit/azure/billing/README.md b/kit/azure/billing/README.md
index 04fdfec6..51f269d7 100644
--- a/kit/azure/billing/README.md
+++ b/kit/azure/billing/README.md
@@ -22,8 +22,8 @@ Microsoft Cost Management is a suite of tools that help organizations monitor, a
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [azuread](#requirement\_azuread) | ~> 2.41.0 |
-| [azurerm](#requirement\_azurerm) | ~> 3.71.0 |
+| [azuread](#requirement\_azuread) | 2.53.1 |
+| [azurerm](#requirement\_azurerm) | 3.116.0 |
## Modules
@@ -33,15 +33,13 @@ No modules.
| Name | Type |
|------|------|
-| [azuread_group.billing_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource |
-| [azuread_group.billing_readers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource |
-| [azurerm_consumption_budget_management_group.tenant_root_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/consumption_budget_management_group) | resource |
-| [azurerm_role_assignment.cost_management_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.cost_management_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.management_group_biling_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.management_group_billing_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/client_config) | data source |
-| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azuread_group.billing_admins](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/group) | resource |
+| [azuread_group.billing_readers](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/group) | resource |
+| [azurerm_consumption_budget_management_group.tenant_root_group](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/consumption_budget_management_group) | resource |
+| [azurerm_role_assignment.cost_management_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.cost_management_reader](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.management_group_biling_admin](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.management_group_billing_reader](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
## Inputs
diff --git a/kit/azure/billing/resources.group.tf b/kit/azure/billing/resources.group.tf
index cbc27540..5564023a 100644
--- a/kit/azure/billing/resources.group.tf
+++ b/kit/azure/billing/resources.group.tf
@@ -1,7 +1,3 @@
-data "azuread_client_config" "current" {}
-
-data "azurerm_subscription" "current" {}
-
resource "azuread_group" "billing_admins" {
display_name = var.billing_admin_group
description = "Privileged Cloud Foundation group. Members can manage billing profiles, reserved instances and have full access to all Azure Cost Management data."
diff --git a/kit/azure/billing/versions.tf b/kit/azure/billing/versions.tf
index 1f004dd0..075f9ba5 100644
--- a/kit/azure/billing/versions.tf
+++ b/kit/azure/billing/versions.tf
@@ -4,12 +4,12 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 3.71.0"
+ version = "3.116.0"
}
azuread = {
source = "hashicorp/azuread"
- version = "~> 2.41.0"
+ version = "2.53.1"
}
}
}
diff --git a/kit/azure/bootstrap/README.md b/kit/azure/bootstrap/README.md
index 551122d9..78dfbf8d 100644
--- a/kit/azure/bootstrap/README.md
+++ b/kit/azure/bootstrap/README.md
@@ -122,7 +122,7 @@ collie foundation deploy --bootstrap -- destroy
| [documentation\_uami](#input\_documentation\_uami) | read-only UAMI with access to terraform states to generate documentation in CI pipelines |
object({
name = string
# note: it seems wildcards are not supported yet, see https://github.com/Azure/azure-workload-identity/issues/373
oidc_subject = string
})
| `null` | no |
| [key\_vault](#input\_key\_vault) | This object contains configuration details for setting up a key vault. | object({
name = string,
resource_group_name = string
})
| {
"name": "cloudfoundation-kv",
"resource_group_name": "cloudfoundation-rg"
}
| no |
| [parent\_management\_group\_name](#input\_parent\_management\_group\_name) | Name of the management group you want to use as parent for your foundation. | `string` | n/a | yes |
-| [platform\_engineers\_group](#input\_platform\_engineers\_group) | the name of the cloud foundation platform engineers group | `string` | n/a | yes |
+| [platform\_engineers\_group](#input\_platform\_engineers\_group) | the name of the cloud foundation platform engineers group | `string` | `"cloudfoundation-platform-engineers"` | no |
| [platform\_engineers\_members](#input\_platform\_engineers\_members) | Set up a group of platform engineers. If enabled, this group will receive access to terraform\_state\_storage | list(object({
email = string,
upn = string,
}))
| n/a | yes |
| [terraform\_state\_storage](#input\_terraform\_state\_storage) | Configure this object to enable setting up a terraform state store in Azure Storage. | object({
location = string,
name = string,
config_file_path = string,
resource_group_name = optional(string)
})
| n/a | yes |
| [validation\_uami](#input\_validation\_uami) | read-only UAMI with access to terraform states and read-only access on the landingzone architecture for validation of the deployment in CI pipelines | object({
name = string
# note: it seems wildcards are not supported yet, see https://github.com/Azure/azure-workload-identity/issues/373
oidc_subject = string
})
| `null` | no |
diff --git a/kit/azure/bootstrap/documentation.tf b/kit/azure/bootstrap/documentation.tf
index 25b210a4..3546dad2 100644
--- a/kit/azure/bootstrap/documentation.tf
+++ b/kit/azure/bootstrap/documentation.tf
@@ -1,43 +1,37 @@
output "documentation_md" {
value = <
## Requirements
-No requirements.
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0 |
+| [azuread](#requirement\_azuread) | 2.53.1 |
+| [azurerm](#requirement\_azurerm) | 3.116.0 |
+| [random](#requirement\_random) | 3.6.0 |
+| [time](#requirement\_time) | 0.11.1 |
## Modules
@@ -36,26 +42,26 @@ No modules.
| Name | Type |
|------|------|
-| [azuread_app_role_assignment.buildingblock-directory](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource |
-| [azuread_application.buildingblock](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource |
-| [azuread_service_principal.buildingblock](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
-| [azuread_service_principal_password.buildingblock](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_password) | resource |
-| [azurerm_management_group_policy_assignment.buildingblock_access](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_policy_assignment) | resource |
-| [azurerm_policy_definition.buildingblock_access](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/policy_definition) | resource |
-| [azurerm_resource_group.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
-| [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.keyvault_administrator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.tfstates_engineers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_definition.buildingblock_plan](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
-| [azurerm_storage_account.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource |
-| [azurerm_storage_container.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
-| [random_string.resource_code](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
-| [time_rotating.key_rotation](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource |
-| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application_published_app_ids) | data source |
-| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
-| [azurerm_key_vault.cf_key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
-| [azurerm_role_definition.keyvault_administrator](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/role_definition) | data source |
-| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azuread_app_role_assignment.buildingblock-directory](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/app_role_assignment) | resource |
+| [azuread_application.buildingblock](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/application) | resource |
+| [azuread_service_principal.buildingblock](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/service_principal) | resource |
+| [azuread_service_principal_password.buildingblock](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/service_principal_password) | resource |
+| [azurerm_management_group_policy_assignment.buildingblock_access](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group_policy_assignment) | resource |
+| [azurerm_policy_definition.buildingblock_access](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/policy_definition) | resource |
+| [azurerm_resource_group.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/resource_group) | resource |
+| [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.keyvault_administrator](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.tfstates_engineers](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_definition.buildingblock_plan](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource |
+| [azurerm_storage_account.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/storage_account) | resource |
+| [azurerm_storage_container.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/storage_container) | resource |
+| [random_string.resource_code](https://registry.terraform.io/providers/hashicorp/random/3.6.0/docs/resources/string) | resource |
+| [time_rotating.key_rotation](https://registry.terraform.io/providers/hashicorp/time/0.11.1/docs/resources/rotating) | resource |
+| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/data-sources/application_published_app_ids) | data source |
+| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/data-sources/service_principal) | data source |
+| [azurerm_key_vault.cf_key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/key_vault) | data source |
+| [azurerm_role_definition.keyvault_administrator](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/role_definition) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/subscription) | data source |
## Inputs
diff --git a/kit/azure/buildingblocks/automation/documentation.tf b/kit/azure/buildingblocks/automation/documentation.tf
index ba090f71..7c0cf19b 100644
--- a/kit/azure/buildingblocks/automation/documentation.tf
+++ b/kit/azure/buildingblocks/automation/documentation.tf
@@ -3,16 +3,25 @@ output "documentation_md" {
# 🏗️ Building Blocks Automation Infrastructure
-This module automates the deployment of building blocks within Azure. It utilizes service principles for automation. The states of these resources are maintained in a designated storage account.
+The Likvid Bank Cloud Foundation team maintains a set of building blocks to help application teams get started on the cloud quickly
+and provide common services to all application teams.
+
+We use some common infrastructure to automate deployment of building blocks from meshStack.
## 🛠️ Service Principal
+The building block automation infrastructure uses a service principal to deploy building blocks.
+Each building block definition creates the necessary roles and assigns them to this service principal, so that it
+has the right permissions to deploy the building block implementation to a target subscription.
+
| Name | ID | Client ID |
| --- | --- | --- |
| `${azuread_service_principal.buildingblock.display_name}` | `${azuread_service_principal.buildingblock.id}` | `${azuread_service_principal.buildingblock.client_id}` |
## 🗃️ Storage Account
+We maintain all terraform states of deployed building blocks in a central storage account.
+
| Resource Group | Name | Container Name |
| --- | --- | --- |
| `${azurerm_resource_group.tfstates.name}` | `${azurerm_storage_account.tfstates.name}` | `${azurerm_storage_container.tfstates.name}` |
diff --git a/kit/azure/buildingblocks/automation/versions.tf b/kit/azure/buildingblocks/automation/versions.tf
new file mode 100644
index 00000000..e514b0f8
--- /dev/null
+++ b/kit/azure/buildingblocks/automation/versions.tf
@@ -0,0 +1,26 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.116.0"
+ }
+
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "2.53.1"
+ }
+
+ random = {
+ source = "hashicorp/random"
+ version = "3.6.0"
+ }
+
+ time = {
+ source = "hashicorp/time"
+ version = "0.11.1"
+ }
+ }
+}
+
diff --git a/kit/azure/buildingblocks/budget-alert/backplane/README.md b/kit/azure/buildingblocks/budget-alert/backplane/README.md
index 4982e357..05d00e89 100644
--- a/kit/azure/buildingblocks/budget-alert/backplane/README.md
+++ b/kit/azure/buildingblocks/budget-alert/backplane/README.md
@@ -19,7 +19,7 @@ across all subscriptions underneath a management group (typically the top-level
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [azurerm](#requirement\_azurerm) | ~> 3.71.0 |
+| [azurerm](#requirement\_azurerm) | 3.116.0 |
## Modules
@@ -29,9 +29,8 @@ No modules.
| Name | Type |
|------|------|
-| [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_definition.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
-| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_definition.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource |
## Inputs
diff --git a/kit/azure/buildingblocks/budget-alert/backplane/documentation.tf b/kit/azure/buildingblocks/budget-alert/backplane/documentation.tf
index efd7db87..3f5ab6fc 100644
--- a/kit/azure/buildingblocks/budget-alert/backplane/documentation.tf
+++ b/kit/azure/buildingblocks/budget-alert/backplane/documentation.tf
@@ -9,26 +9,14 @@ mechanism to prevent unintentional cost overruns.
We encourage application teams to deploy additional alerts with fine-grained notification rules according to the
specific needs of their application and infrastructure.
-# 💰 Budget Alert Building Block Backplane
+## Automation
-This module automates the deployment of a Budget Alert building block within Azure. It utilizes the common [Azure Building Blocks Automation Infrastructure](./azure-buildingblocks-automation)
+We automate the deployment of a Budget Alert building block using the common [Azure Building Blocks Automation Infrastructure](../automation.md).
+In order to deploy this building block, this infrastructure receives the following roles.
-
-## 🛠️ Role Definition
-
-| Name | ID |
-| --- | --- |
-| ${azurerm_role_definition.buildingblock_deploy.name} | ${azurerm_role_definition.buildingblock_deploy.id} |
-
-## 📝 Role Assignments
-
-| Principal ID |
-| --- |
-| ${join("\n", [for assignment in azurerm_role_assignment.buildingblock_deploy : assignment.principal_id])} |
-
-## 🎯 Scope
-
-- **Scope**: `${var.scope}`
+| Role Name | Description | Permissions |
+|-----------|-------------|-------------|
+| `${azurerm_role_definition.buildingblock_deploy.name}` | ${azurerm_role_definition.buildingblock_deploy.description} | ${join("
", formatlist("- `%s`", azurerm_role_definition.buildingblock_deploy.permissions[0].actions))} |
EOF
description = "Markdown documentation with information about the Budget Alert building block backplane"
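Review bot: The new Permissions cell is built with a newline-separated list, but a markdown table row ends at the first line break, so every `- ...` bullet after the first falls out of the table in the rendered output; the same construction is used in the connectivity backplane documentation.tf hunk. A single-line separator keeps the cell intact, e.g. `${join("<br>", formatlist("- `%s`", azurerm_role_definition.buildingblock_deploy.permissions[0].actions))}`, or move the permission list below the table as a plain bullet list. Separately, the `join("` call appears to continue onto the next line with a literal line break inside the quoted string, whereas the removed line used the `\n` escape; if that is really in the source rather than an artefact of how the diff was captured, HCL rejects quoted strings that span lines and it must be `join("\n", …)`. The `output "documentation_md"` block starts outside the hunk.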
diff --git a/kit/azure/buildingblocks/budget-alert/backplane/main.tf b/kit/azure/buildingblocks/budget-alert/backplane/main.tf
index 417c17d5..253d3781 100644
--- a/kit/azure/buildingblocks/budget-alert/backplane/main.tf
+++ b/kit/azure/buildingblocks/budget-alert/backplane/main.tf
@@ -1,6 +1,3 @@
-data "azurerm_subscription" "current" {
-}
-
resource "azurerm_role_definition" "buildingblock_deploy" {
name = "${var.name}-deploy"
description = "Enables deployment of the ${var.name} building block to subscriptions"
diff --git a/kit/azure/buildingblocks/budget-alert/backplane/versions.tf b/kit/azure/buildingblocks/budget-alert/backplane/versions.tf
index 804ffa0a..f04a3a77 100644
--- a/kit/azure/buildingblocks/budget-alert/backplane/versions.tf
+++ b/kit/azure/buildingblocks/budget-alert/backplane/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 3.71.0"
+ version = "3.116.0"
}
}
}
diff --git a/kit/azure/buildingblocks/budget-alert/buildingblock/versions.tf b/kit/azure/buildingblocks/budget-alert/buildingblock/versions.tf
index 4917af3d..05954801 100644
--- a/kit/azure/buildingblocks/budget-alert/buildingblock/versions.tf
+++ b/kit/azure/buildingblocks/budget-alert/buildingblock/versions.tf
@@ -4,8 +4,9 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 3.108.0"
+ version = "3.116.0"
}
+
time = {
source = "hashicorp/time"
version = "0.11.1"
diff --git a/kit/azure/buildingblocks/connectivity/backplane/README.md b/kit/azure/buildingblocks/connectivity/backplane/README.md
index 9cdfdd98..e81efe93 100644
--- a/kit/azure/buildingblocks/connectivity/backplane/README.md
+++ b/kit/azure/buildingblocks/connectivity/backplane/README.md
@@ -24,7 +24,7 @@ An Azure Policy confines the access of the SPN to that resource group.
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [azurerm](#requirement\_azurerm) | ~> 3.71.0 |
+| [azurerm](#requirement\_azurerm) | 3.116.0 |
## Modules
@@ -34,9 +34,9 @@ No modules.
| Name | Type |
|------|------|
-| [azurerm_role_assignment.buildingblock_deploy_hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_definition.buildingblock_deploy_hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
-| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_role_assignment.buildingblock_deploy_hub](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_definition.buildingblock_deploy_hub](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/subscription) | data source |
## Inputs
@@ -44,7 +44,6 @@ No modules.
|------|-------------|------|---------|:--------:|
| [name](#input\_name) | name of the building block, used for naming resources | `string` | n/a | yes |
| [principal\_ids](#input\_principal\_ids) | set of principal ids that will be granted permissions to deploy the building block | `set(string)` | n/a | yes |
-| [scope](#input\_scope) | Scope where the building block should be deployable, typically the parent of all Landing Zones. | `string` | n/a | yes |
## Outputs
diff --git a/kit/azure/buildingblocks/connectivity/backplane/documentation.tf b/kit/azure/buildingblocks/connectivity/backplane/documentation.tf
index ddbd4e3b..27d3d94c 100644
--- a/kit/azure/buildingblocks/connectivity/backplane/documentation.tf
+++ b/kit/azure/buildingblocks/connectivity/backplane/documentation.tf
@@ -5,26 +5,14 @@ output "documentation_md" {
The Connectivity building block deploys a managed VNet that's connected to Likvid Bank's network hub.
This enables on-premise connectivity.
-# 🌐 Connectivity Building Block Backplane
+## Automation
-This module automates the deployment of a Connectivity building block within Azure. It utilizes service principles for automation. The states of these resources are maintained in a designated storage account.
+We automates the deployment of a Budget Alert building block using the common [Azure Building Blocks Automation Infrastructure](../automation.md).
+In order to deploy this building block, this infrastructure receives the following roles.
-## 🛠️ Role Definition
-
-| Name | ID |
-| --- | --- |
-| ${azurerm_role_definition.buildingblock_deploy_hub.name} | ${azurerm_role_definition.buildingblock_deploy_hub.id} |
-
-## 📝 Role Assignments
-
-| Principal ID |
-| --- |
-| ${join("\n", [for assignment in azurerm_role_assignment.buildingblock_deploy_hub : assignment.principal_id])} |
-
-
-## 🎯 Scope
-
-- **Scope**: `${var.scope}`
+| Role Name | Description | Permissions |
+|-----------|-------------|-------------|
+| `${azurerm_role_definition.buildingblock_deploy_hub.name}` | ${azurerm_role_definition.buildingblock_deploy_hub.description} | ${join("
", formatlist("- `%s`", azurerm_role_definition.buildingblock_deploy_hub.permissions[0].actions))} |
EOF
description = "Markdown documentation with information about the Connectivity building block backplane"
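Review bot: The new Automation paragraph was copied from the budget-alert backplane and still says "We automates the deployment of a Budget Alert building block", although this output documents the Connectivity building block (the context lines two paragraphs above and the output description both say so). It should read `We automate the deployment of a Connectivity building block using the common [Azure Building Blocks Automation Infrastructure](../automation.md).`. The `output "documentation_md"` block starts outside the hunk.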
diff --git a/kit/azure/buildingblocks/connectivity/backplane/variables.tf b/kit/azure/buildingblocks/connectivity/backplane/variables.tf
index 5f9226b2..94a55259 100644
--- a/kit/azure/buildingblocks/connectivity/backplane/variables.tf
+++ b/kit/azure/buildingblocks/connectivity/backplane/variables.tf
@@ -8,12 +8,6 @@ variable "name" {
}
}
-variable "scope" {
- type = string
- nullable = false
- description = "Scope where the building block should be deployable, typically the parent of all Landing Zones."
-}
-
variable "principal_ids" {
type = set(string)
nullable = false
diff --git a/kit/azure/buildingblocks/connectivity/backplane/versions.tf b/kit/azure/buildingblocks/connectivity/backplane/versions.tf
index 804ffa0a..f04a3a77 100644
--- a/kit/azure/buildingblocks/connectivity/backplane/versions.tf
+++ b/kit/azure/buildingblocks/connectivity/backplane/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 3.71.0"
+ version = "3.116.0"
}
}
}
diff --git a/kit/azure/buildingblocks/connectivity/buildingblock/variables.tf b/kit/azure/buildingblocks/connectivity/buildingblock/variables.tf
index 7f45dd0e..b765d9c7 100644
--- a/kit/azure/buildingblocks/connectivity/buildingblock/variables.tf
+++ b/kit/azure/buildingblocks/connectivity/buildingblock/variables.tf
@@ -14,6 +14,8 @@ variable "address_space" {
type = string
}
+# this variable is supposed to be used by an injected config.tf file for configuring the azurerm provider
+# tflint-ignore: terraform_unused_declarations
variable "subscription_id" {
type = string
description = "The ID of the subscription that you want to deploy the spoke to"
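Review bot: The reason `subscription_id` is declared but unreferenced now lives only in a source comment, so module consumers who read the generated README (which is built from `description`) never learn that the value is consumed by an injected config.tf provider configuration rather than by this module. Consider carrying that contract in the description itself, e.g. `description = "The ID of the subscription that you want to deploy the spoke to. Consumed by the injected config.tf azurerm provider configuration, not referenced directly in this module."`, and keep the tflint-ignore comment for the linter. The variable block continues past the end of the hunk.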
diff --git a/kit/azure/buildingblocks/connectivity/buildingblock/versions.tf b/kit/azure/buildingblocks/connectivity/buildingblock/versions.tf
index 56843d8e..f04e43a9 100644
--- a/kit/azure/buildingblocks/connectivity/buildingblock/versions.tf
+++ b/kit/azure/buildingblocks/connectivity/buildingblock/versions.tf
@@ -1,11 +1,11 @@
terraform {
- required_version = ">=1.0"
+ required_version = ">= 1.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 3.108.0"
+ version = "3.116.0"
configuration_aliases = [azurerm.spoke, azurerm.hub]
}
diff --git a/kit/azure/buildingblocks/github-repo/backplane/documentation.tf b/kit/azure/buildingblocks/github-repo/backplane/documentation.tf
index 36e908b7..517dbd48 100644
--- a/kit/azure/buildingblocks/github-repo/backplane/documentation.tf
+++ b/kit/azure/buildingblocks/github-repo/backplane/documentation.tf
@@ -6,6 +6,5 @@ The Github Repository building block deploys a Github repository for the applica
This building block is an essential part of the application infrastructure, enabling teams to focus on developing
their application without worrying about the underlying repository setup.
-
EOF
}
diff --git a/kit/azure/buildingblocks/github-repo/backplane/main.tf b/kit/azure/buildingblocks/github-repo/backplane/main.tf
index 953e3d99..e69de29b 100644
--- a/kit/azure/buildingblocks/github-repo/backplane/main.tf
+++ b/kit/azure/buildingblocks/github-repo/backplane/main.tf
@@ -1,9 +0,0 @@
-data "azurerm_key_vault" "cloudfoundation_keyvault" {
- name = var.key_vault_name
- resource_group_name = var.key_vault_rg
-}
-
-data "azurerm_key_vault_secret" "github_token" {
- name = var.github_token_secret_name
- key_vault_id = data.azurerm_key_vault.cloudfoundation_keyvault.id
-}
diff --git a/kit/azure/buildingblocks/github-repo/backplane/variables.tf b/kit/azure/buildingblocks/github-repo/backplane/variables.tf
index b1cc7990..e69de29b 100644
--- a/kit/azure/buildingblocks/github-repo/backplane/variables.tf
+++ b/kit/azure/buildingblocks/github-repo/backplane/variables.tf
@@ -1,19 +0,0 @@
-variable "key_vault_name" {
- type = string
- description = "Name of the Key Vault"
- sensitive = true
-}
-
-variable "key_vault_rg" {
- type = string
- description = "Name of the Resource Group where the Key Vault is located"
- sensitive = true
-
-}
-
-variable "github_token_secret_name" {
- type = string
- description = "Name of the secret in Key Vault that holds the GitHub token"
- sensitive = true
-
-}
diff --git a/kit/azure/buildingblocks/github-repo/backplane/versions.tf b/kit/azure/buildingblocks/github-repo/backplane/versions.tf
new file mode 100644
index 00000000..e13c9c69
--- /dev/null
+++ b/kit/azure/buildingblocks/github-repo/backplane/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.116.0"
+ }
+
+ github = {
+ source = "integrations/github"
+ version = "5.42.0"
+ }
+ }
+}
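Review bot: The `integrations/github` requirement at the bottom of this new versions.tf has no consumer visible in the diff: the same commit empties backplane/main.tf and backplane/variables.tf, and no remaining backplane file shown here declares a github resource or data source, so as far as the diff shows only the buildingblock module uses that provider. If that holds for the files not in the diff, the `github = { … }` block is better dropped so callers of the backplane are not forced to download and configure a provider it never uses; if something does need it, a one-line comment such as `# required by <file> for <purpose>` (fill in) above the block would make the dependency traceable.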
diff --git a/kit/azure/buildingblocks/github-repo/buildingblock/README.md b/kit/azure/buildingblocks/github-repo/buildingblock/README.md
index 0efb5ff2..5a0e8f98 100644
--- a/kit/azure/buildingblocks/github-repo/buildingblock/README.md
+++ b/kit/azure/buildingblocks/github-repo/buildingblock/README.md
@@ -31,8 +31,8 @@ The building block outputs the name, description, and visibility of the created
| Name | Version |
|------|---------|
-| [azurerm](#requirement\_azurerm) | ~> 3.81.0 |
-| [github](#requirement\_github) | 5.34.0 |
+| [azurerm](#requirement\_azurerm) | 3.116.0 |
+| [github](#requirement\_github) | 5.42.0 |
## Modules
@@ -42,9 +42,9 @@ No modules.
| Name | Type |
|------|------|
-| [github_repository.repository](https://registry.terraform.io/providers/integrations/github/5.34.0/docs/resources/repository) | resource |
-| [azurerm_key_vault.cloudfoundation_keyvault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
-| [azurerm_key_vault_secret.github_token](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
+| [github_repository.repository](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/repository) | resource |
+| [azurerm_key_vault.cloudfoundation_keyvault](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/key_vault) | data source |
+| [azurerm_key_vault_secret.github_token](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/key_vault_secret) | data source |
## Inputs
diff --git a/kit/azure/buildingblocks/github-repo/buildingblock/provider.tf b/kit/azure/buildingblocks/github-repo/buildingblock/provider.tf
index 26c6cda5..1013520f 100644
--- a/kit/azure/buildingblocks/github-repo/buildingblock/provider.tf
+++ b/kit/azure/buildingblocks/github-repo/buildingblock/provider.tf
@@ -2,11 +2,11 @@ terraform {
required_providers {
github = {
source = "integrations/github"
- version = "5.34.0"
+ version = "5.42.0"
}
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 3.81.0"
+ version = "3.116.0"
}
}
}
diff --git a/kit/azure/buildingblocks/starterkit/backplane/README.md b/kit/azure/buildingblocks/starterkit/backplane/README.md
new file mode 100644
index 00000000..5e237f90
--- /dev/null
+++ b/kit/azure/buildingblocks/starterkit/backplane/README.md
@@ -0,0 +1,227 @@
+---
+name: Starter Kits
+summary: |
+ Offers templates for application teams to get started quickly with deploying their applications on the cloud while following best practices.
+compliance:
+- control: cfmm/service-ecosystem/managed-devops-toolchain
+ statement: |
+ Provides a GitHub repository set up to deploy against Azure Subscriptions using Workload Identity Federation.
+- control: cfmm/iam/service-account-management
+ statement: |
+ Automatically manages service principals for CI/CD pipelines using Workload Identity Federation.
+---
+
+# Starter Kits
+
+This is an implementation of "Cloud Starter Kits" that provides application teams with
+
+- a GitHub repository, seeded with an application starter kit
+- a GitHub actions pipeline
+- a service account solution that enables the GitHub actions pipeline to deploy to their Azure Subscription
+
+## Prerequisites
+
+### GitHub App
+
+Apart from an Azure Landing Zone (we recommend using starter kits only with Sandbox Landing Zones) you will need a
+GitHub organization and the ability to [create and install a private GitHub App](https://docs.github.com/en/apps/creating-github-apps/registering-a-github-app/registering-a-github-app) on the organization. This app will need the following permissions
+
+- Permissions
+ - `Read access to metadata and organization administration`
+ - ` Read and write access to actions, administration, code, secrets, and workflows`
+- Repository access: `All repositories`
+
+You will also need to generate a private key `.PEM` file for the app to be used by the [github terraform provider](https://registry.terraform.io/providers/integrations/github/latest/docs#github-app-installation) when deploying instances of the `buildingblock/` module.
+
+
+### Template Repository
+
+You will also need a template repository that contains code and GitHub actions pipelines. The "official example"
+that we use for testing is [likvid-bank/starterkit-template-azure-static-website](https://github.com/likvid-bank/starterkit-template-azure-static-website).
+This template sets up an Azure Static Website including a PR workflow for terraform and code.
+
+## Structure of this Kit module
+
+This kit module comes with three components, each responsible for enabling deployment of the next
+
+- the kit module itself, acting as the building block's "backplane" that sets up all required infrastructure for deploying starterkits for application teams
+- a terraform module that forms the definition for each "building block", i.e. the instance of the starterkit deployed for a particular application team including a GitHub repo and GitHub actions pipeline
+- terraform code that lives in the starterkit template, deployed by a GitHub actions pipeline
+
+The following sections explain these parts in more detail
+
+### Deployment of the Building Block backplane
+
+Before we can deploy building blocks, we need to first set up the backplane. This operation is only performed once by deploying this kit module using collie as any other kit module with `collie kit apply` and `collie foundation deploy`.
+
+> Unforutnately it's currently not possible to setup a GitHub app via terraform, so please perform this manually.
+
+This will deploy the following resources:
+
+```mermaid
+flowchart TD
+ subgraph github[GitHub Organization]
+ ghapp[GitHub App]
+ ghrepotemplate[GitHub Template Repository]
+ end
+ subgraph Azure
+ subgraph bbsub[Building Block Backplane Subscription]
+ bbsubtfstate[StarterKit BB TF State]
+ bbspn[StarterKit SPN]
+
+ end
+ end
+
+ BB((Starter Kit
Building Block))
+
+ BB --> github
+ BB --> Azure
+ bbspn --Storage Blob Owner--> bbsubtfstate
+
+
+```
+
+### Deployment of a Building Block
+
+Now that we the backplane deployed, we can use the backplane to deploy an instance of the [buildingblock](./buildingblock/) terraform module into a sandbox subscription supplied by the application team.
+The easiest way to do this is to create a building block definition from the `buildingblock` terraform module in meshStack and configure it with the `config_tf` file produced by the backplane module.
+
+The chart below shows the interaction of cloud resources when deploying a new building block using the backplane:
+
+```mermaid
+flowchart TD
+ subgraph GitHub[GitHub Organization]
+ ghapp[GitHub App]
+ subgraph ghrepo [GitHub Repo]
+ ghpipeline[Deploy Pipeline]
+ end
+ ghrepotemplate[GitHub Template Repository]
+ end
+ subgraph Azure
+ subgraph bbsub[Building Block Backplane Subscription]
+ bbsubtfstate[StarterKit BB TF State]
+ bbspn[StarterKit SPN]
+
+ end
+ subgraph sbsub[Sandbox Subscription]
+ subgraph rgcicd[Resource Group ci-cd]
+ ghactionsuami[UAMI for GitHub Actions]
+ sbsubtfstate[Pipeline TF State]
+ end
+ subgraph rgapp[Resource Group app]
+ staticwebsite
+ end
+ end
+ end
+
+ BB((Starter Kit Building Block))
+
+ ghapp -.deploys.-> ghrepo
+ bbspn -.deploys.-> rgcicd
+ bbspn -.deploys.-> rgapp
+ BB -.via github provider.-> ghapp
+ BB -.via azurerm provider.-> bbspn
+ ghrepotemplate -.from template.-> ghrepo
+ ghactionsuami --Storage Blob Owner--> sbsubtfstate
+ ghpipeline --Workload Identity Federation--> ghactionsuami
+ bbspn --Storage Blob Owner--> bbsubtfstate
+ ghactionsuami --Owner--> rgapp
+
+ linkStyle 0,1,2,3,4,5 stroke:#ff3,stroke-width:4px;
+```
+
+## Deployment of the App
+
+Now that we have the application team's sandbox subscription and their GitHub repository configured, the team can use the setup to deploy their `staticwebsite` app.
+
+```mermaid
+flowchart TD
+ subgraph GitHub[GitHub Organization]
+ subgraph ghrepo [GitHub Repo]
+ ghpipeline[Deploy Pipeline]
+ end
+ end
+ subgraph Azure
+ subgraph sbsub[Sandbox Subscription]
+ subgraph rgcicd[Resource Group ci-cd]
+ ghactionsuami[UAMI for GitHub Actions]
+ sbsubtfstate[Pipeline TF State]
+ end
+ subgraph rgapp[Resource Group app]
+ staticwebsite
+ end
+ end
+ end
+
+ ghactionsuami -.deploys.-> staticwebsite
+
+ ghactionsuami --Storage Blob Owner--> sbsubtfstate
+ ghpipeline --Workload Identity Federation--> ghactionsuami
+ ghactionsuami --Owner--> rgapp
+
+ linkStyle 0 stroke:#ff3,stroke-width:4px;
+
+```
+
+## Creating Custom Starter Kits
+
+Using this kit module as a template, you can quickly develop similar starter kits.
+You will typically only need to customize the template repository with code and GitHub Actions workflows.
+
+For advanced use cases, you can of course also want to customize the `buildingblock/` terraform module itself or even the backplane terraform module.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0 |
+| [azuread](#requirement\_azuread) | 2.53.1 |
+| [azurerm](#requirement\_azurerm) | 3.116.0 |
+| [github](#requirement\_github) | 5.42.0 |
+| [random](#requirement\_random) | 3.6.0 |
+| [time](#requirement\_time) | 0.11.1 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azuread_app_role_assignment.starterkit-directory](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/app_role_assignment) | resource |
+| [azuread_application.starterkit](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/application) | resource |
+| [azuread_service_principal.starterkit](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/service_principal) | resource |
+| [azuread_service_principal_password.starterkit](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/service_principal_password) | resource |
+| [azurerm_resource_group.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/resource_group) | resource |
+| [azurerm_role_assignment.starterkit_access](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.terraform_state](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_definition.starterkit_access](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource |
+| [azurerm_role_definition.starterkit_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource |
+| [azurerm_storage_account.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/storage_account) | resource |
+| [azurerm_storage_container.tfstates](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/storage_container) | resource |
+| [github_repository.staticwebsite_template](https://registry.terraform.io/providers/integrations/github/5.42.0/docs/resources/repository) | resource |
+| [random_string.resource_code](https://registry.terraform.io/providers/hashicorp/random/3.6.0/docs/resources/string) | resource |
+| [time_rotating.key_rotation](https://registry.terraform.io/providers/hashicorp/time/0.11.1/docs/resources/rotating) | resource |
+| [azuread_application_published_app_ids.well_known](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/data-sources/application_published_app_ids) | data source |
+| [azuread_group.project_admins](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/data-sources/group) | data source |
+| [azuread_service_principal.msgraph](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/data-sources/service_principal) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/subscription) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [github\_app\_id](#input\_github\_app\_id) | id of your GitHub App | `number` | n/a | yes |
+| [github\_app\_installation\_id](#input\_github\_app\_installation\_id) | id of your GitHub App installation as it appears in URLs on GitHub.com | `number` | n/a | yes |
+| [github\_org](#input\_github\_org) | id of your GitHub organization as it appears in URLs on GitHub.com | `string` | n/a | yes |
+| [location](#input\_location) | Azure location for deploying the building block terraform state storage account | `string` | n/a | yes |
+| [scope](#input\_scope) | Scope where the building block should be deployable, typically a Sandbox Landing Zone Management Group | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [config\_tf](#output\_config\_tf) | Generates a config.tf that can be dropped into meshStack's BuildingBlockDefinition as an encrypted file input to configure this building block. |
+| [documentation\_md](#output\_documentation\_md) | n/a |
+
\ No newline at end of file
diff --git a/kit/azure/buildingblocks/starterkit/backplane/documentation.tf b/kit/azure/buildingblocks/starterkit/backplane/documentation.tf
new file mode 100644
index 00000000..1d7b9bf8
--- /dev/null
+++ b/kit/azure/buildingblocks/starterkit/backplane/documentation.tf
@@ -0,0 +1,39 @@
+output "documentation_md" {
+ value = < Starter Kits are meant to be used in [Sandbox Landing Zones](./azure-landingzones-sandbox.md) for learning and experimentation only.
+
+The easiest way to get started with a Starter Kit is to search for "Starter Kit" in the Likvid Bank Cloud Portal
+Marketplace and let the portal help you add it to a Sandbox Subscription (or create a new one if you don't have one yet).
+
+Starter Kits will create a (private) GitHub repository for you in our [GitHub Organization](https://github.com/${var.github_org}).
+You will find the URL for your repository in the Starter Kit building block output tab. Please review the `README.md`
+of that repository for further instructions and inspiration for working with the starter kit.
+
+## Next Steps when using a Starter Kit
+
+Once you are happy with your results, please provision a [Cloud-Native Landing Zone](./azure-landingzones-cloud-native.md) and fork-and-own the
+starter kit template, including the infrastructure set up by the starter kit building block. We recommend this policy,
+because for productive use cases you will eventually need to customize the way your CI/CD pipeline interacts with the
+cloud. See [Secure DevOps Best Practices](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/best-practices/secure-devops)
+for a good overview of securing production pipelines.
+
+## Automation
+
+This building block uses its own dedicated service principal `${azuread_application.starterkit.display_name}` to automate deployment
+of required resources to your Azure subscription.
+
+EOF
+}
diff --git a/kit/azure/buildingblocks/starterkit/backplane/main.tf b/kit/azure/buildingblocks/starterkit/backplane/main.tf
new file mode 100644
index 00000000..43935a5b
--- /dev/null
+++ b/kit/azure/buildingblocks/starterkit/backplane/main.tf
@@ -0,0 +1,67 @@
+# configure our logging subscription
+data "azurerm_subscription" "current" {
+}
+
+resource "azurerm_role_assignment" "terraform_state" {
+ role_definition_name = "Storage Blob Data Owner"
+ principal_id = azuread_service_principal.starterkit.object_id
+ scope = azurerm_storage_container.tfstates.resource_manager_id
+}
+
+# DESIGN: we don't want to permanently hold permissions on all subscriptions via the MG hierarchy
+# this is mean to work in conjunction with the conditional assignment below
+resource "azurerm_role_definition" "starterkit_access" {
+ name = "${azuread_service_principal.starterkit.display_name}-access"
+ description = "Allow self-assignment of a role in order access an application team's subscription for deployment"
+ scope = var.scope
+ assignable_scopes = [var.scope]
+
+ permissions {
+ actions = [
+ "Microsoft.Authorization/roleAssignments/*"
+ ]
+ }
+}
+
+resource "azurerm_role_definition" "starterkit_deploy" {
+ name = "${azuread_service_principal.starterkit.display_name}-deploy"
+ description = "Enables deployment of starter kits to applicaiton team subscriptions"
+ scope = var.scope
+
+ permissions {
+ actions = [
+ "Microsoft.Authorization/*/read",
+ "Microsoft.Authorization/roleDefinitions/*",
+ "Microsoft.Authorization/roleAssignments/*",
+ "Microsoft.Resources/subscriptions/resourceGroups/*",
+ "Microsoft.Storage/storageAccounts/*",
+ "Microsoft.ManagedIdentity/*"
+ ]
+ }
+}
+
+resource "azurerm_role_assignment" "starterkit_access" {
+ role_definition_id = azurerm_role_definition.starterkit_access.role_definition_resource_id
+
+ description = "Allow the ${azuread_service_principal.starterkit.display_name} SPN to grant itself permissions on an application team's subscription to deploy a starterkit building block."
+ principal_id = azuread_service_principal.starterkit.object_id
+ scope = var.scope
+
+ condition_version = "2.0"
+
+ # what this does: if the request is not a write and not a delete, pass, else check that it only contains the expected role definition id
+
+ condition = <<-EOT
+(
+ !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
+ AND
+ !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
+)
+OR
+(
+ @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${azurerm_role_definition.starterkit_deploy.role_definition_id}}
+ AND
+ @Request[Microsoft.Authorization/roleAssignments:PrincipalId] ForAnyOfAnyValues:GuidEquals {${azuread_service_principal.starterkit.object_id}}
+)
+EOT
+}
\ No newline at end of file
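Review bot: The conditional assignment on `starterkit_access` only bounds the first hop: `starterkit_deploy`, the role the SPN is allowed to give itself, itself grants unconditioned `Microsoft.Authorization/roleAssignments/*` and `Microsoft.Authorization/roleDefinitions/*` at `var.scope`, so once the SPN holds it on a subscription it can create any role assignment or custom role there, which is effectively Owner on that subscription and should either be narrowed (drop `roleDefinitions/*` unless the building block creates custom roles, and keep role-assignment rights to the concrete roles the pipeline identity needs) or stated plainly in the DESIGN comment. Separately, the delete branch of the condition compares `@Request[...]` attributes, which are what a roleAssignments/write request carries; the Azure delegation-with-conditions template matches delete on the existing assignment via `@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId]` and `:PrincipalId`, so as written the delete clause probably never matches and the SPN cannot remove the assignment it created on destroy — confirm against the ABAC docs for condition version 2.0. The rewritten condition below splits write and delete into two AND-joined clauses for that reason. Minor: the `starterkit_deploy` description reads `applicaiton`, the DESIGN comment reads `is mean to work`, and `# configure our logging subscription` on `data.azurerm_subscription.current` does not describe what that data source is used for here.
```hcl
resource "azurerm_role_assignment" "starterkit_access" {
  # … unchanged: role_definition_id, description, principal_id, scope, condition_version …

  # Write requests expose the requested assignment as @Request attributes; delete
  # requests are matched on the existing assignment's @Resource attributes
  # (Azure "delegate role assignment management with conditions" template —
  # confirm against current docs). Everything else the role allows (reads) passes.
  condition = <<-EOT
(
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
  OR
  (
    @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${azurerm_role_definition.starterkit_deploy.role_definition_id}}
    AND
    @Request[Microsoft.Authorization/roleAssignments:PrincipalId] ForAnyOfAnyValues:GuidEquals {${azuread_service_principal.starterkit.object_id}}
  )
)
AND
(
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
  OR
  (
    @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${azurerm_role_definition.starterkit_deploy.role_definition_id}}
    AND
    @Resource[Microsoft.Authorization/roleAssignments:PrincipalId] ForAnyOfAnyValues:GuidEquals {${azuread_service_principal.starterkit.object_id}}
  )
)
EOT
}
```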
diff --git a/kit/azure/buildingblocks/starterkit/backplane/outputs.tf b/kit/azure/buildingblocks/starterkit/backplane/outputs.tf
new file mode 100644
index 00000000..2655e715
--- /dev/null
+++ b/kit/azure/buildingblocks/starterkit/backplane/outputs.tf
@@ -0,0 +1,59 @@
+output "config_tf" {
+ description = "Generates a config.tf that can be dropped into meshStack's BuildingBlockDefinition as an encrypted file input to configure this building block."
+ sensitive = true
+ value = < [terraform](#requirement\_terraform) | >= 1.0 |
-| [azurerm](#requirement\_azurerm) | ~> 3.71.0 |
+| [azurerm](#requirement\_azurerm) | 3.116.0 |
## Modules
@@ -29,9 +29,8 @@ No modules.
| Name | Type |
|------|------|
-| [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_definition.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
-| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_role_assignment.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_definition.buildingblock_deploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource |
## Inputs
diff --git a/kit/azure/buildingblocks/subscription/backplane/documentation.tf b/kit/azure/buildingblocks/subscription/backplane/documentation.tf
index 33853898..fccf1885 100644
--- a/kit/azure/buildingblocks/subscription/backplane/documentation.tf
+++ b/kit/azure/buildingblocks/subscription/backplane/documentation.tf
@@ -7,26 +7,15 @@ This building block deploys default configuration for a subscription.
- Enforces subscription naming policy
- Ensures subscriptions are placed correctly in the resource hierarchy
-# 📚 Subscription Building Block Backplane
+# Automation
-This module automates the deployment of a Subscription building block within Azure. It utilizes service principles for automation. The states of these resources are maintained in a designated storage account.
+We automates the deployment of a Budget Alert building block using the common [Azure Building Blocks Automation Infrastructure](../automation.md).
+In order to deploy this building block, this infrastructure receives the following roles.
-## 🛠️ Role Definition
+| Role Name | Description | Permissions |
+|-----------|-------------|-------------|
+| `${azurerm_role_definition.buildingblock_deploy.name}` | ${azurerm_role_definition.buildingblock_deploy.description} | ${join("
", formatlist("- `%s`", azurerm_role_definition.buildingblock_deploy.permissions[0].actions))} |
-| Name | ID |
-| --- | --- |
-| ${azurerm_role_definition.buildingblock_deploy.name} | ${azurerm_role_definition.buildingblock_deploy.id} |
-
-## 📝 Role Assignments
-
-| Principal ID |
-| --- |
-| ${join("\n", [for assignment in azurerm_role_assignment.buildingblock_deploy : assignment.principal_id])} |
-
-
-## 🎯 Scope
-
-- **Scope**: `${var.scope}`
EOF
description = "Markdown documentation with information about the Subscription building block backplane"
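Review bot: The regenerated Automation section says `We automates the deployment of a Budget Alert building block`, but this file documents the Subscription backplane (the unchanged `description` just below says so), so the rendered documentation names the wrong building block; suggested wording `We automate the deployment of the Subscription building block using the common ...`. The role table row joins the permission list with a newline, but a Markdown table cell cannot span lines, so every action after the first lands outside the table — a separator such as `"<br>"` or `", "` keeps the list inside the cell. If the line break inside `join("` … `")` is literal in the file rather than an artefact of how this diff was rendered, HCL also rejects quoted strings split over lines; the removed line used the `"\n"` escape. The `documentation_md` output block begins before this hunk.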
diff --git a/kit/azure/buildingblocks/subscription/backplane/main.tf b/kit/azure/buildingblocks/subscription/backplane/main.tf
index e810d38d..02b1f98a 100644
--- a/kit/azure/buildingblocks/subscription/backplane/main.tf
+++ b/kit/azure/buildingblocks/subscription/backplane/main.tf
@@ -1,6 +1,3 @@
-data "azurerm_subscription" "current" {
-}
-
resource "azurerm_role_definition" "buildingblock_deploy" {
name = "${var.name}-deploy"
description = "Enables deployment of the ${var.name} building block to subscriptions"
diff --git a/kit/azure/buildingblocks/subscription/backplane/versions.tf b/kit/azure/buildingblocks/subscription/backplane/versions.tf
index a0c42f5d..ca8cf1fd 100644
--- a/kit/azure/buildingblocks/subscription/backplane/versions.tf
+++ b/kit/azure/buildingblocks/subscription/backplane/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 3.71.0"
+ version = "3.116.0"
}
}
}
diff --git a/kit/azure/buildingblocks/subscription/buildingblock/versions.tf b/kit/azure/buildingblocks/subscription/buildingblock/versions.tf
index 374ea43b..ca8cf1fd 100644
--- a/kit/azure/buildingblocks/subscription/buildingblock/versions.tf
+++ b/kit/azure/buildingblocks/subscription/buildingblock/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 3.108.0"
+ version = "3.116.0"
}
}
}
diff --git a/kit/azure/landingzones/cloud-native/README.md b/kit/azure/landingzones/cloud-native/README.md
index 152ea844..6d572f03 100644
--- a/kit/azure/landingzones/cloud-native/README.md
+++ b/kit/azure/landingzones/cloud-native/README.md
@@ -22,7 +22,7 @@ The kit will create a dev group and a prod management groups.
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [azurerm](#requirement\_azurerm) | ~> 3.71.0 |
+| [azurerm](#requirement\_azurerm) | 3.116.0 |
## Modules
@@ -32,9 +32,9 @@ No modules.
| Name | Type |
|------|------|
-| [azurerm_management_group.cloudnative](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource |
-| [azurerm_management_group.dev](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource |
-| [azurerm_management_group.prod](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource |
+| [azurerm_management_group.cloudnative](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource |
+| [azurerm_management_group.dev](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource |
+| [azurerm_management_group.prod](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource |
## Inputs
diff --git a/kit/azure/landingzones/cloud-native/versions.tf b/kit/azure/landingzones/cloud-native/versions.tf
index a0c42f5d..ca8cf1fd 100644
--- a/kit/azure/landingzones/cloud-native/versions.tf
+++ b/kit/azure/landingzones/cloud-native/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 3.71.0"
+ version = "3.116.0"
}
}
}
diff --git a/kit/azure/landingzones/container-platform/README.md b/kit/azure/landingzones/container-platform/README.md
index 5553795b..69560d85 100644
--- a/kit/azure/landingzones/container-platform/README.md
+++ b/kit/azure/landingzones/container-platform/README.md
@@ -19,7 +19,7 @@ The Container Platform Landing Zone is a pre-configured environment designed to
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [azurerm](#requirement\_azurerm) | ~> 3.102.0 |
+| [azurerm](#requirement\_azurerm) | 3.116.0 |
## Modules
@@ -31,17 +31,14 @@ The Container Platform Landing Zone is a pre-configured environment designed to
| Name | Type |
|------|------|
-| [azurerm_management_group.container_platform](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource |
-| [azurerm_management_group.dev](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource |
-| [azurerm_management_group.prod](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource |
+| [azurerm_management_group.container_platform](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [landingzones](#input\_landingzones) | The parent\_management\_group where your landingzones are | `string` | `"landingzones"` | no |
| [location](#input\_location) | The Azure location where this policy assignment should exist, required when an Identity is assigned. | `string` | `"germanywestcentral"` | no |
-| [name](#input\_name) | n/a | `string` | `"container-platform"` | no |
+| [lz-container-platform](#input\_lz-container-platform) | n/a | `string` | `"container-platform"` | no |
| [parent\_management\_group\_id](#input\_parent\_management\_group\_id) | The tenant management group of your cloud foundation | `string` | `"foundation"` | no |
## Outputs
diff --git a/kit/azure/landingzones/container-platform/documentation.tf b/kit/azure/landingzones/container-platform/documentation.tf
index 297c4e7f..e89edd62 100644
--- a/kit/azure/landingzones/container-platform/documentation.tf
+++ b/kit/azure/landingzones/container-platform/documentation.tf
@@ -1,30 +1,18 @@
output "documentation_md" {
value = <
## Requirements
-No requirements.
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0 |
+| [azurerm](#requirement\_azurerm) | 3.116.0 |
## Modules
@@ -33,10 +36,10 @@ No requirements.
| Name | Type |
|------|------|
-| [azurerm_management_group.corp](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource |
-| [azurerm_management_group.dev](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource |
-| [azurerm_management_group.online](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource |
-| [azurerm_management_group.prod](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource |
+| [azurerm_management_group.corp](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource |
+| [azurerm_management_group.dev](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource |
+| [azurerm_management_group.online](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource |
+| [azurerm_management_group.prod](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource |
## Inputs
@@ -44,7 +47,6 @@ No requirements.
|------|-------------|------|---------|:--------:|
| [cloudfoundation](#input\_cloudfoundation) | the name of your cloudfoundation | `string` | n/a | yes |
| [corp](#input\_corp) | n/a | `string` | `"corp"` | no |
-| [landingzones](#input\_landingzones) | The parent\_management\_group where your landingzones are | `string` | `"lv-landingzones"` | no |
| [location](#input\_location) | The Azure location where this policy assignment should exist, required when an Identity is assigned. | `string` | `"germanywestcentral"` | no |
| [online](#input\_online) | n/a | `string` | `"online"` | no |
| [parent\_management\_group\_id](#input\_parent\_management\_group\_id) | The tenant management group of your cloud foundation | `string` | `"lv-foundation"` | no |
diff --git a/kit/azure/landingzones/corp-online/main.tf b/kit/azure/landingzones/corp-online/main.tf
index 06468fcb..40ee50c0 100644
--- a/kit/azure/landingzones/corp-online/main.tf
+++ b/kit/azure/landingzones/corp-online/main.tf
@@ -27,8 +27,8 @@ module "policy_corp" {
location = var.location
template_file_variables = {
- default_location = "${var.location}"
- connectivity_location = "${var.location}"
+ default_location = var.location
+ connectivity_location = var.location
current_scope_resource_id = azurerm_management_group.corp.id
root_scope_resource_id = azurerm_management_group.corp.id
vnet_address_space_id = var.vnet_address_space_id
@@ -44,7 +44,7 @@ module "policy_online" {
location = var.location
template_file_variables = {
- default_location = "${var.location}"
+ default_location = var.location
current_scope_resource_id = azurerm_management_group.online.id
root_scope_resource_id = azurerm_management_group.online.id
}
diff --git a/kit/azure/landingzones/corp-online/variables.tf b/kit/azure/landingzones/corp-online/variables.tf
index 00f2e63a..2bedfb51 100644
--- a/kit/azure/landingzones/corp-online/variables.tf
+++ b/kit/azure/landingzones/corp-online/variables.tf
@@ -9,11 +9,6 @@ variable "cloudfoundation" {
description = "the name of your cloudfoundation"
}
-variable "landingzones" {
- description = "The parent_management_group where your landingzones are"
- default = "lv-landingzones"
-}
-
variable "corp" {
default = "corp"
}
diff --git a/kit/azure/landingzones/corp-online/versions.tf b/kit/azure/landingzones/corp-online/versions.tf
new file mode 100644
index 00000000..ca8cf1fd
--- /dev/null
+++ b/kit/azure/landingzones/corp-online/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.116.0"
+ }
+ }
+}
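Review bot: `version = "3.116.0"` in the new `required_providers` block pins azurerm exactly, so this kit will not receive provider patch releases (including security fixes) without a manual edit, and an exact version on its own does not fix the provider checksums across machines — that is the job of a committed `.terraform.lock.hcl`, which this diff does not show being added. If reproducibility is the goal, keep the exact pin and commit the lock file next to it; if a floor is the goal, `version = "~> 3.116.0"` would match the `~>` style that kit/azure/logging still uses for azapi. The same exact-pin change is made in kit/azure/landingzones/sandbox/versions.tf, kit/azure/landingzones/serverless/versions.tf, kit/azure/logging/versions.tf and kit/azure/networking/versions.tf, so whichever policy is chosen should be applied to all of them.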
diff --git a/kit/azure/landingzones/sandbox/README.md b/kit/azure/landingzones/sandbox/README.md
index 6f7444bb..b1645e2f 100644
--- a/kit/azure/landingzones/sandbox/README.md
+++ b/kit/azure/landingzones/sandbox/README.md
@@ -23,7 +23,7 @@ This kit provides a Terraform configuration for setting a sandbox landing zone m
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [azurerm](#requirement\_azurerm) | ~> 3.71.0 |
+| [azurerm](#requirement\_azurerm) | 3.116.0 |
## Modules
@@ -35,7 +35,7 @@ This kit provides a Terraform configuration for setting a sandbox landing zone m
| Name | Type |
|------|------|
-| [azurerm_management_group.sandbox](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource |
+| [azurerm_management_group.sandbox](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource |
## Inputs
diff --git a/kit/azure/landingzones/sandbox/main.tf b/kit/azure/landingzones/sandbox/main.tf
index fa392a03..d452beec 100644
--- a/kit/azure/landingzones/sandbox/main.tf
+++ b/kit/azure/landingzones/sandbox/main.tf
@@ -11,7 +11,7 @@ module "policy_sandbox" {
location = var.location
template_file_variables = {
- default_location = "${var.location}"
+ default_location = var.location
current_scope_resource_id = azurerm_management_group.sandbox.id
root_scope_resource_id = azurerm_management_group.sandbox.id
}
diff --git a/kit/azure/landingzones/sandbox/versions.tf b/kit/azure/landingzones/sandbox/versions.tf
index a0c42f5d..ca8cf1fd 100644
--- a/kit/azure/landingzones/sandbox/versions.tf
+++ b/kit/azure/landingzones/sandbox/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 3.71.0"
+ version = "3.116.0"
}
}
}
diff --git a/kit/azure/landingzones/serverless/README.md b/kit/azure/landingzones/serverless/README.md
index ce74b074..2caf7ca3 100644
--- a/kit/azure/landingzones/serverless/README.md
+++ b/kit/azure/landingzones/serverless/README.md
@@ -16,7 +16,10 @@ This kit provides a Terraform configuration for setting up Azure Management Grou
## Requirements
-No requirements.
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0 |
+| [azurerm](#requirement\_azurerm) | 3.116.0 |
## Modules
@@ -28,13 +31,12 @@ No requirements.
| Name | Type |
|------|------|
-| [azurerm_management_group.serverless](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource |
+| [azurerm_management_group.serverless](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [landingzones](#input\_landingzones) | The parent\_management\_group where your landingzones are | `string` | `"lv-landingzones"` | no |
| [location](#input\_location) | The Azure location where this policy assignment should exist, required when an Identity is assigned. | `string` | `"germanywestcentral"` | no |
| [lz-serverless](#input\_lz-serverless) | n/a | `string` | `"serverless"` | no |
| [parent\_management\_group\_id](#input\_parent\_management\_group\_id) | The tenant management group of your cloud foundation | `string` | `"lv-foundation"` | no |
diff --git a/kit/azure/landingzones/serverless/main.tf b/kit/azure/landingzones/serverless/main.tf
index 31682c6e..12c7f844 100644
--- a/kit/azure/landingzones/serverless/main.tf
+++ b/kit/azure/landingzones/serverless/main.tf
@@ -11,7 +11,7 @@ module "policy_serverless" {
location = var.location
template_file_variables = {
- default_location = "${var.location}"
+ default_location = var.location
current_scope_resource_id = azurerm_management_group.serverless.id
root_scope_resource_id = azurerm_management_group.serverless.id
}
diff --git a/kit/azure/landingzones/serverless/variables.tf b/kit/azure/landingzones/serverless/variables.tf
index 2c7182d5..fed99062 100644
--- a/kit/azure/landingzones/serverless/variables.tf
+++ b/kit/azure/landingzones/serverless/variables.tf
@@ -3,11 +3,6 @@ variable "parent_management_group_id" {
default = "lv-foundation"
}
-variable "landingzones" {
- description = "The parent_management_group where your landingzones are"
- default = "lv-landingzones"
-}
-
variable "lz-serverless" {
default = "serverless"
}
diff --git a/kit/azure/landingzones/serverless/versions.tf b/kit/azure/landingzones/serverless/versions.tf
new file mode 100644
index 00000000..ca8cf1fd
--- /dev/null
+++ b/kit/azure/landingzones/serverless/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.116.0"
+ }
+ }
+}
diff --git a/kit/azure/logging/README.md b/kit/azure/logging/README.md
index 5f5f1db7..f5b24d78 100644
--- a/kit/azure/logging/README.md
+++ b/kit/azure/logging/README.md
@@ -42,8 +42,8 @@ AzureActivity
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
| [azapi](#requirement\_azapi) | ~> 1.12.1 |
-| [azuread](#requirement\_azuread) | ~> 2.41.0 |
-| [azurerm](#requirement\_azurerm) | ~> 3.71.0 |
+| [azuread](#requirement\_azuread) | 2.53.1 |
+| [azurerm](#requirement\_azurerm) | 3.116.0 |
## Modules
@@ -56,20 +56,20 @@ AzureActivity
| Name | Type |
|------|------|
| [azapi_resource.diag_setting_management_group](https://registry.terraform.io/providers/Azure/azapi/latest/docs/resources/resource) | resource |
-| [azuread_group.security_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource |
-| [azuread_group.security_auditors](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource |
-| [azurerm_log_analytics_workspace.law](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) | resource |
-| [azurerm_management_group_subscription_association.logging](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_subscription_association) | resource |
-| [azurerm_resource_group.law_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
-| [azurerm_role_assignment.cloudfoundation_tfdeploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.logging](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.security_admins](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.security_admins_law](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.security_auditors](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.security_auditors_law](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_definition.cloudfoundation_tfdeploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
+| [azuread_group.security_admins](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/group) | resource |
+| [azuread_group.security_auditors](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/group) | resource |
+| [azurerm_log_analytics_workspace.law](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/log_analytics_workspace) | resource |
+| [azurerm_management_group_subscription_association.logging](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group_subscription_association) | resource |
+| [azurerm_resource_group.law_rg](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/resource_group) | resource |
+| [azurerm_role_assignment.cloudfoundation_tfdeploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.logging](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.security_admins](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.security_admins_law](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.security_auditors](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.security_auditors_law](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_definition.cloudfoundation_tfdeploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource |
| [terraform_data.subscription_name](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
-| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/subscription) | data source |
## Inputs
diff --git a/kit/azure/logging/versions.tf b/kit/azure/logging/versions.tf
index 7fbbf1a9..4d378b14 100644
--- a/kit/azure/logging/versions.tf
+++ b/kit/azure/logging/versions.tf
@@ -4,12 +4,12 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 3.71.0"
+ version = "3.116.0"
}
azuread = {
source = "hashicorp/azuread"
- version = "~> 2.41.0"
+ version = "2.53.1"
}
azapi = {
diff --git a/kit/azure/meshplatform/main.tf b/kit/azure/meshplatform/main.tf
index f083d869..8e5db5bd 100644
--- a/kit/azure/meshplatform/main.tf
+++ b/kit/azure/meshplatform/main.tf
@@ -6,10 +6,14 @@ module "meshplatform" {
source = "registry.terraform.io/meshcloud/meshplatform/azure"
version = "0.6.0"
- metering_enabled = var.metering_enabled
- metering_service_principal_name = var.metering_service_principal_name
- metering_assignment_scopes = var.metering_assignment_scopes
- sso_enabled = var.sso_enabled
+ metering_enabled = var.metering_enabled
+ metering_service_principal_name = var.metering_service_principal_name
+ metering_assignment_scopes = var.metering_assignment_scopes
+
+ sso_enabled = var.sso_enabled
+ sso_meshstack_redirect_uri = var.sso_meshstack_redirect_uri
+ sso_service_principal_name = var.sso_service_principal_name
+
replicator_enabled = var.replicator_enabled
replicator_rg_enabled = var.replicator_rg_enabled
replicator_service_principal_name = var.replicator_service_principal_name
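Review bot: The two new arguments `sso_meshstack_redirect_uri` and `sso_service_principal_name` read `var.sso_meshstack_redirect_uri` and `var.sso_service_principal_name`, and the matching `variable` declarations are not in this chunk; if they are not added to kit/azure/meshplatform/variables.tf, `terraform validate` fails on this module block. Judging by its name the redirect URI becomes a reply URL on an identity-provider app registration, so a mistyped value is a security-relevant misconfiguration rather than a mere plan error; a `validation` block on that variable such as `condition = can(regex("^https://", var.sso_meshstack_redirect_uri))` with an `error_message` naming the expected form would reject a non-TLS or malformed URL at plan time. The enclosing `module "meshplatform"` block starts and ends outside the hunk.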
diff --git a/kit/azure/networking/README.md b/kit/azure/networking/README.md
index 07f129b7..ab775d72 100644
--- a/kit/azure/networking/README.md
+++ b/kit/azure/networking/README.md
@@ -21,8 +21,9 @@ on the internet.
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [azuread](#requirement\_azuread) | ~> 2.41.0 |
-| [azurerm](#requirement\_azurerm) | ~> 3.85.0 |
+| [azuread](#requirement\_azuread) | 2.53.1 |
+| [azurerm](#requirement\_azurerm) | 3.116.0 |
+| [random](#requirement\_random) | 3.6.0 |
## Modules
@@ -32,51 +33,51 @@ No modules.
| Name | Type |
|------|------|
-| [azuread_group.network_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource |
-| [azurerm_firewall.fw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall) | resource |
-| [azurerm_firewall_application_rule_collection.fw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_application_rule_collection) | resource |
-| [azurerm_firewall_nat_rule_collection.fw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_nat_rule_collection) | resource |
-| [azurerm_firewall_network_rule_collection.fw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall_network_rule_collection) | resource |
-| [azurerm_management_group_subscription_association.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_subscription_association) | resource |
-| [azurerm_monitor_diagnostic_setting.fw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
-| [azurerm_monitor_diagnostic_setting.fw_pip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
-| [azurerm_monitor_diagnostic_setting.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
-| [azurerm_monitor_diagnostic_setting.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
-| [azurerm_network_ddos_protection_plan.hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_ddos_protection_plan) | resource |
-| [azurerm_network_security_group.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) | resource |
-| [azurerm_network_security_rule.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource |
-| [azurerm_network_watcher.netwatcher](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_watcher) | resource |
-| [azurerm_network_watcher_flow_log.mgmt_logs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_watcher_flow_log) | resource |
-| [azurerm_public_ip.fw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |
-| [azurerm_public_ip.fw_mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |
-| [azurerm_public_ip_prefix.fw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip_prefix) | resource |
-| [azurerm_resource_group.hub_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
-| [azurerm_resource_group.netwatcher](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
-| [azurerm_role_assignment.cloudfoundation_tfdeploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.network_admins](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.network_admins_connectivity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.network_admins_dns](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.network_admins_landingzone](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_definition.cloudfoundation_tfdeploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
-| [azurerm_route.fw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route) | resource |
-| [azurerm_route_table.out](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route_table) | resource |
-| [azurerm_storage_account.flowlogs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource |
-| [azurerm_storage_container.flowlogs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
-| [azurerm_subnet.firewall](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource |
-| [azurerm_subnet.firewallmgmt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource |
-| [azurerm_subnet.gateway](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource |
-| [azurerm_subnet.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource |
-| [azurerm_subnet_network_security_group_association.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_network_security_group_association) | resource |
-| [azurerm_subnet_route_table_association.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association) | resource |
-| [azurerm_virtual_network.hub_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network) | resource |
-| [random_string.dns](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
-| [random_string.resource_code](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
+| [azuread_group.network_admins](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/group) | resource |
+| [azurerm_firewall.fw](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/firewall) | resource |
+| [azurerm_firewall_application_rule_collection.fw](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/firewall_application_rule_collection) | resource |
+| [azurerm_firewall_nat_rule_collection.fw](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/firewall_nat_rule_collection) | resource |
+| [azurerm_firewall_network_rule_collection.fw](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/firewall_network_rule_collection) | resource |
+| [azurerm_management_group_subscription_association.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group_subscription_association) | resource |
+| [azurerm_monitor_diagnostic_setting.fw](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/monitor_diagnostic_setting) | resource |
+| [azurerm_monitor_diagnostic_setting.fw_pip](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/monitor_diagnostic_setting) | resource |
+| [azurerm_monitor_diagnostic_setting.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/monitor_diagnostic_setting) | resource |
+| [azurerm_monitor_diagnostic_setting.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/monitor_diagnostic_setting) | resource |
+| [azurerm_network_ddos_protection_plan.hub](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/network_ddos_protection_plan) | resource |
+| [azurerm_network_security_group.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/network_security_group) | resource |
+| [azurerm_network_security_rule.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/network_security_rule) | resource |
+| [azurerm_network_watcher.netwatcher](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/network_watcher) | resource |
+| [azurerm_network_watcher_flow_log.mgmt_logs](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/network_watcher_flow_log) | resource |
+| [azurerm_public_ip.fw](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/public_ip) | resource |
+| [azurerm_public_ip.fw_mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/public_ip) | resource |
+| [azurerm_public_ip_prefix.fw](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/public_ip_prefix) | resource |
+| [azurerm_resource_group.hub_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.netwatcher](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/resource_group) | resource |
+| [azurerm_role_assignment.cloudfoundation_tfdeploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.network_admins](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.network_admins_connectivity](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.network_admins_dns](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.network_admins_landingzone](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_definition.cloudfoundation_tfdeploy](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_definition) | resource |
+| [azurerm_route.fw](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/route) | resource |
+| [azurerm_route_table.out](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/route_table) | resource |
+| [azurerm_storage_account.flowlogs](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/storage_account) | resource |
+| [azurerm_storage_container.flowlogs](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/storage_container) | resource |
+| [azurerm_subnet.firewall](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/subnet) | resource |
+| [azurerm_subnet.firewallmgmt](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/subnet) | resource |
+| [azurerm_subnet.gateway](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/subnet) | resource |
+| [azurerm_subnet.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/subnet) | resource |
+| [azurerm_subnet_network_security_group_association.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/subnet_network_security_group_association) | resource |
+| [azurerm_subnet_route_table_association.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/subnet_route_table_association) | resource |
+| [azurerm_virtual_network.hub_network](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/virtual_network) | resource |
+| [random_string.dns](https://registry.terraform.io/providers/hashicorp/random/3.6.0/docs/resources/string) | resource |
+| [random_string.resource_code](https://registry.terraform.io/providers/hashicorp/random/3.6.0/docs/resources/string) | resource |
| [terraform_data.subscription_name](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
-| [azurerm_monitor_diagnostic_categories.fw](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_diagnostic_categories) | data source |
-| [azurerm_monitor_diagnostic_categories.fw_pip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_diagnostic_categories) | data source |
-| [azurerm_monitor_diagnostic_categories.hub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_diagnostic_categories) | data source |
-| [azurerm_monitor_diagnostic_categories.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_diagnostic_categories) | data source |
-| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_monitor_diagnostic_categories.fw](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/monitor_diagnostic_categories) | data source |
+| [azurerm_monitor_diagnostic_categories.fw_pip](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/monitor_diagnostic_categories) | data source |
+| [azurerm_monitor_diagnostic_categories.hub](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/monitor_diagnostic_categories) | data source |
+| [azurerm_monitor_diagnostic_categories.mgmt](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/monitor_diagnostic_categories) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/subscription) | data source |
## Inputs
@@ -94,13 +95,11 @@ No modules.
| [firewall\_network\_rules](#input\_firewall\_network\_rules) | List of network rules to apply to the firewall. | list(object({
name = string
action = string
source_addresses = list(string)
destination_ports = list(string)
destination_addresses = list(string)
protocols = list(string)
}))
| `[]` | no |
| [firewall\_sku\_tier](#input\_firewall\_sku\_tier) | Specify the tier for the firewall, choosing from options like Basic or Standard, Premium. | `string` | `"Basic"` | no |
| [firewall\_zones](#input\_firewall\_zones) | Collection of availability zones to distribute the Firewall across. | `list(string)` | `null` | no |
-| [hub\_networking\_deploy](#input\_hub\_networking\_deploy) | Service Principal responsible for deploying the central hub networking | `string` | `"cloudfoundation_hub_network_deploy_user"` | no |
| [hub\_resource\_group](#input\_hub\_resource\_group) | Name of the central hub resource group | `string` | `"hub-vnet-rg"` | no |
| [hub\_subscription\_name](#input\_hub\_subscription\_name) | Name of your hub subscription | `string` | `"hub"` | no |
| [hub\_vnet\_name](#input\_hub\_vnet\_name) | Name of the central virtual network | `string` | `"hub-vnet"` | no |
| [landingzone\_scope](#input\_landingzone\_scope) | Identifier for the management group landinzone | `string` | n/a | yes |
| [location](#input\_location) | Region for resource deployment | `string` | n/a | yes |
-| [lz\_networking\_deploy](#input\_lz\_networking\_deploy) | Service Principal responsible for deploying the landing zone networking | `string` | `"cloudfoundation_lz_network_deploy_user"` | no |
| [management\_nsg\_rules](#input\_management\_nsg\_rules) | Network security rules to add to the management subnet. Refer to README for setup details. | `list(any)` | `[]` | no |
| [netwatcher](#input\_netwatcher) | Properties for creating network watcher. If set, it creates a Network Watcher resource using standard naming conventions. | object({
log_analytics_workspace_id = string
log_analytics_workspace_id_short = string
log_analytics_resource_id = string
})
| `null` | no |
| [network\_admin\_group](#input\_network\_admin\_group) | Name of the Cloud Foundation network administration group | `string` | `"cloudfoundation-network-admins"` | no |
diff --git a/kit/azure/networking/outputs.tf b/kit/azure/networking/outputs.tf
index a7660b6f..06a440ee 100644
--- a/kit/azure/networking/outputs.tf
+++ b/kit/azure/networking/outputs.tf
@@ -24,7 +24,7 @@ output "hub_vnet_id" {
}
output "firewall_name" {
- value = join("", azurerm_firewall.fw.*.name)
+ value = join("", azurerm_firewall.fw[*].name)
description = "Hub VNet firewall name"
}
diff --git a/kit/azure/networking/resources.firewall.tf b/kit/azure/networking/resources.firewall.tf
index 9399bb0b..5111bc9f 100644
--- a/kit/azure/networking/resources.firewall.tf
+++ b/kit/azure/networking/resources.firewall.tf
@@ -31,7 +31,7 @@ resource "azurerm_route" "fw" {
route_table_name = azurerm_route_table.out.name
address_prefix = "0.0.0.0/0"
next_hop_type = "VirtualAppliance"
- next_hop_in_ip_address = azurerm_firewall.fw[0].ip_configuration.0.private_ip_address
+ next_hop_in_ip_address = azurerm_firewall.fw[0].ip_configuration[0].private_ip_address
}
resource "azurerm_public_ip_prefix" "fw" {
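Review bot: `azurerm_firewall.fw[0]` on the `next_hop_in_ip_address` line assumes the firewall instance always exists, while the `join("", azurerm_firewall.fw[*].name)` in kit/azure/networking/outputs.tf suggests the firewall is created conditionally via `count`; if so, `azurerm_route.fw` needs a matching `count` or the plan fails whenever the firewall is disabled. Whether the route already carries such a `count` cannot be seen here, since the start of the `azurerm_route.fw` block is outside the hunk; the `.0` → `[0]` rewrite itself is only the current index syntax and is fine.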
diff --git a/kit/azure/networking/variables.tf b/kit/azure/networking/variables.tf
index 08979ccf..9f84704d 100644
--- a/kit/azure/networking/variables.tf
+++ b/kit/azure/networking/variables.tf
@@ -58,18 +58,6 @@ variable "management_nsg_rules" {
default = []
}
-variable "lz_networking_deploy" {
- type = string
- default = "cloudfoundation_lz_network_deploy_user"
- description = "Service Principal responsible for deploying the landing zone networking"
-}
-
-variable "hub_networking_deploy" {
- type = string
- default = "cloudfoundation_hub_network_deploy_user"
- description = "Service Principal responsible for deploying the central hub networking"
-}
-
variable "network_admin_group" {
type = string
default = "cloudfoundation-network-admins"
diff --git a/kit/azure/networking/versions.tf b/kit/azure/networking/versions.tf
index dc6d67ac..83d8db34 100644
--- a/kit/azure/networking/versions.tf
+++ b/kit/azure/networking/versions.tf
@@ -4,12 +4,17 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 3.85.0"
+ version = "3.116.0"
}
azuread = {
source = "hashicorp/azuread"
- version = "~> 2.41.0"
+ version = "2.53.1"
+ }
+
+ random = {
+ source = "hashicorp/random"
+ version = "3.6.0"
}
}
}
diff --git a/kit/azure/organization-hierarchy/README.md b/kit/azure/organization-hierarchy/README.md
index acebafc1..b3998461 100644
--- a/kit/azure/organization-hierarchy/README.md
+++ b/kit/azure/organization-hierarchy/README.md
@@ -57,7 +57,7 @@ After deploying this module, you should probably deploy the following kit module
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [azurerm](#requirement\_azurerm) | ~> 3.97.0 |
+| [azurerm](#requirement\_azurerm) | 3.116.0 |
## Modules
@@ -69,15 +69,15 @@ After deploying this module, you should probably deploy the following kit module
| Name | Type |
|------|------|
-| [azurerm_management_group.connectivity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource |
-| [azurerm_management_group.identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource |
-| [azurerm_management_group.landingzones](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource |
-| [azurerm_management_group.management](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource |
-| [azurerm_management_group.platform](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group) | resource |
-| [azurerm_management_group_subscription_association.management](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_group_subscription_association) | resource |
+| [azurerm_management_group.connectivity](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource |
+| [azurerm_management_group.identity](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource |
+| [azurerm_management_group.landingzones](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource |
+| [azurerm_management_group.management](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource |
+| [azurerm_management_group.platform](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group) | resource |
+| [azurerm_management_group_subscription_association.management](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_group_subscription_association) | resource |
| [terraform_data.management_subscription_name](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
-| [azurerm_management_group.parent](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/management_group) | data source |
-| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_management_group.parent](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/management_group) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/subscription) | data source |
## Inputs
diff --git a/kit/azure/organization-hierarchy/versions.tf b/kit/azure/organization-hierarchy/versions.tf
index 302be9cf..ca8cf1fd 100644
--- a/kit/azure/organization-hierarchy/versions.tf
+++ b/kit/azure/organization-hierarchy/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 3.97.0"
+ version = "3.116.0"
}
}
}
diff --git a/kit/azure/pam/README.md b/kit/azure/pam/README.md
index fa31aa66..1fd528d6 100644
--- a/kit/azure/pam/README.md
+++ b/kit/azure/pam/README.md
@@ -32,8 +32,8 @@ and cohesive overview.
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [azuread](#requirement\_azuread) | ~> 2.41.0 |
-| [azurerm](#requirement\_azurerm) | ~> 3.71.0 |
+| [azuread](#requirement\_azuread) | 2.53.1 |
+| [azurerm](#requirement\_azurerm) | 3.116.0 |
## Modules
@@ -43,13 +43,11 @@ No modules.
| Name | Type |
|------|------|
-| [azuread_group_member.pam_desired_memberships](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member) | resource |
-| [azuread_client_config.current](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/client_config) | data source |
-| [azuread_group.pam_desired_groups](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
-| [azuread_group.pam_groups](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
-| [azuread_user.pam_desired_users](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/user) | data source |
-| [azuread_user.pam_users](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/user) | data source |
-| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azuread_group_member.pam_desired_memberships](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/resources/group_member) | resource |
+| [azuread_group.pam_desired_groups](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/data-sources/group) | data source |
+| [azuread_group.pam_groups](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/data-sources/group) | data source |
+| [azuread_user.pam_desired_users](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/data-sources/user) | data source |
+| [azuread_user.pam_users](https://registry.terraform.io/providers/hashicorp/azuread/2.53.1/docs/data-sources/user) | data source |
## Inputs
diff --git a/kit/azure/pam/main.tf b/kit/azure/pam/main.tf
index da1a95e3..ec651de6 100644
--- a/kit/azure/pam/main.tf
+++ b/kit/azure/pam/main.tf
@@ -1,7 +1,3 @@
-data "azuread_client_config" "current" {}
-
-data "azurerm_subscription" "current" {}
-
# We have to do some pre-processing here in order to produce nice documentation.
# fetch data about all actual PAM groups
diff --git a/kit/azure/pam/versions.tf b/kit/azure/pam/versions.tf
index 1f004dd0..075f9ba5 100644
--- a/kit/azure/pam/versions.tf
+++ b/kit/azure/pam/versions.tf
@@ -4,12 +4,12 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 3.71.0"
+ version = "3.116.0"
}
azuread = {
source = "hashicorp/azuread"
- version = "~> 2.41.0"
+ version = "2.53.1"
}
}
}