For tfstate to reside in an Azure storage account, a vnet and subnet must already exist. It seems like a shame to not be able to manage the vnet with Terraform though.
Is it improper for one account to have access to both provision resource groups and create SPNs?