Solution Atlas
EverydayUser storyConsultative playbook

We need to fix the cloud foundation before any team builds on top of it

A growing engineering team wants to stop developers spinning up Azure resources at will. The CIO has asked for one controlled Azure environment — sign-in, network, spending limits, policy — before any team gets its own area to work in.

Trigger
CIO is sponsoring the work; engineering teams are paused on going to production until the foundation is ready.
Good outcome
A new team can be given its own Azure area in hours instead of weeks. Spending limits and policy rules apply automatically, sign-in works the same way everywhere, and Finance can see costs as they grow.
Discovery — signals and questions

Signals validating this story

  • ·Engineering teams provisioning Azure subscriptions directly without platform-team guardrails
  • ·CFO seeing cost variability that nobody can explain at workload level
  • ·No subscription-vending pipeline; provisioning is ad-hoc
  • ·Identity Conditional Access partial; not enforced tenant-wide
  • ·CIO sponsorship for a foundation programme

Discovery questions

  1. 1.Today, how does a team get a new Azure subscription, end to end?

    WhySurfaces governance maturity. "Email a person" or "ServiceNow ticket" both signal this story.

  2. 2.What policy guardrails are enforced tenant-wide today?

    WhyEstablishes whether Azure Policy is operational, advisory, or absent.

  3. 3.How does cost get attributed back to teams?

    WhyTagging discipline is the cost-visibility prerequisite.

    Listen for: “no tags” · “inconsistent tags” · “per-subscription only”

  4. 4.What is your hub-and-spoke story today, if any?

    WhyDrives Virtual WAN vs self-built decision.

  5. 5.Who owns day-2 operations — central platform team or each workload team?

    WhyTests platform-as-product readiness.

  6. 6.When did engineering last get blocked by governance — what happened?

    WhyReal story of the cost of poor foundation.

Baseline architectureTarget architecture
Baseline architecture

Direct subscription provisioning per request. Inconsistent tagging. No central network hub. Entra ID P1 partial. Defender for Cloud at the free tier only. Azure Policy as advisory, not enforced. Cost surprises common.

Typical concerns

  • ·Cost spikes nobody can attribute
  • ·Inconsistent identity posture across workloads
  • ·Network topology drifting per team
  • ·Manual subscription onboarding bottleneck
  • ·Policy as advisory rather than guardrail

Capability gaps

  • ·Subscription-vending pipeline
  • ·Policy as code with denial-mode
  • ·Centralised hub-and-spoke or Virtual WAN
  • ·Tag taxonomy enforced
  • ·Defender CSPM tenant-wide
Target architecture

Bicep-templated subscription-vending pipeline with policy guardrails applied at landing. Azure Virtual WAN as the managed hub. Entra ID P1 tenant-wide with Conditional Access. Defender for Cloud CSPM live and producing secure-score. Azure Monitor + Cost Management with team-level tag enforcement.

Key capabilities

  • Subscription-vending pipeline
  • Azure Policy enforced at landing
  • Managed Virtual WAN hub
  • Tenant-wide Conditional Access
  • Tag-driven cost allocation
Architecture decisions
  1. 1.Network hub — Azure Virtual WAN vs self-built hub-and-spoke

    Virtual WAN

    Fits whenMulti-region or >5 spokes; engineering capacity scarce.

    Trade-offsManaged premium; less customisation than custom hub.

    Self-built hub-and-spoke

    Fits whenSingle region; deep network engineering team; bespoke routing requirements.

    Trade-offsOperational burden; harder to scale to multi-region.

    Default recommendationVirtual WAN above 5 spokes or multi-region; self-built otherwise.

  2. 2.Policy enforcement — Initiative pack + deny mode vs audit mode only

    Initiative + deny

    Fits whenGreenfield estate; teams expecting guardrails.

    Trade-offsHigher initial friction; needs exception process.

    Audit mode only

    Fits whenBrownfield with significant existing non-compliant resources.

    Trade-offsPosture stays advisory; drift continues.

    Default recommendationDeny mode for new subscriptions; audit mode for existing during phase 1.

  3. 3.Subscription vending — Bicep pipeline vs ServiceNow workflow vs Azure Lighthouse

    Bicep + pipeline

    Fits whenEngineering-led organisation; comfort with IaC.

    Trade-offsEngineering ownership of the workflow.

    ServiceNow workflow

    Fits whenMature ITSM org; non-engineering requesters.

    Trade-offsSlower to iterate; IaC abstraction layer needed.

    Default recommendationBicep pipeline behind a ServiceNow front door for requester UX.

Low-risk trial — proof of value

6-week Landing Zone foundation deployment

~6 weeks

Deploy 5-subscription pilot landing zone. Policy initiative pack live in deny mode. Virtual WAN hub provisioned. Entra ID P1 Conditional Access policies applied. Defender for Cloud free + paid CSPM. Tag taxonomy + Cost Management dashboard.

Success criteria

  • Pipeline provisions a fully-governed subscription in <30 minutes
  • Policy compliance score above 85% on the pilot subscriptions
  • Tagged spend coverage above 90% on the pilot estate
  • Secure-score baseline + first-week trend captured

InvestmentAdvisory engagement + Azure consumption for the pilot. Existing subscriptions untouched.

Proof metrics

  • ·Time-to-subscription reduced from days to <30 minutes
  • ·Policy compliance score above 85% on pilot
  • ·Tagged spend coverage above 90%
  • ·Defender secure-score baseline established

Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story. Add the ones that fit your situation.

Back to Cloud landing zone