Azure Landing Zone — Architecture Decisions Map

The architecture-decisions companion to the Azure Landing Zone Foundations executive briefing. Same four pillars, framed around the architectural choices, trade-offs, and irreversibility rather than the programme.

ForCIO

Compass

Businesspersona, use case, outcome
Capabilitywhat the org needs to do
Technologythe technology choices
Sourcewhere the evidence sits

Guided journey · Step 1 of 4

Landing Zone — Identity Foundation

Identity topology decision: single vs multi-tenant Entra ID, management group hierarchy, RBAC scope. Most irreversible at scale.

~ 1 weeks

Search any SKU, capability, risk, or source on this map.

Filter by type

All maps

Narrative intro

The Azure Landing Zone executive briefing organises the programme. This map organises the architecture decisions — same four pillars, viewed through the lens of what's being decided, what the trade-offs are, and which decisions are irreversible at scale. Use this for architecture review boards, decision workshops, and the design phase that precedes delivery. The four-week duration on each pillar is the architecture-decision time, not the delivery time — the implementation of those decisions is the 12–36 week delivery captured in the executive briefing.

Key takeaways

Identity decisions are the most irreversible at scale. Tenant strategy and management group hierarchy carry years of consequence.
Network topology is the second-most-irreversible — IP address overlap and DNS architecture changes are expensive once workloads land.
Governance decisions are reversible but carry operational cost. Policy scope at management group vs subscription is the canonical example.
Operations decisions are most reversible but tend to compound through accreted complexity. Workspace consolidation is painful even when technically possible.

Programme shape

Estimated duration: 4–12 weeks
Estimated FTE: Architecture decision workshop — enterprise architect, network architect, identity architect, security architect, FinOps partner. Decision-making sequence, not a delivery programme.
Spend tier: minimal
Risk level: moderate

This map is a decision-making exercise, not a delivery programme. The decisions made here drive 12–36 weeks of delivery work captured in the Landing Zone Foundations map. Several decisions are irreversible at scale — tenant strategy, management group hierarchy, network topology, IP address management.

Source references

Azure Landing Zone reference architecture — Reference architecture for landing zones.
Azure Well-Architected Framework — Architecture-decision framework that complements landing-zone reference architectures.

Back to all maps