Azure Landing Zone Foundations for CIOs

A CIO's view of the platform layer every Azure workload will stand on — identity, network, governance, operations. The Cloud Adoption Framework gives the target architecture; this briefing covers what to decide first, what to defer, and where the irreversible choices live.

ForCIO

Compass

Businesspersona, use case, outcome
Capabilitywhat the org needs to do
Technologythe technology choices
Sourcewhere the evidence sits

Guided journey · Step 1 of 4

Landing Zone — Identity Foundation

Decide tenant and management group strategy first. These are the hardest decisions to reverse — multi-tenant and subscription-scope RBAC choices made for expedience become permanent constraints as the estate grows. Without a coherent identity layer, every later RBAC and policy choice fragments.

~ 6 weeks

Search any SKU, capability, risk, or source on this map.

Filter by type

All maps

Narrative intro

An Azure landing zone is the foundation everything else stands on. Get it right and every subsequent workload inherits a coherent estate — a shared identity model, consistent network topology, predictable policy, unified observability. Get it wrong and every new project pays the carrying cost. The Microsoft Cloud Adoption Framework is well-documented. The hard part isn't knowing what to build — it's deciding what to defer, what to centralise, and where the irreversible choices are. Most CIO regrets come from deferring identity and policy decisions (which become irreversible as scale grows) or centralising too aggressively early on (which makes the platform team a bottleneck for the workload teams it's meant to serve). This briefing covers the four pillars a CIO should have a credible answer to before approving the first wave of production workloads: identity foundation, network foundation, governance and policy, operations and FinOps. The featured SKUs below are the load-bearing commitments behind the architecture — the rest of the Azure catalogue lands on top of these.

Key takeaways

Identity and policy decisions are the hardest to undo at scale. Front-load them — multi-tenant choices and subscription-scope RBAC made for expedience become permanent.
Network topology should follow workload patterns and operational reality, not vendor enthusiasm. Hand-built hub-spoke is often cheaper at small scale; VWAN earns its premium beyond 5–6 spokes or multi-region.
Defender for Cloud secure score is the right ongoing maturity metric — board-comprehensible, continuously updated, and the substrate for the assurance function.
A platform team that operates landing zones as a standing product is the durable model. Project-based delivery produces v1 then accumulates debt.
The CAF is a guidebook, not a blueprint. Adapt deliberately to your organisation — the reference architectures are useful starting points, not target end states.

Programme shape

Estimated duration: 12–36 weeks
Estimated FTE: Platform lead, network architect, identity architect, security architect, FinOps partner. Mid-market scale 2–4 FTE for v1; enterprise 6–10 plus part-time SMEs. The team stays standing once v1 lands — this is not a project.
Spend tier: moderate
Risk level: moderate

Risk shifts from moderate to elevated if production workloads are landed onto half-built foundations. Most CIO regrets come from deferring identity and policy decisions (which become irreversible as scale grows) or centralising too aggressively (which makes the platform team a bottleneck). The CAF is a guidebook; the wisdom is in pacing the build.

Source references

Microsoft Cloud Adoption Framework — The canonical Microsoft framework. Treat the landing zone section as a curriculum, not a recipe.
Azure Landing Zone reference architecture — Reference architecture and accelerators — starting points, not target end states.
Azure Well-Architected Framework — The complement to CAF — how to design well-architected workloads onto the landing zone.
Microsoft Cost Management and FinOps Framework guidance — Operating-model guidance for the FinOps pillar.

Back to all maps