Solution Atlas
Everyday · User story · Consultative playbook

We need a governed Azure foundation before any team builds a workload

A growing engineering organisation wants to stop teams provisioning Azure resources directly. The CIO has asked for a landing zone with identity, network segmentation, policy, and cost visibility in place before any team is offered a subscription.

Trigger: CIO sponsorship; engineering teams blocked from production until governance lands.

Good outcome: Subscription-vending pipeline live with policy + cost guardrails, identity, and a paved-road network.
Diagnostic discovery

Signals this story fits

Observable cues that confirm the conversation belongs here.

  • Engineering teams provisioning Azure subscriptions directly without platform-team guardrails
  • CFO seeing cost variability that nobody can explain at workload level
  • No subscription-vending pipeline; provisioning is ad-hoc
  • Identity Conditional Access partial; not enforced tenant-wide
  • CIO sponsorship for a foundation programme

Questions to ask

Open-ended, SPIN-style — each one has a reason it matters.

  1. Today, how does a team get a new Azure subscription, end to end?

    Why: Surfaces governance maturity. "Email a person" or "ServiceNow ticket" both signal this story.

  2. What policy guardrails are enforced tenant-wide today?

    Why: Establishes whether Azure Policy is operational, advisory, or absent.

  3. How does cost get attributed back to teams?

    Why: Tagging discipline is the cost-visibility prerequisite.

    Listen for: “no tags” · “inconsistent tags” · “per-subscription only”

  4. What is your hub-and-spoke story today, if any?

    Why: Drives the Virtual WAN vs self-built decision.

  5. Who owns day-2 operations — central platform team or each workload team?

    Why: Tests platform-as-product readiness.

  6. When did engineering last get blocked by governance — what happened?

    Why: A real story of the cost of a poor foundation.

Baseline → target architecture

TOGAF-style gap framing — what we typically see today, and what the proposed end state looks like. The gap between them is the engagement.

Baseline architecture

Direct subscription provisioning per request. Inconsistent tagging. No central network hub. Entra ID P1 partial. Defender for Cloud at the free tier only. Azure Policy as advisory, not enforced. Cost surprises common.

Typical concerns

  • Cost spikes nobody can attribute
  • Inconsistent identity posture across workloads
  • Network topology drifting per team
  • Manual subscription onboarding bottleneck
  • Policy as advisory rather than guardrail

Capability gaps

  • Subscription-vending pipeline
  • Policy as code with deny mode
  • Centralised hub-and-spoke or Virtual WAN
  • Tag taxonomy enforced
  • Defender CSPM tenant-wide

Target architecture

Bicep-templated subscription-vending pipeline with policy guardrails applied at landing. Azure Virtual WAN as the managed hub. Entra ID P1 tenant-wide with Conditional Access. Defender for Cloud CSPM live and producing secure-score. Azure Monitor + Cost Management with team-level tag enforcement.

Key capabilities

  • Subscription-vending pipeline
  • Azure Policy enforced at landing
  • Managed Virtual WAN hub
  • Tenant-wide Conditional Access
  • Tag-driven cost allocation

Enabling SKUs

Resolved in the ‘Recommended cards’ section below.

Architecture decisions

Each decision is offered as explicit options with trade-offs — Hohpe's “selling options” principle. A safe default is noted where one exists.

  1. Decision 1: Network hub — Azure Virtual WAN vs self-built hub-and-spoke

    Virtual WAN

    When it fits: Multi-region or >5 spokes; engineering capacity scarce.

    Trade-offs: Managed premium; less customisation than a custom hub.

    Self-built hub-and-spoke

    When it fits: Single region; deep network engineering team; bespoke routing requirements.

    Trade-offs: Operational burden; harder to scale to multi-region.

    Default recommendation: Virtual WAN above 5 spokes or multi-region; self-built otherwise.

  2. Decision 2: Policy enforcement — Initiative pack + deny mode vs audit mode only

    Initiative + deny

    When it fits: Greenfield estate; teams expecting guardrails.

    Trade-offs: Higher initial friction; needs an exception process.

    Audit mode only

    When it fits: Brownfield with significant existing non-compliant resources.

    Trade-offs: Posture stays advisory; drift continues.

    Default recommendation: Deny mode for new subscriptions; audit mode for existing subscriptions during phase 1.

  3. Decision 3: Subscription vending — Bicep pipeline vs ServiceNow workflow vs Azure Lighthouse

    Bicep + pipeline

    When it fits: Engineering-led organisation; comfort with IaC.

    Trade-offs: Engineering ownership of the workflow.

    ServiceNow workflow

    When it fits: Mature ITSM org; non-engineering requesters.

    Trade-offs: Slower to iterate; IaC abstraction layer needed.

    Default recommendation: Bicep pipeline behind a ServiceNow front door for requester UX.
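Decision 2 and the "Tag taxonomy enforced" capability gap come down to one mechanism: a policy definition applied at the landing-zone management group with its effect set to Deny for greenfield subscriptions or Audit for brownfield ones. The Bicep below is an added illustration written for this page; it is not Solution Atlas code and not a Microsoft-published initiative pack. The tag name (costCenter), the management-group deployment scope and all display names are assumptions; the resource types, API versions, the `tags['name']` field alias and the `enforcementMode` property are real Azure Policy constructs.

```bicep
// Added example (not part of the Solution Atlas playbook): one custom policy
// definition plus an assignment whose effect switches between Deny and Audit,
// mirroring Decision 2. Tag name, display names and scope are assumptions.
targetScope = 'managementGroup'

@description('Tag every resource must carry so spend can be attributed to a team. Assumed name.')
param requiredTag string = 'costCenter'

@description('Deny for new (greenfield) landing-zone subscriptions; Audit for brownfield estates during phase 1.')
@allowed([
  'Audit'
  'Deny'
])
param effect string = 'Deny'

// Policy definition: flags (Audit) or blocks (Deny) any resource created without
// the required tag. mode 'Indexed' limits evaluation to resource types that
// support tags and location, so untaggable child resources are not penalised.
resource requireTagDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'require-${requiredTag}-tag'
  properties: {
    policyType: 'Custom'
    mode: 'Indexed'
    displayName: 'Require ${requiredTag} tag on resources'
    description: 'Resources without a ${requiredTag} tag cannot be attributed to a team in Cost Management.'
    parameters: {
      effect: {
        type: 'String'
        allowedValues: [
          'Audit'
          'Deny'
        ]
        defaultValue: 'Deny'
      }
    }
    policyRule: {
      if: {
        // Policy field alias for a named tag; the escaped quotes survive into the JSON rule.
        field: 'tags[\'${requiredTag}\']'
        exists: 'false'
      }
      then: {
        // Policy-language expression, evaluated by Azure Policy at request time, not by ARM at deploy time.
        effect: '[parameters(\'effect\')]'
      }
    }
  }
}

// Assignment at the landing-zone management group: every subscription vended
// underneath inherits the guardrail at landing. Passing effect=Audit (or setting
// enforcementMode to 'DoNotEnforce') is the advisory posture the baseline describes;
// compliance is still evaluated and reported either way.
resource requireTagAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'require-${requiredTag}-tag' // management-group-scope assignment names are limited to 24 characters
  properties: {
    displayName: 'Require ${requiredTag} tag (${effect})'
    policyDefinitionId: requireTagDefinition.id
    parameters: {
      effect: {
        value: effect
      }
    }
    enforcementMode: 'Default'
  }
}

output assignmentId string = requireTagAssignment.id
```

Deploy it against the landing-zone management group with `az deployment mg create --management-group-id <mg-id> --location <region> --template-file require-tag.bicep`, adding `--parameters effect=Audit` for the brownfield phase-1 posture. Because the definition is evaluated in both modes, the same assignment produces the compliance percentage behind the "policy compliance score above 85%" proof metric; only the Deny setting turns it from a report into a guardrail.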

Low-risk trial — proof of value

6-week Landing Zone foundation deployment

Duration: 6 weeks

Deploy a 5-subscription pilot landing zone. Policy initiative pack live in deny mode. Virtual WAN hub provisioned. Entra ID P1 Conditional Access policies applied. Defender for Cloud free + paid CSPM. Tag taxonomy + Cost Management dashboard.

Success criteria

  • Pipeline provisions a fully-governed subscription in <30 minutes
  • Policy compliance score above 85% on the pilot subscriptions
  • Tagged spend coverage above 90% on the pilot estate
  • Secure-score baseline + first-week trend captured

Investment: Advisory engagement + Azure consumption for the pilot. Existing subscriptions untouched.

Proof metrics

  • Time-to-subscription reduced from days to <30 minutes
  • Policy compliance score above 85% on pilot
  • Tagged spend coverage above 90%
  • Defender secure-score baseline established

Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story. Add the ones that fit your situation.
