Azure had grown across disconnected subscriptions. I designed a landing zone and migration path that brought the whole estate under one governable model.
Context
The group adopted Azure quickly across several business units. Subscriptions, networks, and identity grew independently, leaving an estate that was hard to secure and harder to govern.
Challenge
No shared platform foundation. Network, policy, and access differed everywhere, audits were painful, and every new workload inherited the inconsistency.
Scope
- Assess the existing subscription and network topology
- Design a landing zone and target operating model
- Migrate workloads without business disruption
- Establish policy and RBAC guardrails
Constraints
- Regulated environment with strict change control
- Limited maintenance windows
- Mixed maturity across business unit teams
Approach
- 01 Mapped the estate and grouped workloads by risk and dependency
- 02 Designed a management group hierarchy and landing zone foundation
- 03 Introduced Azure Policy initiatives and a clear RBAC model
- 04 Sequenced migration so each wave left the estate more governed
Outcome
- A fragmented estate brought under one governable landing zone
- Network, policy, and access standardized across business units
- Stronger audit readiness and less configuration drift
Lessons
Governance designed late is expensive to retrofit. Sequencing migration around a landing zone turns each wave into an improvement, not a cleanup.
What made it complex
Regulated change control across several semi-autonomous teams, with workloads that had to stay available.