Azure Landing Zone Review

Azure Landing Zone Review

Review whether the Azure platform is ready to host workloads consistently. Check the management group model, subscription roles, identity and access, connectivity, policy inheritance, diagnostics, security baseline, cost ownership, and workload onboarding path.

ESLZ-aligned checks Platform guardrails Subscription model Landing zone report

Landing zone assessment

Ready
Hygiara landing zone review scorecard showing landing zone domains and failed checks.

Review Focus

Start with the platform contract

Question to answer

Can a new workload land in Azure and inherit the right guardrails without every team rebuilding the platform by hand?

Evidence
Management groups, subscription placement, platform subscriptions, policy assignments, remediation tasks, RBAC model, hub networking, private DNS, firewall or egress pattern, diagnostics, budgets, tags, and shared-service boundaries.
Decision
Decide whether the gap is a platform design issue, an onboarding issue, an exception, or a workload-specific decision.

What is an Azure landing zone review?

An Azure landing zone review looks at the platform foundation that workloads depend on: management groups, subscriptions, identity, networking, policy, security, management, governance, and automation.

The review is not about whether a diagram exists. It checks whether a workload can be onboarded and inherit the right controls without a team inventing its own network path, policy set, logging pattern, or access model.

Good output separates platform issues from workload issues. That distinction matters because the remediation owner is often different.

What good looks like

The platform should have an explainable management group and subscription model, clear platform and workload boundaries, inherited policy, controlled network paths, central diagnostic expectations, and a known way to create new subscriptions.

Exceptions can be valid, especially in smaller estates or during transition. They still need an owner, reason, expiry or review date, and a target-state decision.

The review should tell the platform team where the foundation is strong, where onboarding is fragile, and which gaps will repeat across future workloads.

Reviewer Notes

  1. 01

    Test the operating model

    Ask how a new production workload gets a subscription, network path, policy baseline, diagnostics, budget, tags, and access. If the answer depends on manual memory, the landing zone is fragile.

  2. 02

    Compare intent with deployed state

    Review the target design, then check management group paths, subscription roles, policy inheritance, private DNS links, hub connectivity, diagnostics, and shared-service placement.

  3. 03

    Be fair to small estates

    A small environment may intentionally combine platform roles. The finding should explain why separation is needed now, not blindly apply an enterprise pattern.

Review Process

From evidence to decision

  1. 01 Document the intended landing zone model: management groups, platform subscriptions, workload subscription pattern, connectivity model, identity boundary, and control baseline.
  2. 02 Review management groups, subscription placement, policy assignments, remediation tasks, RBAC, hub networking, private DNS, firewall and egress paths, diagnostics, budgets, tags, and shared-service placement.
  3. 03 Check whether a new workload can be onboarded through a repeatable path instead of a series of one-off platform requests.
  4. 04 Separate platform findings from workload findings. Platform findings should describe the repeated pattern and the guardrail that needs to change.
  5. 05 Produce findings with target state, remediation owner, affected scopes, and whether the issue blocks scalable workload onboarding.

Review Checks

What to check in Azure

Use the checks as a review path, not a raw inventory. Start with the checks most likely to affect architecture risk, then open each item to see the evidence to collect, the failure pattern to look for, and the decision the review should produce.

How to read this section

Collect the Azure evidence first.

Compare it with the expected operating model.

Decide whether to fix, accept, investigate, or redesign.

Primary review path

Open a check when you need the evidence and decision criteria.

20 of 20 checks shown first

01 Management group hierarchy assessed Review platform, landing zone, sandbox, and decommissioned scopes for clear inheritance. High +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.

Query Examples

Use these only as a starting point for evidence collection.

1 example

Export the management group and subscription placement

Landing zone review starts with where subscriptions sit and what controls they inherit.

CLI

This proves

How management groups and subscriptions are currently placed.

It does not prove

Whether the hierarchy is appropriate for the organisation, whether policy inheritance is correct, or whether exceptions are approved.

Hygiara adds

Hygiara uses placement evidence with landing zone checks to explain whether hierarchy, inheritance, and platform ownership are ready to scale.

az account management-group entities list \
  --query "[].{name:name,type:type,parent:properties.parent.displayName,displayName:properties.displayName}" \
  --output table

How to read it

Look for production, platform, sandbox, and decommissioned subscriptions under ambiguous branches. If placement is unclear, policy inheritance and ownership will be unclear too.

02 Subscription model reviewed Validate connectivity, management, identity, and workload subscription separation. High +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.

Query Examples

Use these only as a starting point for evidence collection.

1 example

Export the management group and subscription placement

Landing zone review starts with where subscriptions sit and what controls they inherit.

CLI

This proves

How management groups and subscriptions are currently placed.

It does not prove

Whether the hierarchy is appropriate for the organisation, whether policy inheritance is correct, or whether exceptions are approved.

Hygiara adds

Hygiara uses placement evidence with landing zone checks to explain whether hierarchy, inheritance, and platform ownership are ready to scale.

az account management-group entities list \
  --query "[].{name:name,type:type,parent:properties.parent.displayName,displayName:properties.displayName}" \
  --output table

How to read it

Look for production, platform, sandbox, and decommissioned subscriptions under ambiguous branches. If placement is unclear, policy inheritance and ownership will be unclear too.

03 Subscription vending checked Confirm new subscriptions inherit baseline policy, RBAC, diagnostic, budget, and tagging controls. High +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.
04 Policy inheritance validated Review initiatives, assignments, exemptions, and remediation tasks across hierarchy levels. High +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.
05 Identity baseline checked Review privileged roles, PIM, managed identities, emergency access, and guest access. High +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.
06 Hub network assessed Validate hub placement, inspection, route tables, DNS, firewall, and connectivity design. High +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.

Query Examples

Use these only as a starting point for evidence collection.

1 example

Check private DNS zones and VNet links

Private endpoint designs fail when private DNS is local, duplicated, or not linked to the right networks.

ARG

This proves

Which private DNS zones and virtual network links exist.

It does not prove

Whether name resolution works for every private endpoint, whether ownership is clear, or whether the design matches the intended hub-spoke model.

Hygiara adds

Hygiara turns DNS and network evidence into landing zone readiness findings instead of leaving reviewers with disconnected exports.

Resources
| where type in~ (
  'microsoft.network/privatednszones',
  'microsoft.network/privatednszones/virtualnetworklinks'
)
| extend linkedVnet = tostring(properties.virtualNetwork.id)
| project subscriptionId, resourceGroup, type, name, linkedVnet, id
| order by subscriptionId, resourceGroup, type, name

How to read it

A mature landing zone usually has an explainable private DNS ownership model. Many local zones with inconsistent links often mean workload teams are solving platform DNS themselves.

07 Spoke connectivity reviewed Check peering, routing, egress, private endpoint, and shared services access patterns. Medium +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.

Query Examples

Use these only as a starting point for evidence collection.

1 example

Check private DNS zones and VNet links

Private endpoint designs fail when private DNS is local, duplicated, or not linked to the right networks.

ARG

This proves

Which private DNS zones and virtual network links exist.

It does not prove

Whether name resolution works for every private endpoint, whether ownership is clear, or whether the design matches the intended hub-spoke model.

Hygiara adds

Hygiara turns DNS and network evidence into landing zone readiness findings instead of leaving reviewers with disconnected exports.

Resources
| where type in~ (
  'microsoft.network/privatednszones',
  'microsoft.network/privatednszones/virtualnetworklinks'
)
| extend linkedVnet = tostring(properties.virtualNetwork.id)
| project subscriptionId, resourceGroup, type, name, linkedVnet, id
| order by subscriptionId, resourceGroup, type, name

How to read it

A mature landing zone usually has an explainable private DNS ownership model. Many local zones with inconsistent links often mean workload teams are solving platform DNS themselves.

08 Private DNS model checked Confirm central private DNS zones, links, ownership, and workload integration. Medium +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.

Query Examples

Use these only as a starting point for evidence collection.

1 example

Check private DNS zones and VNet links

Private endpoint designs fail when private DNS is local, duplicated, or not linked to the right networks.

ARG

This proves

Which private DNS zones and virtual network links exist.

It does not prove

Whether name resolution works for every private endpoint, whether ownership is clear, or whether the design matches the intended hub-spoke model.

Hygiara adds

Hygiara turns DNS and network evidence into landing zone readiness findings instead of leaving reviewers with disconnected exports.

Resources
| where type in~ (
  'microsoft.network/privatednszones',
  'microsoft.network/privatednszones/virtualnetworklinks'
)
| extend linkedVnet = tostring(properties.virtualNetwork.id)
| project subscriptionId, resourceGroup, type, name, linkedVnet, id
| order by subscriptionId, resourceGroup, type, name

How to read it

A mature landing zone usually has an explainable private DNS ownership model. Many local zones with inconsistent links often mean workload teams are solving platform DNS themselves.

09 Firewall and egress pattern reviewed Validate controlled outbound routing, firewall policy, logging, and exception handling. High +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.
10 DDoS protection assessed Check whether public workload exposure uses the expected DDoS protection model. Medium +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.
11 Central logging checked Confirm platform and workload diagnostics route to the intended monitoring foundation. High +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.
12 Activity log export reviewed Validate subscription activity logs are exported centrally. Medium +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.
13 Alerting and action groups assessed Review standard alert routing and incident ownership. Medium +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.
14 Security baseline validated Check Defender coverage, security contacts, Key Vault controls, storage controls, and policy enforcement. High +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.
15 Backup baseline reviewed Validate recovery services, vault placement, backup policies, and retention expectations. Medium +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.
16 Cost governance checked Review budgets, tags, cost allocation, and ownership from the landing zone model. Medium +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.
17 Naming and taxonomy reviewed Assess whether naming, resource groups, and tags make platform ownership understandable. Low +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.
18 Shared services boundaries checked Confirm platform services are not deployed into arbitrary workload subscriptions. High +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.
19 Workload onboarding pattern assessed Review how teams consume landing zone services without bypassing guardrails. Medium +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.
20 Exception process reviewed Confirm landing zone deviations have owner, rationale, expiry, and compensating controls. High +
Collect
Collect management group hierarchy, subscription role signals, policy assignments, remediation tasks, VNet and route topology, private DNS zones and links, firewall/NAT evidence, diagnostics, budgets, tags, and shared-service placement.
Look For
The platform has resources that look like a landing zone, but workload onboarding still relies on manual exceptions, duplicated controls, unclear subscription roles, or inconsistent network and logging patterns.
Decide
Decide whether the issue requires platform redesign, subscription reclassification, policy inheritance change, network/DNS standardisation, or a documented exception for a small or transitional estate.

Microsoft Learn Sources

Framework references

Microsoft Learn and the Cloud Adoption Framework define the landing zone design areas and platform guidance used to shape this page.

Automate the Azure review with Hygiara

Hygiara runs landing zone checks and presents failed controls by domain and severity, with the evidence needed to discuss them.

Frequently Asked Questions

Common questions about azure landing zone review

What is the purpose of an Azure landing zone review? +

It checks whether the Azure platform can host workloads consistently with inherited governance, identity boundaries, secure connectivity, logging, monitoring, cost ownership, and a repeatable subscription onboarding path.

How is a landing zone review different from an architecture review? +

A landing zone review focuses on the shared platform foundation. An architecture review focuses on workload design and operation through the Well-Architected pillars. They are related, but they answer different questions.

What are common landing zone anti-patterns? +

Common anti-patterns include flat hierarchy, shared services in workload subscriptions, duplicated policy assignments, unmanaged exceptions, inconsistent private DNS, unclear egress routing, and missing subscription vending controls.

Does every organization need a full enterprise-scale landing zone? +

No. Smaller estates may not need every enterprise pattern immediately. They still need clear ownership, inherited guardrails, secure connectivity, logging, and a known path for onboarding workloads.

Can Hygiara generate a landing zone report? +

Yes. When landing zone assessment is selected, Hygiara can generate landing-zone-specific output alongside the broader Azure review.

Related Azure Resources

Continue the Azure review workflow

Run a free Azure review with Hygiara

Generate a professional architecture and governance report in minutes from read-only Azure evidence.