The Azure Landing Zone (ALZ) is Microsoft's reference architecture for enterprise Azure. This guide covers assessing your Azure environment against ALZ — management groups, hub-spoke, policy and AI readiness.
💡 Quick start: TCOIQ gives you instant AI-powered results in 60 seconds. Free plan available at tcoiq.com. Built by Wekams.
ALZ defines: management group hierarchy (Root→Platform→Workloads), subscription design (identity/connectivity/management/workload), hub-spoke network with Azure Firewall, Entra ID, and Azure Policy for governance.
Mature structure: Root → Platform (Identity, Connectivity, Management) → Workloads (Corp, Online, SAP). Most orgs start flat — all resources in 1-2 subscriptions with no policies. TCOIQ assesses and recommends hierarchy.
Hub-spoke networking: a hub VNet hosts Azure Firewall, Azure Bastion and the ExpressRoute/VPN gateway, and spoke VNets are peered to the hub. Many Azure environments instead have ad-hoc VNets with direct internet access, a significant security and governance risk.
Key policies: require tags, deny public IPs on workload VMs, enforce encryption, require Defender, restrict VM sizes/regions. TCOIQ identifies which policies are in place and which are missing.
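As an added example (not TCOIQ's or Microsoft's own code), one of the policies listed above, "deny public IPs on workload VMs", written as a custom Azure Policy definition and assignment deployed at the Workloads management group. The management group name `Workloads`, the resource names and the default `Audit` effect are assumptions.

```bicep
// Added example: deny network interfaces that carry a public IP, so workload VMs
// cannot be exposed directly to the internet. Deploy at the Workloads management
// group (an assumed name) with: az deployment mg create --management-group-id Workloads ...
targetScope = 'managementGroup'

@description('Start with Audit to see what would be blocked, then switch to Deny.')
@allowed(['Audit', 'Deny', 'Disabled'])
param effect string = 'Audit'

resource denyPublicNicIp 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-nic-public-ip'
  properties: {
    displayName: 'Network interfaces should not have public IP addresses'
    policyType: 'Custom'
    mode: 'Indexed'
    description: 'Blocks direct internet exposure of workload VMs.'
    metadata: { category: 'Network' }
    parameters: {
      effect: {
        type: 'String'
        allowedValues: ['Audit', 'Deny', 'Disabled']
        defaultValue: 'Deny'
      }
    }
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Network/networkInterfaces' }
          // The alias is empty when no public IP is attached. "notLike *" is true
          // for an empty value, so negating it means "a public IP id is present".
          {
            not: {
              field: 'Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id'
              notLike: '*'
            }
          }
        ]
      }
      then: { effect: '[parameters(\'effect\')]' }
    }
  }
}

resource assignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-nic-public-ip'
  properties: {
    displayName: 'Deny public IPs on workload NICs'
    policyDefinitionId: denyPublicNicIp.id
    parameters: { effect: { value: effect } }
    enforcementMode: 'Default'
  }
}
```

Existing NICs with public IPs are reported as non-compliant rather than modified; the Deny effect only blocks new or updated resources.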
Microsoft Fabric readiness requires a dedicated capacity subscription, OneLake governance, private endpoints, and Microsoft Purview data controls. Azure OpenAI readiness requires a private endpoint, an API Management gateway, managed identity, and content filtering.
AI-powered results in 60 seconds. No consultant needed. Free plan available.
Run Azure LZ Assessment →