Composite Service Example
Turning Landing Zone Drift Into an Approved Standard
This is a composite example, not a real client story. It shows how landing zone drift across identity, networking, policy, and cost can move from scattered exceptions into an assessment, one approved standard, and named exception owners.
Starting Point
Every Subscription Had Its Own Rules.
Findings
Owners Came Before a Redesign.
One Standard Before More Workloads
The team did not need a new reference architecture. It needed to choose the standard its current estate could actually follow.
Exceptions Need Owners
Drift was not the problem. Unreviewed, unowned exceptions were. Each one needed an owner and a status: approved, temporary, or cleanup.
Identity and Policy Before Network
Fixing network drift alone would have missed the higher risk in identity, public exposure, and policy gaps.
Target Standard
From Drift to an Approved Standard.
Management Groups
Subscription structure
Policy and Guardrails
Reviewed exceptions
Identity and Access
RBAC, PIM, owners
Monitoring and Cost
Telemetry and budgets
Diagram examples use sanitized Azure components and architecture notes.
Actions
Assessment Set the Cleanup Sequence.
- Confirm the highest risk drift in identity, exposure, logging, cost, and policy before redesigning anything.
- Pick the structure the current estate can follow, not a full reference rebuild.
- Mark each exception approved, temporary, or cleanup, with a named owner.
- Take the agreed target structure and backlog into Architecture Blueprint Sprint for approval.
Start With Assessment
Bring Your Landing Zone Drift to the First Call.
Bring the subscription list, current policies, identity model, and the drift that is blocking work. The first architecture call is free for qualified teams and confirms the right starting point.