Quick Answer
Azure landing zone drift happens when subscriptions, identity, policy, networking, logging, cost controls, and ownership move away from the agreed platform standard.
Drift is normal after teams ship real work. The issue is not that exceptions exist. The issue is that no one knows which exceptions are approved, temporary, risky, or expensive.
When This Matters
Review landing zone drift when Azure has moved beyond one workload or one team.
Common signs:
- Subscriptions no longer follow the intended management group structure.
- Policy assignments exist, but exceptions are not reviewed.
- Public endpoints or private networking decisions differ by workload.
- Log retention, budgets, and alerts vary without a clear reason.
- Teams cannot explain who owns platform decisions after launch.
What To Decide
The team should decide:
- Which landing zone standard applies now?
- Which subscriptions and workloads are in scope?
- Which exceptions are approved and which need cleanup?
- Which controls should become policy, documentation, or a backlog item?
- Which owner approves future exceptions?
Azure Components
Landing zone drift usually touches:
- Management groups and subscriptions.
- Azure Policy and initiatives.
- RBAC, PIM, managed identities, and break glass access.
- Hub and spoke networking, private endpoints, DNS, firewall, and routing.
- Defender for Cloud, Azure Monitor, Log Analytics, and alerts.
- Tags, budgets, reservations, and cost allocation.
Management Groups
Structure and subscriptions
Azure Policy
Guardrails and exceptions
Identity & Access
RBAC, PIM, managed identities
Networking
Hub-spoke, private endpoints, DNS
Monitoring
Defender, Monitor, Log Analytics
Cost
Tags, budgets, reservations
Diagram examples use sanitized Azure components and architecture notes.
Microsoft Alignment
Use Azure Landing Zone guidance to review structure, identity, management, connectivity, and governance. Use Cloud Adoption Framework (CAF) govern and manage guidance to decide who owns exceptions and recurring review.
The goal is not to copy a reference architecture. The goal is to choose the standard your current Azure estate can follow.
Common Mistakes
- Calling every deviation a problem.
- Fixing network drift without reviewing identity and policy.
- Cleaning up cost without changing ownership.
- Treating landing zone work as a one-time project.
- Adding more workloads before the exception process is clear.
RedDogSME Recommendation
Start with the highest risk drift: identity, public exposure, logging, cost ownership, and policy exceptions. Do not redesign everything at once.
If the drift is blocking production work, start with an Azure Architecture Assessment to confirm the scope, the owners, and the highest-risk exceptions. The assessment names what to fix now and what routes into a Blueprint Sprint or governance — so the team books one call, not three.
See a composite example: Turning Landing Zone Drift Into an Approved Standard.
Related Topics
Related guides
What Should an Azure Architecture Assessment Cover?
A practical guide to the Azure cost, governance, landing zone, security, AI, ownership, and implementation questions an assessment answers before production work expands.
Read nextHow to Run an Azure Architecture Board With a Recurring Review Cadence
A practical model for recurring Azure architecture decisions, owner actions, ADRs, cost review, AI governance, and implementation oversight.
Read nextAzure Cost Governance: Fix Ownership Before You Buy More Capacity
Connect Azure spend to owners, budgets, reservations, tags, retention, and cleanup decisions before cost grows again — and decide what is safe to buy.
Read next
