Skip to main content

Azure Landing Zone Setup Checklist

An enterprise-scale Azure landing zone checklist covering management groups, Azure Policy guardrails, Entra ID hardening, hub-and-spoke networking, and centralized logging, all codified in Terraform or Bicep.

Estimated Time
2-3 days
Type
pre flight
Category
Cloud Architecture
Steps
12

When to Use This Checklist

Use this when adopting Azure at enterprise scale, following Microsoft's Cloud Adoption Framework enterprise-scale landing zone model. It establishes the governance, identity, and networking foundation that all Azure workloads inherit, so complete it before migrating or building production workloads.

It fits both greenfield estates and the harder job of bringing structure to an estate of sprawling subscriptions.

How to Use This Checklist

Begin with the management group hierarchy and subscription topology; policy, RBAC, and cost controls all attach to it. Apply Azure Policy initiatives early so guardrails govern every subscription from creation. Treat identity hardening (conditional access, Privileged Identity Management) and centralized logging as required.

Deploy with the official Azure Landing Zone Terraform or Bicep modules rather than the portal, so the environment is reproducible. Finish by validating your compliance posture against the frameworks your organization must meet.

What Good Looks Like

A strong Azure landing zone has a deliberate management-group hierarchy, policy-enforced guardrails, and least-privilege access through Entra ID with just-in-time elevation. Networking follows a hub-and-spoke pattern with a central firewall, logs land in a shared Log Analytics workspace, and Defender for Cloud watches the whole estate. Resources are consistently tagged and named, and a new subscription can be vended through a documented, codified process.

Common Pitfalls

A flat subscription model without management groups makes policy and cost governance unmanageable. Granting standing owner access instead of using PIM widens the attack surface. Building networking ad hoc rather than hub-and-spoke leads to overlapping address space and brittle routing. Skipping centralized logging cripples incident response, and portal-built landing zones drift away from their intended state within weeks.

Related Resources

Ground the design in the Azure Well-Architected Framework and the cloud landing-zone best practice. Use zero-trust architecture guidance for identity and network segmentation, and the tagging practice to enable cost allocation.