The canonical Microsoft Enterprise-Scale Landing Zone, the Cloud Adoption Framework, and the Well-Architected Framework — management groups, hub-spoke, policy and Defender baseline, IaC accelerators, six enterprise patterns, delivered by a senior-architect-led 29-year Microsoft Solutions Partner.
The Azure Landing Zone (ALZ) is the Microsoft Enterprise-Scale reference architecture for governance, networking, identity, security, and observability across the Azure estate. The Cloud Adoption Framework (CAF) is the lifecycle methodology — Strategy → Plan → Ready → Adopt → Govern → Manage. The Well-Architected Framework (WAF) is the workload review across Reliability, Security, Cost, Operations, Performance. EPC Group ships the full program under a fixed-fee five-phase accelerator between $250K and $1.2M.
The Microsoft Enterprise-Scale Landing Zone is composed of six structural components. Together they form the governance, networking, identity, security, and observability backbone every workload migrates into. The reference architecture is opinionated by design — EPC Group customizes naming, tagging, and policy posture per customer, but the structural pattern remains consistent across the engagement portfolio.
The management group hierarchy is the governance backbone of the tenant. Management groups are how Azure Policy, Defender for Cloud plans, RBAC role assignments, and cost ownership inherit downward across every subscription in the estate.
Subscriptions are the unit of billing, the policy enforcement boundary, and the unit of cost ownership. The strategy that picks how many subscriptions to provision and how to name them sets the operating model for the next decade.
Azure Policy and Defender for Cloud form the enforcement layer that keeps the landing zone defensible at scale. Policy assigned at the management group level evaluates every resource created anywhere in the descendant subscriptions — and the Defender for Cloud regulatory compliance dashboard reports the evidence.
Hub-spoke networking is the backbone that delivers shared egress, shared inspection, and shared connectivity to on-premises while letting workload teams operate inside isolated spoke virtual networks they actually control.
The identity plane controls who can do what across the Azure estate. The Identity platform subscription, the Entra ID tenant configuration, and the privileged access workstation pattern collectively form the identity boundary that protects the entire landing zone.
The observability layer makes everything else accountable. Log Analytics, Microsoft Sentinel, Azure Monitor, and Microsoft Defender for Cloud collectively form the security and operations backbone of the landing zone.
The Microsoft Cloud Adoption Framework is the methodology that walks the enterprise from business motivation through steady-state operation. Six methodologies — Strategy, Plan, Ready, Adopt, Govern, Manage — define the work product at each phase and the decisions the executive sponsor makes between phases. EPC Group runs each methodology as a fixed-fee workshop or build engagement with documented deliverables.
The Strategy methodology of the Cloud Adoption Framework is the business case. EPC Group facilitates a fixed-fee Strategy workshop that produces a documented set of business outcomes, financial considerations, technical considerations, and adoption sponsorship — the artifact that gets quoted in every steering committee for the next three years.
The Plan methodology translates the strategy into an actionable cloud adoption plan. EPC Group runs the workload rationalization exercise — the R5 framework of rehost, refactor, rearchitect, rebuild, replace — across the customer application inventory, then maps the resulting rationalized portfolio onto the cloud operating model.
The Ready methodology is where the Azure Landing Zone gets built. EPC Group ships the Microsoft Enterprise-Scale Landing Zone reference architecture via Bicep, Terraform, or ARM accelerator — customized for the customer naming convention, tagging taxonomy, region selection, regulatory framework, and operating model that came out of Plan.
The Adopt methodology covers the actual workload migration and modernization work. EPC Group sequences workloads from the rationalized portfolio through a wave model — early waves prove the landing zone, later waves carry the bulk of the regulated workloads. Migration tooling depends on the workload archetype.
The Govern methodology operationalizes the policy and cost guardrails that prevent the landing zone from drifting under load. EPC Group implements the CAF Govern disciplines — cost management, security baseline, identity baseline, resource consistency, and deployment acceleration — as continuous functions, not one-time deployments.
The Manage methodology covers steady-state operations. EPC Group ships an operations baseline that covers inventory and visibility, operational compliance, protect and recover, and platform health — then layers a Platform Team as Product operating model on top, treating the landing zone as an internal product the application teams consume through a published service catalog.
The Microsoft Azure Well-Architected Framework is the workload-tier methodology every individual workload inside the landing zone is reviewed against. Five pillars — Reliability, Security, Cost Optimization, Operational Excellence, Performance Efficiency — define the architecture review surface. EPC Group runs WAF reviews per workload archetype and translates the pillar guidance into architecture decisions the platform team enforces through Azure Policy and the engineering review pipeline.
The Reliability pillar covers availability zones, disaster recovery, fault tolerance, and the recovery objectives every workload is held to. EPC Group runs the reliability review per workload and translates the business RTO and RPO into Azure architecture choices — zone-redundant deployments, paired-region replication, and chaos engineering practice for the highest-availability tier.
The Security pillar of the Well-Architected Framework maps to the Microsoft Cloud Security Benchmark and the broader Zero Trust posture. The landing zone enforces the baseline at platform tier — workload teams cannot turn it off — and workload teams layer workload-specific security on top.
The Cost Optimization pillar is where most enterprise landing zones leak money. EPC Group ships the FinOps practice as part of the landing zone — tagging enforcement at provisioning, reservation and savings plan strategy at the enterprise agreement tier, budget alerts at the subscription tier, and continuous rightsizing automation.
The Operational Excellence pillar covers how the landing zone is operated day to day. EPC Group ships the landing zone with platform engineering, IaC pipelines, observability stack, and incident response runbooks already in place, so application teams arrive into a fully operated platform rather than building it themselves.
The Performance Efficiency pillar covers compute selection, autoscaling, data tier performance, and the discipline of continuous performance review. EPC Group ships the landing zone with autoscale defaults per workload archetype and benchmark baselines that the platform team uses to enforce performance budgets across application teams.
The canonical Enterprise-Scale Landing Zone is an opinionated reference architecture, not a one-size-fits-all blueprint. Six enterprise patterns cover the engagement archetypes EPC Group has shipped repeatedly across the 70+ Fortune 500 portfolio. Most enterprises fit cleanly into one pattern; some — particularly M&A-driven enterprises — combine two or three.
The greenfield pattern is the cleanest deployment. EPC Group ships the full Microsoft Enterprise-Scale Landing Zone via the Bicep accelerator into a brand-new Entra tenant, with no legacy subscription debt to inherit. The Strategy and Plan methodologies of the Cloud Adoption Framework finish in six to eight weeks, the Ready methodology delivers the landing zone in four to six weeks, and the first wave of Adopt migrations begins within twelve weeks of program kickoff. Greenfield is the rare modern enterprise scenario — typically a startup scaling past one hundred employees, a carve-out from a larger acquirer post-divestiture, or a regulated industry net-new business line. The discipline that matters is to resist the temptation to skip the Strategy methodology because there is no legacy to inherit — the strategy decisions made in the first eight weeks set the operating model for the next decade.
The brownfield pattern is the most common enterprise scenario. The customer already has dozens or hundreds of Azure subscriptions provisioned over the past five to seven years, with inconsistent naming, mixed policy enforcement, and a tangle of peerings nobody fully understands. EPC Group runs the CAF Assess and Govern methodologies in parallel — the Assess output identifies which existing subscriptions become landing zones in the ALZ topology, which become decommissioned, and which need re-platforming. The Govern output codifies the policy posture and the management group hierarchy that the existing estate inherits as it migrates onto the ALZ. The brownfield retrofit typically runs six to twelve months and is the engagement archetype EPC Group has delivered most frequently across the F500 portfolio. The discipline that matters is to refuse the easy path of leaving the legacy subscriptions untouched — every subscription left outside the ALZ topology is a permanent governance exception.
The regulated industry pattern adds compliance-specific overlays to the canonical Enterprise-Scale Landing Zone. HIPAA, SOC 2, FedRAMP, FINRA and similar framework requirements drive the design of the management group hierarchy, the policy initiative selection, the Defender for Cloud plan portfolio, and the conditional access posture. Microsoft Azure Government is the destination for federal workloads requiring FedRAMP authorized cloud isolation; Microsoft 365 GCC High and Azure Government are the destinations for DoD contractor and CMMC Level 2 workloads — covered on our /microsoft-365-gcc-high-dod-migration-consulting-2026 hub. EPC Group ships customer-specific policy initiative bundles mapped to the regulatory framework portfolio, regulatory compliance dashboard configuration aligned to the auditor evidence package, and BAA-aligned operating procedures for the platform team. The discipline that matters in regulated landing zones is to enforce the framework controls through Azure Policy deny effects rather than detective controls only — auditors increasingly expect preventive control evidence, not just detective evidence.
The multi-region active-active pattern serves global enterprises with hard residency requirements or tier-1 availability targets that exceed single-region SLAs. EPC Group deploys paired regional landing zones — typically East US 2 and West US 2 for North America, North Europe and West Europe for EMEA, Southeast Asia and East Asia for APAC — with active-active workload deployments behind Azure Front Door for global request routing. Each regional landing zone is a full hub-spoke topology with its own ExpressRoute or VPN connectivity, its own Azure Firewall, and its own Defender for Cloud subscription scope. Data tier residency is enforced through paired-region replication for Azure SQL, Cosmos DB multi-region writes, and Azure Storage geo-redundant tiers aligned to the residency map. The pattern is materially more expensive than active-passive (roughly 60 to 80 percent infrastructure cost premium) and is the right pattern only for workloads where the business case justifies the spend.
The hybrid landing zone pattern serves enterprises with permanent on-premises footprint that connects into the Azure landing zone via ExpressRoute private peering and Azure Arc enrollment. The on-premises servers, Kubernetes clusters, and SQL Server instances are Arc-enrolled into the same management group hierarchy as the Azure-native resources, inheriting the same Azure Policy initiatives, the same Defender for Cloud plans, and the same Microsoft Sentinel telemetry pipeline. The hybrid landing zone is the path for enterprises with regulated on-premises workloads that cannot migrate (mainframe-adjacent SQL Server estates, factory floor OT systems, regulated lab equipment), and for enterprises in mid-migration where the cloud-first commitment is real but the on-premises footprint will exist for the next five-plus years. EPC Group ships the Arc-at-scale onboarding accelerator alongside the ALZ deployment so the on-premises estate gets governance parity from day one.
The M&A consolidation pattern is the EPC Group specialty — 216+ tenant migrations covering 1.83 million users across the past 24 months. The pattern starts with two or more acquired entities each holding their own Entra tenant, Azure subscription portfolio, and divergent governance posture, and ends with a single consolidated ALZ that absorbs all in-scope subscriptions into one management group hierarchy. The technical path involves tenant-to-tenant migration of identities via Entra B2B and cross-tenant synchronization, subscription transfer via Microsoft Cost Management, network re-homing of workload VNets into the consolidated hub-spoke topology, and policy re-enforcement at the new management group parent. The governance path involves the much harder work of consolidating divergent operating models, naming conventions, tagging taxonomies, and FinOps practice into a single platform-team-as-product operating model. EPC Group has shipped this pattern across the post-acquisition integration program portfolio repeatedly and treats it as a six-to-eighteen-month sustained engagement rather than a single migration project.
The Azure Landing Zone deploys via Infrastructure as Code. Microsoft publishes official accelerators for Bicep, Terraform, and ARM. The choice between the three is a function of multi-cloud scope, platform engineering team skills, and the customer tooling estate. EPC Group ships ALZ accelerators across all three and customizes per customer naming, tagging, and policy posture.
Bicep is the Microsoft-published IaC language for Azure — a transparent superset of ARM template JSON with a clean declarative syntax. The Azure Landing Zone Bicep accelerator (the Azure-Landing-Zones/bicep GitHub repository) is the Microsoft-supported starting point that EPC Group ships customized for the customer naming convention, tagging taxonomy, region selection, regulatory framework, and operating model. Bicep is the right choice for Azure-only enterprises that value the closest possible alignment to Microsoft product release cadence — new Azure resource properties show up in Bicep within days of Azure API availability, well ahead of Terraform provider release.
Terraform is the HashiCorp-published cloud-agnostic IaC language and remains the dominant choice for multi-cloud enterprises and for platform engineering teams that standardized on HashiCorp tooling pre-2022. The Microsoft Azure Verified Modules program now publishes Terraform modules in parity with Bicep, and the Azure-Landing-Zones/terraform-azurerm-caf-enterprise-scale module is the Microsoft-supported ALZ accelerator for Terraform. EPC Group ships the Terraform ALZ pattern customized for the customer state backend (Terraform Cloud, Azure Storage backend, or HashiCorp Cloud Platform) and the customer module registry strategy.
ARM template JSON is the legacy Microsoft-published IaC format. Bicep compiles to ARM JSON, so any new Azure landing zone is properly written in Bicep and the ARM JSON is the build output. EPC Group continues to maintain ARM template estates where the customer platform engineering team has not yet upskilled to Bicep, but the engineering recommendation is to migrate to Bicep at the next material refactor window. The Microsoft Azure Quickstart Templates GitHub repository remains the canonical ARM source library for customers who must continue maintaining ARM-native deployments.
EPC Group delivers the full Azure Landing Zone build under a fixed-fee five-phase accelerator. Each phase has a defined scope, defined deliverables, and a defined decision gate. The full program runs $250,000 to $1,200,000 depending on customer estate complexity, with the costed roadmap delivered after the Phase 1 Strategy and Plan workshops complete in weeks one and two.
Phase one is a fixed-fee CAF Strategy and Plan engagement. EPC Group facilitates the strategy workshop, ships the workload rationalization output, inventories the existing Azure estate (if any), and produces the costed landing zone roadmap. The deliverable is a board-ready decision package the executive sponsor uses to authorize the build phase.
Phase two is the design phase. EPC Group produces the management group hierarchy diagram, subscription strategy and naming convention, hub-spoke or Virtual WAN network topology, identity boundary and conditional access posture, Azure Policy initiative selection, Defender for Cloud plan portfolio, and IaC tool choice (Bicep, Terraform, or ARM). The deliverable is a signed design document the build phase deploys from.
Phase three is the build phase. EPC Group deploys the Microsoft Enterprise-Scale Landing Zone via the selected IaC accelerator, customized for the customer naming convention, tagging taxonomy, region selection, regulatory framework, and operating model. The platform subscriptions stand up first, the workload landing zone subscriptions stand up second, and the policy posture activates as the workload subscriptions populate.
Phase four is the adopt phase, typically running parallel waves of workload migration and modernization. EPC Group sequences workloads from the rationalized portfolio through wave gates — wave one carries the early-mover workloads that prove the landing zone, wave two through wave N carry the bulk of the regulated workloads at sustained throughput. Migration tooling depends on the workload archetype and the CAF Adopt methodology.
Phase five is steady-state operation. EPC Group provides managed Azure platform services covering Defender for Cloud secure score uplift, policy exception adjudication, FinOps optimization, regulatory compliance dashboard reporting, and platform engineering capability augmentation. The operating model is Platform Team as Product — the EPC Group senior architects operate as an extension of the customer platform team, treating the landing zone as an internal product the application teams consume.
EPC Group has been a Microsoft Solutions Partner continuously since 1997. The credential stack matters when the landing zone you are about to build will operate the regulated estate for the next decade. Senior-architect-led delivery, four Microsoft Press titles, and a 100 NPS customer satisfaction score across the Fortune 500 portfolio set the bar.
29 years of consulting since 1997, with Microsoft Solutions Partner status maintained continuously
11,000+ enterprise Microsoft engagements delivered across healthcare, finance, government, and Fortune 500 manufacturing
70+ Fortune 500 clients with active managed-platform retainers
216+ M&A tenant consolidations covering 1.83 million users in the past 24 months
Four Microsoft Press titles authored by Errin O’Connor: SharePoint, Power BI, Azure, large-scale migrations
Independent peer-reviewed Leader recognition
100 NPS on independently verified customer satisfaction surveys
EPC Group is FedRAMP-aligned and BAA-aligned across the regulated industry portfolio. The platform engineering practice covers Bicep, Terraform, and ARM IaC, and the managed Operate phase covers the HIPAA, SOC 2, FedRAMP, FINRA, CMMC, and GxP regulatory framework portfolio. See our /standards-alignment page for the full evidence package.
The eight questions EPC Group fields most often from executive sponsors and platform engineering leaders evaluating the Azure Landing Zone build.
The Cloud Adoption Framework (CAF) and the Well-Architected Framework (WAF) are the two complementary Microsoft methodologies that together define how enterprises adopt and operate Azure. CAF is the enterprise-scale methodology — it covers Strategy, Plan, Ready, Adopt, Govern, and Manage across the entire cloud journey from business motivation through steady-state operation. WAF is the workload-scale methodology — it covers the five pillars (Reliability, Security, Cost Optimization, Operational Excellence, Performance Efficiency) that every individual workload is reviewed against. CAF answers the question of how the organization adopts the cloud; WAF answers the question of how each individual workload is architected for excellence. The two are deeply integrated — the CAF Ready methodology deploys the Azure Landing Zone, and every workload that migrates into the landing zone is reviewed against the WAF pillars. EPC Group runs CAF Strategy and Plan engagements at the enterprise tier and WAF reviews at the workload tier.
AWS Landing Zone (legacy) and AWS Control Tower (current) are the AWS-published equivalents to the Microsoft Azure Landing Zone. The conceptual mapping is similar — AWS Organizations maps to Azure management group hierarchy, AWS accounts map to Azure subscriptions, AWS Service Control Policies map to Azure Policy, AWS Config and AWS Security Hub map to Microsoft Defender for Cloud, and AWS GuardDuty plus AWS Inspector map to the Defender plan portfolio. The substantive differences are: Azure Policy is more flexible than SCPs (deny, audit, append, modify, deployIfNotExists effects versus SCP deny-only), the Azure Landing Zone IaC accelerators (Bicep and Terraform) ship as a single coherent deployment versus AWS Control Tower's blueprint approach, and the Azure regulatory compliance dashboard delivers a richer out-of-box framework portfolio. For multi-cloud enterprises, EPC Group ships parallel landing zones across both clouds with Azure Arc enrolling the AWS estate into the Azure governance posture for unified policy and security — covered on our /microsoft-cloud-orchestrator hub.
Multi-region active-active is materially more expensive than single-region or active-passive — typically 60 to 80 percent infrastructure cost premium over single-region for the same workload portfolio. The premium comes from duplicated compute footprint across regions, paired-region storage replication, multi-region data tier replication (Azure SQL geo-replication, Cosmos DB multi-region writes, Storage geo-redundant tiers), Azure Front Door or Traffic Manager global routing, and the ExpressRoute or VPN connectivity duplicated per region. For a mid-size enterprise running a 2,000-server workload portfolio, the multi-region premium can run $1.5 million to $3 million per year on top of the single-region baseline. EPC Group recommends multi-region active-active only for the workload tier where the business case explicitly justifies the spend — tier-1 customer-facing revenue systems with documented availability targets, and workloads with hard data residency requirements that single-region cannot meet. For everything else, active-passive with Azure Site Recovery and paired-region storage delivers materially better cost-per-resilience-unit.
The decision rests on three factors — multi-cloud scope, platform engineering team skills, and the customer tooling estate. For Azure-only enterprises with a Microsoft-aligned platform engineering team, Bicep is the right choice because of the closest possible alignment to Microsoft product release cadence (new Azure features appear in Bicep within days of API availability, weeks or months ahead of Terraform). For multi-cloud enterprises with AWS or GCP estates alongside Azure, Terraform is the right choice because the cloud-agnostic language and provider ecosystem deliver consistency across the full estate. For enterprises with a deep HashiCorp tooling investment (Terraform Cloud, Vault, Consul), Terraform is the right choice regardless of multi-cloud scope. ARM template JSON is a maintenance-only path — every new landing zone should be Bicep, and existing ARM estates should migrate to Bicep at the next material refactor window. EPC Group ships ALZ accelerators across all three and customizes per customer; the choice is a function of platform team skills and tooling estate, not a function of capability.
Regulated industry landing zones add framework-specific overlays to the canonical Enterprise-Scale Landing Zone. For FedRAMP Moderate and High workloads, Microsoft Azure Government is the destination cloud — physically isolated from commercial Azure with FedRAMP authorized cloud isolation, and the landing zone deploys into Azure Government via the same Bicep or Terraform ALZ accelerator. For HIPAA HITRUST workloads, commercial Azure is the destination with the HIPAA HITRUST regulatory compliance dashboard activated, the BAA in place with Microsoft, and customer-managed keys in Azure Key Vault HSM for the data tier. For CMMC Level 2 workloads, Microsoft 365 GCC High or Azure Government is the destination, and the landing zone integrates with the GCC High tenant covered on our /microsoft-365-gcc-high-dod-migration-consulting-2026 hub. The shared pattern is that regulatory framework controls get enforced through Azure Policy deny effects rather than detective controls only, and the Defender for Cloud regulatory compliance dashboard is configured to produce auditor-ready evidence. EPC Group is FedRAMP-aligned and BAA-aligned across the regulated industry portfolio.
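The preventive-control pattern described above (policy assigned once at a management group so every descendant subscription inherits it, with a deny effect rather than a detective-only control), as an added Bicep example that is not EPC Group's or the Microsoft accelerator's own code. The definition and assignment names, the storage hardening rule chosen as the control, and the deployment scope are assumptions.

```bicep
// Added example (not EPC Group or Microsoft accelerator code). Deploy at a management group,
// e.g. the landing zones node; the assignment then applies to every descendant subscription.
targetScope = 'managementGroup'

@description('Deny blocks the request at the ARM layer; Audit only records non-compliance.')
@allowed([
  'Audit'
  'Deny'
])
param effect string = 'Deny'

// Custom definition stored at the management group so it can be assigned at this node or
// any child node without being re-created per subscription. Both fields are Azure Policy
// aliases for Microsoft.Storage/storageAccounts.
resource storageTransportDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'lz-deny-storage-insecure-transport' // assumed name
  properties: {
    policyType: 'Custom'
    mode: 'Indexed'
    displayName: 'Storage accounts must enforce HTTPS-only and disable public network access'
    parameters: {
      effect: {
        type: 'String'
        allowedValues: [
          'Audit'
          'Deny'
        ]
        defaultValue: 'Deny'
      }
    }
    policyRule: {
      'if': {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Storage/storageAccounts'
          }
          {
            anyOf: [
              {
                // Explicitly turning HTTPS-only off is non-compliant.
                field: 'Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly'
                equals: 'false'
              }
              {
                // Anything other than an explicit 'Disabled' (including omitting the
                // property, which the service defaults to Enabled) is non-compliant.
                field: 'Microsoft.Storage/storageAccounts/publicNetworkAccess'
                notEquals: 'Disabled'
              }
            ]
          }
        ]
      }
      'then': {
        // Bicep escapes the leading '[' so Azure Policy, not ARM, evaluates the expression.
        effect: '[parameters(\'effect\')]'
      }
    }
  }
}

// Assignment at the same management group. enforcementMode 'Default' makes Deny actually
// block; 'DoNotEnforce' keeps compliance reporting but lets non-compliant requests through.
resource storageTransportAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'lz-enforce-storage-transport' // assumed name
  properties: {
    displayName: 'Enforce secure storage transport across landing zones'
    policyDefinitionId: storageTransportDefinition.id
    enforcementMode: 'Default'
    parameters: {
      effect: {
        value: effect
      }
    }
    nonComplianceMessages: [
      {
        message: 'Storage accounts must set supportsHttpsTrafficOnly=true and publicNetworkAccess=Disabled.'
      }
    ]
  }
}

// Assignment id, useful when wiring the compliance dashboard or exemptions (assumed output).
output assignmentId string = storageTransportAssignment.id
```

Deploy with `az deployment mg create --management-group-id <mg-id> --location <region> --template-file <file>.bicep`; passing `effect=Audit` for a pilot turns the same control into a detective check without editing the definition.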
Hybrid landing zones connect the on-premises estate into the Azure landing zone through two complementary paths. The connectivity path uses ExpressRoute private peering or site-to-site VPN terminating in the Connectivity platform subscription hub VNet, with the on-premises data center routed into the spoke VNets through the central Azure Firewall — covered in depth on our /azure-expressroute-virtual-wan-enterprise-networking-2026 hub. The governance path uses Azure Arc to enroll on-premises servers, Kubernetes clusters, and SQL Server instances into the same management group hierarchy as the Azure-native resources, inheriting the same Azure Policy initiatives, the same Microsoft Defender for Cloud plans, and the same Microsoft Sentinel telemetry pipeline. The result is a single governance posture across the Azure-native and Azure Arc-enrolled on-premises estate. EPC Group ships the Arc-at-scale onboarding accelerator alongside the ALZ deployment so the on-premises estate gets governance parity from day one rather than as a deferred phase.
The EPC Group Azure CAF Accelerator runs fixed-fee in the $250,000 to $1,200,000 range depending on the complexity of the customer estate. The lower bound applies to greenfield engagements with a single region, single regulatory framework, and a small workload portfolio — a tight CAF Strategy and Plan, a Bicep ALZ deployment, and a single migration wave. The upper bound applies to brownfield consolidation engagements with multiple regions, regulated industry framework portfolios, large existing subscription estates to retrofit, and parallel multi-wave migrations into the new landing zone. The managed Operate phase runs $25,000 to $120,000 per month depending on workload portfolio size and SOC and FinOps service depth. EPC Group quotes the full five-phase price after the Strategy and Plan workshops complete in weeks one and two, so the customer sees the costed roadmap before committing to the build phase.
A well-designed landing zone is not a static deployment — it evolves with Microsoft product release cadence, with the customer regulatory framework portfolio, and with the workload portfolio mix. EPC Group treats the landing zone as a platform product and ships continuous evolution under the managed Operate phase. Quarterly the platform team reviews new Azure regions for in-scope inclusion, new Defender for Cloud plans for activation, new Azure Verified Modules for accelerator refresh, and new regulatory framework releases for policy initiative update. Annually the management group hierarchy gets reviewed against the operating model — many enterprises evolve from per-business-unit subscription model to per-application-portfolio as FinOps practice matures. The Platform Team as Product operating model treats application teams as internal customers consuming the landing zone through a published service catalog, with platform team capacity sized to a roadmap the application teams influence — covered on our /standards-alignment page.
EPC Group ships the CAF Strategy and Plan workshop in three to five weeks, the costed five-phase roadmap inside that window, and the Bicep, Terraform, or ARM ALZ accelerator into production in twelve to twenty-four weeks. 29 years, 11,000+ engagements, 70+ Fortune 500 clients.
contact@epcgroup.net · 888-381-9725 · Houston, TX