Azure Landing Zone on Steroids: Why You Need a Dedicated Security Subscription and Management Group

What just happened?

Microsoft introduced a new management group called Platform, along with a dedicated subscription solely for core platform and security services in Azure Landing Zone. Why? To cleanly separate foundational security services from the app mess.

Why this matters

Security and infrastructure are like the skeleton of your cloud. If it’s weak, everything breaks. Until now, security bits were scattered across other groups. Now, they sit in a clean, centralized structure:

  1. Management Group “Platform” collects:

    • Security services like Azure Sentinel, Defender, etc.

    • Monitoring and governance tools.

    • Network perimeters: firewalls, DDoS, threat detection.

  2. Separate subscription for these — so they don’t get tangled with business apps and dev environments.

What you get

  • Clear responsibility split — the platform team owns Platform, app teams own their zones.

  • Faster threat response — security updates happen without waiting on app deployments.

  • Access isolation — roles are cleanly scoped to platform vs workload.

  • Cost transparency — platform subscription is visible and separate from workloads.

How it works in real life

  • Use Azure Policy and RBAC to keep control tight and logical.

  • With CAF Enterprise-Scale or your own Terraform/Bicep templates, build this hierarchy:

    pgsql
    Tenant Root
    └─ Platform (Management Group)
    └─ Platform Subscription

  • Below that, you’ve got Identity, Connectivity, Management, and your Landing Zones (Corp, Online, Sandbox). These inherit from Platform but can be managed independently.

Gotchas

  • More moving parts — this adds one more layer to manage.

  • Billing separation — platform subscription = new billing line. That needs governance.

  • Discipline is key — sloppy RBAC or poor tagging will ruin the party.

Real talk

This isn’t some arbitrary Microsoft suggestion. It’s a battle-tested move toward scalable, secure cloud architecture. The Azure Landing Zone becomes less of a template and more of a structural blueprint. But — and it’s a big but — if you implement it without a solid access model or tagging strategy, it’ll backfire.

What you should do next:

  • Audit your structure — if you don’t have a Platform group yet, make one. Move Sentinel, Defender, and other core services into their own subscription.

  • Lock down access — only the platform team should touch the Platform group. App teams manage their zones only.

  • Track spend & risk — with all security tools in one subscription, cost reporting and threat hunting just got easier.

Bottom line? This is Azure growing up. If your cloud looks like spaghetti, this is your chance to untangle it — one group and one subscription at a time.