Azure CAF Landing Zone - Full MG Hierarchy
About This Architecture
This Azure CAF landing zone uses a full management group hierarchy to enforce Azure Security Benchmark policies across the tenant root, platform, and landing zone management groups. From the Tenant Root Group, the Azure Security Benchmark Policy Initiative cascades to the Platform MG (Management, Connectivity, Identity subscriptions) and the Landing Zones MG (Corp, Online, Sandbox, Decommissioned groups), ensuring consistent security posture inheritance. This hierarchical policy model eliminates manual compliance overhead and prevents security drift across hundreds of subscriptions. Fork this diagram on Diagrams.so to customize the management group structure, add additional policy initiatives, or adapt spoke VNet configurations for your organization's governance requirements.
People also ask
How do I structure Azure management groups and implement policy inheritance across a landing zone hierarchy?
This diagram shows the complete Azure CAF landing zone hierarchy with Tenant Root Group cascading Azure Security Benchmark policies to Platform MG (Management, Connectivity, Identity) and Landing Zones MG (Corp, Online, Sandbox, Decommissioned). Policy inheritance ensures all subscriptions inherit security policies automatically, eliminating manual compliance work and enforcing consistent governan
- Domain: Cloud Azure
- Audience: Azure solutions architects designing enterprise landing zones
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.