Azure Citadel
  • Blogs
  • Azure Arc
    • Overview
    • Azure Arc-enabled Kubernetes
      • Prereqs
      • Background
      • Deploy Cluster
      • Connect to Arc
      • Enable GitOps
      • Deploy Application
      • Enable Azure AD
      • Enforce Policy
      • Enable Monitoring
      • Enable Azure Defender
      • Enable Data Services
      • Enable Application Delivery
    • Azure Arc-enabled Servers
      • Prereqs
      • Scenario
      • Hack Overview
      • Azure Landing Zone
      • Arc Pilot resource group
      • Azure Monitoring Agent
      • Additional policy assignments
      • Access your on prem VMs
      • Create onboarding scripts
      • Onboarding using scripts
      • Inventory
      • Monitoring
      • SSH
      • Windows Admin Center
      • Governance
      • Custom Script Extension
      • Key Vault Extension
      • Managed Identity
    • Useful Links
  • Azure CLI
    • Install
    • Get started
    • JMESPATH queries
    • Integrate with Bash
  • Azure landing zone
    • Overview
    • Run the ALZ Accelerator
      • Prereqs
      • Elevate
      • Bootstrap
      • Demote
      • Browse the deployed resources
    • Deploy an Azure landing zone
      • What is the Azure landing zone?
      • Create an initial ALZ config
      • Add a local override library
      • Test locally
      • Run through the CI/CD workflow
    • Understanding libraries
      • What is a library?
      • Policies, Assignments and Roles
      • Archetypes, Overrides and Architecture
      • Metadata and Policy Default Values
      • Custom libraries
    • Reference configs
      • Azure landing zone library
      • Azure landing zone library with overrides
  • Azure Lighthouse
    • Minimal Lighthouse definition
    • Using service principals
    • Privileged Identity Management
  • Azure Policy
    • Azure Policy Basics
      • Policy Basics in the Azure Portal
      • Creating Policy via the CLI
      • Deploy If Not Exists
      • Management Groups and Initiatives
    • Creating Custom Policies
      • Customer scenario
      • Policy Aliases
      • Determine the logic
      • Create the custom policy
      • Define, assign and test
  • Marketplace
    • Introduction
      • Terminology
      • Offer Types
    • Partner Center
    • Offer Type
    • Publish a VM Offer HOL
      • Getting Started
      • Create VM Image
      • Test VM Image
      • VM Offer with SIG
      • VM Offer with SAS
      • Publish Offer
      • Other VM Resources
    • Publish a Solution Template HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Publish a Managed App HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Managed Apps with AKS HOL
    • Other Managed App Resources
    • SaaS Offer HOLs
    • SaaS Offer Video Series
      • Video 1 - SaaS Offer Overview
      • Video 2 - Purchasing a SaaS Offer
      • Video 3 - Purchasing a Private SaaS Plan
      • Video 4 - Publishing a SaaS Offer
      • Video 5 - Publishing a Private SaaS Plan
      • Video 6 - SaaS Offer Technical Overview
      • Video 7 - Azure AD Application Registrations
      • Video 8 - Using the SaaS Offer REST Fulfillment API
      • Video 9 - The SaaS Client Library for .NET
      • Video 10 - Building a Simple SaaS Landing Page in .NET
      • Video 11 - Building a Simple SaaS Publisher Portal in .NET
      • Video 12 - SaaS Webhook Overview
      • Video 13 - Implementing a Simple SaaS Webhook in .NET
      • Video 14 - Securing a Simple SaaS Webhook in .NET
      • Video 15 - SaaS Metered Billing Overview
      • Video 16 - The SaaS Metered Billing API with REST
  • Microsoft Fabric
    • Theory
    • Prereqs
    • Fabric Capacity
    • Set up a Remote State
    • Create a repo from a GitHub template
    • Configure an app reg for development
    • Initial Terraform workflow
    • Expanding your config
    • Configure a workload identity
    • GitHub Actions for Microsoft Fabric
    • GitLab pipeline for Microsoft Fabric
  • Packer & Ansible
    • Packer
    • Ansible
    • Dynamic Inventories
    • Playbooks & Roles
    • Custom Roles
    • Shared Image Gallery
  • Partner Admin Link
    • Understanding PAL
    • User and guest IDs
    • Service principals with credentials
    • CI/CD pipelines & OpenID Connect
    • Using AzAPI in Terraform
    • PAL tagging with a service principal
    • Azure Lighthouse & PAL
    • PAL FAQ
  • REST API
    • REST API theory
    • Using az rest
  • Setup
  • Sovereign landing zone
    • Overview
    • Run the ALZ Accelerator
      • Prereqs
      • Elevate
      • Bootstrap
      • Demote
      • Components
    • Deploy Sovereign landing zone
      • Create an initial SLZ config
      • Add a local override library
      • Test locally
      • Run through the CI/CD workflow
    • Understanding libraries
      • What is a library?
      • Policies, Assignments and Roles
      • Archetypes, Overrides and Architecture
      • Metadata and Policy Default Values
      • Custom libraries
    • Reference configs
      • Sovereign landing zone
      • Sovereign landing zone library with overrides
      • SLZ extended with a country pack
  • Terraform
    • Fundamentals
      • Initialise
      • Format
      • Validate
      • Plan
      • Apply
      • Adding resources
      • Locals and outputs
      • Managing state
      • Importing resources
      • Destroy
    • Get set up for Terraform
      • Cloud Shell
      • macOS
      • Windows with PowerShell
      • Windows with Ubuntu in WSL2
    • Using AzAPI
      • Using the REST API
      • azapi_resource
      • Removing azapi_resource
      • azapi_update_resource
      • Data sources and outputs
      • Removing azapi_update_resource
  • Virtual Machines
    • Azure Bastion with native tools & AAD
    • Managed Identities
  • About
  • Archive
  1. Home
  2. Blog
  3. Azure landing zones & Sovereign landing zones

Table of Contents

  • Introduction
  • Next

Azure landing zones & Sovereign landing zones

Richard Cheney • 22 Apr 2026

Table of Contents

  • Introduction
  • Next

Introduction

Announcing a new and large set of labs to help partners and customers with understanding and adopting Azure landing zones and also the Sovereign landing zone variant.

I have been massively impressed by the work done by the Customer Architecture and Engineering (CAE) team in Microsoft on the updated approach for Azure landing zones, the move to Azure Verified Modules, the ALZ Accelerator and more. A big call out to Jack Tracey, Matt White and Jared Holgate as the core of that team for overall strategy and the content that these new labs cover.

Before moving on to the content in the Azure landing zone and Sovereign landing zone areas, here is a selection of additional resources that I would recommend.

Useful Links

  • aka.ms/alz

  • aka.ms/alz/repo

  • aka.ms/alz/library

  • aka.ms/alz/accelerator

  • aka.ms/avm

  • aka.ms/amba

  • aka.ms/caf

  • aka.ms/caf/ready

  • aka.ms/waf

  • aka.ms/microsoftsovereigncloud

  • aka.ms/slz

  • aka.ms/sovereign/slz

What is in these labs?

The Azure landing zone and Sovereign landing zone areas contain linked lab series that are designed to help you go deeper on Azure policy at scale. Here is a quick overview of what they cover.

  • Overview

    A brief overview of the various moving parts with Azure landing zones and Sovereign landing zones. Start here!

  • Run the ALZ Accelerator

    This series focuses purely on the ALZ Accelerator and the intention is to create a working CI/CD pattern that is suitable for a production environment. Note that the ALZ Accelerator is also usually used to generate the starter configs, but these pages intentionally create an empty config, ready for the next stage.

  • Deploy an Azure or Sovereign landing zone

    You will start with that empty config created by the ALZ Accelerator. The idea is to build up your knowledge on how the Azure Verified Modules (AVM) are used to deploy the core Azure Landing Zone management group and management configurations. Learn about the Azure Landing Zone pattern modules in the Terraform Registry, including the examples you can reference to build up your own config. Learn how to add in a custom library so that you can override the archetypes in the ALZ library.

  • Understanding libraries

    OK, time to backtrack. The ALZ platform library (plus SLZ and AMBA) are core to how this all works, and you can create your own ALZ libraries as well, which can be very useful for partners. This allows you to create your own custom libraries if you want to offer a standard set of additional policy controls for customers, or policy packs for sovereign requirements in specific regions or industries. This deep dive will take you into the assets and constructs, plus some useful commands for testing that your custom policies and RBAC role definitions are valid JSON.

  • Reference configs

    OK, so now you have the core understanding. But you don’t want to have to read through all of the pages if you come back at a later point, you just want to get straight to the core info and see how your files should be configured for different library scenarios. Here are a few pages for you to reference.

Next

This is the first pass of the content which I have refined as I’ve used it with partners, and I will keep updating it as both Azure landing zones and Sovereign landing zones continue to evolve.

One exciting area is the updated version of the Azure MCP server that is now fully grounded in all things in this area, so expect to see something new in that space very soon.

Source: https://www.azurecitadel.com/blog/2026-04-22-alz-and-slz/
Author: Richard Cheney
Published: 22 Apr 2026
Printed: