Updated Sovereign landing zone

Richard Cheney • 29 Apr 2026

Introduction

The platform library has been updated to 2026.04.2. This update brings two notable changes: a new Local management group in the landing zones hierarchy, and a cleaner, layered naming convention for the sovereign policy sets.

Details from the Microsoft team are in the Tech Community blog post. Sovereign landing zone has a dependency on Azure landing zone and that has also been updated and gets the Local management group. The releases are found on the front page of the ALZ library.

Note that this update to the Azure Citadel documentation was created by GitHub Agent. I like to be explicit when I use AI to create content. I figured this was a good use case as it is an update without changing the flow of the labs and what they are trying to help you achieve in your learning. If you are interested in the issue, agent assignment, and pull request flow then I’ll blog separately about that.

New Local management group

Both ALZ and SLZ now include a Local management group under Landing zones. This provides a dedicated place for workloads that must stay within a specific geographical boundary or that have specific local compliance requirements that differ from the standard Corp and Online archetypes.

Updated sovereign policy set naming

The sovereign archetypes have been renamed to clearly reflect the layered L1 / L2 / L3 policy set model:

Old archetype	New archetype	Scope
`sovereign_root`	`sovereign_l1_controls`	Root management group only
(implicit on platform/landing zone MGs)	`sovereign_l2_controls`	Platform children + Corp, Online, Confidential MGs
(implicit on confidential MGs)	`sovereign_l3_controls`	Confidential Corp and Confidential Online only

The new naming makes the scope of each policy set immediately obvious:

L1 – broadest controls applied at the SLZ root
L2 – standard sovereign controls applied across platform and landing zone management groups
L3 – the most restrictive controls reserved for confidential workloads

Updated architecture

The updated SLZ architecture now looks like this:

flowchart TD slz["Sovereign landing zone (root, sovereign_l1_controls)"] slz --> decommissioned decommissioned["Decommissioned (decommissioned)"] slz --> landingzones landingzones["Landing zones (landing_zones)"] landingzones --> confidential_corp confidential_corp["Confidential Corp (corp, sovereign_l2_controls, sovereign_l3_controls)"] landingzones --> confidential_online confidential_online["Confidential Online (online, sovereign_l2_controls, sovereign_l3_controls)"] landingzones --> corp corp["Corp (corp, sovereign_l2_controls)"] landingzones --> local local["Local (local)"] landingzones --> online online["Online (online, sovereign_l2_controls)"] landingzones --> public public["Public (public)"] slz --> platform platform["Platform (platform)"] platform --> connectivity connectivity["Connectivity (connectivity, sovereign_l2_controls)"] platform --> identity identity["Identity (identity, sovereign_l2_controls)"] platform --> management management["Management (management, sovereign_l2_controls)"] platform --> security security["Security (security, sovereign_l2_controls)"] slz --> sandbox sandbox["Sandbox (sandbox)"]

Updating your configuration

Update the ref in your provider block to point to the new release:

provider "alz" {
  library_overwrite_enabled = true
  library_references = [
    {
      path = "platform/slz"
      ref  = "2026.04.2"
    }
  ]
}

If you are using a local override library, update the dependency in your lib/alz_library_metadata.json:

{
  "$schema": "https://raw.githubusercontent.com/Azure/Azure-Landing-Zones-Library/main/schemas/library_metadata.json",
  "name": "local",
  "display_name": "ALZ Accelerator - Azure Verified Modules for SLZ Platform Landing Zone",
  "description": "This library allows overriding policies, archetypes, and management group architecture in the ALZ Accelerator.",
  "dependencies": [
    {
      "path": "platform/slz",
      "ref": "2026.04.2"
    }
  ]
}

Remember to update your local architecture definition and archetype override files to include the new local management group and to rename sovereign_root_custom override files to sovereign_l1_controls_custom.

The updated Sovereign landing zone examples have been refreshed to reflect the 2026.04.2 release. Head there for complete worked examples.

Table of Contents