Azure Citadel
  • Blogs
  • Azure Arc
    • Overview
    • Azure Arc-enabled Kubernetes
      • Prereqs
      • Background
      • Deploy Cluster
      • Connect to Arc
      • Enable GitOps
      • Deploy Application
      • Enable Azure AD
      • Enforce Policy
      • Enable Monitoring
      • Enable Azure Defender
      • Enable Data Services
      • Enable Application Delivery
    • Azure Arc-enabled Servers
      • Prereqs
      • Scenario
      • Hack Overview
      • Azure Landing Zone
      • Arc Pilot resource group
      • Azure Monitoring Agent
      • Additional policy assignments
      • Access your on prem VMs
      • Create onboarding scripts
      • Onboarding using scripts
      • Inventory
      • Monitoring
      • SSH
      • Windows Admin Center
      • Governance
      • Custom Script Extension
      • Key Vault Extension
      • Managed Identity
    • Useful Links
  • Azure CLI
    • Install
    • Get started
    • JMESPATH queries
    • Integrate with Bash
  • Azure Landing Zones
    • ALZ Accelerator
      • Prereqs
      • Elevate
      • Bootstrap
      • Demote
      • Components
    • Deploy an Azure Landing Zone
      • Create an initial ALZ config
      • Add a local override library
      • Test locally
      • Run through the CI/CD workflow
    • Libraries
      • What is a library?
      • Policies, Assignments and Roles
      • Archetypes, Overrides and Architecture
      • Metadata and Policy Default Values
      • Custom libraries
    • Example Library Configs
      • Azure Landing Zone library
      • Azure Landing Zone library with overrides
  • Azure Lighthouse
    • Minimal Lighthouse definition
    • Using service principals
    • Privileged Identity Management
  • Azure Policy
    • Azure Policy Basics
      • Policy Basics in the Azure Portal
      • Creating Policy via the CLI
      • Deploy If Not Exists
      • Management Groups and Initiatives
    • Creating Custom Policies
      • Customer scenario
      • Policy Aliases
      • Determine the logic
      • Create the custom policy
      • Define, assign and test
  • Marketplace
    • Introduction
      • Terminology
      • Offer Types
    • Partner Center
    • Offer Type
    • Publish a VM Offer HOL
      • Getting Started
      • Create VM Image
      • Test VM Image
      • VM Offer with SIG
      • VM Offer with SAS
      • Publish Offer
      • Other VM Resources
    • Publish a Solution Template HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Publish a Managed App HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Managed Apps with AKS HOL
    • Other Managed App Resources
    • SaaS Offer HOLs
    • SaaS Offer Video Series
      • Video 1 - SaaS Offer Overview
      • Video 2 - Purchasing a SaaS Offer
      • Video 3 - Purchasing a Private SaaS Plan
      • Video 4 - Publishing a SaaS Offer
      • Video 5 - Publishing a Private SaaS Plan
      • Video 6 - SaaS Offer Technical Overview
      • Video 7 - Azure AD Application Registrations
      • Video 8 - Using the SaaS Offer REST Fulfillment API
      • Video 9 - The SaaS Client Library for .NET
      • Video 10 - Building a Simple SaaS Landing Page in .NET
      • Video 11 - Building a Simple SaaS Publisher Portal in .NET
      • Video 12 - SaaS Webhook Overview
      • Video 13 - Implementing a Simple SaaS Webhook in .NET
      • Video 14 - Securing a Simple SaaS Webhook in .NET
      • Video 15 - SaaS Metered Billing Overview
      • Video 16 - The SaaS Metered Billing API with REST
  • Microsoft Fabric
    • Theory
    • Prereqs
    • Fabric Capacity
    • Set up a Remote State
    • Create a repo from a GitHub template
    • Configure an app reg for development
    • Initial Terraform workflow
    • Expanding your config
    • Configure a workload identity
    • GitHub Actions for Microsoft Fabric
    • GitLab pipeline for Microsoft Fabric
  • Packer & Ansible
    • Packer
    • Ansible
    • Dynamic Inventories
    • Playbooks & Roles
    • Custom Roles
    • Shared Image Gallery
  • Partner Admin Link
    • Understanding PAL
    • Service principals with credentials
    • PAL tagging with a service principal
    • CI/CD pipelines & OpenID Connect
    • User and guest IDs
    • Azure Lighthouse & PAL
    • PAL FAQ
  • REST API
    • REST API theory
    • Using az rest
  • Setup
  • Sovereign Landing Zones
    • ALZ Accelerator
      • Prereqs
      • Elevate
      • Bootstrap
      • Demote
      • Components
    • Deploy Sovereign Landing Zone
      • Create an initial SLZ config
      • Add a local override library
      • Test locally
      • Run through the CI/CD workflow
    • Libraries
      • What is a library?
      • Policies, Assignments and Roles
      • Archetypes, Overrides and Architecture
      • Metadata and Policy Default Values
      • Custom libraries
    • Reference Library Configs
      • Sovereign Landing Zone
      • Sovereign Landing Zone library with overrides
      • SLZ extended with a country pack
  • Terraform
    • Fundamentals
      • Initialise
      • Format
      • Validate
      • Plan
      • Apply
      • Adding resources
      • Locals and outputs
      • Managing state
      • Importing resources
      • Destroy
    • Get set up for Terraform
      • Cloud Shell
      • macOS
      • Windows with PowerShell
      • Windows with Ubuntu in WSL2
    • Using AzAPI
      • Using the REST API
      • azapi_resource
      • Removing azapi_resource
      • azapi_update_resource
      • Data sources and outputs
      • Removing azapi_update_resource
  • Virtual Machines
    • Azure Bastion with native tools & AAD
    • Managed Identities
  • About
  • Archive
  1. Home
  2. Sovereign Landing Zones
  3. Libraries
  4. What is a library?
What is a library?
What is a library?
Libraries
What is a library?
Policies, Assignments and Roles
Archetypes, Overrides and Architecture
Metadata and Policy Default Values
Custom libraries
  • Library structure
  • Next

What is a library?

Overview of the Azure Landing Zones Library system.

Table of Contents

  • Library structure
  • Next

Introduction

The Azure Landing Zones library format is a prescribed structure containing JSON and YAML files to provide assets and controls for use by the Terraform alz provider. Understanding libraries and how they are used is vital when going beyond the defaults for governed Azure environment and when you are looking to override, modify and extend.

The sole purpose of a library is to help define the management group structure - and the associated policies and roles - used to govern environments assets.

  • The architecture describes the management group names and display names, plus the list of archetypes that are used at that management group scope.

  • Archetypes are collections of assets that are used at that scope point. Multiple archetypes can be used at any management group. You can also define archetype overrides that define a delta from the base archetype.

  • Assets are comprised of

    • policy definitions

    • policy set definitions (also known as policy initiatives)

    • policy assignments

    • RBAC role definitions

      The policy assignments can assign any combination of built-in and custom policy and policy initiatives.

  • The metadata JSON file defined the library’s name, display name, description, and any dependencies it has on other libraries.

  • Finally, the optional policy default values file allows the definition of policy assignment values that can be used consistently across multiple policy assignments in the library.

Library structure

--- title: Azure Landing Zone structure --- graph TD M([Metadata]) A([Architecture]) V([Policy Default Values]) A --> AT[Archetype] A --> AO(Archetype Overrides) AO --> AT AT --> PA[Policy Assignments] AT --> PS[Policy Set Definitions] AT --> PD[Policy Definitions] AT --> RD[Role Definitions]

Note that there can be multiple of all files. The bottom row are collectively called assets.

Example Libraries

Platform Libraries

These libraries are maintained by Microsoft’s Customer Architecture and Engineering team (CAE) and are hosted in the main Azure Landing Zone library repo and supporting documentation. They are semantically versions with controlled releases, changelogs, and issue tracking.

  • Azure Landing Zones Library (alz)
  • Sovereign Landing Zones Library (slz)
  • Azure Landing Zones Library (amba)

Modularity and extensibility

The system supports multiple library sources and dependency chains, enabling organizations to build upon Microsoft baselines while adding custom requirements.

All library components follow semantic versioning principles, ensuring predictable updates and backward compatibility.

Links

  • https://aka.ms/alz/repo
  • https://aka.ms/alz/library
  • https://aka.ms/alz/library/site
  • https://aka.ms/alz/issues

Next

We’ll look at the example BIO custom library for The Netherlands.

Source: https://www.azurecitadel.com/slz/libraries/overview/
Published: 07 Jan 2026
Printed:
Libraries What is a library? Policies, Assignments and Roles