Share via

Azure Platform Landing Zone Accelerator Issue

Ashish Sharma 0 Reputation points
2026-03-17T15:58:06.9633333+00:00

I am doing a POC for Azure Platform Landing Zone Accelerator. I was able to customize the stuff using "alz_custom.alz_architecture_definition.yaml" and using "inputs.yaml", however please guide me on how can I customize the blob storage account and tfstate file and what can be done to include default static and built-in policies and policy sets assignment along with the default role assignments which is not getting done using below command while bootstrapping and then also not getting done post running the CI Plan and CD Apply pipeline that bootstrapping creates. I also observed it is just creating the customized management group hierarchy and doing the subscriptions placement into their respective MGs and also created only connectivity resources plus the managed identities, blob storage and and tfstate under it but not doing anything into security like Azure Sentinal deployment, not doing anything in Management subscription like defender for cloud (just updating bootstrapping related data). So I want to also know on how can I leverage the customized .tfstate file in case we need to run separate AVM terraform modules for these things including Azure monitor and all above mentioned which cannot be done using below

Deploy-Accelerator `

-inputs "C:\accelerator\config\inputs.yaml", "C:\accelerator\config\platform-landing-zone.tfvars" `

-starterAdditionalFiles "C:\accelerator\config\lib" `

-output "C:\accelerator\output"

Azure Policy
Azure Policy

An Azure service that is used to implement corporate governance and standards at scale for Azure resources.

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Suchitra Suregaunkar 11,470 Reputation points Microsoft External Staff Moderator
    2026-03-17T19:33:59.3233333+00:00

    Hello Ashish Sharma

    What you are observing during your POC is expected and by design for the Azure Platform Landing Zone Accelerator (Terraform).

    The ALZ Accelerator’s purpose is to bootstrap a governed Infrastructure‑as‑Code (IaC) environment and provide starter Terraform code for Azure Landing Zones. Specifically, it:

    • Bootstraps CI/CD (Azure DevOps or GitHub)
    • Creates:
      • Terraform backend (storage account, container, state RG)
        • Managed identities for Plan / Apply
          • Initial repository structure and pipelines
          • Deploys only the platform components explicitly enabled in the starter module configuration

    This is documented in Microsoft’s official ALZ Accelerator documentation: Azure Landing Zone IaC Accelerator – Overview

    Why only MG hierarchy, subscription placement, connectivity resources are created?

    When using the Terraform ALZ Accelerator:

    • Management group hierarchy
    • Subscription placement
    • Connectivity resources

    are deployed only if they are enabled in the Terraform starter module inputs and archetypes.

    The accelerator does not automatically deploy all CAF design‑area services (Security, Management, Monitoring). This separation is intentional.

    Reference: Azure Landing Zones – IaC Accelerator documentation

    Policy and role assignments in ALZ are archetype‑driven, not automatic.

    • alz_custom.alz_architecture_definition.yaml defines management group structure
    • Policy assignments and RBAC come from archetype definitions
    • If your custom archetypes do not inherit or explicitly include policy/role assignments, nothing will be applied

    This behavior is documented in Microsoft’s ALZ override library guidance: Azure Landing Zone library with overrides

    The Terraform Platform Landing Zone (AVM) modules:

    • Do NOT deploy Microsoft Sentinel
    • Do NOT enable Defender for Cloud plans
    • Do NOT deploy Azure Monitor / Log Analytics by default

    Reason: These services are subscription‑specific, region‑dependent, and workload‑dependent, and Microsoft intentionally keeps them out of the core platform deployment to avoid forced assumptions.

    Official references:

    Microsoft’s recommendation is to deploy these using separate Terraform stacks or AVM modules, once the platform foundation is in place.

    The Terraform backend (storage account, container, tfstate) is created and controlled by the bootstrap module, not by:

    • alz_architecture_definition.yaml
    • Starter module logic

    Backend customization (naming, SKU, RG) is supported only during the bootstrap configuration phase.

    Official documentation: Advanced Bootstrap – Azure Landing Zone Accelerator

    Microsoft recommends:

    • Use separate Terraform deployments (separate states)
    • Reuse the same backend storage account
    • Deploy:
      • Microsoft Sentinel
        • Defender for Cloud
          • Azure Monitor / Log Analytics
            • Additional policy initiatives

    This separation is a documented ALZ design principle, not a limitation.

    Source: Azure Landing Zones – Implementation options

    The Azure Platform Landing Zone Accelerator is working as designed. It bootstraps a governed Terraform environment and deploys only the components explicitly enabled in the starter module and archetypes.

    Azure Policy assignments, RBAC, Microsoft Sentinel, Defender for Cloud, and Azure Monitor are not deployed automatically and must be implemented using separate Terraform modules or stacks, as recommended by Microsoft.

    Terraform backend resources are created during the bootstrap phase and are not controlled by architecture YAML files.

    Thanks,
    Suchitra.

  2. Vinodh247 41,966 Reputation points MVP Volunteer Moderator
    2026-03-17T16:11:06.9166667+00:00

    Hi ,

    Thanks for reaching out to Microsoft Q&A.

    The Azure Landing Zones Accelerator bootstrap only sets up core platform scaffolding like management groups, subscriptions, connectivity, and tfstate storage, and does not deploy security services such as Microsoft Sentinel or configure Microsoft Defender for Cloud, since those are treated as Day-2 operations. Customisation of the storage account and tfstate is limited through inputs.yaml, so for full control you need to modify or fork the bootstrap module or provision your own backend separately. Policy and initiative assignments will not happen unless you explicitly include CAF archetypes or define policy blocks in your configuration.

    For security, monitoring, and additional governance, the recommended approach is to use separate Terraform stacks leveraging Azure Verified Modules, reusing the same backend with different state keys and optionally referencing ALZ outputs via remote state, which gives better modularity and aligns with enterprise landing zone design. 

    Please 'Upvote'(Thumbs-up) and 'Accept' as answer if the reply was helpful. This will be benefitting other community members who face the same issue.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.