Kinetic Gain · Azure Landing Zone Drift Radar
synthetic landing-zone baselines · drift packets
azure · landing zones · management groups · platform governance
Wave 11 · Cloud Identity and Device Control · Azure / Landing Zone / Guardrail proof · Synthetic management-group + subscription drift exports

Azure landing-zone drift, policy guardrails, and platform hygiene that stay operator-readable.

This control plane turns Azure landing-zone snapshots into one platform-governance surface: missing policy assignments, owner-role drift, public ingress, Defender coverage, diagnostic gaps, stale baselines, and the remediation packets needed before audit or rollout windows drift.

Drift Posture

packet readiness · blocker · cleanup window

61%
Cloud Governance

Policy assignment recovery

Deny-public-IP guardrail is missing from analytics sandbox inheritance.

  • Landing-zone inheritance is incomplete across the affected management group.
  • 12 hours to the next cleanup checkpoint
  • Status: red
AZ-PA-14

58%
Azure IAM

Owner role rollback

Direct contractor owner access is active outside the approved PIM path.

  • Owner privilege needs rollback before the next admin change window.
  • 8 hours to the next cleanup checkpoint
  • Status: red
AZ-ID-07

64%
Network Security

Perimeter repair

NSG ingress and UDR bypass both drifted away from the expected hub firewall design.

  • Firewall path must be restored before external traffic posture is called healthy.
  • 10 hours to the next cleanup checkpoint
  • Status: red
AZ-NW-22

79%
Platform Reliability

Baseline and telemetry refresh

Diagnostics and stale baselines can clear once the logging lane is reattached.

  • Key Vault diagnostics and stale sandbox baseline need one coordinated refresh cycle.
  • 24 hours to the next cleanup checkpoint
  • Status: yellow
AZ-OB-31