Kinetic Gain · Azure Landing Zone Drift Radar
synthetic landing-zone baselines · drift packets
azure · landing zones · management groups · platform governance
Wave 11 · Cloud Identity and Device Control · Azure / Landing Zone / Guardrail proof · Synthetic management-group + subscription drift exports

Azure landing-zone drift, policy guardrails, and platform hygiene that stay operator-readable.

This control plane turns Azure landing-zone snapshots into one platform-governance surface: missing policy assignments, owner-role drift, public ingress, Defender coverage, diagnostic gaps, stale baselines, and the remediation packets needed before audit or rollout windows drift.

Guardrail Risks

Sorted by severity · owner · control family
Columns: Severity · Risk · Owner · Subject · Control family · Resource type · Message

high · stale-baseline
Owner: Platform Reliability
Subject: /providers/Microsoft.Management/managementGroups/kg-analytics-sbx
Message: Baseline snapshot for "Analytics Sandbox Zone" is stale and should be refreshed before certifying landing-zone posture.

high · public-ingress-open
Owner: Network Security
Subject: /subscriptions/2f91d9f9-e629-46cb-8b62-d82f93de31f0/resourceGroups/rg-edge-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-edge-frontdoor
Control family: Network
Resource type: NetworkSecurityGroup
Message: Internet-exposed ingress is active on "/subscriptions/2f91d9f9-e629-46cb-8b62-d82f93de31f0/resourceGroups/rg-edge-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-edge-frontdoor" and no longer matches the expected Azure landing-zone guardrail.

high · owner-role-drift
Owner: Azure IAM
Subject: /subscriptions/2f91d9f9-e629-46cb-8b62-d82f93de31f0/providers/Microsoft.Authorization/roleAssignments/ops-contractor-owner
Control family: Identity
Resource type: RoleAssignment
Message: Owner-level identity drift is active on "/subscriptions/2f91d9f9-e629-46cb-8b62-d82f93de31f0/providers/Microsoft.Authorization/roleAssignments/ops-contractor-owner" and should be rolled back before wider admin posture expands.

high · policy-assignment-missing
Owner: Cloud Governance
Subject: /providers/Microsoft.Management/managementGroups/kg-analytics-sbx/providers/Microsoft.Authorization/policyAssignments/deny-public-ip-paas
Control family: Policy
Resource type: PolicyAssignment
Message: Required policy assignment is missing from "/providers/Microsoft.Management/managementGroups/kg-analytics-sbx/providers/Microsoft.Authorization/policyAssignments/deny-public-ip-paas", weakening the Azure landing-zone guardrail pack.

high · defender-plan-disabled
Owner: Defender Operations
Subject: /subscriptions/1c6f73b3-66cf-41be-b0af-2ebfd10b1c44/providers/Microsoft.Security/pricings/VirtualMachines
Control family: Defender
Resource type: DefenderPlan
Message: Defender coverage is disabled on "/subscriptions/1c6f73b3-66cf-41be-b0af-2ebfd10b1c44/providers/Microsoft.Security/pricings/VirtualMachines" and should be restored before this zone is called healthy.

high · public-ingress-open
Owner: Network Security
Subject: /subscriptions/2f91d9f9-e629-46cb-8b62-d82f93de31f0/resourceGroups/rg-net-prod/providers/Microsoft.Network/routeTables/rt-spoke-checkout
Control family: Connectivity
Resource type: RouteTable
Message: Internet-exposed ingress is active on "/subscriptions/2f91d9f9-e629-46cb-8b62-d82f93de31f0/resourceGroups/rg-net-prod/providers/Microsoft.Network/routeTables/rt-spoke-checkout" and no longer matches the expected Azure landing-zone guardrail.

high · hub-spoke-route-drift
Owner: Network Security
Subject: /subscriptions/2f91d9f9-e629-46cb-8b62-d82f93de31f0/resourceGroups/rg-net-prod/providers/Microsoft.Network/routeTables/rt-spoke-checkout
Control family: Connectivity
Resource type: RouteTable
Message: Hub-spoke connectivity drift is bypassing the expected firewall path on "/subscriptions/2f91d9f9-e629-46cb-8b62-d82f93de31f0/resourceGroups/rg-net-prod/providers/Microsoft.Network/routeTables/rt-spoke-checkout".

medium · stale-drift-window
Owner: Platform Reliability
Subject: /subscriptions/1c6f73b3-66cf-41be-b0af-2ebfd10b1c44/providers/Microsoft.Security/pricings/VirtualMachines
Control family: Defender
Resource type: DefenderPlan
Message: Drift on "/subscriptions/1c6f73b3-66cf-41be-b0af-2ebfd10b1c44/providers/Microsoft.Security/pricings/VirtualMachines" has remained unresolved for 77 hours.

medium · diagnostic-settings-missing
Owner: Platform Reliability
Subject: /subscriptions/2f91d9f9-e629-46cb-8b62-d82f93de31f0/resourceGroups/rg-secrets-prod/providers/Microsoft.KeyVault/vaults/kv-payments-prod
Control family: Logging
Resource type: KeyVault
Message: Diagnostic settings are missing on "/subscriptions/2f91d9f9-e629-46cb-8b62-d82f93de31f0/resourceGroups/rg-secrets-prod/providers/Microsoft.KeyVault/vaults/kv-payments-prod", reducing auditability for Azure control-plane events.

low · stale-drift-window
Owner: Platform Reliability
Subject: /providers/Microsoft.Management/managementGroups/kg-analytics-sbx/providers/Microsoft.Authorization/policyAssignments/deny-public-ip-paas
Control family: Policy
Resource type: PolicyAssignment
Message: Drift on "/providers/Microsoft.Management/managementGroups/kg-analytics-sbx/providers/Microsoft.Authorization/policyAssignments/deny-public-ip-paas" has remained unresolved for 42 hours.

low · stale-drift-window
Owner: Platform Reliability
Subject: /subscriptions/2f91d9f9-e629-46cb-8b62-d82f93de31f0/resourceGroups/rg-secrets-prod/providers/Microsoft.KeyVault/vaults/kv-payments-prod
Control family: Logging
Resource type: KeyVault
Message: Drift on "/subscriptions/2f91d9f9-e629-46cb-8b62-d82f93de31f0/resourceGroups/rg-secrets-prod/providers/Microsoft.KeyVault/vaults/kv-payments-prod" has remained unresolved for 28 hours.