Now Reading: From Beginner to Cloud Arc…
-
01
From Beginner to Cloud Arc…
1
00:00:00,000 –> 00:00:04,420
Most organizations treat Azure administration as a simple stack of technical certifications
2
00:00:04,420 –> 00:00:08,060
where you just keep adding more knowledge, more roles and more responsibility.
3
00:00:08,060 –> 00:00:08,780
They are wrong.
4
00:00:08,780 –> 00:00:12,580
This perspective is a fundamental misunderstanding of what actually happens as you move from
5
00:00:12,580 –> 00:00:15,800
a junior administrator to an enterprise architect.
6
00:00:15,800 –> 00:00:19,660
The truth is structural and it has nothing to do with learning more services or passing
7
00:00:19,660 –> 00:00:20,740
more exams.
8
00:00:20,740 –> 00:00:23,340
You have to face a single uncomfortable reality.
9
00:00:23,340 –> 00:00:25,860
Azure administration is the management of entropy.
10
00:00:25,860 –> 00:00:30,340
That entropy always wins unless you architect systems that make non-compliant states impossible
11
00:00:30,340 –> 00:00:31,420
to reach.
12
00:00:31,420 –> 00:00:35,460
This episode maps your journey through seven distinct levels of understanding and each
13
00:00:35,460 –> 00:00:38,060
level is marked by a moment of disillusionment.
14
00:00:38,060 –> 00:00:41,720
These are the moments when what you thought was architecture reveals itself as nothing
15
00:00:41,720 –> 00:00:43,900
more than high stakes improvisation.
16
00:00:43,900 –> 00:00:47,100
Every step forward also marks a shift in how you view your own job.
17
00:00:47,100 –> 00:00:50,020
At level one, you believe you are an administrator but you are not.
18
00:00:50,020 –> 00:00:55,900
In reality, you are a human API call with inconsistent latency and catastrophic failure modes.
19
00:00:55,900 –> 00:00:59,480
By the time you reach level seven, you are no longer an administrator at all.
20
00:00:59,480 –> 00:01:02,340
You have become the curator of a distributed decision engine.
21
00:01:02,340 –> 00:01:05,880
That distinction matters because it determines whether your organization survives the next
22
00:01:05,880 –> 00:01:08,020
incident or becomes a cautionary tale.
23
00:01:08,020 –> 00:01:12,260
The architecture of this episode follows the same structure as Azure itself, moving from
24
00:01:12,260 –> 00:01:15,780
the surface level down through the layers where control actually lives.
25
00:01:15,780 –> 00:01:19,460
We will start with the comfortable illusions of the portal, then move through automation
26
00:01:19,460 –> 00:01:21,460
infrastructure as code and policy.
27
00:01:21,460 –> 00:01:24,980
From there we look at identity and landing zones before finally reaching the edge where
28
00:01:24,980 –> 00:01:27,460
artificial intelligence operates autonomously.
29
00:01:27,460 –> 00:01:32,020
At that level, the system makes decisions and takes actions without waiting for human approval.
30
00:01:32,020 –> 00:01:36,060
By the end, you will understand something most Azure administrators never grasp.
31
00:01:36,060 –> 00:01:37,980
The job is not to manage resources.
32
00:01:37,980 –> 00:01:42,740
Your job is to design systems where the wrong thing is architecturally impossible.
33
00:01:42,740 –> 00:01:46,260
When you reach that point, administration becomes orchestration, orchestration becomes
34
00:01:46,260 –> 00:01:49,700
governance and governance eventually becomes invisibility.
35
00:01:49,700 –> 00:01:53,100
The best administrators are the ones whose work is so well designed that no one even notices
36
00:01:53,100 –> 00:01:54,100
they exist.
37
00:01:54,100 –> 00:01:55,780
This is not a tutorial or a how-to guide.
38
00:01:55,780 –> 00:01:59,820
This is an argument for why your current approach to Azure is a design omission and we are
39
00:01:59,820 –> 00:02:02,580
going to look at exactly what that costs you.
40
00:02:02,580 –> 00:02:03,780
The comfortable lie.
41
00:02:03,780 –> 00:02:05,340
You have been promoted three times.
42
00:02:05,340 –> 00:02:08,780
You manage the budgets and you own the tenant, yet you are still clicking buttons.
43
00:02:08,780 –> 00:02:12,580
It might not happen every day and you certainly don’t do it deliberately, but you always end
44
00:02:12,580 –> 00:02:14,500
up back there when something breaks.
45
00:02:14,500 –> 00:02:19,180
When a policy blocks a deployment or an agent accesses the wrong data, you find yourself
46
00:02:19,180 –> 00:02:22,500
in the portal creating exceptions and adjusting settings.
47
00:02:22,500 –> 00:02:26,100
You are manually moving things around, clicking and hoping because you never actually designed
48
00:02:26,100 –> 00:02:27,100
the system.
49
00:02:27,100 –> 00:02:30,820
You inherited it, you maintained it and you patched it, but you never truly governed it.
50
00:02:30,820 –> 00:02:34,220
This is the comfortable lie that tells you that if you have the right certifications and
51
00:02:34,220 –> 00:02:37,380
understand the services you can manage Azure, you cannot.
52
00:02:37,380 –> 00:02:38,660
Azure is not manageable.
53
00:02:38,660 –> 00:02:40,020
It is only governable.
54
00:02:40,020 –> 00:02:44,260
That distinction matters because governance requires architecture rather than just knowledge.
55
00:02:44,260 –> 00:02:48,700
The real problem is that you never defined what should be true about your infrastructure.
56
00:02:48,700 –> 00:02:52,780
You defined what you wanted to deploy, but you never defined what was forbidden.
57
00:02:52,780 –> 00:02:54,420
You never made the wrong thing impossible.
58
00:02:54,420 –> 00:02:57,460
You just made it expensive, slow and dependent on exceptions.
59
00:02:57,460 –> 00:03:00,660
By the end of this conversation, you will see your role entirely differently.
60
00:03:00,660 –> 00:03:04,980
You won’t just learn new services or features, but you will finally understand that you haven’t
61
00:03:04,980 –> 00:03:06,300
been administering Azure.
62
00:03:06,300 –> 00:03:09,420
You have been managing entropy and entropy is the enemy of architecture.
63
00:03:09,420 –> 00:03:13,380
This is the first uncomfortable truth of the seven levels and it only gets worse from
64
00:03:13,380 –> 00:03:14,380
here.
65
00:03:14,380 –> 00:03:16,020
The portal clicker illusion.
66
00:03:16,020 –> 00:03:18,820
Most Azure careers begin with a mouse and a search box.
67
00:03:18,820 –> 00:03:22,980
You create a resource group, search for a storage account, click through a few fields and
68
00:03:22,980 –> 00:03:24,060
hit deploy.
69
00:03:24,060 –> 00:03:28,340
When the notification pops up saying deployment succeeded, you feel a sense of accomplishment.
70
00:03:28,340 –> 00:03:31,420
You believe you understand the system because you saw it happen.
71
00:03:31,420 –> 00:03:32,820
You do not.
72
00:03:32,820 –> 00:03:35,940
The Azure portal is not a window into the architecture of the cloud.
73
00:03:35,940 –> 00:03:40,340
It is a facade specifically designed to make that architecture invisible.
74
00:03:40,340 –> 00:03:45,220
You feel you feel and every check box you toggle represents an abstraction stacked on top of
75
00:03:45,220 –> 00:03:46,340
another abstraction.
76
00:03:46,340 –> 00:03:50,340
The portal shows you only the thin slice of data needed to complete a single transaction
77
00:03:50,340 –> 00:03:52,460
while hiding the machinery underneath.
78
00:03:52,460 –> 00:03:57,380
What it hides is exactly where your future production outages and security holes live.
79
00:03:57,380 –> 00:04:00,260
When you click create in the portal, you aren’t actually building anything.
80
00:04:00,260 –> 00:04:04,860
You are sending a request to an API which calls the Azure resource manager, which then
81
00:04:04,860 –> 00:04:09,420
evaluates policies and checks or back permissions against hundreds of organizational rules you
82
00:04:09,420 –> 00:04:10,700
never see.
83
00:04:10,700 –> 00:04:13,700
If the request passes this gauntlet, a resource appears.
84
00:04:13,700 –> 00:04:19,260
If it fails, the portal hands you a generic error like authorization failed or invalid parameter.
85
00:04:19,260 –> 00:04:24,740
It refuses to show you the actual system state or the decision logic that led to that failure.
86
00:04:24,740 –> 00:04:29,860
Every manual click is a decision point that bypasses versioning, logging and intent.
87
00:04:29,860 –> 00:04:34,260
The system makes decisions on your behalf, but those decisions remain invisible to you because
88
00:04:34,260 –> 00:04:35,500
they are hidden.
89
00:04:35,500 –> 00:04:36,900
You cannot replicate them.
90
00:04:36,900 –> 00:04:40,740
You cannot audit them and you certainly cannot explain them during a high stakes compliance
91
00:04:40,740 –> 00:04:41,740
review.
92
00:04:41,740 –> 00:04:43,860
You are left to click again and simply hope for the same result.
93
00:04:43,860 –> 00:04:47,340
Believing that clicking a button equates to understanding a system is the first level
94
00:04:47,340 –> 00:04:48,860
of the architectural illusion.
95
00:04:48,860 –> 00:04:50,260
This is the uncomfortable truth.
96
00:04:50,260 –> 00:04:51,580
You are not an architect.
97
00:04:51,580 –> 00:04:56,740
In this model, you are a human API call with high latency and inconsistent behavior.
98
00:04:56,740 –> 00:05:00,980
You think you are making architectural choices, but you are actually just submitting requests
99
00:05:00,980 –> 00:05:04,460
to a system designed to process them in one specific way.
100
00:05:04,460 –> 00:05:09,140
The system does the heavy lifting while you act as a slow, forgetful input device.
101
00:05:09,140 –> 00:05:12,060
The real cost of portal administration isn’t the time you waste.
102
00:05:12,060 –> 00:05:13,780
It is the entropy you create.
103
00:05:13,780 –> 00:05:18,820
Each manual click generates a resource that exists outside of version control and organizational
104
00:05:18,820 –> 00:05:19,820
intent.
105
00:05:19,820 –> 00:05:23,740
It exists as a fact on the ground that you have to reverse engineer later just to understand
106
00:05:23,740 –> 00:05:25,300
why it was built that way.
107
00:05:25,300 –> 00:05:29,180
When you scale this to 10 resources, you have 10 invisible decision points.
108
00:05:29,180 –> 00:05:32,740
When a team does this for a year, you end up with a sprawling environment that no one
109
00:05:32,740 –> 00:05:34,300
can explain or predict.
110
00:05:34,300 –> 00:05:35,860
The architectural law is simple.
111
00:05:35,860 –> 00:05:38,300
If it is not declarative, it is not managed.
112
00:05:38,300 –> 00:05:41,980
Declarative management means you define what should be true and the system enforces that
113
00:05:41,980 –> 00:05:42,980
state.
114
00:05:42,980 –> 00:05:49,060
Most organizations, however, rely on imperative administration, the click and hope method.
115
00:05:49,060 –> 00:05:52,940
It works until it doesn’t and when the system breaks, the investigation takes weeks because
116
00:05:52,940 –> 00:05:55,060
the original decisions were never recorded.
117
00:05:55,060 –> 00:05:59,500
Eventually, you realize clicking is inefficient, so you move to PowerShell.
118
00:05:59,500 –> 00:06:01,660
The scripting apprentices trap.
119
00:06:01,660 –> 00:06:04,580
You realize clicking is a waste of time, so you start writing scripts.
120
00:06:04,580 –> 00:06:08,100
You handcraft a hundred lines of logic to deploy network security groups and assign
121
00:06:08,100 –> 00:06:09,380
R-back roles.
122
00:06:09,380 –> 00:06:13,420
When the script runs successfully, you feel like an architect because you finally automated
123
00:06:13,420 –> 00:06:14,420
your workflow.
124
00:06:14,420 –> 00:06:15,900
This is where the trap closes.
125
00:06:15,900 –> 00:06:19,540
Scripts feel like progress because they are faster than the portal, but speed is not
126
00:06:19,540 –> 00:06:20,860
the same as stability.
127
00:06:20,860 –> 00:06:24,500
You can now deploy in minutes what used to take hours and you can even check that code
128
00:06:24,500 –> 00:06:25,980
into Git.
129
00:06:25,980 –> 00:06:30,060
Administrators often believe they have solved the problem of manual work at this stage,
130
00:06:30,060 –> 00:06:32,860
but in reality, they have only scaled the chaos.
131
00:06:32,860 –> 00:06:36,660
Scripts are imperative, meaning they describe how to do something rather than what the end
132
00:06:36,660 –> 00:06:37,940
stage should be.
133
00:06:37,940 –> 00:06:42,100
When you write a PowerShell script to create a storage account, you are issuing a sequence
134
00:06:42,100 –> 00:06:43,100
of commands.
135
00:06:43,100 –> 00:06:46,700
You are not saying a storage account must exist with this configuration.
136
00:06:46,700 –> 00:06:49,380
There is a massive architectural gulf between those two ideas.
137
00:06:49,380 –> 00:06:53,700
In the real world, as you never stop changing, and a script that worked perfectly six months
138
00:06:53,700 –> 00:06:58,860
ago will eventually fail because an API response format changed or a module updated.
139
00:06:58,860 –> 00:07:02,420
The danger isn’t just that the script is brittle, it’s that you won’t know when it fails
140
00:07:02,420 –> 00:07:03,420
silently.
141
00:07:03,420 –> 00:07:07,220
You aren’t checking for the actual existence of a correctly configured resource.
142
00:07:07,220 –> 00:07:09,660
You are merely checking the exit code of a command.
143
00:07:09,660 –> 00:07:14,260
If the command reports success but the configuration is wrong, you have successfully automated
144
00:07:14,260 –> 00:07:16,140
your own misunderstandings at scale.
145
00:07:16,140 –> 00:07:19,380
This creates massive technical debt because scripts are rarely competent.
146
00:07:19,380 –> 00:07:23,860
If you run a procedural script twice, you might end up with duplicate resources or a wall
147
00:07:23,860 –> 00:07:26,660
of red error text because a resource already exists.
148
00:07:26,660 –> 00:07:30,620
To fix this, you start writing complex error handling and retry logic.
149
00:07:30,620 –> 00:07:35,140
Your hundred lines script balloons into 400 lines of maintenance heavy code.
150
00:07:35,140 –> 00:07:39,660
You are no longer managing infrastructure, you are babysitting a fragile code base.
151
00:07:39,660 –> 00:07:43,460
Imperative automation is just a faster way to create architectural erosion.
152
00:07:43,460 –> 00:07:47,740
Consider a common scenario where a dev team leads VMs with public IPs for a quick test.
153
00:07:47,740 –> 00:07:52,140
You write a script that handles the deployment and the team is happy, but six months later,
154
00:07:52,140 –> 00:07:55,380
you have 47 exposed VMs scattered across the environment.
155
00:07:55,380 –> 00:07:58,900
You are retired, summer forgotten, and all of them are security risks.
156
00:07:58,900 –> 00:08:03,620
When an auditor asks why these public IPs exist, the script offers no answers.
157
00:08:03,620 –> 00:08:07,540
It doesn’t explain the why or enforce any organizational policy.
158
00:08:07,540 –> 00:08:10,740
It just executes API calls without any awareness of intent.
159
00:08:10,740 –> 00:08:14,500
There are no guardrails to prevent the next person from running the same script and making
160
00:08:14,500 –> 00:08:15,580
the same mistake.
161
00:08:15,580 –> 00:08:19,380
Your security model relies entirely on your personal discipline and memory, both of which
162
00:08:19,380 –> 00:08:20,620
will eventually fail.
163
00:08:20,620 –> 00:08:24,860
Once you realize how fragile these scripts are, you finally look toward infrastructure
164
00:08:24,860 –> 00:08:27,020
as code.
165
00:08:27,020 –> 00:08:29,460
The ISE revelation and its trap.
166
00:08:29,460 –> 00:08:33,780
You eventually discover infrastructure as code, bicep, terraform, or arm templates enter
167
00:08:33,780 –> 00:08:37,340
your workflow and suddenly the entire landscape changes.
168
00:08:37,340 –> 00:08:41,740
You stop writing imperative commands and start writing declarative definitions.
169
00:08:41,740 –> 00:08:45,300
Instead of telling the cloud what to do, you describe what should exist and the system
170
00:08:45,300 –> 00:08:46,460
simply makes it so.
171
00:08:46,460 –> 00:08:50,740
This feels like real architecture and in that moment you believe you have finally grasped
172
00:08:50,740 –> 00:08:53,060
a fundamental truth about cloud infrastructure.
173
00:08:53,060 –> 00:08:54,060
You have not.
174
00:08:54,060 –> 00:08:56,580
You have already moved one layer up the stack.
175
00:08:56,580 –> 00:09:00,460
Infrastructure as code represents the first real step toward deterministic infrastructure,
176
00:09:00,460 –> 00:09:01,820
which is a valid improvement.
177
00:09:01,820 –> 00:09:06,420
When you author a bicep template or a terraform module, you are defining a desired state
178
00:09:06,420 –> 00:09:12,340
and asserting that this specific configuration must exist once the template is applied.
179
00:09:12,340 –> 00:09:16,660
Because these templates are idempotent, you can execute them 100 times while consistently
180
00:09:16,660 –> 00:09:18,060
achieving the same result.
181
00:09:18,060 –> 00:09:21,380
The system ignores matching configurations, creates what is missing and corrects what
182
00:09:21,380 –> 00:09:25,460
is drifted making this approach categorically superior to manual scripting.
183
00:09:25,460 –> 00:09:27,500
But here is the uncomfortable truth.
184
00:09:27,500 –> 00:09:31,620
Most infrastructure as code implementations are just legacy scripts wearing a different
185
00:09:31,620 –> 00:09:32,620
language.
186
00:09:32,620 –> 00:09:34,820
The syntax has evolved and the tools have changed.
187
00:09:34,820 –> 00:09:37,580
But the underlying logic remains identical to the old ways.
188
00:09:37,580 –> 00:09:41,900
You still decide every detail that enters the template and those decisions usually stem
189
00:09:41,900 –> 00:09:45,660
from the same flawed assumptions that caused your original problems.
190
00:09:45,660 –> 00:09:49,980
You might build a sophisticated bicep template that deploys a storage account with perfect
191
00:09:49,980 –> 00:09:52,740
naming, replication settings and access tiers.
192
00:09:52,740 –> 00:09:57,260
You version it in Git and run it through a professional CICD pipeline feeling organized
193
00:09:57,260 –> 00:10:01,220
and repeatable, yet it remains nothing more than automation without intent.
194
00:10:01,220 –> 00:10:05,180
The architectural reality is that infrastructure as code is a necessary tool, but it is never
195
00:10:05,180 –> 00:10:06,700
a sufficient solution.
196
00:10:06,700 –> 00:10:10,500
Without policy, governance or a landing zone, your beautiful bicep template is just a
197
00:10:10,500 –> 00:10:13,900
high-speed vehicle for deploying non-compliant infrastructure.
198
00:10:13,900 –> 00:10:18,860
This scenario plays out constantly, where a developer creates a template that uses parameters,
199
00:10:18,860 –> 00:10:22,180
divides outputs and follows every naming convention perfectly.
200
00:10:22,180 –> 00:10:26,280
However, if no policy exists to prevent public access or mandate encryption, that template
201
00:10:26,280 –> 00:10:30,660
remains a liability that anyone in the organization can deploy to any subscription.
202
00:10:30,660 –> 00:10:34,660
Nothing stops a user from deploying that storage account and then manually opening it to the
203
00:10:34,660 –> 00:10:39,980
public internet, leaving you to wonder why the auditors are suddenly sending angry emails.
204
00:10:39,980 –> 00:10:44,580
The template defines the mechanics of creation, but it fails to define what is actually permitted
205
00:10:44,580 –> 00:10:45,580
to exist.
206
00:10:45,580 –> 00:10:49,420
While the template serves as documentation of your intent, intent without enforcement is
207
00:10:49,420 –> 00:10:50,940
nothing more than hope.
208
00:10:50,940 –> 00:10:54,220
This is the exact point where most organizations stall out.
209
00:10:54,220 –> 00:10:58,660
They invest heavily in infrastructure as code, by building vast libraries of patterns and
210
00:10:58,660 –> 00:11:02,300
educating their teams only to realize these templates prevent nothing.
211
00:11:02,300 –> 00:11:06,660
They simply make it faster to deploy resources, many of which violate internal standards or
212
00:11:06,660 –> 00:11:08,740
should never have been created in the first place.
213
00:11:08,740 –> 00:11:13,580
The real divide between meaningful IRC and basic automation comes down to one principle.
214
00:11:13,580 –> 00:11:14,980
The template is not the truth.
215
00:11:14,980 –> 00:11:16,340
The policy is the truth.
216
00:11:16,340 –> 00:11:21,540
Your bicep template describes how a resource looks, but organizational policy dictates whether
217
00:11:21,540 –> 00:11:24,340
that resource has a right to exist at all.
218
00:11:24,340 –> 00:11:28,340
Policy is the critical layer that separates true architecture from mere automation because
219
00:11:28,340 –> 00:11:31,780
it is the only mechanism that makes the wrong thing impossible.
220
00:11:31,780 –> 00:11:36,140
If a template attempts to enable public access on a storage account while a policy forbids
221
00:11:36,140 –> 00:11:38,180
it, the policy wins every time.
222
00:11:38,180 –> 00:11:41,860
A template can never override the fundamental intent of the organization.
223
00:11:41,860 –> 00:11:45,860
Most organizations possess neither the template nor the policy, while some have the template
224
00:11:45,860 –> 00:11:47,620
but ignore the governance.
225
00:11:47,620 –> 00:11:51,980
Almost no one realizes that the policy is the only part that actually matters for long-term
226
00:11:51,980 –> 00:11:52,980
stability.
227
00:11:52,980 –> 00:11:56,900
You can keep writing better templates, but they will continue to deploy non-compliant
228
00:11:56,900 –> 00:12:02,580
infrastructure as the gap between your perceived control and actual reality continues to widen.
229
00:12:02,580 –> 00:12:06,220
This realization proves that infrastructure as code is not the final answer.
230
00:12:06,220 –> 00:12:11,260
It is a tool, and tools used without an architectural framework are just faster ways to fail.
231
00:12:12,140 –> 00:12:13,660
The governance awakening.
232
00:12:13,660 –> 00:12:18,300
Once you realize your templates require guardrails, you finally discover a zooer policy.
233
00:12:18,300 –> 00:12:22,620
This marks a fundamental shift in your approach, not because you are adopting a new service,
234
00:12:22,620 –> 00:12:25,380
but because you are confronting a new architectural principle.
235
00:12:25,380 –> 00:12:29,940
The distinction between what you allow and what you permit defines the boundary between architecture
236
00:12:29,940 –> 00:12:30,940
and chaos.
237
00:12:30,940 –> 00:12:34,820
The common comfortable assumption is that policy is inherently restrictive and exists only
238
00:12:34,820 –> 00:12:37,100
to slow down innovation with bureaucracy.
239
00:12:37,100 –> 00:12:41,820
People claim it makes developers unhappy by forcing exception requests and creating friction,
240
00:12:41,820 –> 00:12:45,340
so they argue for minimizing constraints to let teams move fast.
241
00:12:45,340 –> 00:12:49,420
They treat policy as a necessary evil that should be kept to a minimum to avoid breaking
242
00:12:49,420 –> 00:12:50,420
the workflow.
243
00:12:50,420 –> 00:12:53,580
That assumption is exactly what kills organizations.
244
00:12:53,580 –> 00:12:55,860
Policy is not restrictive, it is clarifying.
245
00:12:55,860 –> 00:13:00,420
A deny policy is not a hurdle, but rather the active enforcement of architectural inevitability.
246
00:13:00,420 –> 00:13:04,460
When you implement a policy that denies public IPs or network interfaces you aren’t slowing
247
00:13:04,460 –> 00:13:09,500
down innovation, you are preventing a specific category of failure from ever occurring.
248
00:13:09,500 –> 00:13:13,300
You are stating that in this environment infrastructure exposed directly to the internet
249
00:13:13,300 –> 00:13:16,180
at the network layer is architecturally forbidden.
250
00:13:16,180 –> 00:13:20,700
It doesn’t require an approval or a ticket because the state itself is impossible to achieve.
251
00:13:20,700 –> 00:13:22,820
You must understand this distinction clearly.
252
00:13:22,820 –> 00:13:26,380
If you create a network interface without a deny policy, the system technically allows
253
00:13:26,380 –> 00:13:30,100
you to attach a public IP, even if it is a massive security vulnerability, someone will
254
00:13:30,100 –> 00:13:33,500
eventually do it, whether by accident or through a lack of understanding.
255
00:13:33,500 –> 00:13:38,060
That exposed infrastructure will be found by attackers, the environment will be breached,
256
00:13:38,060 –> 00:13:41,220
and the resulting failure will cascade through your entire system.
257
00:13:41,220 –> 00:13:45,540
When a deny policy is active, the control plane rejects the request to create that public
258
00:13:45,540 –> 00:13:46,740
IP immediately.
259
00:13:46,740 –> 00:13:51,340
The resource never exists, the state remains impossible, and no amount of accidental or deliberate
260
00:13:51,340 –> 00:13:53,300
effort can force it into being.
261
00:13:53,300 –> 00:13:56,900
Because the request fails at the source, the category of failure is effectively deleted
262
00:13:56,900 –> 00:13:58,380
from your environment.
263
00:13:58,380 –> 00:14:01,940
Consider the cost analysis that most organizations fail to perform correctly.
264
00:14:01,940 –> 00:14:07,420
A single misconfigured public IP can lead to a breach costing $4.5 million and requiring
265
00:14:07,420 –> 00:14:09,420
months of grueling incident response.
266
00:14:09,420 –> 00:14:14,020
You end up dealing with lawyers, regulators, and a damaged reputation while the board asks
267
00:14:14,020 –> 00:14:15,740
questions you cannot answer.
268
00:14:15,740 –> 00:14:19,780
That same policy, if enforced from day one, costs absolutely nothing to maintain.
269
00:14:19,780 –> 00:14:23,740
It requires no management overhead or complex approval workflows because the forbidden
270
00:14:23,740 –> 00:14:25,220
state simply cannot exist.
271
00:14:25,220 –> 00:14:27,900
The deeper insight here is purely architectural.
272
00:14:27,900 –> 00:14:32,180
The policy is the primary tool that transforms you from a resource manager into an architect
273
00:14:32,180 –> 00:14:33,340
of the control plane.
274
00:14:33,340 –> 00:14:37,300
The control plane is the space where every decision is made, and every template deployment
275
00:14:37,300 –> 00:14:39,980
is just a request sent to that decision engine.
276
00:14:39,980 –> 00:14:43,780
The control plane evaluates your policies and checks your RBAC before deciding whether
277
00:14:43,780 –> 00:14:45,340
to permit the request.
278
00:14:45,340 –> 00:14:49,380
Most administrators never actually touch the control plane, choosing instead to deploy templates
279
00:14:49,380 –> 00:14:51,220
and pray the results stay compliant.
280
00:14:51,220 –> 00:14:55,620
They spend their careers reacting to decisions, the system already made by monitoring, auditing,
281
00:14:55,620 –> 00:14:58,980
and attempting to remediate problems after they occur.
282
00:14:58,980 –> 00:15:01,340
Architects however design the control plane itself.
283
00:15:01,340 –> 00:15:05,660
They define the policies that the system evaluates before any resource is ever born.
284
00:15:05,660 –> 00:15:10,140
By making these decisions in code, they allow the system to enforce those rules autonomously
285
00:15:10,140 –> 00:15:12,660
and at scale without needing human intervention.
286
00:15:12,660 –> 00:15:16,780
Deny policies function at the control plane to stop non-compliant states before they take
287
00:15:16,780 –> 00:15:17,780
root.
288
00:15:17,780 –> 00:15:21,180
This is the line between governance that works and governance that fails.
289
00:15:21,180 –> 00:15:25,020
Effective governance prevents bad states from existing, while failed governance tries
290
00:15:25,020 –> 00:15:29,260
to stop people from creating them, which leads to a constant battle that the system eventually
291
00:15:29,260 –> 00:15:30,260
loses.
292
00:15:30,260 –> 00:15:35,140
When a deny policy for BIDs Public IPs, every single non-compliant request fails at the
293
00:15:35,140 –> 00:15:36,700
exact moment of creation.
294
00:15:36,700 –> 00:15:41,820
The policy wins, the organization remains secure, and the insecure state stays impossible.
295
00:15:41,820 –> 00:15:46,180
This isn’t bureaucracy, it is architecture, this is the moment you stop being an administrator
296
00:15:46,180 –> 00:15:50,500
and finally start being an architect, the landing zone ecosystem.
297
00:15:50,500 –> 00:15:54,220
Eventually you realize that policy is not enough to solve the problem on its own, while
298
00:15:54,220 –> 00:15:56,580
policy prevents specific actions from occurring.
299
00:15:56,580 –> 00:16:00,140
It still operates within an organizational structure and the uncomfortable truth is that
300
00:16:00,140 –> 00:16:02,580
most organizations have no structure at all.
301
00:16:02,580 –> 00:16:06,620
You start with a tenant, containing various subscriptions that people treat like simple
302
00:16:06,620 –> 00:16:07,620
storage containers.
303
00:16:07,620 –> 00:16:11,620
You put resources in them and assume they are roughly equivalent, labeling some as production
304
00:16:11,620 –> 00:16:16,060
and others as dev or test, but they remain fundamentally just subscriptions.
305
00:16:16,060 –> 00:16:19,380
This is the exact point where most architectural designs fail.
306
00:16:19,380 –> 00:16:23,660
The comfortable assumption is that a landing zone is just a subscription, with a few policies
307
00:16:23,660 –> 00:16:24,980
slapped on top of it.
308
00:16:24,980 –> 00:16:29,500
You create the subscription, attach some Azure policy initiatives, add a few RBAC assignments
309
00:16:29,500 –> 00:16:33,540
and tell yourself that you have successfully built a safe harbor for infrastructure.
310
00:16:33,540 –> 00:16:36,260
You believe the environment is secure because you follow the checklist.
311
00:16:36,260 –> 00:16:38,060
You are wrong.
312
00:16:38,060 –> 00:16:42,620
A landing zone is not a subscription, nor is it a single resource you can deploy and forget.
313
00:16:42,620 –> 00:16:48,100
In reality, it is a complex ecosystem where management groups, subscriptions, policies and
314
00:16:48,100 –> 00:16:51,700
RBAC must function as a unified control plane.
315
00:16:51,700 –> 00:16:57,020
It requires the integration of network, entipology, identity and automation to create a deterministic
316
00:16:57,020 –> 00:17:00,300
environment where security is not an accident.
317
00:17:00,300 –> 00:17:04,140
When you treat a subscription as a mere container, you are committing a fundamental architectural
318
00:17:04,140 –> 00:17:07,380
error by assuming these units are interchangeable.
319
00:17:07,380 –> 00:17:11,340
You are suggesting that the only real difference between environments is the workload running
320
00:17:11,340 –> 00:17:14,140
inside them, which is how an administrator thinks.
321
00:17:14,140 –> 00:17:16,780
Architects see subscriptions as blast radius controls.
322
00:17:16,780 –> 00:17:20,340
Creating a subscription is actually about building a boundary that limits the fallout
323
00:17:20,340 –> 00:17:23,300
from human error or malicious activity.
324
00:17:23,300 –> 00:17:27,220
Consider a developer working in a test subscription who accidentally runs a buggy script that triggers
325
00:17:27,220 –> 00:17:28,300
a master lesion.
326
00:17:28,300 –> 00:17:31,980
In a flat structure, that script might reach out in a Y-per-production database, resulting
327
00:17:31,980 –> 00:17:34,020
in a total company catastrophe.
328
00:17:34,020 –> 00:17:37,700
But with proper boundaries, that disaster stays contained within the test subscription
329
00:17:37,700 –> 00:17:41,580
while the production databases and their backups remain completely untouched.
330
00:17:41,580 –> 00:17:45,740
The developer has the authority to manage resources in their sandbox, but the subscription
331
00:17:45,740 –> 00:17:49,220
boundary ensures they lack the power to touch anything critical.
332
00:17:49,220 –> 00:17:53,300
This separation of authority is enforced by the architecture itself rather than a pinky
333
00:17:53,300 –> 00:17:55,140
promise or a manual process.
334
00:17:55,140 –> 00:17:59,020
Without this segmentation, you have no real boundary to protect your core assets.
335
00:17:59,020 –> 00:18:04,140
A single mistake in a script could theoretically reach every piece of critical infrastructure
336
00:18:04,140 –> 00:18:07,300
and delete your entire digital footprint in seconds.
337
00:18:07,300 –> 00:18:10,140
This is why subscriptions matter from an architectural perspective.
338
00:18:10,140 –> 00:18:11,820
They are not containers for your stuff.
339
00:18:11,820 –> 00:18:16,060
They are the walls you build to limit the radius of inevitable failures.
340
00:18:16,060 –> 00:18:20,060
Connecting zones enforce these boundaries using three specific mechanisms, starting with
341
00:18:20,060 –> 00:18:22,260
hierarchical policy.
342
00:18:22,260 –> 00:18:26,740
Management, group, level policies ensure that every subscription inherits specific guardrails
343
00:18:26,740 –> 00:18:31,540
automatically, so production environments always get strict security, while dev environments
344
00:18:31,540 –> 00:18:32,980
remain flexible.
345
00:18:32,980 –> 00:18:38,300
These policies cascade down the hierarchy, ensuring that intent is enforced at scale without
346
00:18:38,300 –> 00:18:40,700
manual intervention for every new resource.
347
00:18:40,700 –> 00:18:44,980
The second mechanism is RBAC, which defines exactly who can perform specific actions within
348
00:18:44,980 –> 00:18:45,980
those subscription boundaries.
349
00:18:45,980 –> 00:18:49,540
A developer might have broad permissions to create and delete resources in a dev environment,
350
00:18:49,540 –> 00:18:53,340
but that same identity is restricted to read only access in production.
351
00:18:53,340 –> 00:18:56,980
The subscription boundary acts as the hard line that prevents their elevated dev permissions
352
00:18:56,980 –> 00:18:58,980
from bleeding into sensitive areas.
353
00:18:58,980 –> 00:19:03,780
Finally, you have networking topology, where each subscription maintains its own isolated
354
00:19:03,780 –> 00:19:05,020
networks.
355
00:19:05,020 –> 00:19:09,100
Production workloads cannot simply reach across into another subscription over a private
356
00:19:09,100 –> 00:19:11,660
connection without going through a central hub.
357
00:19:11,660 –> 00:19:15,900
They must be explicitly authorized to cross that boundary, and every single crossing provides
358
00:19:15,900 –> 00:19:19,180
a new point where security policy can be enforced.
359
00:19:19,180 –> 00:19:22,940
Designing landing zones this way is an exercise in resilience and containment.
360
00:19:22,940 –> 00:19:26,600
You are building a system where the failure of one component cannot cascade through the
361
00:19:26,600 –> 00:19:28,100
rest of the environment.
362
00:19:28,100 –> 00:19:32,060
The real shift happens when you stop seeing landing zones as secure sandboxes and start seeing
363
00:19:32,060 –> 00:19:35,100
them as your organizational structure written in code.
364
00:19:35,100 –> 00:19:39,300
You are encoding your business boundaries into the Azure hierarchy, defining exactly
365
00:19:39,300 –> 00:19:41,380
where dev ends and production begins.
366
00:19:41,380 –> 00:19:45,860
You are deciding where policy changes and exactly how large the blast radius will be when
367
00:19:45,860 –> 00:19:47,500
something eventually goes wrong.
368
00:19:47,500 –> 00:19:51,100
Azure verified modules have become the new standard for this work because they are composable
369
00:19:51,100 –> 00:19:53,700
and aligned with how systems actually behave.
370
00:19:53,700 –> 00:19:57,740
The old enterprise scale models were often too monolithic, forcing you to fork massive templates
371
00:19:57,740 –> 00:19:59,020
just to make a small change.
372
00:19:59,020 –> 00:20:03,180
AVM allows you to build the specific landing zone you need by combining smaller verified
373
00:20:03,180 –> 00:20:04,860
modules into a cohesive whole.
374
00:20:04,860 –> 00:20:09,620
Once you accept that these boundaries are necessary, you realize they require identity to function.
375
00:20:09,620 –> 00:20:13,100
This is the moment you discover Entra ID is your true control plane.
376
00:20:13,100 –> 00:20:14,660
The network perimeter illusion.
377
00:20:14,660 –> 00:20:18,900
You now understand that landing zones require identity to work, which leads you to Entra ID.
378
00:20:18,900 –> 00:20:23,220
But before you can master that control plane, you have to kill the most dangerous and comfortable
379
00:20:23,220 –> 00:20:24,820
illusion in the industry.
380
00:20:24,820 –> 00:20:28,220
It is the belief that the network is your primary line of defense.
381
00:20:28,220 –> 00:20:32,620
Most Azure administrators still think like network engineers because that is how they protected
382
00:20:32,620 –> 00:20:34,420
organizations for 30 years.
383
00:20:34,420 –> 00:20:38,620
They build parameters with firewalls and DMZs, creating strict rules about which traffic
384
00:20:38,620 –> 00:20:40,180
could cross a physical boundary.
385
00:20:40,180 –> 00:20:44,420
That model works perfectly in a traditional data center where the walls are made of concrete
386
00:20:44,420 –> 00:20:45,980
and the cables are visible.
387
00:20:45,980 –> 00:20:49,700
The comfortable assumption is that your v-nets and firewalls are what actually protect
388
00:20:49,700 –> 00:20:51,100
your resources.
389
00:20:51,100 –> 00:20:54,580
Following this logic, you build a virtual network, configure your security groups and write
390
00:20:54,580 –> 00:20:57,140
complex firewall rules to lock everything down.
391
00:20:57,140 –> 00:21:01,020
You restrict traffic to corporate IP ranges and feel a sense of total control because you
392
00:21:01,020 –> 00:21:02,380
have built a digital fortress.
393
00:21:02,380 –> 00:21:05,420
This is the illusion that leads to catastrophic breaches.
394
00:21:05,420 –> 00:21:09,540
The architectural truth is that the traditional network is dead and the perimeter is no longer
395
00:21:09,540 –> 00:21:10,860
a physical location.
396
00:21:10,860 –> 00:21:13,500
In a cloud native world, the perimeter is a token.
397
00:21:13,500 –> 00:21:16,180
Think about how access actually works in Azure today.
398
00:21:16,180 –> 00:21:20,420
A user could be sitting in a coffee shop in Tokyo or a hotel in Moscow when they type
399
00:21:20,420 –> 00:21:22,180
a URL into their browser.
400
00:21:22,180 –> 00:21:27,460
When that application requests data from Azure, the request goes directly to the Azure Resource
401
00:21:27,460 –> 00:21:28,460
Manager.
402
00:21:28,460 –> 00:21:30,220
The system does not ask where the user is sitting.
403
00:21:30,220 –> 00:21:34,060
It asks if the request carries a valid token from a trusted provider.
404
00:21:34,060 –> 00:21:36,700
The network has almost nothing to do with this decision.
405
00:21:36,700 –> 00:21:40,540
If the token is valid and the identity is authorized, Azure grants access regardless
406
00:21:40,540 –> 00:21:44,060
of the user’s physical location or the security of their Wi-Fi.
407
00:21:44,060 –> 00:21:47,420
They could be on a compromised device using stolen credentials.
408
00:21:47,420 –> 00:21:49,660
But if the token checks out, the gate opens.
409
00:21:49,660 –> 00:21:53,900
The IP address and the network path are secondary details that the control plane largely ignores
410
00:21:53,900 –> 00:21:55,580
during the authorization phase.
411
00:21:55,580 –> 00:21:58,860
This scenario plays out constantly in real world environments.
412
00:21:58,860 –> 00:22:02,620
You might spend weeks perfecting a network security group with deep defense and outbound
413
00:22:02,620 –> 00:22:03,620
traffic restrictions.
414
00:22:03,620 –> 00:22:07,460
You have monitoring, logging, and every bell and whistle a network engineer could ever want.
415
00:22:07,460 –> 00:22:10,300
Then an attacker steals a single set of user credentials.
416
00:22:10,300 –> 00:22:13,980
That attacker could be thousands of miles away, operating from a device.
417
00:22:13,980 –> 00:22:16,540
You have never seen on a network you don’t control.
418
00:22:16,540 –> 00:22:21,260
They authenticate to enter ID, receive a valid token, and use it to bypass your entire network
419
00:22:21,260 –> 00:22:22,260
stack.
420
00:22:22,260 –> 00:22:25,100
They can open a PowerShell session to find your databases and export your data while
421
00:22:25,100 –> 00:22:27,460
your expensive firewall watches silently.
422
00:22:27,460 –> 00:22:31,740
The NSG never sees the attack because it is looking for network patterns, not API calls
423
00:22:31,740 –> 00:22:33,180
or identity claims.
424
00:22:33,180 –> 00:22:37,260
Since the attacker is using a legitimate token through a public endpoint, the network layer
425
00:22:37,260 –> 00:22:39,020
sees it as authorized traffic.
426
00:22:39,020 –> 00:22:40,940
Your security groups become irrelevant.
427
00:22:40,940 –> 00:22:43,900
The moment the identity is compromised at the control plane.
428
00:22:43,900 –> 00:22:47,740
This is not a failure of your firewall configuration, but a failure to realize that the network
429
00:22:47,740 –> 00:22:49,500
is now just a transport layer.
430
00:22:49,500 –> 00:22:52,820
The real perimeter has moved up the stack to the identity layer.
431
00:22:52,820 –> 00:22:57,300
Every single access decision in the Azure ecosystem is made by EntraID, which checks claims
432
00:22:57,300 –> 00:22:59,980
and device compliance rather than just IP addresses.
433
00:22:59,980 –> 00:23:04,300
It looks at whether a sign in is suspicious or if a device meets your security standards
434
00:23:04,300 –> 00:23:06,940
before it ever cares about the network path.
435
00:23:06,940 –> 00:23:10,580
These checks are the heart of the system, and none of them are enforced by a router or
436
00:23:10,580 –> 00:23:11,620
a switch.
437
00:23:11,620 –> 00:23:15,820
The architectural truth is that a zero trust requires explicit verification of every single
438
00:23:15,820 –> 00:23:17,620
request every time it occurs.
439
00:23:17,620 –> 00:23:21,980
That verification happens through EntraID conditional access, making the network a useful
440
00:23:21,980 –> 00:23:25,140
layer of defense in depth but not the seat of power.
441
00:23:25,140 –> 00:23:28,220
When you finally accept this, your entire strategy changes.
442
00:23:28,220 –> 00:23:32,780
You stop obsessing over firewalls and start focusing on the life cycle over token.
443
00:23:32,780 –> 00:23:36,940
You stop worrying about network topology and start thinking about who can be verified
444
00:23:36,940 –> 00:23:38,460
and under what conditions.
445
00:23:38,460 –> 00:23:40,620
Identity is no longer the last thing you configure.
446
00:23:40,620 –> 00:23:43,300
It is the first and most important control plane you own.
447
00:23:43,300 –> 00:23:47,660
You realize identity is the only perimeter that matters and you begin to see EntraID for
448
00:23:47,660 –> 00:23:48,780
what it truly is.
449
00:23:48,780 –> 00:23:50,420
The identity perimeter.
450
00:23:50,420 –> 00:23:52,060
EntraID is control plane.
451
00:23:52,060 –> 00:23:55,300
Most organizations operate under a comfortable but dangerous assumption.
452
00:23:55,300 –> 00:23:59,460
They treat EntraID as a simple utility for user authentication.
453
00:23:59,460 –> 00:24:03,740
In their minds, it is just an identity provider where you submit credentials, receive a token
454
00:24:03,740 –> 00:24:04,740
and go about your date.
455
00:24:04,740 –> 00:24:08,540
They view it as a basic piece of infrastructure sitting at the edge of the network to decide
456
00:24:08,540 –> 00:24:09,700
who gets through the door.
457
00:24:09,700 –> 00:24:13,580
That perspective is a fundamental misunderstanding of the system’s architecture.
458
00:24:13,580 –> 00:24:15,940
EntraID is not an identity provider.
459
00:24:15,940 –> 00:24:18,100
It is a distributed decision engine.
460
00:24:18,100 –> 00:24:21,620
Every single access request, whether it comes from a human and application, a service
461
00:24:21,620 –> 00:24:25,060
principle or an AI agent, must flow through this engine.
462
00:24:25,060 –> 00:24:30,100
And every micromanment of that flow, EntraID is actively making a choice to grant access,
463
00:24:30,100 –> 00:24:31,860
deny it or demand more proof.
464
00:24:31,860 –> 00:24:35,580
It might require device compliance, block a sign in a Deem’s risky or trigger a step-up
465
00:24:35,580 –> 00:24:36,860
authentication challenge.
466
00:24:36,860 –> 00:24:39,820
These decisions do not just happen once at the start of the day.
467
00:24:39,820 –> 00:24:42,700
They happen every single time a request is made.
468
00:24:42,700 –> 00:24:46,220
The architectural truth is that EntraID functions as your control plane.
469
00:24:46,220 –> 00:24:50,140
It does not sit at the perimeter of your systems because it is the actual center of your
470
00:24:50,140 –> 00:24:51,140
systems.
471
00:24:51,140 –> 00:24:54,540
Because every request is evaluated and logged in real time.
472
00:24:54,540 –> 00:24:58,620
Every single decision the system makes becomes a permanent, auditable record.
473
00:24:58,620 –> 00:25:02,300
To see what this looks like in practice, consider a conditional access policy that requires
474
00:25:02,300 –> 00:25:06,580
multifactor authentication if a user signs in from a new location.
475
00:25:06,580 –> 00:25:11,420
This logic is evaluated globally and continuously for every sign in attempt across the entire
476
00:25:11,420 –> 00:25:12,420
tenant.
477
00:25:12,420 –> 00:25:16,420
When a user in New York signs in from their usual office, the engine confirms the location
478
00:25:16,420 –> 00:25:18,820
is known and allows the session to proceed.
479
00:25:18,820 –> 00:25:23,820
However, if that same user appears to sign in from Tokyo only an hour later, the engine
480
00:25:23,820 –> 00:25:27,460
flags the new location and immediately triggers an MFA challenge.
481
00:25:27,460 –> 00:25:31,900
The user must then provide that second factor to prove their identity before the system
482
00:25:31,900 –> 00:25:33,700
grants them any level of access.
483
00:25:33,700 –> 00:25:38,540
This is not a static gate but a real time engine designed to handle millions of sign-ins
484
00:25:38,540 –> 00:25:41,620
while maintaining perfect logical consistency.
485
00:25:41,620 –> 00:25:43,220
But here is the uncomfortable part.
486
00:25:43,220 –> 00:25:46,820
Every exception you add to a policy acts as an entropy generator.
487
00:25:46,820 –> 00:25:51,340
When you build a policy requiring MFA for the entire company but then create an exclusion
488
00:25:51,340 –> 00:25:52,580
for executives.
489
00:25:52,580 –> 00:25:55,700
You have effectively engineered a back door into your environment.
490
00:25:55,700 –> 00:26:00,180
You are telling the system that a specific category of high value users is allowed to bypass
491
00:26:00,180 –> 00:26:04,500
your primary security controls while the policy still applies to everyone else that single
492
00:26:04,500 –> 00:26:06,940
whole is exactly what an attacker will look for.
493
00:26:06,940 –> 00:26:11,260
This scenario plays out constantly because an executive finds MFA inconvenient or believes
494
00:26:11,260 –> 00:26:14,220
their status should exempt them from standard procedures.
495
00:26:14,220 –> 00:26:18,540
You grant one exception, then the CFO asks for one and eventually the entire board is exempt
496
00:26:18,540 –> 00:26:20,980
from the very controls designed to protect them.
497
00:26:20,980 –> 00:26:24,820
If just one of those individuals has a compromised password an attacker can walk right into your
498
00:26:24,820 –> 00:26:28,980
tenant because MFA was never enforced for that specific account.
499
00:26:28,980 –> 00:26:33,220
The architectural reality is that every exception is just a vulnerability waiting for someone
500
00:26:33,220 –> 00:26:34,220
to find it.
501
00:26:34,220 –> 00:26:38,660
Organizations that actually understand this architecture do not deal in exceptions.
502
00:26:38,660 –> 00:26:40,340
They focus on uniform enforcement.
503
00:26:40,340 –> 00:26:44,020
When a policy proves to be a friction point the answer is never to create a special bypass
504
00:26:44,020 –> 00:26:45,100
for important people.
505
00:26:45,100 –> 00:26:49,540
The answer is to refine the policy for everyone so that the security model remains deterministic
506
00:26:49,540 –> 00:26:51,260
rather than probabilistic.
507
00:26:51,260 –> 00:26:56,460
This principle becomes an unavoidable reality on October 1, 2026, which is when Microsoft
508
00:26:56,460 –> 00:27:00,340
will begin enforcing MFA for all Azure Portal access.
509
00:27:00,340 –> 00:27:04,380
This mandate includes global administrators and offers no room for exceptions or administrative
510
00:27:04,380 –> 00:27:05,380
overrides.
511
00:27:05,380 –> 00:27:09,180
After that date anyone attempting to reach the Azure Portal will be met with a mandatory
512
00:27:09,180 –> 00:27:13,580
MFA requirement regardless of their title or perceived importance.
513
00:27:13,580 –> 00:27:18,220
Organizations that wait until the last minute to address this will face a total catastrophe.
514
00:27:18,220 –> 00:27:22,020
They will deal with portal denials, broken CLI tools and power shell scripts that suddenly
515
00:27:22,020 –> 00:27:25,700
fail, leading to halted automations and stranded deployments.
516
00:27:25,700 –> 00:27:27,460
This deadline is not a suggestion.
517
00:27:27,460 –> 00:27:31,100
It is an architectural shift being enforced directly at the control plane.
518
00:27:31,100 –> 00:27:35,180
You should not view conditional access policies as traditional security controls but rather
519
00:27:35,180 –> 00:27:38,500
as the digital enforcement of your architectural intent.
520
00:27:38,500 –> 00:27:42,660
By designing these policies you are defining exactly what is allowed to exist within your
521
00:27:42,660 –> 00:27:43,820
organization.
522
00:27:43,820 –> 00:27:48,180
You are stating that no one signs in from untrusted spots without MFA and no one touches
523
00:27:48,180 –> 00:27:50,620
sensitive data from a non-compliant device.
524
00:27:50,620 –> 00:27:51,620
These are not just rules.
525
00:27:51,620 –> 00:27:54,340
They are the clarifications of your security boundaries.
526
00:27:54,340 –> 00:27:59,420
When you enforce these policies uniformly you create a state of architectural inevitability
527
00:27:59,420 –> 00:28:02,340
where the insecure path simply ceases to exist.
528
00:28:02,340 –> 00:28:06,940
The system ensures the policy always wins and the organization stays secure because you
529
00:28:06,940 –> 00:28:09,780
have removed the possibility of being anything else.
530
00:28:09,780 –> 00:28:13,940
This is the point where you stop being an administrator and finally become an architect.
531
00:28:13,940 –> 00:28:15,020
Zero trust.
532
00:28:15,020 –> 00:28:16,980
The end of implicit trust.
533
00:28:16,980 –> 00:28:20,660
Once you realize that identities are continuous process you have to start thinking seriously
534
00:28:20,660 –> 00:28:21,740
about zero trust.
535
00:28:21,740 –> 00:28:25,940
The common comfortable assumption is that once a user is authenticated they are officially
536
00:28:25,940 –> 00:28:26,940
trusted.
537
00:28:26,940 –> 00:28:30,220
They provided their password, they finished their MFA challenge and now they are inside
538
00:28:30,220 –> 00:28:31,220
the system.
539
00:28:31,220 –> 00:28:35,460
We tend to treat them as trustworthy until they leave the company or until something goes
540
00:28:35,460 –> 00:28:36,460
wrong.
541
00:28:36,460 –> 00:28:39,620
We assume that at this specific moment because they pass the initial gate they belong
542
00:28:39,620 –> 00:28:40,620
here.
543
00:28:40,620 –> 00:28:44,460
That assumption is exactly what kills organizations.
544
00:28:44,460 –> 00:28:46,620
Zero trust operates on a different law.
545
00:28:46,620 –> 00:28:49,060
Zero trust always verify.
546
00:28:49,060 –> 00:28:52,900
Every single access request is treated as a potential breach until the system proves
547
00:28:52,900 –> 00:28:53,900
otherwise.
548
00:28:53,900 –> 00:28:56,180
This verification does not happen once at sign-in.
549
00:28:56,180 –> 00:28:59,540
It happens continuously for every action and every moment of the session.
550
00:28:59,540 –> 00:29:05,020
The system is perpetually asking if the identity is still valid, if the behavior is normal,
551
00:29:05,020 –> 00:29:08,020
and if anything has changed that should trigger a revocation.
552
00:29:08,020 –> 00:29:11,220
The architectural truth is that trust is not a permanent state.
553
00:29:11,220 –> 00:29:13,140
It is a continuous evaluation.
554
00:29:13,140 –> 00:29:16,860
When you sign into enter ID the engine looks at your device, compliance, your location,
555
00:29:16,860 –> 00:29:19,700
and your typical behavior patterns to see if anything looks off.
556
00:29:19,700 –> 00:29:22,060
If the signals are green, you receive a token.
557
00:29:22,060 –> 00:29:24,140
But that token is not a permanent hall pass.
558
00:29:24,140 –> 00:29:27,940
It is merely a temporary statement about your trustworthiness that can be retracted
559
00:29:27,940 –> 00:29:30,300
the second your risk profile changes.
560
00:29:30,300 –> 00:29:34,980
Continuous access evaluation or CAE is the specific mechanism that makes this real-time
561
00:29:34,980 –> 00:29:36,300
security possible.
562
00:29:36,300 –> 00:29:41,580
CAE allows EntraID to re-evaluate a user’s status constantly rather than waiting for
563
00:29:41,580 –> 00:29:43,700
a token to expire at the end of the day.
564
00:29:43,700 –> 00:29:47,700
If a user’s role changes or their device falls out of compliance, their access is revoked
565
00:29:47,700 –> 00:29:48,700
in seconds.
566
00:29:48,700 –> 00:29:52,740
If a token is stolen, the system can invalidate it immediately, stopping an attacker before
567
00:29:52,740 –> 00:29:53,980
they can move laterally.
568
00:29:53,980 –> 00:29:56,940
We see the alternative play out in the real world all the time.
569
00:29:56,940 –> 00:30:00,940
A user is fired on a Friday afternoon, their badge is taken, and they are walked out of
570
00:30:00,940 –> 00:30:01,940
the building.
571
00:30:01,940 –> 00:30:05,660
However, because no one immediately revoked their cloud tokens or disabled their
572
00:30:05,660 –> 00:30:08,900
Entra account, their Azure access remains wide open.
573
00:30:08,900 –> 00:30:13,580
They go home, log into the VPN, and spend the weekend exporting credentials or establishing
574
00:30:13,580 –> 00:30:14,580
persistence.
575
00:30:14,580 –> 00:30:18,220
By the time Monday morning rolls around, the entire environment has been compromised by
576
00:30:18,220 –> 00:30:19,220
a ghost.
577
00:30:19,220 –> 00:30:24,220
In a zero-trust model, that same termination triggers an automated workflow that disables
578
00:30:24,220 –> 00:30:27,340
the account and revokes all active tokens instantly.
579
00:30:27,340 –> 00:30:31,060
When that former employee tries to log in from their kitchen table, they find that they
580
00:30:31,060 –> 00:30:33,740
cannot authenticate or even reach the login screen.
581
00:30:33,740 –> 00:30:37,700
Their device is already marked as non-compliant, their sessions are dead, and the blast radius
582
00:30:37,700 –> 00:30:39,620
of their departure is exactly zero.
583
00:30:39,620 –> 00:30:43,780
This is not an aspirational goal for the future, it is the standard operating procedure for
584
00:30:43,780 –> 00:30:45,060
modern organizations.
585
00:30:45,060 –> 00:30:49,940
They use life cycle workflows to automate account management and rely on CIE to kill sessions.
586
00:30:49,940 –> 00:30:51,700
The moment a threat is detected.
587
00:30:51,700 –> 00:30:55,820
They use conditional access to ensure that every single interaction with the system is being
588
00:30:55,820 –> 00:30:57,180
watched and verified.
589
00:30:57,180 –> 00:31:01,140
The architectural truth is that zero trust is not a feature you turn on, but a total shift
590
00:31:01,140 –> 00:31:02,540
in your design philosophy.
591
00:31:02,540 –> 00:31:07,140
This model requires a combination of conditional access, privileged identity management, and constant
592
00:31:07,140 –> 00:31:08,580
automated monitoring.
593
00:31:08,580 –> 00:31:10,940
It is not a checkbox you mark off for an auditor.
594
00:31:10,940 –> 00:31:15,100
It is a principle that dictates how every system in your environment must be built.
595
00:31:15,100 –> 00:31:19,460
You are effectively deciding that being inside the network or on a corporate laptop means
596
00:31:19,460 –> 00:31:20,460
absolutely nothing.
597
00:31:20,460 –> 00:31:24,020
When you move to zero trust, you are declaring that implicit trust is dead.
598
00:31:24,020 –> 00:31:28,620
You are challenging every access attempt and verifying every identity, regardless of whether
599
00:31:28,620 –> 00:31:31,620
they are an entry-level employee or the CEO.
600
00:31:31,620 –> 00:31:35,500
You stop viewing access as a simple yes or no switch and start seeing it as a constant
601
00:31:35,500 –> 00:31:37,180
living evaluation of risk.
602
00:31:37,180 –> 00:31:41,340
The moment you embrace this, you realize your job is no longer about granting access,
603
00:31:41,340 –> 00:31:43,780
but about verifying trustworthiness forever.
604
00:31:43,780 –> 00:31:45,860
The AI agent explosion.
605
00:31:45,860 –> 00:31:50,300
Once you realize that continuous verification requires automation, your mind naturally drifts
606
00:31:50,300 –> 00:31:55,540
toward AI agents, and this is exactly where the architectural illusion collapses.
607
00:31:55,540 –> 00:31:59,780
Most organizations cling to the comfortable assumption that AI agents are merely tools under
608
00:31:59,780 –> 00:32:04,260
their direct control, viewing co-pilot as a simple utility that responds to prompts.
609
00:32:04,260 –> 00:32:09,060
In this flawed model, a user asks a question, the AI provides an answer, and the human decides
610
00:32:09,060 –> 00:32:10,060
what to do next.
611
00:32:10,060 –> 00:32:14,140
The AI is seen as a passive participant that doesn’t actually take actions or access infrastructure
612
00:32:14,140 –> 00:32:18,780
on its own, remaining just an intelligent tool that you manage like any other software.
613
00:32:18,780 –> 00:32:20,780
That is a fundamental misunderstanding.
614
00:32:20,780 –> 00:32:23,300
In reality, AI agents are not tools.
615
00:32:23,300 –> 00:32:25,140
They are identities.
616
00:32:25,140 –> 00:32:29,780
When an AI agent runs in your tenant, it functions as an autonomous entity equipped with its own
617
00:32:29,780 –> 00:32:31,860
service principle and specific permissions.
618
00:32:31,860 –> 00:32:36,620
It can authenticate to Azure invoke APIs and access data to make decisions that lead to
619
00:32:36,620 –> 00:32:37,820
real world actions.
620
00:32:37,820 –> 00:32:42,380
It does all of this without waiting for a human to approve the next step or asking for permission
621
00:32:42,380 –> 00:32:46,620
to proceed operating with a level of autonomy that most administrators haven’t yet reconciled
622
00:32:46,620 –> 00:32:48,260
with their security models.
623
00:32:48,260 –> 00:32:49,900
The architectural truth is this.
624
00:32:49,900 –> 00:32:53,540
The AI agent is your new most dangerous insider threat.
625
00:32:53,540 –> 00:32:57,340
Consider a scenario that is playing out in organizations right now where a co-pilot agent
626
00:32:57,340 –> 00:33:01,460
is configured with broad permissions to help users locate documentation.
627
00:33:01,460 –> 00:33:06,420
This agent has been granted the right to read every file in SharePoint, OneDrive and Teams,
628
00:33:06,420 –> 00:33:08,900
along with every archived email in the system.
629
00:33:08,900 –> 00:33:12,500
When a user asks the agent to summarize their recent communications, the agent doesn’t
630
00:33:12,500 –> 00:33:13,620
just look at the surface.
631
00:33:13,620 –> 00:33:17,300
It processes every single email that person has ever sent or received.
632
00:33:17,300 –> 00:33:22,580
It reads them, analyzes the contents, and generates a summary in seconds, effectively accessing
633
00:33:22,580 –> 00:33:25,260
sensitive data at the staggering speed of the cloud.
634
00:33:25,260 –> 00:33:29,060
The user never intended to hand over their entire life story to the agent, but because
635
00:33:29,060 –> 00:33:32,940
the permissions existed and the request was made, the agent fulfilled its mission.
636
00:33:32,940 –> 00:33:37,940
Now imagine a more calculated request where a user asks co-pilot to find sensitive information
637
00:33:37,940 –> 00:33:40,020
across the entire organization.
638
00:33:40,020 –> 00:33:44,220
Since the agent has access to all documents, it can scan for patents, indicating customer
639
00:33:44,220 –> 00:33:48,340
records, financial statements, or intellectual property that the user isn’t authorized to
640
00:33:48,340 –> 00:33:49,340
see.
641
00:33:49,340 –> 00:33:51,780
The agent finds everything because it has the permissions.
642
00:33:51,780 –> 00:33:56,100
And suddenly, the identity perimeter has been bypassed by the very tool meant to enhance
643
00:33:56,100 –> 00:33:57,100
productivity.
644
00:33:57,100 –> 00:34:01,540
The architectural truth is this, AI agents create action risk, not just output risk.
645
00:34:01,540 –> 00:34:05,980
Mostly the ship teams worry about output risk, which is simply the AI generating a bad,
646
00:34:05,980 –> 00:34:09,820
biased, or inaccurate answer that might cause a PR headache.
647
00:34:09,820 –> 00:34:14,100
Action risk is a different animal entirely because it involves the AI modifying or deleting
648
00:34:14,100 –> 00:34:16,220
components of your actual infrastructure.
649
00:34:16,220 –> 00:34:20,180
If an optimization agent is given permission to prune your environment, it might identify
650
00:34:20,180 –> 00:34:22,540
a stale resource and delete it autonomously.
651
00:34:22,540 –> 00:34:26,420
If that resource happened to be a backup required for legal compliance, your organization
652
00:34:26,420 –> 00:34:30,060
is now in breach of regulatory requirements because of a machine’s decision.
653
00:34:30,060 –> 00:34:33,460
You cannot govern these agents the same way you govern human administrators.
654
00:34:33,460 –> 00:34:37,460
Humans are inherently slow, they hesitate when they aren’t sure, and they generally think
655
00:34:37,460 –> 00:34:40,180
about the consequences of hitting the delete button.
656
00:34:40,180 –> 00:34:44,020
While humans certainly make mistakes, those errors are usually human scale, meaning they
657
00:34:44,020 –> 00:34:47,540
might delete one resource before realizing something is wrong and stopping.
658
00:34:47,540 –> 00:34:51,700
AI agents operate continuously at a scale that defies human intervention.
659
00:34:51,700 –> 00:34:55,580
They perform thousands of actions per second and interact with other agents in ways you
660
00:34:55,580 –> 00:34:59,820
likely didn’t anticipate cascading decisions through your infrastructure instantly.
661
00:34:59,820 –> 00:35:04,380
They inherit every permission of the identity they inhabit, and if that identity is over-privileged,
662
00:35:04,380 –> 00:35:07,860
the agent becomes a high-speed engine for architectural erosion.
663
00:35:07,860 –> 00:35:11,340
This is the moment you realize EntraID is no longer just about managing people, it is
664
00:35:11,340 –> 00:35:16,500
about constraining autonomous identities that you currently have no framework to audit.
665
00:35:16,500 –> 00:35:18,780
Bounded autonomy, the new governance model.
666
00:35:18,780 –> 00:35:23,380
The realization that AI agents require a different governance model usually leads architects
667
00:35:23,380 –> 00:35:25,460
toward the concept of bounded autonomy.
668
00:35:25,460 –> 00:35:28,740
There is a common assumption that you can simply write a standard policy to govern these
669
00:35:28,740 –> 00:35:32,020
agents using conditional access or R-back to keep them in check.
670
00:35:32,020 –> 00:35:35,060
You might believe that if you set enough constraints, the agent won’t be able to do anything
671
00:35:35,060 –> 00:35:38,780
you didn’t explicitly authorize, but that line of thinking is dangerously incomplete.
672
00:35:38,780 –> 00:35:43,020
The problem is that traditional policies only describe constraints by telling the agent
673
00:35:43,020 –> 00:35:44,020
what it cannot do.
674
00:35:44,020 –> 00:35:48,220
They fail to define intent, and when you define constraints without intent, you end up with
675
00:35:48,220 –> 00:35:51,980
agents that are either too restricted to be useful or agents that stay within the lines
676
00:35:51,980 –> 00:35:54,460
while accomplishing nothing meaningful.
677
00:35:54,460 –> 00:35:58,580
EntraID autonomy shifts the focus by defining the specific boundaries where an agent can
678
00:35:58,580 –> 00:36:01,980
play, then allowing it to operate freely within those markers.
679
00:36:01,980 –> 00:36:05,940
You define the intent, the constraints and the escalation paths, so the agent can do
680
00:36:05,940 –> 00:36:10,100
its job without stopping to ask for permission at every single fork in the road.
681
00:36:10,100 –> 00:36:14,660
Take an optimization agent designed to reduce cloud costs as a concrete example of this model
682
00:36:14,660 –> 00:36:15,660
in action.
683
00:36:15,660 –> 00:36:16,860
The intent is clear.
684
00:36:16,860 –> 00:36:19,820
Find unused resources and deallocate them to save money.
685
00:36:19,820 –> 00:36:23,860
The boundaries are equally sharp, do not touch backups, do not modify production databases
686
00:36:23,860 –> 00:36:26,740
and ignore any resource tagged as protected.
687
00:36:26,740 –> 00:36:31,340
Within those bounds, the agent is free to shut down a test cluster or resize an underutilized
688
00:36:31,340 –> 00:36:34,580
storage account without a human ever getting involved.
689
00:36:34,580 –> 00:36:38,860
If it encounters a situation that requires crossing a boundary, such as a backup that looks
690
00:36:38,860 –> 00:36:44,180
unused but is actually required for compliance, the agent escalates the issue to a human.
691
00:36:44,180 –> 00:36:49,780
The architectural truth is this, bounded autonomy is the only way to scale AI safely.
692
00:36:49,780 –> 00:36:54,380
If you reject this model, you are left with two broken choices that both lead to failure.
693
00:36:54,380 –> 00:36:59,260
The first choice is to over constrain the agent until it becomes a “slow human” in a computer
694
00:36:59,260 –> 00:37:04,100
that provides no real value because it requires manual approval for every minor task.
695
00:37:04,100 –> 00:37:08,860
The second choice is to give the agent broad, undefined permissions and hope for the best,
696
00:37:08,860 –> 00:37:13,500
which inevitably leads to the agent deleting something critical during a situation you didn’t
697
00:37:13,500 –> 00:37:14,740
anticipate.
698
00:37:14,740 –> 00:37:19,260
Bounded autonomy provides the middle ground necessary to capture the speed and scale of AI
699
00:37:19,260 –> 00:37:22,260
without the catastrophic risks of unmanaged autonomy.
700
00:37:22,260 –> 00:37:26,380
Microsoft EntraAgentID is the first real world implementation of this concept, moving it
701
00:37:26,380 –> 00:37:30,020
from a theoretical architectural goal to a functional reality.
702
00:37:30,020 –> 00:37:34,180
By giving each agent its own identity with specific permissions, you ensure it can only
703
00:37:34,180 –> 00:37:36,580
do what it was built to do and no more.
704
00:37:36,580 –> 00:37:40,380
These agents are governed by the same conditional access policies you use for users, meaning
705
00:37:40,380 –> 00:37:44,500
if an agent tries to access a resource from a suspicious location, the system blocks it
706
00:37:44,500 –> 00:37:45,500
immediately.
707
00:37:45,500 –> 00:37:49,580
Every action is logged and monitored, allowing you to revoke an identity the moment an agent
708
00:37:49,580 –> 00:37:51,460
misbehaves or appears compromised.
709
00:37:51,460 –> 00:37:55,580
When you disable the identity, the agent stops and the potential for further damage vanishes
710
00:37:55,580 –> 00:37:56,580
instantly.
711
00:37:56,580 –> 00:37:58,220
The architectural truth is this.
712
00:37:58,220 –> 00:38:01,900
Governance of AI agents is not about preventing them from acting, but about ensuring they act
713
00:38:01,900 –> 00:38:03,220
within defined intent.
714
00:38:03,220 –> 00:38:07,660
When you adopt bounded autonomy, you are essentially giving the agent a mission and a set
715
00:38:07,660 –> 00:38:09,100
of rules to live by.
716
00:38:09,100 –> 00:38:13,460
You are telling the system exactly why the agent exists, where it is allowed to go, and
717
00:38:13,460 –> 00:38:15,220
when it needs to stop and ask for help.
718
00:38:15,220 –> 00:38:19,060
This is the point where you stop trying to control AI through restriction and start architecting
719
00:38:19,060 –> 00:38:21,340
a framework that actually enables it to work.
720
00:38:21,340 –> 00:38:23,100
The observability imperative.
721
00:38:23,100 –> 00:38:27,140
Once you accept that bounded autonomy is the only way to scale, you realize it demands constant
722
00:38:27,140 –> 00:38:30,780
oversight, which is why you must start thinking about observability.
723
00:38:30,780 –> 00:38:34,660
Most organizations operate under the comfortable assumption that audit logs provide a complete
724
00:38:34,660 –> 00:38:38,780
window into their tenant, because Azure writes them and Microsoft stores them for later
725
00:38:38,780 –> 00:38:39,780
analysis.
726
00:38:39,780 –> 00:38:43,700
While it is true that you can query and export these records to see what happened, relying
727
00:38:43,700 –> 00:38:47,780
on logs alone is a foundational mistake that leaves you architecturally blind.
728
00:38:47,780 –> 00:38:52,100
The distinction between logging and observability matters profoundly, yet it is a concept that
729
00:38:52,100 –> 00:38:54,660
almost no organization truly understands.
730
00:38:54,660 –> 00:38:58,780
Logging is simply a historical record of a past event, like a digital receipt showing that
731
00:38:58,780 –> 00:39:03,180
a specific user deleted a storage account at 3.47 pm last Tuesday.
732
00:39:03,180 –> 00:39:06,740
It allows you to look backward at the wreckage, but it offers no insight into the live state
733
00:39:06,740 –> 00:39:10,180
of the system or the intent behind the action.
734
00:39:10,180 –> 00:39:11,820
Observability is something else entirely.
735
00:39:11,820 –> 00:39:16,180
It is the ability to ask questions about what is happening right now and receive answers
736
00:39:16,180 –> 00:39:17,660
in real time.
737
00:39:17,660 –> 00:39:21,820
Instead of just seeing that an action occurred, you see the logic that triggered it, the specific
738
00:39:21,820 –> 00:39:26,860
conditions, the system evaluated, and the sequence of events that followed.
739
00:39:26,860 –> 00:39:28,540
Observability is not a history lesson.
740
00:39:28,540 –> 00:39:32,900
It is live visibility into the heartbeat of your distributed decision engine.
741
00:39:32,900 –> 00:39:36,900
In architectural terms, flying without observability means you are operating in the dark.
742
00:39:36,900 –> 00:39:41,460
Consider an AI agent tasked with optimizing your costs by identifying and deallocating
743
00:39:41,460 –> 00:39:44,660
unused resources within its defined constraints.
744
00:39:44,660 –> 00:39:49,020
You might have configured its escalation paths correctly, but without observability you can
745
00:39:49,020 –> 00:39:53,020
only see the results in the audit log after the VM has already been shut down.
746
00:39:53,020 –> 00:39:55,060
You cannot see the agent’s reasoning.
747
00:39:55,060 –> 00:39:58,900
No can you see which policies constrained its choices or whether it is currently drifting
748
00:39:58,900 –> 00:40:01,380
toward the edge of its intended bounds.
749
00:40:01,380 –> 00:40:04,380
Everything changes when you implement true observability because you can finally watch
750
00:40:04,380 –> 00:40:08,860
the agent’s logic flow as it analyzes resources and evaluates constraints.
751
00:40:08,860 –> 00:40:12,660
If that agent attempts to touch a production database when it is only authorized for development
752
00:40:12,660 –> 00:40:16,940
environments, a real time alert fires and your SOC team investigates within minutes, this
753
00:40:16,940 –> 00:40:21,660
allows you to stop the agent before it can do any lasting damage, effectively preventing
754
00:40:21,660 –> 00:40:26,020
a breach or a major design omission by preserving the environment in the moment.
755
00:40:26,020 –> 00:40:30,260
Without this visibility, you will likely discover the problem three months later during a routine
756
00:40:30,260 –> 00:40:34,900
audit when someone notices a database was modified by an unauthorized process.
757
00:40:34,900 –> 00:40:39,140
By the time you find the logs from March 15th, it is already July and the damage has been
758
00:40:39,140 –> 00:40:40,220
done for months.
759
00:40:40,220 –> 00:40:43,780
You won’t know what was X-filterated or who else has the data, which means you are now
760
00:40:43,780 –> 00:40:48,300
forced into a reactive incident response mode involving expensive forensic investigators
761
00:40:48,300 –> 00:40:50,060
and regulators.
762
00:40:50,060 –> 00:40:53,980
Building this capability requires three specific components, starting with centralized logging,
763
00:40:53,980 –> 00:40:57,940
where every signal from every source flows into a single system like azuremonitor or log
764
00:40:57,940 –> 00:40:58,860
analytics.
765
00:40:58,860 –> 00:41:02,980
You cannot rely on logs scattered across different services in multiple formats that require
766
00:41:02,980 –> 00:41:05,180
manual stitching to make sense of the chaos.
767
00:41:05,180 –> 00:41:09,340
You need a unified, queryable source of truth that serves as the foundation for your entire
768
00:41:09,340 –> 00:41:10,540
security posture.
769
00:41:10,540 –> 00:41:14,660
The second component is the use of real-time dashboards that show the current state of your
770
00:41:14,660 –> 00:41:17,260
system rather than a snapshot from last week.
771
00:41:17,260 –> 00:41:21,900
These tools allow you to see exactly how many agents are running, how many policy evaluations
772
00:41:21,900 –> 00:41:25,580
are happening, and how many escalations have been triggered in the last hour.
773
00:41:25,580 –> 00:41:29,380
When you see the system in real time, you can spot emerging patterns and identify when
774
00:41:29,380 –> 00:41:32,380
something is going wrong before it becomes a catastrophe.
775
00:41:32,380 –> 00:41:37,380
Finally, you must establish alert thresholds and automated responses to enforce your assumptions
776
00:41:37,380 –> 00:41:38,380
at scale.
777
00:41:38,380 –> 00:41:42,860
If sign-in spike from unusual locations or policy denials exceed a certain limit, the system
778
00:41:42,860 –> 00:41:44,820
should not just notify you.
779
00:41:44,820 –> 00:41:48,060
It should respond by revoking tokens or blocking the agent.
780
00:41:48,060 –> 00:41:52,300
This response must be automated and fast because observability is the foundation of incident
781
00:41:52,300 –> 00:41:56,020
response and if you cannot observe a behavior, you cannot govern it.
782
00:41:56,020 –> 00:41:58,300
The governance loop continues enforcement.
783
00:41:58,300 –> 00:42:02,180
Now that you understand observability, you can monitor your agents and track compliance
784
00:42:02,180 –> 00:42:03,820
with a sense of confidence.
785
00:42:03,820 –> 00:42:07,580
You have defined your policies, deployed your alerts, and established an incident response
786
00:42:07,580 –> 00:42:11,300
plan, leading you to believe that the governance problem is finally solved.
787
00:42:11,300 –> 00:42:16,020
This is the exact moment where governance fails for almost every organization because they
788
00:42:16,020 –> 00:42:18,620
treat it as a destination rather than a process.
789
00:42:18,620 –> 00:42:22,780
The comfortable assumption is that a policy set once will remain enforced forever, such as
790
00:42:22,780 –> 00:42:26,540
an Azure policy that denies public IPs or network interfaces.
791
00:42:26,540 –> 00:42:30,980
You might believe that because the policy is assigned to a management group, every resource
792
00:42:30,980 –> 00:42:34,820
created from now on will be perfectly evaluated and secured.
793
00:42:34,820 –> 00:42:39,580
That assumption is a form of architectural erosion that will eventually destroy your security
794
00:42:39,580 –> 00:42:40,580
posture.
795
00:42:40,580 –> 00:42:43,860
Policies naturally drift over time as exceptions accumulate and the original assumptions
796
00:42:43,860 –> 00:42:46,060
about your environment begin to change.
797
00:42:46,060 –> 00:42:49,420
Governance without constant iteration is nothing more than a false sense of security, where
798
00:42:49,420 –> 00:42:52,940
you feel protected by words on a page that no longer match reality.
799
00:42:52,940 –> 00:42:57,460
What starts as a perfect policy quickly degrades when a developer asks for a single, temporary
800
00:42:57,460 –> 00:43:02,020
exception to finish a test. You grant that exception for one day, but then you forget to remove
801
00:43:02,020 –> 00:43:06,740
it and soon another developer asks for a similar favor for a different project.
802
00:43:06,740 –> 00:43:12,300
Six months later, your environment contains 47 exceptions to the public IP policy rendering
803
00:43:12,300 –> 00:43:14,900
the original rule completely worthless.
804
00:43:14,900 –> 00:43:19,220
The policy still exists in your dashboard, but it has failed to enforce anything, becoming
805
00:43:19,220 –> 00:43:22,740
a piece of security theater that covers up the underlying chaos.
806
00:43:22,740 –> 00:43:26,100
The uncomfortable truth is that governance is not a static state.
807
00:43:26,100 –> 00:43:29,420
It is a continuous loop consisting of five distinct stages.
808
00:43:29,420 –> 00:43:33,340
You begin by defining your intent, such as deciding that public IP should not exist, and
809
00:43:33,340 –> 00:43:36,380
then you move to enforcing that intent through policy deployment.
810
00:43:36,380 –> 00:43:40,700
However, you must also monitor compliance to find violations and remediate them by either
811
00:43:40,700 –> 00:43:43,900
fixing the resource or justifying a documented exception.
812
00:43:43,900 –> 00:43:48,740
The final and most important stage is the review and iteration phase, where you ask if
813
00:43:48,740 –> 00:43:52,740
the policy is still effective or if the environment has changed too much to support it.
814
00:43:52,740 –> 00:43:57,180
The cycle of defining, enforcing, monitoring, remediating and reviewing must repeat indefinitely
815
00:43:57,180 –> 00:43:58,700
because the cloud is dynamic.
816
00:43:58,700 –> 00:44:01,940
If you are not iterating on your policies, you are not governing.
817
00:44:01,940 –> 00:44:04,740
You are simply hoping that your old assumption still hold true.
818
00:44:04,740 –> 00:44:08,820
In a practical sense, this means running a query every quarter to identify which policies
819
00:44:08,820 –> 00:44:12,420
are being violated most frequently and investigating the root cause.
820
00:44:12,420 –> 00:44:16,300
You have to decide if a policy is too strict or if people are simply working around the rules
821
00:44:16,300 –> 00:44:18,740
for the sake of operational flexibility.
822
00:44:18,740 –> 00:44:22,980
The exception must have a documented owner, a clear business reason and a hard expiration
823
00:44:22,980 –> 00:44:26,900
date that you actually enforce during your quarterly reviews.
824
00:44:26,900 –> 00:44:29,380
Governance without iteration is just wishful thinking.
825
00:44:29,380 –> 00:44:34,140
And the reality of this principle is becoming clear as Microsoft’s 2026 deadlines for MFA
826
00:44:34,140 –> 00:44:35,460
enforcement approach.
827
00:44:35,460 –> 00:44:39,180
These are not new requirements as Microsoft has been recommending these changes for over
828
00:44:39,180 –> 00:44:43,900
five years, yet many organizations have failed to iterate on their internal standards.
829
00:44:43,900 –> 00:44:48,340
Now they are facing a hard forcing function on October 1st, where MFA becomes mandatory
830
00:44:48,340 –> 00:44:51,540
with no more delays or special cases allowed.
831
00:44:51,540 –> 00:44:55,500
Organizations that practice continuous governance are already compliant because they implemented
832
00:44:55,500 –> 00:44:57,660
and tested these changes years ago.
833
00:44:57,660 –> 00:45:01,660
For them, the upcoming deadline is just another Tuesday and nothing changes because they
834
00:45:01,660 –> 00:45:05,580
have already evolved their systems to match the modern threat landscape.
835
00:45:05,580 –> 00:45:07,500
They didn’t wait for a crisis to act.
836
00:45:07,500 –> 00:45:11,660
They built the requirement into their architectural DNA through constant refinement.
837
00:45:11,660 –> 00:45:15,780
The organizations that did not iterate are now in a state of crisis, scrambling to fix
838
00:45:15,780 –> 00:45:18,660
broken automation scripts that cannot handle MFA prompts.
839
00:45:18,660 –> 00:45:22,740
They are discovering that their most critical systems rely on legacy authentication that
840
00:45:22,740 –> 00:45:27,140
is about to vanish, forcing them into a cycle of desperate patching and remediation.
841
00:45:27,140 –> 00:45:30,940
All of this stress stems from the foundational mistake of believing that a policy was a
842
00:45:30,940 –> 00:45:34,780
one-time setup rather than a living part of the control plane.
843
00:45:34,780 –> 00:45:36,540
Landing zones as the control plane.
844
00:45:36,540 –> 00:45:40,900
By now you understand that true governance requires a functional control plane, but that
845
00:45:40,900 –> 00:45:42,580
realization comes with a price.
846
00:45:42,580 –> 00:45:46,420
You have to accept that a landing zone is not a template you deploy once and then walk
847
00:45:46,420 –> 00:45:47,420
away from.
848
00:45:47,420 –> 00:45:50,580
It is not a specific resource and it is certainly not just a subscription.
849
00:45:50,580 –> 00:45:54,980
In architectural terms, a landing zone is a continuous governance system that never stops
850
00:45:54,980 –> 00:45:55,980
running.
851
00:45:55,980 –> 00:45:59,220
The comfortable assumption most people make is that a landing zone is just a subscription
852
00:45:59,220 –> 00:46:01,140
with some policies slapped onto it.
853
00:46:01,140 –> 00:46:06,220
You deploy a template, it creates a management group hierarchy and then it spins up some subscriptions.
854
00:46:06,220 –> 00:46:10,940
That same template assigns your policies, configures the networking and sets up your monitoring
855
00:46:10,940 –> 00:46:12,460
before it finally finishes.
856
00:46:12,460 –> 00:46:16,100
You hit the deploy button, the green check mark appears and you tell yourself that governance
857
00:46:16,100 –> 00:46:17,100
is finished.
858
00:46:17,100 –> 00:46:20,100
You believe workloads can now land safely because the work is done.
859
00:46:20,100 –> 00:46:23,060
This is a fundamental misunderstanding of the system.
860
00:46:23,060 –> 00:46:26,780
The architectural truth is that a landing zone is the living expression of your architectural
861
00:46:26,780 –> 00:46:28,660
intent written in code.
862
00:46:28,660 –> 00:46:30,460
It isn’t something you simply deploy.
863
00:46:30,460 –> 00:46:33,980
It is something you continuously operate as your primary control plane.
864
00:46:33,980 –> 00:46:37,740
Every subscription created within that boundary automatically inherits the policies of the
865
00:46:37,740 –> 00:46:43,180
landing zone and every resource created inside those subscriptions is constantly evaluated against
866
00:46:43,180 –> 00:46:44,500
those rules.
867
00:46:44,500 –> 00:46:48,180
Every identity attempting to access a resource is checked against the RBAC assignments you
868
00:46:48,180 –> 00:46:49,660
defined at the top level.
869
00:46:49,660 –> 00:46:51,500
The landing zone is not a passive folder.
870
00:46:51,500 –> 00:46:55,380
It is an active breathing engine that is continuously enforcing your intent across the
871
00:46:55,380 –> 00:46:56,780
entire environment.
872
00:46:56,780 –> 00:47:00,860
When you vend the subscription through a landing zone, that container is never a blank slate.
873
00:47:00,860 –> 00:47:04,420
You aren’t handing over a clean piece of paper that the user then has to figure out how
874
00:47:04,420 –> 00:47:05,660
to configure.
875
00:47:05,660 –> 00:47:09,980
That subscription arrives pre-configured and perfectly aligned with your core architecture
876
00:47:09,980 –> 00:47:12,020
from the very first second it exists.
877
00:47:12,020 –> 00:47:15,980
It already has the correct policies, the right RBAC structures and the required network
878
00:47:15,980 –> 00:47:18,020
topology baked into its DNA.
879
00:47:18,020 –> 00:47:21,540
Because monitoring is already enabled and logging is already flowing, the subscription
880
00:47:21,540 –> 00:47:24,700
is compliant on day zero without any manual intervention.
881
00:47:24,700 –> 00:47:28,300
In a real world scenario, this changes how your teams actually work.
882
00:47:28,300 –> 00:47:32,100
When a developer team needs a new subscription for a project, they don’t open a ticket or wait
883
00:47:32,100 –> 00:47:33,500
for an email chain to resolve.
884
00:47:33,500 –> 00:47:37,700
They don’t need to have a long, painful conversation with the cloud architect just to get permission
885
00:47:37,700 –> 00:47:38,700
to build.
886
00:47:38,700 –> 00:47:43,300
Instead, they go to a self-service portal and fill out a simple form with their team name,
887
00:47:43,300 –> 00:47:45,020
project details and budget.
888
00:47:45,020 –> 00:47:49,300
Once they click Submit, an automated workflow triggers behind the scenes to handle the
889
00:47:49,300 –> 00:47:50,300
heavy lifting.
890
00:47:50,300 –> 00:47:54,260
The system creates the subscription and places it into the correct management group based
891
00:47:54,260 –> 00:47:56,540
on the metadata provided in the form.
892
00:47:56,540 –> 00:48:00,980
It applies the necessary policies, wires up the network and sets up the RBAC assignments
893
00:48:00,980 –> 00:48:03,260
while the developers are still grabbing a coffee.
894
00:48:03,260 –> 00:48:07,500
The entire process takes minutes and the result is a subscription that is fully compliant
895
00:48:07,500 –> 00:48:08,780
from the moment it is born.
896
00:48:08,780 –> 00:48:13,300
This is subscription vending and it represents the control plane operating with total autonomy.
897
00:48:13,300 –> 00:48:18,060
This is how you achieve governance at scale without relying on humans to remember the rules.
898
00:48:18,060 –> 00:48:22,100
The uncomfortable truth is that without subscription vending, you simply cannot scale your governance
899
00:48:22,100 –> 00:48:23,100
model.
900
00:48:23,100 –> 00:48:26,620
You can try to manually create subscriptions and hand assigned policies, but you will eventually
901
00:48:26,620 –> 00:48:28,620
fail because humans are inconsistent.
902
00:48:28,620 –> 00:48:32,180
Some environments will end up with different security postures than others and some will
903
00:48:32,180 –> 00:48:34,140
have better networking than their neighbors.
904
00:48:34,140 –> 00:48:37,820
You will eventually wake up to a sprawl of inconsistently configured environments that
905
00:48:37,820 –> 00:48:39,780
were all created in the name of speed.
906
00:48:39,780 –> 00:48:43,220
The ultimate cost of that flexibility is that your governance becomes fragmented and
907
00:48:43,220 –> 00:48:44,220
meaningless.
908
00:48:44,220 –> 00:48:47,540
As your verified modules have become the new standard for building these systems because
909
00:48:47,540 –> 00:48:51,820
they are composable, tested and aligned with actual architectural patterns.
910
00:48:51,820 –> 00:48:56,420
The old enterprise scale landing zone was a monolithic beast that tried to define everything
911
00:48:56,420 –> 00:48:58,780
in one giant, unmanageable template.
912
00:48:58,780 –> 00:49:02,500
If you wanted to customize a single setting, you had to fork the entire thing which made
913
00:49:02,500 –> 00:49:04,940
merging Microsoft’s updates a nightmare.
914
00:49:04,940 –> 00:49:08,020
That process was incredibly cumbersome and prone to human error.
915
00:49:08,020 –> 00:49:12,420
As your verified modules allow you to build the specific landing zone you need by composing
916
00:49:12,420 –> 00:49:14,780
smaller verified building blocks.
917
00:49:14,780 –> 00:49:18,740
If you need a specific management group structure or a unique network topology, there is a
918
00:49:18,740 –> 00:49:20,820
specific module designed for that purpose.
919
00:49:20,820 –> 00:49:25,140
You compose these modules together, configure your variables and deploy a solution where
920
00:49:25,140 –> 00:49:27,980
every piece is versioned and maintained by Microsoft.
921
00:49:27,980 –> 00:49:31,700
When an update is released, you can adopt it without the pain of a manual merge, allowing
922
00:49:31,700 –> 00:49:34,020
you to stay current with best practices.
923
00:49:34,020 –> 00:49:38,420
The architectural reality is that landing zones are not actually about restricting control.
924
00:49:38,420 –> 00:49:41,820
They are about enabling your organization to move at scale.
925
00:49:41,820 –> 00:49:45,660
Without this framework, you are forced to manually audit every single subscription which is
926
00:49:45,660 –> 00:49:48,140
a slow and error prone way to live.
927
00:49:48,140 –> 00:49:51,660
With a landing zone, you can vent hundreds of subscriptions every month that are also
928
00:49:51,660 –> 00:49:53,820
cure and aligned with your organizational intent.
929
00:49:53,820 –> 00:49:56,340
The landing zone isn’t a cage that holds teams back.
930
00:49:56,340 –> 00:49:59,060
It is the framework that makes massive scaling possible.
931
00:49:59,060 –> 00:50:03,740
It is the only way to let teams self serve while you maintain the integrity of the system.
932
00:50:03,740 –> 00:50:07,380
Once you realize that landing zones require this level of scale, you begin to see the shift
933
00:50:07,380 –> 00:50:11,140
from managing resources to managing the decision engine itself.
934
00:50:11,140 –> 00:50:15,500
From resource manager to decision engine curator, as you embrace the control plane, your focus
935
00:50:15,500 –> 00:50:19,420
shifts away from individual components and towards the logic that governs them.
936
00:50:19,420 –> 00:50:23,420
You stop thinking like a resource manager and start acting as a curator of the decision
937
00:50:23,420 –> 00:50:24,420
engine.
938
00:50:24,420 –> 00:50:28,540
The optimal assumption is that an Azure administrators job is to manage resources.
939
00:50:28,540 –> 00:50:33,660
You believe your value lies in creating, modifying and deleting virtual machines or storage accounts.
940
00:50:33,660 –> 00:50:38,740
You spend your days patching systems, configuring settings and taking ownership of the physical
941
00:50:38,740 –> 00:50:40,220
objects inside the cloud.
942
00:50:40,220 –> 00:50:42,700
This is the traditional view of administration.
943
00:50:42,700 –> 00:50:47,220
And most people believe this is what it means to be responsible for an Azure environment.
944
00:50:47,220 –> 00:50:49,900
That assumption dies the moment you reach level six.
945
00:50:49,900 –> 00:50:53,020
The architectural truth is that you do not manage resources.
946
00:50:53,020 –> 00:50:55,220
You manage a distributed decision engine.
947
00:50:55,220 –> 00:50:59,140
You don’t actually own the resources themselves, but you do own the logic that determines if
948
00:50:59,140 –> 00:51:01,060
those resources are allowed to exist.
949
00:51:01,060 –> 00:51:04,180
You own the rules that dictate how they are configured, who is allowed to touch them
950
00:51:04,180 –> 00:51:06,660
and exactly when they should be decommissioned.
951
00:51:06,660 –> 00:51:10,700
In this model, every policy and our back assignment functions as a discrete decision point
952
00:51:10,700 –> 00:51:12,100
within a larger system.
953
00:51:12,100 –> 00:51:14,580
Your conditional access rules are not just settings.
954
00:51:14,580 –> 00:51:18,500
They are instructions for an engine that evaluates thousands of requests every second.
955
00:51:18,500 –> 00:51:22,700
Your job is no longer to perform the manual labor of administration, but to define the underlying
956
00:51:22,700 –> 00:51:26,180
logic that the engine uses to make those choices.
957
00:51:26,180 –> 00:51:30,180
Consider what this looks like when you are managing 5,000 virtual machines across a global
958
00:51:30,180 –> 00:51:31,180
tenant.
959
00:51:31,180 –> 00:51:34,660
You will never personally touch most of those machines and you will certainly never manually
960
00:51:34,660 –> 00:51:36,620
patch or configure them one by one.
961
00:51:36,620 –> 00:51:40,660
Instead, you define the high level policies that govern the entire class of resources known
962
00:51:40,660 –> 00:51:41,820
as VMs.
963
00:51:41,820 –> 00:51:46,420
You dictate which subscriptions can host them, which sizes are cost effective, and which networking
964
00:51:46,420 –> 00:51:48,420
parts are secure enough to be used.
965
00:51:48,420 –> 00:51:52,500
The decision engine then enforces these rules every time someone tries to create,
966
00:51:52,500 –> 00:51:54,020
identify or delete a resource.
967
00:51:54,020 –> 00:51:57,740
Because you defined the compliance checks and the monitoring requirements beforehand,
968
00:51:57,740 –> 00:52:00,820
the engine acts as the primary administrator of the environment.
969
00:52:00,820 –> 00:52:04,820
You have moved from being the person turning the wrench to being the architect who designed
970
00:52:04,820 –> 00:52:05,820
the factory.
971
00:52:05,820 –> 00:52:07,420
This shift is fundamental to your growth.
972
00:52:07,420 –> 00:52:11,460
At level 1, you are just a person clicking buttons in a portal, but at level 6, you are
973
00:52:11,460 –> 00:52:14,340
writing the code that evaluates those button clicks.
974
00:52:14,340 –> 00:52:17,860
You have moved out of the execution layer and into the logic layer where the real power
975
00:52:17,860 –> 00:52:18,860
resides.
976
00:52:18,860 –> 00:52:22,180
To see this in practice, look at how a developer interacts with the system.
977
00:52:22,180 –> 00:52:26,140
They don’t ask you for a virtual machine, and they don’t wait for you to approve a ticket.
978
00:52:26,140 –> 00:52:29,620
They submit their request through a self-service portal, and that request goes directly to the
979
00:52:29,620 –> 00:52:31,340
decision engine for evaluation.
980
00:52:31,340 –> 00:52:35,060
The engine asks a series of deterministic questions before it allows the deployment to
981
00:52:35,060 –> 00:52:36,060
proceed.
982
00:52:36,060 –> 00:52:40,580
It checks if the identity has the right permissions, and if the target subscription is currently
983
00:52:40,580 –> 00:52:45,100
compliant with corporate standards, it verifies the VM size, the networking configuration,
984
00:52:45,100 –> 00:52:49,140
and the presence of required tags while ensuring the resource is in an approved region.
985
00:52:49,140 –> 00:52:53,300
It even checks if the user is on a trusted device or if they have exceeded their monthly budget
986
00:52:53,300 –> 00:52:54,500
for new resources.
987
00:52:54,500 –> 00:52:58,980
Each of these questions represents a decision point that you personally defined in the control
988
00:52:58,980 –> 00:52:59,980
plane.
989
00:52:59,980 –> 00:53:03,380
If the request passes every check, the VM is created instantly.
990
00:53:03,380 –> 00:53:07,020
If it fails even one, the request is denied with a clear explanation.
991
00:53:07,020 –> 00:53:11,260
This process is transparent, consistent, and incredibly fast, which means the developer
992
00:53:11,260 –> 00:53:14,140
always knows exactly what is required to get their work done.
993
00:53:14,140 –> 00:53:17,820
The architectural truth is that this system isn’t restrictive, it is actually clarifying
994
00:53:17,820 –> 00:53:19,500
for everyone involved.
995
00:53:19,500 –> 00:53:22,740
Developers appreciate knowing the rules of the road, such as which regions are off limits
996
00:53:22,740 –> 00:53:24,580
or which tags are mandatory for billing.
997
00:53:24,580 –> 00:53:28,500
When they follow the rules, the VM appears without any friction, delays, or soul crushing
998
00:53:28,500 –> 00:53:29,500
bureaucracy.
999
00:53:29,500 –> 00:53:33,540
But the deeper insight here is that the decision engine is entirely deterministic.
1000
00:53:33,540 –> 00:53:37,900
It makes the exact same decision every single time, based on the rules you provided, regardless
1001
00:53:37,900 –> 00:53:39,620
of who is making the request.
1002
00:53:39,620 –> 00:53:43,700
There are no special exceptions for executives and no favoritism for senior engineers, because
1003
00:53:43,700 –> 00:53:45,700
the logic applies to everyone equally.
1004
00:53:45,700 –> 00:53:49,580
This isn’t a wall of red tape, it is a masterpiece of architectural clarity.
1005
00:53:49,580 –> 00:53:53,820
When you stop managing resources and start managing the engine, your entire perspective on
1006
00:53:53,820 –> 00:53:54,820
the cloud changes.
1007
00:53:54,820 –> 00:53:58,620
You stop worrying about individual instances and start thinking about entire classes of
1008
00:53:58,620 –> 00:54:01,220
infrastructure and the logic that governs them.
1009
00:54:01,220 –> 00:54:03,860
You are no longer an operator reacting to tickets.
1010
00:54:03,860 –> 00:54:06,300
You are an architect designing a system of authority.
1011
00:54:06,300 –> 00:54:10,060
The decision engine is your true control plane, and the resources are simply the physical
1012
00:54:10,060 –> 00:54:11,860
output of that engine’s choices.
1013
00:54:11,860 –> 00:54:15,580
The control plane is what you own, what you build, and where your professional authority
1014
00:54:15,580 –> 00:54:16,580
actually lives.
1015
00:54:16,580 –> 00:54:20,460
Once you grasp that concept, you finally understand what level 6 is really about.
1016
00:54:20,460 –> 00:54:24,620
You realize the engine is deterministic, and that leads you to wonder how AI agents will
1017
00:54:24,620 –> 00:54:26,540
eventually plug into this logic.
1018
00:54:26,540 –> 00:54:29,580
AI agents as decision engine participants.
1019
00:54:29,580 –> 00:54:33,460
Once you realize the decision engine is strictly deterministic, you naturally start wondering
1020
00:54:33,460 –> 00:54:35,860
how AI agents fit into the architecture.
1021
00:54:35,860 –> 00:54:39,060
This is usually the point where the entire mental model collapses.
1022
00:54:39,060 –> 00:54:42,300
Most organizations lean on a comfortable but false assumption.
1023
00:54:42,300 –> 00:54:45,820
They believe AI agents exist entirely outside their governance model.
1024
00:54:45,820 –> 00:54:49,620
The logic is that co-pilot is just a tool running on a user’s device that responds to
1025
00:54:49,620 –> 00:54:53,740
prompts without ever touching the control plane or interacting with the decision engine.
1026
00:54:53,740 –> 00:54:58,420
You might tell yourself that you govern Azure while the AI operates in a separate vacuum,
1027
00:54:58,420 –> 00:55:01,700
but that line of thinking is a critical architectural mistake.
1028
00:55:01,700 –> 00:55:05,100
In reality, AI agents are not external observers.
1029
00:55:05,100 –> 00:55:08,180
They are active participants in your decision engine.
1030
00:55:08,180 –> 00:55:12,260
When a co-pilot agent needs to reach a resource, it doesn’t get a special bypass or a secret
1031
00:55:12,260 –> 00:55:13,660
path around your security.
1032
00:55:13,660 –> 00:55:17,180
It hits the exact same decision engine as every other identity in your tenant.
1033
00:55:17,180 –> 00:55:21,740
The agent authenticates using its own Entra agent ID, receives a token, and then that
1034
00:55:21,740 –> 00:55:26,460
token is scrutinized by your conditional access policies, resource level, R-back, and application
1035
00:55:26,460 –> 00:55:27,660
authorization.
1036
00:55:27,660 –> 00:55:31,660
To the decision engine, the agent is just another identity to be validated.
1037
00:55:31,660 –> 00:55:35,140
While the engine treats them the same, these agents introduce a level of complexity that
1038
00:55:35,140 –> 00:55:37,380
human users simply cannot match.
1039
00:55:37,380 –> 00:55:41,780
The uncomfortable truth is that AI agents create a massive volume of action risk because
1040
00:55:41,780 –> 00:55:46,020
they operate 24/7 without ever needing a break, because they can perform thousands of
1041
00:55:46,020 –> 00:55:49,980
actions every second and interact with other agents in unpredictable ways.
1042
00:55:49,980 –> 00:55:53,020
They inherit every permission of the identity they represent.
1043
00:55:53,020 –> 00:55:57,780
If that identity is over-privileged, the agent will rapidly cascade that flow across your entire
1044
00:55:57,780 –> 00:55:58,780
infrastructure.
1045
00:55:58,780 –> 00:56:02,980
Consider a common scenario where an AI agent is tasked with cost optimization.
1046
00:56:02,980 –> 00:56:05,380
The intent is simple, reduce cloud spending.
1047
00:56:05,380 –> 00:56:09,780
To do this, the agent has permission to modify VM configurations, and after analyzing the
1048
00:56:09,780 –> 00:56:13,260
environment, it finds a VM using only 30% of its memory.
1049
00:56:13,260 –> 00:56:17,900
It decides to resize that VM to a smaller, cheaper skew, which is an action perfectly within
1050
00:56:17,900 –> 00:56:19,460
its assigned permissions.
1051
00:56:19,460 –> 00:56:23,980
The agent executes the change, but the application running on that VM immediately crashes because
1052
00:56:23,980 –> 00:56:26,900
the smaller SKU can’t handle the application’s peak load.
1053
00:56:26,900 –> 00:56:31,300
Even though the average use was low, the app regularly spiked to 90%, a detailed agent
1054
00:56:31,300 –> 00:56:35,340
ignored because it was making decisions based on a narrow, incomplete data set.
1055
00:56:35,340 –> 00:56:39,420
The agent wasn’t malicious or compromised, yet it still triggered a major production incident
1056
00:56:39,420 –> 00:56:41,220
while trying to achieve its goal.
1057
00:56:41,220 –> 00:56:45,580
This is the essence of action risk, and the only architectural answer is bounded autonomy.
1058
00:56:45,580 –> 00:56:49,260
You can allow an agent to identify a problem and propose a solution, but you cannot allow
1059
00:56:49,260 –> 00:56:52,100
it to implement that solution without a human in the loop.
1060
00:56:52,100 –> 00:56:55,780
In a bounded model, the agent would create a ticket for the underutilized VM.
1061
00:56:55,780 –> 00:56:59,340
A human would see the memory spikes during the investigation, and the optimization would
1062
00:56:59,340 –> 00:57:00,340
be denied.
1063
00:57:00,340 –> 00:57:04,700
By forcing the agent to operate within these specific bounds, you prevent the incident
1064
00:57:04,700 –> 00:57:07,780
while still leveraging the AI’s analytical speed.
1065
00:57:07,780 –> 00:57:11,940
Microsoft Entra Agent ID is how you actually implement this concept of bounded autonomy.
1066
00:57:11,940 –> 00:57:15,340
By giving each agent its own identity, you can wrap it in conditional access policies
1067
00:57:15,340 –> 00:57:18,980
that block it the moment it reaches outside its defined scope.
1068
00:57:18,980 –> 00:57:22,780
Every single move the agent makes is recorded and auditable, and when it hits a decision,
1069
00:57:22,780 –> 00:57:23,980
it isn’t authorized to make.
1070
00:57:23,980 –> 00:57:27,780
It follows a hard-coded escalation path to a human.
1071
00:57:27,780 –> 00:57:32,660
AI agents are not the future of Azure Administration, but bounded AI agents certainly are.
1072
00:57:32,660 –> 00:57:36,380
You need agents that operate within clear intent boundaries and are governed as identities
1073
00:57:36,380 –> 00:57:38,060
rather than just features.
1074
00:57:38,060 –> 00:57:41,820
These are the only tools that will allow you to scale your infrastructure safely because
1075
00:57:41,820 –> 00:57:46,180
an agent without boundaries is just a disaster that executes faster than you can stop it.
1076
00:57:46,180 –> 00:57:48,860
The governance scope, what gets governed?
1077
00:57:48,860 –> 00:57:52,980
By now you understand that AI agents require governance, and you’ve likely started building
1078
00:57:52,980 –> 00:57:55,860
a system around bounded autonomy and observability.
1079
00:57:55,860 –> 00:57:59,700
You have your infrastructure governed, your identities, locked down, and your monitoring
1080
00:57:59,700 –> 00:58:02,620
in place, which usually leads to a false sense of security.
1081
00:58:02,620 –> 00:58:05,900
You feel covered until the moment a data breach actually happens.
1082
00:58:05,900 –> 00:58:10,340
The foundational misunderstanding here is the belief that you only need to govern the things
1083
00:58:10,340 –> 00:58:11,420
you own.
1084
00:58:11,420 –> 00:58:15,580
You might assume that applications belong to the dev teams, data belongs to the data
1085
00:58:15,580 –> 00:58:20,380
teams, and compliance is someone else’s problem, leaving you responsible only for Azure
1086
00:58:20,380 –> 00:58:21,380
Administration.
1087
00:58:21,380 –> 00:58:24,500
This siloed thinking is exactly what creates the opening for a breach.
1088
00:58:24,500 –> 00:58:26,820
Governance is not a collection of independent silos.
1089
00:58:26,820 –> 00:58:30,980
It is a holistic system where a breach occurs because multiple controls fail at the exact
1090
00:58:30,980 –> 00:58:31,980
same time.
1091
00:58:31,980 –> 00:58:35,860
A single broken policy might seem like an acceptable risk in isolation.
1092
00:58:35,860 –> 00:58:39,260
These failures eventually stack to create a catastrophic vulnerability.
1093
00:58:39,260 –> 00:58:42,060
It usually happens in a chain of small overlooked errors.
1094
00:58:42,060 –> 00:58:46,140
An infrastructure failure allows a storage account to be created with public access, while
1095
00:58:46,140 –> 00:58:50,100
an identity failure gives a user far too much permission to modify that account.
1096
00:58:50,100 –> 00:58:53,300
Because the data team didn’t classify the information and the app team used overly
1097
00:58:53,300 –> 00:58:56,300
permissive credentials, the stage is set for a disaster.
1098
00:58:56,300 –> 00:59:00,420
If an automation script fails silently and no one is monitoring for public storage access,
1099
00:59:00,420 –> 00:59:02,380
you have a total governance collapse.
1100
00:59:02,380 –> 00:59:06,260
None of these teams intended to cause a breach, but their individual failures cascaded into
1101
00:59:06,260 –> 00:59:07,260
a single event.
1102
00:59:07,260 –> 00:59:12,140
A user with broad permissions creates a public bucket and attacker finds it, and they download
1103
00:59:12,140 –> 00:59:14,620
unclassified data that no one was watching.
1104
00:59:14,620 –> 00:59:18,420
Because the monitoring script died without an alert, the breach stays active for three months,
1105
00:59:18,420 –> 00:59:20,540
and by the time you find it, the data is long gone.
1106
00:59:20,540 –> 00:59:24,540
You have to view governance as a single system, where every component must function in unison
1107
00:59:24,540 –> 00:59:25,980
for the whole thing to work.
1108
00:59:25,980 –> 00:59:30,580
If you create a perfect Azure policy to deny public storage accounts, but fail to govern
1109
00:59:30,580 –> 00:59:34,900
the identities that can modify those accounts, your policy is effectively useless.
1110
00:59:34,900 –> 00:59:39,100
An overprivileged user can simply bypass the creation time block by changing the settings
1111
00:59:39,100 –> 00:59:40,900
after the resource is deployed.
1112
00:59:40,900 –> 00:59:43,380
The policy didn’t fail because it was written poorly.
1113
00:59:43,380 –> 00:59:46,500
It failed because the rest of the governance system was incomplete.
1114
00:59:46,500 –> 00:59:50,700
You didn’t have the RBACs controls to stop the user or the monitoring to catch the configuration
1115
00:59:50,700 –> 00:59:54,380
drift, proving that your security is only as strong as its weakest link.
1116
00:59:54,380 –> 00:59:59,100
If you ignore any single domain, whether it’s identity, data, applications, or automation,
1117
00:59:59,100 –> 01:00:02,220
you are leaving a hole that an attacker will eventually find.
1118
01:00:02,220 –> 01:00:06,620
The scope of your governance must include every single one of these domains without exception.
1119
01:00:06,620 –> 01:00:10,340
Infrastructure and identity must align with data and compliance, or the entire system
1120
01:00:10,340 –> 01:00:11,500
loses its coherence.
1121
01:00:11,500 –> 01:00:14,620
This isn’t just the best practice you can get to later.
1122
01:00:14,620 –> 01:00:17,580
It is the foundational requirement for operating in the cloud.
1123
01:00:17,580 –> 01:00:21,420
Once you accept that governance is holistic, you have to start looking at the organizational
1124
01:00:21,420 –> 01:00:24,020
structure needed to actually enforce it.
1125
01:00:24,020 –> 01:00:28,380
The organizational structure required by now the reality of holistic governance should
1126
01:00:28,380 –> 01:00:29,380
be clear.
1127
01:00:29,380 –> 01:00:33,940
You understand that every domain, infrastructure, identity, data and automation is woven into
1128
01:00:33,940 –> 01:00:34,940
a single fabric.
1129
01:00:34,940 –> 01:00:38,220
This leads to a deeply uncomfortable realization.
1130
01:00:38,220 –> 01:00:40,980
A lone Azure administrator cannot actually manage this.
1131
01:00:40,980 –> 01:00:43,780
The comfortable assumption is that you are the center of the universe.
1132
01:00:43,780 –> 01:00:46,620
You own the tenant, manage the subscriptions, and write the policies.
1133
01:00:46,620 –> 01:00:50,620
In this mental model, you are the single point of accountability for identity and monitoring
1134
01:00:50,620 –> 01:00:51,620
alike.
1135
01:00:51,620 –> 01:00:55,500
You are the only one who can control the control.
1136
01:00:55,500 –> 01:00:56,700
This is a dangerous illusion.
1137
01:00:56,700 –> 01:00:59,780
The architectural truth is that governance at scale is a team sport.
1138
01:00:59,780 –> 01:01:02,660
And the idea of one person owning every domain is a fantasy.
1139
01:01:02,660 –> 01:01:07,340
No single human possesses the deep expertise or the literal hours in a day to maintain this
1140
01:01:07,340 –> 01:01:08,340
level of control.
1141
01:01:08,340 –> 01:01:11,820
When that person eventually leaves the organization, the entire governance structure doesn’t
1142
01:01:11,820 –> 01:01:13,300
just bend, it collapses.
1143
01:01:13,300 –> 01:01:17,860
Mature organizations operate through distributed teams where each group owns a specific governance
1144
01:01:17,860 –> 01:01:18,860
domain.
1145
01:01:18,860 –> 01:01:23,180
Identity team manages the user lifecycle and conditional access while the network team handles
1146
01:01:23,180 –> 01:01:25,500
firewalls and private endpoints.
1147
01:01:25,500 –> 01:01:29,500
Security and compliance focuses on policy enforcement and Sentinel and platform engineering
1148
01:01:29,500 –> 01:01:31,780
builds the landing zones and automation.
1149
01:01:31,780 –> 01:01:36,380
Even the application teams have a role governing their own data classification and access controls.
1150
01:01:36,380 –> 01:01:38,300
Each of these teams must own their decisions.
1151
01:01:38,300 –> 01:01:43,420
The identity team determines how MFA is enforced and the network team structures the connectivity
1152
01:01:43,420 –> 01:01:46,540
just as the platform team decides how subscriptions are vended.
1153
01:01:46,540 –> 01:01:50,660
This isn’t just a division of labor, it is a distribution of architectural responsibility.
1154
01:01:50,660 –> 01:01:55,660
However, governance requires intense coordination across these silos because without it policies
1155
01:01:55,660 –> 01:01:56,940
inevitably conflict.
1156
01:01:56,940 –> 01:02:01,460
One team might create a restriction that another team’s configuration immediately violates.
1157
01:02:01,460 –> 01:02:04,020
Both teams are technically correct within their own bubble.
1158
01:02:04,020 –> 01:02:08,180
But the resulting contradiction creates a chaotic environment where the system fails.
1159
01:02:08,180 –> 01:02:10,660
We see this play out constantly in the real world.
1160
01:02:10,660 –> 01:02:14,820
Security might push a policy that denies public IPs on all network interfaces while the
1161
01:02:14,820 –> 01:02:19,140
network team creates a policy requiring them for external connectivity.
1162
01:02:19,140 –> 01:02:23,100
Because these mandates clash, neither is enforced reliably, leaving both teams frustrated
1163
01:02:23,100 –> 01:02:25,060
and the environment compromised.
1164
01:02:25,060 –> 01:02:27,500
Solving this requires more than just technical skill.
1165
01:02:27,500 –> 01:02:29,860
It requires a structure for coordination.
1166
01:02:29,860 –> 01:02:33,660
Teams must meet to discuss constraints and refine their policies so they work together
1167
01:02:33,660 –> 01:02:35,220
instead of against each other.
1168
01:02:35,220 –> 01:02:39,300
This only happens when there is clear ownership in a defined path to escalate conflicts when
1169
01:02:39,300 –> 01:02:40,300
they arise.
1170
01:02:40,300 –> 01:02:43,540
Most successful enterprises establish a cloud governance council.
1171
01:02:43,540 –> 01:02:48,260
This body brings together representatives from IT, security, finance and the business to
1172
01:02:48,260 –> 01:02:50,340
review policies and discuss trade-offs.
1173
01:02:50,340 –> 01:02:54,580
They ensure the governance system remains coherent and that every domain is covered by a
1174
01:02:54,580 –> 01:02:58,420
coordinated strategy rather than a series of accidents.
1175
01:02:58,420 –> 01:03:02,980
The architectural truth is that governance without organizational structure is just noise.
1176
01:03:02,980 –> 01:03:08,020
You need clear roles, regular reviews, and a governing body that owns the overall system.
1177
01:03:08,020 –> 01:03:11,420
If you lack these coordination mechanisms, you aren’t managing a cloud.
1178
01:03:11,420 –> 01:03:13,060
You are managing entropy.
1179
01:03:13,060 –> 01:03:16,060
Here is the most uncomfortable truth for the Azure administrator.
1180
01:03:16,060 –> 01:03:18,020
You are no longer in the execution layer.
1181
01:03:18,020 –> 01:03:19,620
You have moved into the leadership layer.
1182
01:03:19,620 –> 01:03:21,820
You aren’t the one configuring every policy anymore.
1183
01:03:21,820 –> 01:03:24,060
You are the one facilitating the teams that do.
1184
01:03:24,060 –> 01:03:25,620
You aren’t just governing the cloud.
1185
01:03:25,620 –> 01:03:28,020
You are governing the governance of the cloud.
1186
01:03:28,020 –> 01:03:30,020
The 2026 inflection point.
1187
01:03:30,020 –> 01:03:33,860
You now see the need for organizational alignment and the distributed teams required to
1188
01:03:33,860 –> 01:03:34,860
make it work.
1189
01:03:34,860 –> 01:03:38,060
You understand the escalation paths and the holistic nature of the system.
1190
01:03:38,060 –> 01:03:41,620
Then you look at the calendar, see that it’s only 2025 and tell yourself there is plenty
1191
01:03:41,620 –> 01:03:42,900
of time to iterate.
1192
01:03:42,900 –> 01:03:45,380
This is the exact moment where most organizations fail.
1193
01:03:45,380 –> 01:03:48,700
The comfortable assumption is that these deadlines aren’t actually real.
1194
01:03:48,700 –> 01:03:53,300
We tell ourselves that Microsoft always announces these shifts years in advance and then offers
1195
01:03:53,300 –> 01:03:55,380
endless extensions or exemptions.
1196
01:03:55,380 –> 01:03:58,980
You assume you can implement governance when the budget opens up or when the staff is
1197
01:03:58,980 –> 01:04:02,540
ready, treating the deadlines as suggestions rather than hard stops.
1198
01:04:02,540 –> 01:04:04,740
That assumption is a career-ending mistake.
1199
01:04:04,740 –> 01:04:09,180
The architectural truth is that the 2026 deadlines represent the enforcement of architectural
1200
01:04:09,180 –> 01:04:10,180
inevitability.
1201
01:04:10,180 –> 01:04:15,300
On October 1, 2026, Microsoft will mandate multi-factor authentication for all Azure Portal
1202
01:04:15,300 –> 01:04:17,260
Access, including Global Administrators.
1203
01:04:17,260 –> 01:04:19,380
There are no delays or special cases.
1204
01:04:19,380 –> 01:04:24,340
By December 31, 2026, legacy authentication will be fully deprecated across all Microsoft
1205
01:04:24,340 –> 01:04:28,540
365 services and organizations that aren’t ready will simply go dark.
1206
01:04:28,540 –> 01:04:31,060
Let’s look at the specific mechanics of that failure.
1207
01:04:31,060 –> 01:04:35,380
When October arrives and MFA is enforced, your lack of preparation means you lose access
1208
01:04:35,380 –> 01:04:37,020
to the Portal entirely.
1209
01:04:37,020 –> 01:04:39,860
Your CLI scripts using basic “Auth” will break.
1210
01:04:39,860 –> 01:04:44,140
Your PowerShell automation will fail and your infrastructure deployment runbooks will hold.
1211
01:04:44,140 –> 01:04:47,860
Because you ignored a deadline announced months in advance, your entire incident response
1212
01:04:47,860 –> 01:04:50,900
capability will sit in a state of operational dysfunction.
1213
01:04:50,900 –> 01:04:54,860
The December deadline for legacy authentication is even more unforgiving.
1214
01:04:54,860 –> 01:05:00,340
Your email integrations using basic SMTP will stop working and your line of business applications
1215
01:05:00,340 –> 01:05:02,260
will suddenly fail to connect.
1216
01:05:02,260 –> 01:05:04,180
These aren’t planned maintenance windows.
1217
01:05:04,180 –> 01:05:08,620
They are unplanned outages that put the entire organization into a state of crisis because
1218
01:05:08,620 –> 01:05:10,940
you refuse to modernize your protocols.
1219
01:05:10,940 –> 01:05:14,380
These dates aren’t arbitrary choices by a product team.
1220
01:05:14,380 –> 01:05:18,940
Legacy authentication is a primary attack vector that allows bad actors to bypass MFA
1221
01:05:18,940 –> 01:05:21,020
and move through your environment undetected.
1222
01:05:21,020 –> 01:05:25,340
By eliminating these protocols, Microsoft is removing an entire category of risk from
1223
01:05:25,340 –> 01:05:26,580
the ecosystem.
1224
01:05:26,580 –> 01:05:30,300
These deadlines are how Microsoft enforces the transition to a zero trust model.
1225
01:05:30,300 –> 01:05:35,500
You cannot stay on legacy systems indefinitely while the rest of the cloud moves toward modern,
1226
01:05:35,500 –> 01:05:37,260
deterministic security.
1227
01:05:37,260 –> 01:05:39,060
This isn’t Microsoft being difficult.
1228
01:05:39,060 –> 01:05:42,900
It is the platform forcing you to accept the future of security architecture.
1229
01:05:42,900 –> 01:05:46,780
The difference between organizations that survive this and those that collapse is how they
1230
01:05:46,780 –> 01:05:48,500
spend their time today.
1231
01:05:48,500 –> 01:05:52,680
Proactive teams are testing right now, discovering that half of their automation needs to be
1232
01:05:52,680 –> 01:05:54,740
rewritten before the deadline hits.
1233
01:05:54,740 –> 01:05:59,220
They are identifying edge cases and training their staff so that when the date arrives, nothing
1234
01:05:59,220 –> 01:06:01,140
actually changes for them.
1235
01:06:01,140 –> 01:06:04,060
Organizations that wait until the last minute will spend October 2nd fighting fires at
1236
01:06:04,060 –> 01:06:05,300
2 o’clock AM.
1237
01:06:05,300 –> 01:06:09,900
They will be rushing MFA deployments for thousands of users and making hasty decisions that create
1238
01:06:09,900 –> 01:06:11,940
even deeper security vulnerabilities.
1239
01:06:11,940 –> 01:06:12,980
They aren’t governing.
1240
01:06:12,980 –> 01:06:15,620
They are reacting to a disaster of their own making.
1241
01:06:15,620 –> 01:06:20,140
The 2026 deadlines are a forcing function designed to make you implement governance and adopt
1242
01:06:20,140 –> 01:06:21,140
zero trust.
1243
01:06:21,140 –> 01:06:25,020
Organizations that use this as a catalyst for change will emerge with a more secure,
1244
01:06:25,020 –> 01:06:26,380
modern infrastructure.
1245
01:06:26,380 –> 01:06:30,140
Those that resist will be forced to change under extreme pressure, violating compliance
1246
01:06:30,140 –> 01:06:32,900
requirements and suffering through avoidable outages.
1247
01:06:32,900 –> 01:06:34,620
The question you have to answer is simple.
1248
01:06:34,620 –> 01:06:38,700
Do you want to work for the organization that implements governance proactively or the
1249
01:06:38,700 –> 01:06:42,740
one that tries to fix its broken architecture in the middle of a crisis?
1250
01:06:42,740 –> 01:06:46,260
The deadlines are real and they are coming for your career.
1251
01:06:46,260 –> 01:06:49,380
The career implications levels 1 through 7.
1252
01:06:49,380 –> 01:06:53,660
You now understand the 7 levels of Azure maturity, the illusions that define them and
1253
01:06:53,660 –> 01:06:56,620
the architectural truths those levels eventually reveal.
1254
01:06:56,620 –> 01:07:00,260
Naturally you are asking the one question that actually matters for your future.
1255
01:07:00,260 –> 01:07:03,780
What does this mean for my career, my salary and my professional trajectory?
1256
01:07:03,780 –> 01:07:07,620
The comfortable assumption most people cling to is that more certifications automatically
1257
01:07:07,620 –> 01:07:10,100
lead to higher pay and better prospects.
1258
01:07:10,100 –> 01:07:14,220
You might believe that earning your AZ 900 leads to a promotion followed by a raise for
1259
01:07:14,220 –> 01:07:18,420
the AZ 104 and another jump once you secure the AZ 305.
1260
01:07:18,420 –> 01:07:22,900
In this mental model, certifications are a simple linear equation where more badges equal
1261
01:07:22,900 –> 01:07:24,940
more money and guaranteed advancement.
1262
01:07:24,940 –> 01:07:26,220
That is a convenient lie.
1263
01:07:26,220 –> 01:07:30,500
The architectural truth is that certifications are a necessary but entirely insufficient
1264
01:07:30,500 –> 01:07:34,740
condition for real career growth, while a badge might get your resume passed an automated
1265
01:07:34,740 –> 01:07:37,740
recruiter filter or prove you studied the documentation.
1266
01:07:37,740 –> 01:07:41,020
It only demonstrates that you understand Azure features.
1267
01:07:41,020 –> 01:07:44,660
It does not mean you understand architecture, it does not mean you understand governance
1268
01:07:44,660 –> 01:07:48,740
and it certainly doesn’t mean you can solve complex high stakes problems.
1269
01:07:48,740 –> 01:07:52,820
Understanding is what actually drives advancement because while certifications open the door,
1270
01:07:52,820 –> 01:07:56,260
only true architectural understanding allows you to walk through it.
1271
01:07:56,260 –> 01:07:59,220
Let’s look at what the progression actually looks like in the real world.
1272
01:07:59,220 –> 01:08:03,740
At level one, you are a portal clicker who knows how to manually create resources, likely holding
1273
01:08:03,740 –> 01:08:09,660
an AZ 900 and working as a junior administrator for 60 to 80 thousand dollars.
1274
01:08:09,660 –> 01:08:13,660
Moving to level two makes you a scripting apprentice where you automate tasks with PowerShell
1275
01:08:13,660 –> 01:08:18,140
and with an AZ 104 in hand, your salary as an administrator typically climbs to between
1276
01:08:18,140 –> 01:08:20,780
80 and 110 thousand dollars.
1277
01:08:20,780 –> 01:08:24,220
Level three marks your transition into a template architect who defines infrastructure as
1278
01:08:24,220 –> 01:08:30,980
code and as an Azure solutions architect with an AZ 305 you can expect to earn 110 to 150 thousand
1279
01:08:30,980 –> 01:08:31,980
dollars.
1280
01:08:31,980 –> 01:08:35,580
By level four you become a governance enforcer who secures environments at scale, often
1281
01:08:35,580 –> 01:08:42,260
holding an AZ 500 and commanding a security architect salary of 130 to 170 thousand dollars.
1282
01:08:42,260 –> 01:08:46,180
The climb continues at level five where you act as an identity strategist designing zero
1283
01:08:46,180 –> 01:08:50,780
trust systems and an SC 300 certification helps push your identity architect earnings
1284
01:08:50,780 –> 01:08:52,940
toward 180 thousand dollars.
1285
01:08:52,940 –> 01:08:57,780
Level six is the platform orchestrator who manages massive landing zones using both solutions
1286
01:08:57,780 –> 01:09:02,820
architect and security engineer credentials earning up to 220 thousand dollars as an enterprise
1287
01:09:02,820 –> 01:09:04,340
cloud architect.
1288
01:09:04,340 –> 01:09:09,340
Finally level seven is the agent governor who oversees autonomous systems and AI agents
1289
01:09:09,340 –> 01:09:14,180
and as a chief architect with AI and identity specialties, your salary starts at 200 thousand
1290
01:09:14,180 –> 01:09:16,860
dollars and often scales significantly higher.
1291
01:09:16,860 –> 01:09:20,660
But here is the critical insight you cannot skip these levels or jump from the portal
1292
01:09:20,660 –> 01:09:22,940
to AI governance just by reading an article.
1293
01:09:22,940 –> 01:09:26,860
You must first understand why portal clicking fails, why scripts are inherently fragile and
1294
01:09:26,860 –> 01:09:30,700
why templates without enforced policies create nothing but high speed chaos.
1295
01:09:30,700 –> 01:09:34,460
You have to learn why policies fail without identity and why network first thinking is
1296
01:09:34,460 –> 01:09:38,740
a dead end before you can ever hope to govern AI within a landing zone.
1297
01:09:38,740 –> 01:09:42,220
The architectural truth is that the level seven architect isn’t the person who memorized
1298
01:09:42,220 –> 01:09:46,500
the most Azure services but the person who realizes those services are just tools to
1299
01:09:46,500 –> 01:09:48,100
implement governance intent.
1300
01:09:48,100 –> 01:09:51,980
They understand that the goal isn’t to deploy more resources but to ensure every deployment
1301
01:09:51,980 –> 01:09:56,340
is compliant, secure and perfectly aligned with what the organization actually intended
1302
01:09:56,340 –> 01:09:57,340
to build.
1303
01:09:57,340 –> 01:10:01,380
In their world, the specific resources are almost irrelevant because the decision engine
1304
01:10:01,380 –> 01:10:04,860
is everything and the architecture is the only thing that lasts.
1305
01:10:04,860 –> 01:10:09,340
Your career journey from level one to level seven is a transition from being a resource manager
1306
01:10:09,340 –> 01:10:11,500
to becoming a decision engine curator.
1307
01:10:11,500 –> 01:10:15,300
It is a path of constant realization where you discover that your previous assumptions
1308
01:10:15,300 –> 01:10:19,260
were wrong, forcing you to rethink your entire approach to the cloud.
1309
01:10:19,260 –> 01:10:23,420
That specific discomfort and the force rethinking it requires is what actually drives your career
1310
01:10:23,420 –> 01:10:30,020
forward because understanding not a collection of digital badges is the only real currency.
1311
01:10:30,020 –> 01:10:32,340
The Monday morning action, what to do now?
1312
01:10:32,340 –> 01:10:36,100
You have the levels, the illusions, the truths and the career roadmap but now you’re sitting
1313
01:10:36,100 –> 01:10:39,340
at your desk on Monday morning wondering what to actually do next.
1314
01:10:39,340 –> 01:10:42,340
The research phase is over and your understanding is complete.
1315
01:10:42,340 –> 01:10:46,660
Yet the most important question remains, how do you turn this theory into a functional system?
1316
01:10:46,660 –> 01:10:49,820
The comfortable assumption is that you need to implement every single thing immediately
1317
01:10:49,820 –> 01:10:54,700
from Azure verified modules and deny policies to subscription, vending and AI governance.
1318
01:10:54,700 –> 01:10:59,100
You might feel a desperate urge to transform your entire organization before the first of
1319
01:10:59,100 –> 01:11:02,540
next month but that level of pressure usually leads to total paralysis.
1320
01:11:02,540 –> 01:11:06,660
Trying to fix everything at once is exactly where most organizations fail because they mistake
1321
01:11:06,660 –> 01:11:08,060
activity for progress.
1322
01:11:08,060 –> 01:11:12,540
The architectural truth is that you must start with a cold hard assessment of your current state.
1323
01:11:12,540 –> 01:11:17,020
On Monday morning, do not try to launch a massive transformation or solve every architectural
1324
01:11:17,020 –> 01:11:20,180
debt your company has accumulated over the last five years.
1325
01:11:20,180 –> 01:11:22,980
Instead, focus on answering one simple question.
1326
01:11:22,980 –> 01:11:26,660
What is the actual measurable state of your governance right now?
1327
01:11:26,660 –> 01:11:29,980
Your first real action on Monday morning is to audit your Azure policy usage to see how
1328
01:11:29,980 –> 01:11:33,700
many policies are actually active and how many are stuck in audit mode.
1329
01:11:33,700 –> 01:11:38,700
You need to run a query to find out which resources are non-compliant and identify the top categories
1330
01:11:38,700 –> 01:11:43,180
of failure so you can export that data and face the reality of your environment.
1331
01:11:43,180 –> 01:11:45,620
Do not assume you know what’s happening in your tenants.
1332
01:11:45,620 –> 01:11:46,860
You need to measure it.
1333
01:11:46,860 –> 01:11:51,100
Next, you must assess your identity governance by looking at how many service principles exist
1334
01:11:51,100 –> 01:11:55,460
and identifying which ones have been granted dangerously broad permissions.
1335
01:11:55,460 –> 01:12:00,460
Use EntraID governance tools to find out how many of these identities are actually documented
1336
01:12:00,460 –> 01:12:04,540
who owns them and whether they have even been used in the last 90 days.
1337
01:12:04,540 –> 01:12:08,580
Finally, evaluate your landing zone maturity by checking if new subscriptions are created
1338
01:12:08,580 –> 01:12:12,140
through a manual process or a standardized automated workflow.
1339
01:12:12,140 –> 01:12:16,260
You need to benchmark your environment against the cloud adoption framework design areas
1340
01:12:16,260 –> 01:12:20,260
to see if your subscriptions are following the same networking topology or if they are drifting
1341
01:12:20,260 –> 01:12:21,380
into silos.
1342
01:12:21,380 –> 01:12:25,900
The architectural truth is that assessment is the foundation of all meaningful change
1343
01:12:25,900 –> 01:12:29,420
and since you cannot improve what you haven’t measured, you should spend your first
1344
01:12:29,420 –> 01:12:32,500
week doing nothing but gathering data.
1345
01:12:32,500 –> 01:12:36,940
Spend the first month truly understanding that data and the first quarter building a plan
1346
01:12:36,940 –> 01:12:39,740
because execution without a baseline is just guessing.
1347
01:12:39,740 –> 01:12:43,220
Once the assessment is done, you have to prioritize the changes that will have the highest
1348
01:12:43,220 –> 01:12:44,780
impact on your risk profile.
1349
01:12:44,780 –> 01:12:48,980
If you discover that half of your 10,000 resources are violating public IP policies, that is
1350
01:12:48,980 –> 01:12:53,100
your immediate priority and you should implement a deny policy to close that gap.
1351
01:12:53,100 –> 01:12:58,060
This single focus change does more to reduce your attack surface than a dozen minor tweaks
1352
01:12:58,060 –> 01:13:00,540
that are easier to explain to your boss.
1353
01:13:00,540 –> 01:13:04,180
Identify the one policy that eliminates the greatest risk to the business, not the one
1354
01:13:04,180 –> 01:13:06,740
that is easiest to click or sounds best in a meeting.
1355
01:13:06,740 –> 01:13:10,980
Your first deny policy should target the violation that would cause the most damage if exploited
1356
01:13:10,980 –> 01:13:16,500
so you can enforce it and remediate the existing violations before moving to the next threat.
1357
01:13:16,500 –> 01:13:20,380
When you have that high priority policy ready, do not push it to the entire organization
1358
01:13:20,380 –> 01:13:24,980
at once but instead deploy it to a single test subscription to verify it works.
1359
01:13:24,980 –> 01:13:29,300
You need to monitor it in non-production environments first to ensure it doesn’t break critical systems
1360
01:13:29,300 –> 01:13:33,580
and only after you have confirmed its behavior should you move it into production.
1361
01:13:33,580 –> 01:13:37,220
The architectural truth is that governance is never a big bang transformation but rather
1362
01:13:37,220 –> 01:13:40,020
a continuous disciplined process of iteration.
1363
01:13:40,020 –> 01:13:44,220
You change one specific thing, measure the result, adjust your approach and then move on
1364
01:13:44,220 –> 01:13:45,700
to the next requirement.
1365
01:13:45,700 –> 01:13:49,940
This requires a level of patience that most people lack but it is the only way to build
1366
01:13:49,940 –> 01:13:53,020
a system that actually functions under pressure.
1367
01:13:53,020 –> 01:13:56,820
After that first policy is live, you need to establish a monthly governance review to see
1368
01:13:56,820 –> 01:14:02,140
if violations are trending down and if your policy is still aligned with your evolving architecture.
1369
01:14:02,140 –> 01:14:05,500
This creates a feedback loop where you can decide whether to adjust the policy or fix
1370
01:14:05,500 –> 01:14:10,020
the environment turning governance into a learning cycle rather than a static set of rules.
1371
01:14:10,020 –> 01:14:13,780
Lastly you must communicate these wins to your leadership by showing them the direct
1372
01:14:13,780 –> 01:14:18,140
impact on non-compliance, security incidents and overall cloud costs.
1373
01:14:18,140 –> 01:14:21,620
Without leadership buy-in your governance efforts will eventually fail because someone
1374
01:14:21,620 –> 01:14:25,060
will eventually pressure you to relax the rules in the name of speed.
1375
01:14:25,060 –> 01:14:28,460
You aren’t just clicking buttons in a console, you are changing the fundamental way your
1376
01:14:28,460 –> 01:14:32,380
organization makes decisions and that requires a leadership team that is fully committed
1377
01:14:32,380 –> 01:14:33,700
to the long game.
1378
01:14:33,700 –> 01:14:37,300
Start with the assessment, find your highest impact change, test it thoroughly and then
1379
01:14:37,300 –> 01:14:38,740
deploy it with confidence.
1380
01:14:38,740 –> 01:14:40,740
This is how you build real governance.
1381
01:14:40,740 –> 01:14:44,500
One step, one policy and one architectural decision at a time.
1382
01:14:44,500 –> 01:14:46,020
The uncomfortable truth.
1383
01:14:46,020 –> 01:14:50,860
The azure admon illusion is the persistent belief that administration is about managing resources.
1384
01:14:50,860 –> 01:14:55,540
You spend your days clicking buttons, spinning up virtual machines and configuring policies
1385
01:14:55,540 –> 01:14:58,100
under the impression that you are managing the cloud.
1386
01:14:58,100 –> 01:14:59,580
You believe you are in control.
1387
01:14:59,580 –> 01:15:04,100
The uncomfortable truth is that you are not in control because the cloud actually controls
1388
01:15:04,100 –> 01:15:05,100
you.
1389
01:15:05,100 –> 01:15:09,220
In reality, Microsoft Azure functions as a distributed decision engine where you no longer
1390
01:15:09,220 –> 01:15:11,980
manage the system but instead you architect it.
1391
01:15:11,980 –> 01:15:16,700
Your role is to define the logic and enforce the intent but the cloud itself makes the final
1392
01:15:16,700 –> 01:15:17,700
decisions.
1393
01:15:17,700 –> 01:15:21,180
Cloud has become the administrator leaving you to serve as its architect when you reach
1394
01:15:21,180 –> 01:15:25,660
level seven you stop being an administrator and become a curator of intent.
1395
01:15:25,660 –> 01:15:30,020
You are now the enforcer of architectural inevitability and that is where the real power
1396
01:15:30,020 –> 01:15:31,660
lies.
1397
01:15:31,660 –> 01:15:35,620
I appreciate you listening to this deep dive into the seven levels of Azure administration.
1398
01:15:35,620 –> 01:15:39,940
If these concepts resonated with your experience please leave a review on your favorite podcast
1399
01:15:39,940 –> 01:15:42,020
platform or connect with me on LinkedIn.
1400
01:15:42,020 –> 01:15:47,140
You can subscribe to the M365 FM podcast for more architectural insights into Azure Microsoft
1401
01:15:47,140 –> 01:15:50,660
365 and security until next time remember to think architecturally.
