Every few months a new customer hands me a landing zone and says “it was built by consultants, it should be fine.” It almost never is. Here are the five things I still find wrong in 2026, in order of how often I see them.
1. Management group structure that mirrors the org chart
If your MG hierarchy looks like your HR diagram, you’ve optimised for the wrong axis. MGs exist to scope policy and RBAC inheritance, not to mirror reporting lines. Finance shouldn’t have its own MG unless it has genuinely different compliance obligations that turn into different policy assignments. Put sandbox workloads in a sandbox MG, production workloads in landingzones/corp (hub-connected, hybrid) or landingzones/online (internet-facing, no corp connectivity), and leave it at that.
Fix: start with the CAF reference hierarchy (platform with identity, management and connectivity beneath it; landing zones; sandbox; decommissioned) and only deviate when a real policy difference forces you to. Keep in mind that the tree is capped at six levels below the root, and that moving a subscription later changes the policy and RBAC it inherits under running workloads. You can always add layers later; you can never remove them without pain.
2. Defender for Cloud enabled but nobody watching
I see this constantly: the Defender plans are enabled, the bill is climbing, and no one has opened the recommendations or alerts blade in six months. Defender without routing is just expensive telemetry.
Fix: route alerts somewhere a human reads on day one. The built-in options are the Microsoft Sentinel connector, continuous export to a Log Analytics workspace or Event Hub for whatever SIEM you already run, and workflow automation, which triggers a Logic App per alert or recommendation. If you don’t have a SIEM, at minimum use workflow automation to post high-severity alerts to a Teams channel, and give the recommendations an owner and a secure-score target, or the dashboard rots again within a quarter.
3. Hub-and-spoke with no spoke-to-spoke strategy
Someone drew the textbook hub-and-spoke on a whiteboard, the network team deployed it, and now every spoke-to-spoke packet traverses the hub firewall, which bills per GB processed on top of the hourly rate. Sometimes that’s what you want: a single inspection point for all east-west traffic. Usually it isn’t.
Fix: decide explicitly whether spokes are allowed to peer. Direct spoke-to-spoke peering bypasses the hub firewall, so NSGs become your east-west control for those flows, and you should be deliberate about which flows still need inspection. Azure Virtual Network Manager makes this manageable at scale: a connectivity configuration over a network group can be hub-and-spoke with or without direct connectivity between the spokes, or a full mesh; just don’t let either happen by accident.
4. Private endpoints without private DNS
Private endpoints look great until someone from a peered VNet tries to hit the public FQDN and gets the public IP back. The public name is a CNAME to the privatelink name (for a storage account, storageaccount.blob.core.windows.net points at storageaccount.privatelink.blob.core.windows.net), and only a resolver that can see the private DNS zone holding the A record answers with the private IP. Any VNet that isn’t linked to that zone resolves through public DNS and lands on the public endpoint, or on the service firewall if you’ve turned public access off. The private endpoint is there; the DNS isn’t.
Fix: central private DNS zones, one per service (privatelink.blob.core.windows.net, privatelink.vaultcore.azure.net, and so on) in the connectivity subscription, linked to every VNet that needs to resolve them, and every private endpoint given a DNS zone group pointing at the central zone so the A record is actually written. Azure Policy ships DeployIfNotExists definitions per service that attach the zone group automatically; assign them at the landing-zones MG. If you run your own DNS servers, they must forward to the Azure-provided resolver (168.63.129.16) or a DNS Private Resolver inbound endpoint, or the zone links don’t help.
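The check I actually run when I inherit one of these, as an added example that is not from the original post: given a list of private endpoints, the VNet links on each private DNS zone and the peerings, it reports every VNet that can reach an endpoint but cannot resolve it privately, and every endpoint with no DNS zone group at all. The input shapes are simplified from what `az network private-endpoint list` and `az network private-dns link vnet list` return; the sample data is constructed, `ZONE_FOR_GROUP` is a subset of the documented zone table, and reachability is approximated as “same peering component”, which assumes the hub forwards spoke-to-spoke traffic.

```python
"""Private endpoint vs. private DNS zone link audit (added example, offline).
Input shapes are simplified from `az network private-endpoint list` and
`az network private-dns link vnet list`; the sample data is constructed."""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, NamedTuple, Set

# Private DNS zone that holds the A record for each private-link group ID.
# Subset of the documented zone table; extend for the services you use.
ZONE_FOR_GROUP = {
    "blob": "privatelink.blob.core.windows.net",
    "vault": "privatelink.vaultcore.azure.net",
    "sqlServer": "privatelink.database.windows.net",
}


class Finding(NamedTuple):
    endpoint: str
    zone: str
    vnet: str
    reason: str


def vnet_of_subnet(subnet_id: str) -> str:
    """'/.../virtualNetworks/<vnet>/subnets/<snet>' -> the VNet resource ID."""
    return subnet_id.split("/subnets/")[0]


def peering_component(start: str, peerings: Dict[str, Set[str]]) -> Set[str]:
    """VNets reachable from `start` over peerings, treated as undirected
    (assumption: the hub routes transit traffic between its spokes)."""
    adj: Dict[str, Set[str]] = defaultdict(set)
    for a, peers in peerings.items():
        for b in peers:
            adj[a].add(b)
            adj[b].add(a)
    seen, todo = {start}, deque([start])
    while todo:
        for nbr in adj[todo.popleft()]:
            if nbr not in seen:
                seen.add(nbr)
                todo.append(nbr)
    return seen


def find_dns_gaps(endpoints: Iterable[dict], zone_links: Dict[str, Set[str]],
                  peerings: Dict[str, Set[str]]) -> List[Finding]:
    """endpoints: [{name, subnetId, groupIds, dnsZoneGroupZones}];
    zone_links: zone name -> VNet IDs linked to it;
    peerings: VNet ID -> VNet IDs it is peered with."""
    findings: List[Finding] = []
    for ep in endpoints:
        home = vnet_of_subnet(ep["subnetId"])
        for group in ep["groupIds"]:
            zone = ZONE_FOR_GROUP.get(group)
            if zone is None:
                findings.append(Finding(ep["name"], "?", home, f"no zone mapping for groupId {group}"))
                continue
            # Without a DNS zone group nothing ever writes the A record into the zone.
            if zone not in ep.get("dnsZoneGroupZones", []):
                findings.append(Finding(ep["name"], zone, home, "no DNS zone group: A record never written"))
            linked = zone_links.get(zone, set())
            for vnet in sorted(peering_component(home, peerings)):
                if vnet not in linked:
                    findings.append(Finding(ep["name"], zone, vnet, "VNet not linked to zone: resolves to public IP"))
    return findings


# Constructed sample: hub peered to two spokes; the blob zone is linked to hub and
# spoke-a only, and the key vault endpoint was created without a DNS zone group.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VNET = SUB + "/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/"
HUB, SPOKE_A, SPOKE_B = VNET + "vnet-hub", VNET + "vnet-spoke-a", VNET + "vnet-spoke-b"
SAMPLE_ENDPOINTS = [
    {"name": "pe-stblob", "subnetId": SPOKE_A + "/subnets/snet-pe", "groupIds": ["blob"],
     "dnsZoneGroupZones": ["privatelink.blob.core.windows.net"]},
    {"name": "pe-kv", "subnetId": SPOKE_A + "/subnets/snet-pe", "groupIds": ["vault"],
     "dnsZoneGroupZones": []},
]
SAMPLE_ZONE_LINKS = {
    "privatelink.blob.core.windows.net": {HUB, SPOKE_A},
    "privatelink.vaultcore.azure.net": {HUB, SPOKE_A, SPOKE_B},
}
SAMPLE_PEERINGS = {HUB: {SPOKE_A, SPOKE_B}}

if __name__ == "__main__":
    for f in find_dns_gaps(SAMPLE_ENDPOINTS, SAMPLE_ZONE_LINKS, SAMPLE_PEERINGS):
        print(f"{f.endpoint:10} {f.zone:36} {f.vnet.rsplit('/', 1)[-1]:14} {f.reason}")
```

On the constructed data this reports spoke-b for the blob endpoint (it can reach the endpoint through the hub but resolves the public IP) and the key vault endpoint for its missing zone group. Feed it the real exports and the second class of finding is the one the DeployIfNotExists policies exist to prevent; the first is the one nobody thinks about until the next spoke is peered.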
5. RBAC assignments at the subscription level
“We just need our DevOps team to deploy, so we gave them Contributor on the subscription.” Now one leaked pipeline credential can modify or delete every resource in the subscription, including the ones that team never touches. This is how breaches start.
Fix: scope at the resource group (or resource) level. Note that Contributor already carries NotActions for Microsoft.Authorization writes and has no data-plane actions, so it can’t assign roles or delete keys in an RBAC-mode vault; what a custom role built from it strips is the control-plane destruction a pipeline has no business doing: vault delete and purge, virtual network delete, resource group delete. Keep Owner and User Access Administrator out of standing assignments entirely and put them behind PIM as eligible, time-bound activations. True break-glass is a separate pair of tightly monitored emergency accounts, not a PIM role.
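The two pieces of that fix in working form, as an added example that is not from the original post: an audit that classifies each assignment’s ARM scope and flags Owner, Contributor or User Access Administrator held wider than a resource group, and a Contributor-derived custom role definition in the JSON shape `az role definition create --role-definition` accepts. The assignment records mirror three fields of `az role assignment list --all -o json` (principalName, roleDefinitionName, scope) and are constructed; the operation names in the role are real ARM operations, while the role name, description and the subscription ID are illustrative.

```python
"""Role assignment scope audit plus a Contributor-minus-destruction custom role
(added example, offline). Assignment records mirror three fields of
`az role assignment list --all -o json`; the sample data is constructed."""
import json
import re
from typing import Dict, Iterable, List, NamedTuple

# Roles that should never be standing assignments at subscription scope or above.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Scope levels from widest to narrowest, with the ARM scope-ID shape of each.
SCOPE_LEVELS = [
    ("root", re.compile(r"^/$")),
    ("management_group", re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)),
    ("subscription", re.compile(r"^/subscriptions/[^/]+$", re.I)),
    ("resource_group", re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)),
    ("resource", re.compile(r".*")),  # anything deeper than a resource group
]
LEVEL_RANK = {name: i for i, (name, _) in enumerate(SCOPE_LEVELS)}


def scope_level(scope: str) -> str:
    """Classify an ARM scope ID into one of the SCOPE_LEVELS names."""
    for name, pattern in SCOPE_LEVELS:
        if pattern.match(scope):
            return name
    return "resource"  # unreachable: the last pattern matches everything


class Finding(NamedTuple):
    principal: str
    role: str
    scope: str
    level: str


def audit_assignments(assignments: Iterable[dict], narrowest_ok: str = "resource_group") -> List[Finding]:
    """Flag broad roles assigned at any scope wider than `narrowest_ok`."""
    findings: List[Finding] = []
    for a in assignments:
        level = scope_level(a["scope"])
        if a["roleDefinitionName"] in BROAD_ROLES and LEVEL_RANK[level] < LEVEL_RANK[narrowest_ok]:
            findings.append(Finding(a["principalName"], a["roleDefinitionName"], a["scope"], level))
    return findings


def deployer_role(subscription_id: str, extra_not_actions: Iterable[str] = ()) -> Dict:
    """Custom role for a deployment pipeline. Contributor's own NotActions
    (Microsoft.Authorization writes/deletes, elevateAccess) are kept so it still
    cannot assign roles; the added NotActions remove the deletes and purges a
    pipeline has no business performing. Name and description are illustrative."""
    return {
        "Name": "Landing Zone Deployer",
        "IsCustom": True,
        "Description": "Contributor minus destructive control-plane operations",
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
            "Microsoft.KeyVault/vaults/delete",
            "Microsoft.KeyVault/locations/deletedVaults/purge/action",
            "Microsoft.Network/virtualNetworks/delete",
            "Microsoft.Resources/subscriptions/resourceGroups/delete",
            *extra_not_actions,
        ],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


# Constructed sample export: two pipeline identities, one standing Owner at an MG,
# and a read-only group at the tenant root that should not be flagged.
SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "sp-devops-deploy", "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}"},
    {"principalName": "sp-app-deploy", "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}/resourceGroups/rg-app-prod"},
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-landingzones"},
    {"principalName": "grp-sec-readers", "roleDefinitionName": "Reader", "scope": "/"},
]

if __name__ == "__main__":
    for f in audit_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{f.level:17} {f.role:28} {f.principal:20} {f.scope}")
    print(json.dumps(deployer_role(SUB), indent=2))
```

On the sample the audit flags the subscription-wide Contributor and the standing Owner at the management group and leaves the resource-group-scoped pipeline and the root-level Reader alone. Tighten `narrowest_ok` to `"subscription"` if you first want only the MG and root findings, and write the role dict to a file for `az role definition create`; assign it at the resource group, not the subscription, or you have rebuilt the original problem with extra steps.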
None of these are exotic. They’re all in the docs. But “in the docs” is a long way from “in production” — which is roughly the space I get paid to bridge.
