We just wrapped Day One of our Azure and security virtual roadshow. Four hours, multiple sessions, several hundred IT leaders in the audience. (This is the first of five posts unpacking what we covered, one per session.)
The session I led opened the day, and the through-line I kept coming back to was this: your cloud foundation determines what's possible everywhere else. Every organization I see succeed in Azure has done the unglamorous work of getting the foundation right before they started moving workloads. Every organization I see struggle has either tried to skip it in an effort to show value quickly or did not know there was a process available.
The poll results bore this out. About 60% of the room was somewhere short of having a real landing zone in place.
What people are actually asking about Azure in 2026
Five questions kept coming up across the sessions, regardless of industry. These are the ones I hear in client meetings every week.
AI readiness. Almost every conversation now opens with "what do we need to do with our data and infrastructure to be ready for AI." The answer is that AI agents like Copilot Cowork are only as good as the context they can reach, and that context exists in your data platforms, your sensitivity labels, and your governance posture.
Cost pressure from outside the cloud. Mike Dent, our hybrid data center field CTO, framed this well. We saw it during COVID with supply chain. Then Broadcom changed VMware licensing. Now hardware procurement times are long, quotes are moving 60 to 80 percent month over month in some segments, and "I can't get it" has been combined with "I can't afford it." This is driving cloud conversations to reduce or replace infrastructure.
Cost-effective DR. The lowest-friction entry point into Azure for organizations still running on-prem. Retire aging hardware, gain real recoverability, and pick up cloud skills along the way without committing to a full migration.
VDI re-evaluation. Mike has deployed somewhere in the range of millions of desktops across Horizon, Citrix, and AVD over his career, and his read on the current moment is that the market is back in the "do we really need full VDI" cycle. AVD with Nerdio has gotten good enough for a wide range of use cases, and the conversation is genuinely shifting with products like Intune, hybrid-desktop deployments, and others.
Cost optimization once you're in. Reserved instances, savings plans, spot VMs, rightsizing, drift management. These are the things that are complex but drive lower cloud costs.
All five questions are symptoms of the same underlying one: how do we structure our cloud so that the right things happen by default and the wrong things become hard?
Three ways Azure adoption goes wrong
When organizations come to us after they have already started in Azure and something is not working, the issue almost always falls into one of three buckets.
Missing landing zone. Surprise billing, ad-hoc networking decisions, identity and security choices made one workload at a time. The team made tactical decisions instead of structural ones, and now the gaps are showing up in cost reports, audit findings, or both. Worse, the organization is dependent on the heroics of whoever happened to build it. Put two of our architects in separate rooms with the same brief and you will get two slightly different environments. Both will work, but consistency is important. That is why you must build on a backbone of best practices and put those into policy.
No governance model. The early workloads were built well. Then the environment grew, the team grew, and nobody enforced the patterns that worked at first. Over-permissive environments. Lack of tagging. Cost sprawl because you cannot tell which spend belongs to which application. The fix is to set policy early, and if you did not, as they say, “the second best time to begin it is now.”
No operating model. No one decides what gets deployed, when, by whom, or how it gets reviewed. Software-defined everything lowered the barrier to deploying in the cloud, which is good and bad. You can spin up anything in minutes, but spinning it up fast and spinning it up correctly are different things. The phrase I used on the call was "migration without governance is acceleration without a steering wheel." Operating models are the steering wheel.
The Cloud Adoption Framework and landing zones, in plain English
Microsoft's Cloud Adoption Framework (CAF) is the structural answer to all three failure modes. Strip it down and it has two halves.
The foundation half (Strategy, Plan, Readiness). Why are we doing this? What people, process, and skills do we need? What does the platform need to look like before we start moving workloads? An Azure Landing Zone is the platform answer to that third question: a defined, enforceable baseline for identity, networking, security, monitoring, policy, and compliance. Every workload you deploy after that inherits the baseline.
The run half (Govern, Secure, Manage). Once the landing zone is in place, security gets applied by default. Defender enrolls automatically. Compliance reporting populates without manual intervention. Drift surfaces in your security center as it happens, well before an audit would find it. The work shifts from chasing drift to managing exceptions against a policy you defined intentionally.
Landing zones scale to the use case. A single web application is a matter of minutes. A multi-thousand-VM migration with bare-metal-as-a-service (Azure VMware Solution or Nutanix Cloud Clusters) takes more. Mike pointed out during the session that those bare-metal solutions actually need the landing zone networking even more than VM-based deployments do, because they tie into the Azure backbone differently. AVS uses internal private ExpressRoute circuits. NC2 uses NAT and no-NAT gateway combinations. Get the foundation right early or you will be reworking the network stack later.

The 7R framework for workload decisions
Once the foundation is set, the workload decisions get easier. The CAF uses a 7R framework (we treat it as 8 because Retire deserves to be its own bucket): Retire, Retain on-prem, Rehost (lift and shift), Replatform, Refactor, Re-architect, Replace, Rebuild.
The most under-appreciated step is the first one. In most data-center-to-cloud assessments I run, 30 to 40 percent of the workload inventory gets retired because the application is obsolete, redundant, or no longer used. The cost projections that ignore that retire bucket are the ones that scare CFOs out of moving to the cloud.
For everything else, the pattern I describe to clients that are looking for speed is to "move and improve." Lift and shift to land in Azure, then immediately start the modernization work to move toward platform services and managed offerings over the following months and quarters. The trap is landing in Azure as VMs and then never moving again, because operationally everything still works. The orgs that get the most out of Azure are the ones that take the next step.

Where this leaves you
If you are considering Azure, already partially in Azure, or running an environment that grew faster than its governance did, the right starting question is "what does our foundation look like, and what would need to change for the next decision to be easy?"
Get that part right and AI readiness, cost control, DR posture, VDI strategy, and modernization all become easier.
The next four posts in this series go deeper on the topics the rest of our roadshow covered: application modernization on Azure with Dustin Meany, endpoint and secure workspaces, the security strategy and SOC conversation with Phil Kinsley, and a wrap on unifying the Defender stack with intelligent indication-of-compromise orchestration.
If you want to talk through your foundation, what good looks like for your environment, and where the highest-leverage move is for your next quarter, reach out.