This curriculum reflects the scope typically addressed across a full consulting engagement or multi-phase internal transformation initiative.

Define role-based access control (RBAC) models aligned with enterprise security policies and compliance requirements.
Design governance guardrails using Azure Policy to enforce naming conventions, region constraints, and cost thresholds.
Evaluate trade-offs between centralized IT control and business unit autonomy in subscription architecture.
Map Azure management decisions to existing ITIL processes and change management workflows.
Implement Management Groups hierarchies to scale policy and role assignments across large organizations.
Assess the operational impact of multi-tenant vs. single-tenant Azure AD configurations.
Integrate Azure governance with enterprise architecture review boards and audit cycles.
Establish escalation paths and ownership models for resource lifecycle disputes.

Structure subscriptions to align with cost centers, projects, or regulatory boundaries while minimizing sprawl.
Configure chargeback and showback models using cost allocation tags and Azure Cost Management reports.
Optimize reserved instance and savings plan commitments across fluctuating workloads.
Diagnose cost anomalies using metric alerts and cost trend analysis in multi-environment deployments.
Balance cost efficiency against operational resilience in resource sizing and auto-scaling decisions.
Enforce budget thresholds with automated actions, including service suspension or notification workflows.
Evaluate total cost of ownership (TCO) for lift-and-shift versus refactored cloud-native workloads.
Monitor and govern spending in development, staging, and production environments separately.

Design conditional access policies that enforce MFA and device compliance for administrative roles.
Implement Just-In-Time (JIT) and Just-Enough-Access (JEA) using Azure AD Privileged Identity Management.
Integrate on-premises identities with Azure AD via hybrid identity models (Password Hash Sync, Pass-Through Auth).
Define and audit service principal permissions to prevent over-privileged automation accounts.
Manage break-glass accounts with strict monitoring and rotation protocols.
Assess risks of guest user access in cross-organizational collaboration scenarios.
Enforce identity protection policies based on sign-in risk and user risk levels.
Align identity lifecycle management with HR offboarding processes to prevent orphaned access.

Develop custom Azure Policy definitions to enforce encryption, backup, and network security requirements.
Use initiative definitions to bundle policies for regulatory standards (e.g., HIPAA, ISO 27001).
Monitor compliance posture across subscriptions and generate evidence reports for auditors.
Configure remediation tasks for non-compliant resources with automated deployment pipelines.
Balance enforcement strictness against operational velocity in DevOps environments.
Track drift in infrastructure-as-code (IaC) deployments using policy audit modes.
Integrate policy evaluation with CI/CD gates to prevent non-compliant resource creation.
Manage exceptions and exemptions with documented risk acceptance workflows.

Design Azure Monitor workspaces to aggregate logs across subscriptions while managing ingestion costs.
Configure alert rules with appropriate thresholds, suppression logic, and action groups.
Correlate metrics, logs, and Application Insights data to diagnose cross-service failures.
Establish service health dashboards for executive and technical stakeholders.
Define incident response playbooks integrated with Azure Automation and Logic Apps.
Optimize log retention periods based on compliance needs and storage cost constraints.
Use Network Watcher to diagnose connectivity issues in hybrid and multi-region deployments.
Implement synthetic transactions to proactively validate critical user journeys.

Design runbook architectures in Azure Automation to handle routine maintenance and failover.
Orchestrate cross-resource operations using State Configuration (DSC) and update management.
Integrate automation with ITSM tools (e.g., ServiceNow) for ticketing and audit trails.
Balance automation coverage against script maintainability and testing overhead.
Implement self-healing workflows triggered by health probes and performance thresholds.
Manage credentials and certificates in Automation securely using Azure Key Vault.
Version-control runbooks and test changes in non-production environments before deployment.
Define rollback procedures for failed automation jobs affecting production systems.

Evaluate connectivity models (ExpressRoute, VPN, vWAN) based on bandwidth, latency, and cost.
Design identity and policy consistency across on-premises and Azure environments.
Implement Azure Arc to manage on-premises servers, Kubernetes clusters, and multi-cloud resources.
Assess data sovereignty and residency implications in cross-border hybrid deployments.
Standardize monitoring and logging across heterogeneous infrastructure using Azure Monitor Agents.
Manage patch compliance uniformly across cloud and on-premises workloads.
Architect disaster recovery solutions with Azure Site Recovery across hybrid footprints.
Negotiate SLAs with providers when integrating third-party cloud services with Azure.

Enforce deployment controls using Azure Blueprints and locked resource groups.
Integrate ARM templates, Bicep, or Terraform into gated CI/CD pipelines with peer review.
Define deployment windows and maintenance periods aligned with business operations.
Track configuration changes using Azure Resource Graph queries and export compliance reports.
Implement drift detection and reconciliation strategies for production environments.
Manage secrets and sensitive parameters using Azure Key Vault with strict access policies.
Balance deployment velocity with auditability and rollback capability in regulated industries.
Conduct post-deployment validation using automated smoke tests and health checks.

Configure Azure Defender (now Microsoft Defender for Cloud) for threat detection across workloads.
Interpret secure score recommendations and prioritize remediation based on risk exposure.
Respond to security alerts using automated playbooks and SOAR integrations.
Enforce network segmentation using NSGs, Azure Firewall, and private endpoints.
Validate encryption at rest and in transit for data stores and communication channels.
Conduct regular penetration testing and vulnerability scanning within Azure’s acceptable use policy.
Isolate and investigate compromised resources using network containment and log isolation.
Align security controls with zero trust principles in remote access and micro-segmentation designs.

Assess current cloud maturity using frameworks like Microsoft Cloud Adoption Framework (CAF).
Identify capability gaps in people, processes, and tooling across cloud operations.
Develop roadmap increments that align cloud capabilities with business transformation goals.
Measure operational effectiveness using KPIs such as MTTR, change success rate, and policy compliance.
Evaluate adoption of platform engineering and internal developer platforms on Azure.
Plan for technical debt reduction in legacy cloud deployments and outdated automation.
Facilitate cross-functional workshops to align cloud strategy with business unit objectives.
Anticipate organizational resistance to cloud operating model changes and design mitigation plans.