Azure landing zone Documentation
Home GitHub Issue Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. Azure landing zone Documentation
  2. /
  3. Azure Policy
  4. /
  5. ALZ support for service retirement/deprecation
Edit page

ALZ support for service retirement/deprecation

Azure landing zone is committed to providing our customers with the best possible experience when deploying and managing their Azure landing zones. As part of this commitment, we continuously evaluate our reference implementations and make updates as necessary to ensure they align with the latest Azure best practices and product capabilities.

Azure services and features are regularly updated, and occasionally, certain services or features may be deprecated. When this happens, we assess the impact on our reference implementations and make necessary adjustments to ensure continued support and compatibility. To help surface potential impact to our customers, we provide Azure policies to identify resources that may be impacted by these deprecations.

Prepare for Key Vault API version 2026-02-01: Azure RBAC as default access control

To help identify any Azure Key Vaults that may be impacted by this change, we provide the following Azure Policy definition in our Azure Policy library:

Initiative Enforce-Guardrails-KeyVault includes the policy definition Azure Key Vault should use RBAC permission model.

This policy audits any Key Vaults that are not using the Azure RBAC permission model, which will be impacted by the API retirement. By identifying these resources, customers can take proactive steps to update their Key Vaults to use Azure RBAC before the API retirement date, ensuring continued access and functionality.

Prepare for AKS kubenet deprecation

To help identify any Azure Kubernetes Service instances that may be impacted by this change, we provide the following Azure Policy definition in our Azure Policy library:

Initiative Enforce-Guardrails-Kubernetes includes the custom ALZ policy definition Detect AKS clusters using kubenet network plugin.

This policy audits any AKS clusters that are using the kubenet network plugin, which will be impacted by the deprecation. By identifying these resources, customers can take proactive steps to update their AKS clusters to use the Azure CNI network plugin before the deprecation date, ensuring continued support and functionality.

gdoc_arrow_left_alt ALZ deprecation notices Known issues gdoc_arrow_right_alt