Azure Cloud Adoption Framework Explained: 3 Layers That Actually Matter

A colleague reached out last week.

"Someone sent me this skills assessment. Says it's from the Cloud Adoption Framework. Can you take a look?"

I opened the spreadsheet.

68 skills to assess their Azure team:
- HTML
- C++ / .NET / Java
- Intent-Based Networking
- Edge Computing
- Container-Native Storage
- Node.js

I looked at the list for a minute, then replied:

"This isn't CAF. This isn't even Azure."

The Problem

Microsoft publishes the Cloud Adoption Framework for Azure. It's comprehensive. It's detailed. It's 1,500 pages long.

Leadership hears "Use the Cloud Adoption Framework" and thinks they need a skills assessment.

So they Google "cloud skills matrix."

They find a consultant template. Or a Gartner report. Or some generic "IT transformation" spreadsheet.

They download 68 skills including HTML, C++, and "Intent-Based Networking."

They send it to their Azure team for assessment.

And now nobody knows what's actually required to run Azure.

What's Missing From That Spreadsheet

That 68-skill assessment didn't mention:
- Management Groups - The foundation of Azure hierarchy
- Azure Policy - How governance actually works
- Landing Zones - The core CAF concept
- RBAC - Azure's security model
- Resource Graph / KQL - How you query Azure at scale
- Private Endpoints - Enterprise networking reality
- Tags - How you track cost and ownership

These aren't optional Azure skills. These are the actual framework.

What CAF Actually Is

My dad always told me: "If you can't explain it simply, you don't understand it."

Microsoft's CAF is 1,500 pages because they're covering every enterprise scenario. But at its core, CAF is 3 layers:

Layer 1: Structure (How Azure Is Organized)

• Management Groups - Hierarchy for policies and RBAC
• Subscriptions - Billing and access boundaries
• Resource Groups - Logical containers for resources
• Naming Conventions - Consistent identification

Without structure, Azure becomes chaos. Everything else builds on this foundation.

Layer 2: Governance (What's Allowed and Who Can Do It)

• Azure Policy - Enforce rules automatically (not asking nicely)
• RBAC - Control who can do what (not making everyone Owner)
• Tags - Track ownership, cost centers, environments

Without governance, you're manually trying to enforce rules. With governance, the platform enforces them for you.

Layer 3: Operations (Keeping It Running)

• Monitoring & Alerts - Know when things break
• Backup & Recovery - Protect against disasters
• Cost Management - Understand where money goes
• Security Center - Detect and respond to threats

Without operations, you're reactive. With operations, you're proactive.

That's CAF.

Everything else in those 1,500 pages is:
- Examples of the above three layers
- Methodology and planning frameworks
- Workload-specific guidance (AKS, SQL, etc.)
- Consultant engagement processes

What CAF Operations Actually Look Like

When I write down what CAF means in practice, it's not 68 buzzwords.

It's 58 specific Azure governance operations:

Management & Governance:
- Create, modify, delete Management Groups
- Create, modify, delete Subscriptions
- Create Azure Policy for security and compliance
- Assign Azure Policy to enforce requirements
- Create RBAC Role Definitions
- Assign RBAC Role Assignments

Networking:
- Create ExpressRoute Circuits
- Create Virtual Network Gateways (S2S/P2S VPN)
- Create Virtual Networks, Subnets, Route Tables
- Configure Network Security Groups
- Deploy Private Link Endpoints
- Configure Service Endpoints

Security:
- Administer Azure AD Privileged Identity Management
- Create Conditional Access Policies
- Manage Security Center Alerts
- Configure Key Vault secrets, keys, certificates
- Monitor compliance requirements

Infrastructure:
- Create Virtual Machines, Availability Sets, VMSS
- Configure Load Balancers
- Manage Public IP Addresses
- Create Log Analytics Workspaces
- Configure Azure SQL Servers
- Manage Storage Accounts
- Implement Backup and Recovery

...and 30+ more operations across identity, data, monitoring, and compliance.

This is what CAF governance actually means.

Not "Do you know HTML?"

Need to assign these 58 operations to actual people? I've created a CAF-aligned Roles & Responsibilities Matrix that maps every operation to roles like Azure Admin, Security Engineer, and Platform Engineer. It's the practical RACI matrix Microsoft never published. Available as downloadable Excel and PDF templates.

Why This Keeps Happening

Leadership gets directive: "Use the Cloud Adoption Framework"

They think: "I need to assess my team's skills"

They Google: "cloud skills assessment template"

They find: Generic IT transformation consultant spreadsheet

They send it out

The team looks at "Intent-Based Networking" and "Edge Computing" and thinks: "What does this have to do with creating Management Groups?"

The disconnect:
- CAF is Azure-specific governance and operations
- Generic templates are vendor marketing buzzwords
- One teaches you Landing Zones and Azure Policy
- The other asks if you know C++

Leadership can't tell the difference because CAF is 1,500 pages of Microsoft enterprise jargon.

What Your Team Actually Needs

Not a 68-skill buzzword assessment.

Three questions:

1. Can your team structure Azure correctly?

• Management Groups for hierarchy
• Subscriptions as boundaries
• Resource Groups for organization
• Naming conventions that scale

If no: 3-6 months to learn while doing real work

2. Can your team implement governance?

• Azure Policy to enforce rules automatically
• RBAC without making everyone Owner
• Tags for cost tracking and ownership

If no: 3-6 months to learn while implementing

3. Can your team handle enterprise operations?

• Private Endpoints and hybrid networking
• Resource Graph queries at scale
• Monitoring and alerting
• Backup and disaster recovery

If no: 6-12 months to learn through real projects

These aren't skills you assess on a spreadsheet.

These are capabilities you build by doing the work.

What CAF Doesn't Tell You

CAF is a strategy framework for enterprises.

It assumes:
- Unlimited budget
- Dedicated teams for each function
- 18-month planning cycles
- Leadership understanding cloud concepts

Real Azure work looks different:
- Small teams doing everything
- Production is on fire right now
- You're migrating subscriptions while keeping things running
- Leadership thinks CAF is an org chart template

CAF won't change your team size or timeline.

What changes the timeline:
- Months of hands-on work
- Breaking things in test environments
- Opening Microsoft tickets when stuck (the 3-hour rule: if you can't solve it in 3 hours, escalate)
- Learning Resource Graph by writing queries
- Implementing Landing Zones on real infrastructure

You don't learn Management Groups from a skills assessment.

You learn them by creating them, breaking them, and fixing them.

The Simple Truth

CAF isn't wrong. It's just written for the wrong audience.

Microsoft writes for enterprise architects planning 2-year transformations.

Consultants write to sell implementation services.

Leadership wants a checklist to assess their team.

What's missing:

Page 1 should say:

"CAF is 3 layers: Structure, Governance, Operations.

Structure = Management Groups, Subscriptions, Resource Groups, Names

Governance = Policy, RBAC, Tags

Operations = Monitor, Backup, Cost, Security

Everything else is examples and methodology.

You need people who can:
- Create Management Groups
- Write Azure Policy
- Configure RBAC correctly
- Query Resource Graph
- Handle Private Endpoints

If your team can't do these, they need 6-12 months of hands-on work.

No skills assessment changes that timeline."

But that's not on page 1.

It's somewhere in the middle of 1,500 pages.

What To Do Instead

If someone sends you a "CAF skills assessment" that asks about HTML, Edge Computing, or Intent-Based Networking:

Ignore it.

Instead, answer these questions:

1. Can we create and manage Management Groups? Yes / No / Learning
2. Can we write Azure Policy that enforces compliance? Yes / No / Learning
3. Can we implement RBAC without security holes? Yes / No / Learning
4. Can we configure Private Endpoints for enterprise networking? Yes / No / Learning
5. Can we query Resource Graph at scale? Yes / No / Learning
6. Can we implement Landing Zones correctly? Yes / No / Learning

Those six questions tell you everything about CAF readiness.

The other 62 skills on that spreadsheet? Consultant fluff.

Next step: Once you've answered these questions, use my CAF Roles & Responsibilities Matrix to assign specific owners to each operation. It's the spreadsheet you can't find anywhere else - a practical RACI for all 58 CAF operations.

The Bottom Line

You can't Google your way to an Azure team.

But leadership will keep trying.

They'll download "cloud skills matrices" that ask about Node.js and Edge Computing.

They'll think organization charts and frameworks create skills.

They'll believe CAF is a 68-point assessment instead of 3 foundational layers.

Your job:

Simplify it.

"CAF is Structure, Governance, and Operations.

We can do some of it. We're learning the rest.

It takes 6-12 months of real work to build these capabilities.

No spreadsheet changes that."

If you can't explain it simply, you don't understand it.

CAF is simple.

Microsoft just forgot to say so on page 1.

---

Further Reading

Official Microsoft CAF: https://aka.ms/caf (if you want the full 1,500 pages)

What you actually need:
- IT Roles & Responsibilities Matrix - Map the 58 CAF operations to your team with downloadable Excel/PDF templates. This is the practical RACI matrix Microsoft never published.
- Management Groups: How to structure Azure hierarchy
- Azure Policy: How to enforce governance automatically
- Landing Zones: The actual implementation of CAF structure
- Resource Graph: How to query Azure at scale

Start there. Everything else is commentary.

---

Want more real-world Azure operations content? Subscribe below for practical Azure guidance without the consultant fluff.