diff --git a/.azure-devops/nightlybuild/mlz-bicep-azurecloud-pipelines.yml b/.azure-devops/nightlybuild/mlz-bicep-azurecloud-pipelines.yml
index 9ec8247d9..7099b6a0b 100644
--- a/.azure-devops/nightlybuild/mlz-bicep-azurecloud-pipelines.yml
+++ b/.azure-devops/nightlybuild/mlz-bicep-azurecloud-pipelines.yml
@@ -29,15 +29,77 @@ jobs:
           --name $(bDeploymentName) \
           --location $(Location) \
           --template-file $(TemplateFile)
+
+  - task: AzureCLI@2
+    displayName: "Extract Values and Hydrate Variables for T3 Deployment"
+    inputs:
+      azureSubscription: $(ServiceConnectionName)
+      scriptType: 'bash'
+      scriptLocation: 'inlineScript'
+      inlineScript: |
+        deploymentoutput=$(az deployment sub show \
+          --name $(bDeploymentName) \
+          --query '{
+              hubSubId: properties.outputs.hub.value.subscriptionId,
+              hubRGroupName: properties.outputs.hub.value.resourceGroupName,
+              hubVNetworkName: properties.outputs.hub.value.virtualNetworkName,
+              hubVNetworkResourceId: properties.outputs.hub.value.virtualNetworkResourceId,
+              logAWspaceResourceId: properties.outputs.logAnalyticsWorkspaceResourceId.value,
+              firewallPrivateIP: properties.outputs.firewallPrivateIPAddress.value
+            }' \
+          --output json)
+
+        hubSubId=$(echo $deploymentoutput | jq  '.hubSubId') \
+          && echo "##vso[task.setvariable variable=hubSubscriptionId;]$hubSubId"
+
+        hubRGroupName=$(echo $deploymentoutput | jq  '.hubRGroupName') \
+          && echo "##vso[task.setvariable variable=hubResourceGroupName;]$hubRGroupName"
+
+        hubVNetworkName=$(echo $deploymentoutput | jq  '.hubVNetworkName') \
+          && echo "##vso[task.setvariable variable=hubVirtualNetworkName;]$hubVNetworkName"
+
+        hubVNetworkResourceId=$(echo $deploymentoutput | jq  '.hubVNetworkResourceId') \
+          && echo "##vso[task.setvariable variable=hubVirtualNetworkResourceId;]$hubVNetworkResourceId"
+
+        logAWspaceResourceId=$(echo $deploymentoutput | jq  '.logAWspaceResourceId') \
+          && echo "##vso[task.setvariable variable=logAnalyticsWorkspaceResourceId;]$logAWspaceResourceId"
+
+        firewallPrivateIP=$(echo $deploymentoutput | jq  '.firewallPrivateIP') \
+          && echo "##vso[task.setvariable variable=firewallPrivateIPAddress;]$firewallPrivateIP"
+
+  - task: AzureCLI@2
+    displayName: "T3 Bicep Deployment"
+    inputs:
+      azureSubscription: $(ServiceConnectionName)
+      scriptType: 'bash'
+      scriptLocation: 'inlineScript'
+      inlineScript: |
+        az deployment sub create \
+           --subscription $(workloadSubId) \
+           --location $(Location) \
+           --name $(workloadName) \
+           --template-file $(T3TemplateFile) \
+           --parameters \
+              workloadName=$(workloadName) \
+              hubSubscriptionId=$(hubSubscriptionId) \
+              hubResourceGroupName=$(hubResourceGroupName) \
+              hubVirtualNetworkName=$(hubVirtualNetworkName) \
+              hubVirtualNetworkResourceId=$(hubVirtualNetworkResourceId) \
+              logAnalyticsWorkspaceResourceId=$(logAnalyticsWorkspaceResourceId) \
+              firewallPrivateIPAddress=$(firewallPrivateIPAddress)
+
   - task: AzureCLI@2
     displayName: "Clean up Subscription Diagnostics Settings"
+    condition: always()
     inputs:
       azureSubscription: $(ServiceConnectionName)
       scriptType: 'bash'
       scriptLocation: 'inlineScript'
       inlineScript: 'az monitor diagnostic-settings subscription list --query "value[? contains(@.name, ''$1'')].name" -o table  |grep ''mlz''| awk ''{system(" az monitor diagnostic-settings  delete  --resource  ''"/subscriptions/$(subId)"'' --name "$1)}'''
+
   - task: AzureCLI@2
     displayName: "Clean up Resources"
+    condition: always()
     inputs:
       azureSubscription: $(ServiceConnectionName)
       scriptType: 'bash'
diff --git a/.azure-devops/nightlybuild/mlz-bicep-azuregov-pipelines.yml b/.azure-devops/nightlybuild/mlz-bicep-azuregov-pipelines.yml
index 9256750cd..8331053db 100644
--- a/.azure-devops/nightlybuild/mlz-bicep-azuregov-pipelines.yml
+++ b/.azure-devops/nightlybuild/mlz-bicep-azuregov-pipelines.yml
@@ -29,15 +29,76 @@ jobs:
           --name $(bDeploymentName) \
           --location $(GLocation) \
           --template-file $(TemplateFile)
+
+  - task: AzureCLI@2
+    displayName: "Extract Values and Hydrate Variables for T3 Deployment"
+    inputs:
+      azureSubscription: $(GServiceConnectionName)
+      scriptType: 'bash'
+      scriptLocation: 'inlineScript'
+      inlineScript: |
+        deploymentoutput=$(az deployment sub show \
+          --name $(bDeploymentName) \
+          --query '{
+            hubSubId:properties.outputs.hub.value.subscriptionId,
+            hubRGroupName:properties.outputs.hub.value.resourceGroupName,
+            hubVNetworkName:properties.outputs.hub.value.virtualNetworkName,
+            hubVNetworkResourceId:properties.outputs.hub.value.virtualNetworkResourceId,
+            logAWspaceResourceId:properties.outputs.logAnalyticsWorkspaceResourceId.value,
+            firewallPrivateIP:properties.outputs.firewallPrivateIPAddress.value }' \
+          --output json)
+
+        hubSubId=$(echo $deploymentoutput | jq  '.hubSubId') \
+          && echo "##vso[task.setvariable variable=hubSubscriptionId;]$hubSubId"
+
+        hubRGroupName=$(echo $deploymentoutput | jq  '.hubRGroupName') \
+          && echo "##vso[task.setvariable variable=hubResourceGroupName;]$hubRGroupName"
+
+        hubVNetworkName=$(echo $deploymentoutput | jq  '.hubVNetworkName') \
+          && echo "##vso[task.setvariable variable=hubVirtualNetworkName;]$hubVNetworkName"
+
+        hubVNetworkResourceId=$(echo $deploymentoutput | jq  '.hubVNetworkResourceId') \
+          && echo "##vso[task.setvariable variable=hubVirtualNetworkResourceId;]$hubVNetworkResourceId"
+
+        logAWspaceResourceId=$(echo $deploymentoutput | jq  '.logAWspaceResourceId') \
+          && echo "##vso[task.setvariable variable=logAnalyticsWorkspaceResourceId;]$logAWspaceResourceId"
+
+        firewallPrivateIP=$(echo $deploymentoutput | jq  '.firewallPrivateIP') \
+          && echo "##vso[task.setvariable variable=firewallPrivateIPAddress;]$firewallPrivateIP"
+
+  - task: AzureCLI@2
+    displayName: "T3 Bicep Deployment"
+    inputs:
+      azureSubscription: $(GServiceConnectionName)
+      scriptType: 'bash'
+      scriptLocation: 'inlineScript'
+      inlineScript: |
+        az deployment sub create \
+           --subscription $(GSubId) \
+           --location $(GLocation) \
+           --name $(workloadName) \
+           --template-file $(T3TemplateFile) \
+           --parameters \
+              workloadName=$(workloadName) \
+              hubSubscriptionId=$(hubSubscriptionId) \
+              hubResourceGroupName=$(hubResourceGroupName) \
+              hubVirtualNetworkName=$(hubVirtualNetworkName) \
+              hubVirtualNetworkResourceId=$(hubVirtualNetworkResourceId) \
+              logAnalyticsWorkspaceResourceId=$(logAnalyticsWorkspaceResourceId) \
+              firewallPrivateIPAddress=$(firewallPrivateIPAddress)
+   
   - task: AzureCLI@2
     displayName: "Clean up Subscription Diagnostics Settings"
+    condition: always()
     inputs:
       azureSubscription: $(GServiceConnectionName)
       scriptType: 'bash'
       scriptLocation: 'inlineScript'
       inlineScript: 'az monitor diagnostic-settings subscription list --query "value[? contains(@.name, ''$1'')].name" -o table  |grep ''mlz''| awk ''{system(" az monitor diagnostic-settings  delete  --resource  ''"/subscriptions/$(GSubId)"'' --name "$1)}'''
+
   - task: AzureCLI@2
     displayName: "Clean up Resources"
+    condition: always()
     inputs:
       azureSubscription: $(GServiceConnectionName)
       scriptType: 'bash'
diff --git a/.azure-devops/nightlybuild/mlz-tf-azurecloud-pipelines.yml b/.azure-devops/nightlybuild/mlz-tf-azurecloud-pipelines.yml
index 7f7d804cb..dfa172264 100644
--- a/.azure-devops/nightlybuild/mlz-tf-azurecloud-pipelines.yml
+++ b/.azure-devops/nightlybuild/mlz-tf-azurecloud-pipelines.yml
@@ -21,9 +21,9 @@ jobs:
   - task: TerraformInstaller@0
     inputs:
         terraformVersion: '1.0.8'
+
   - task: AzureCLI@2
     displayName: "Apply MLZ Terraform"
-    continueOnError: true
     inputs:
       azureSubscription: $(CAzureConnection)
       scriptType: 'bash'
@@ -39,8 +39,81 @@ jobs:
         terraform apply -var "hub_subid=$(subid)" -auto-approve -input=false
       workingDirectory: '$(System.DefaultWorkingDirectory)/src/terraform/mlz'
       useGlobalConfig: true
+
+  - task: AzureCLI@2
+    displayName: "Extract Values and Hydrate Variables for T3 Deployment"
+    inputs:
+      azureSubscription: $(CAzureConnection)
+      scriptType: 'bash'
+      scriptLocation: 'inlineScript'
+      addSpnToEnvironment: true
+      inlineScript: |
+        echo "##vso[task.setvariable variable=hubSubscriptionId;]$(terraform output -raw hub_subid)"
+        echo "##vso[task.setvariable variable=hubVirtualNetworkName;]$(terraform output -raw hub_vnetname)"
+        echo "##vso[task.setvariable variable=hubResourceGroupName;]$(terraform output -raw hub_rgname)"
+        echo "##vso[task.setvariable variable=firewallPrivateIPAddress;]$(terraform output -raw firewall_private_ip)"
+        echo "##vso[task.setvariable variable=lawsName;]$(terraform output -raw laws_name)"
+        echo "##vso[task.setvariable variable=lawsRgName;]$(terraform output -raw laws_rgname)"
+        echo "##vso[task.setvariable variable=tier1SubId;]$(terraform output -raw tier1_subid)"
+        echo "##vso[task.setvariable variable=tier3SubId;]$(terraform output -raw tier1_subid)"
+      workingDirectory: '$(System.DefaultWorkingDirectory)/src/terraform/mlz'
+      useGlobalConfig: true
+
+  - task: AzureCLI@2
+    displayName: "Apply T3 Workload Terraform"
+    inputs:
+      azureSubscription: $(CAzureConnection)
+      scriptType: 'bash'
+      scriptLocation: 'inlineScript'
+      addSpnToEnvironment: true
+      inlineScript: |
+        export ARM_CLIENT_ID=$(ClientId)
+        export ARM_CLIENT_SECRET=$(ClientSecret)
+        export ARM_SUBSCRIPTION_ID=$(subId)
+        export ARM_TENANT_ID=$(tenantId)
+        terraform init
+        terraform apply -var "hub_subid=$(hubSubscriptionId)" \
+          -var "hub_rgname=$(hubResourceGroupName)" \
+          -var "firewall_private_ip=$(firewallPrivateIPAddress)" \
+          -var "hub_vnetname=$(hubVirtualNetworkName)" \
+          -var "laws_name=$(lawsName)" -var "laws_rgname=$(lawsRgName)" \
+          -var "tier1_subid=$(tier1SubId)" \
+          -var "tier3_subid=$(tier3SubId)" \
+          -auto-approve \
+          -input=false
+      workingDirectory: '$(System.DefaultWorkingDirectory)/src/terraform/tier3'
+      useGlobalConfig: true
+
+  - task: AzureCLI@2
+    displayName: "Destroy T3 Workload Terraform"
+    condition: always()
+    inputs:
+      azureSubscription: $(CAzureConnection)
+      scriptType: 'bash'
+      scriptLocation: 'inlineScript'
+      addSpnToEnvironment: true
+      inlineScript: |
+        export ARM_CLIENT_ID=$(ClientId)
+        export ARM_CLIENT_SECRET=$(ClientSecret)
+        export ARM_SUBSCRIPTION_ID=$(subId)
+        export ARM_TENANT_ID=$(tenantId)
+        terraform init
+        terraform destroy -var "hub_subid=$(hubSubscriptionId)" \
+          -var "hub_rgname=$(hubResourceGroupName)" \
+          -var "firewall_private_ip=$(firewallPrivateIPAddress)" \
+          -var "hub_vnetname=$(hubVirtualNetworkName)" \
+          -var "laws_name=$(lawsName)" \
+          -var "laws_rgname=$(lawsRgName)" \
+          -var "tier1_subid=$(tier1SubId)" \
+          -var "tier3_subid=$(tier3SubId)" \
+          -auto-approve \
+          -input=false
+      workingDirectory: '$(System.DefaultWorkingDirectory)/src/terraform/tier3'
+      useGlobalConfig: true
+
   - task: AzureCLI@2
     displayName: "Destroy MLZ Terraform"
+    condition: always()
     inputs:
       azureSubscription: $(CAzureConnection)
       scriptType: 'bash'
@@ -55,3 +128,4 @@ jobs:
         terraform destroy -var "hub_subid=$(subid)" -auto-approve -input=false
       workingDirectory: '$(System.DefaultWorkingDirectory)/src/terraform/mlz'
       useGlobalConfig: true
+  
\ No newline at end of file
diff --git a/.azure-devops/nightlybuild/mlz-tf-azuregov-pipelines.yml b/.azure-devops/nightlybuild/mlz-tf-azuregov-pipelines.yml
index 6b3fc8aaf..427e7e8e8 100644
--- a/.azure-devops/nightlybuild/mlz-tf-azuregov-pipelines.yml
+++ b/.azure-devops/nightlybuild/mlz-tf-azuregov-pipelines.yml
@@ -2,12 +2,13 @@
 # Licensed under the MIT License.
 
 schedules:
-  - cron: '55 1 * * *'
+  - cron: "0 2 * * *"
     displayName: "Nightly - mlz Terraform azure US Gov cloud"
     branches:
       include:
         - main
-    always: 'true'
+    always: true
+
 pool:
   vmImage: ubuntu-latest
 
@@ -20,9 +21,9 @@ jobs:
   - task: TerraformInstaller@0
     inputs:
       terraformVersion: '1.0.8'
+
   - task: AzureCLI@2
     displayName: "Apply MLZ Terraform"
-    continueOnError: true
     inputs:
       azureSubscription: $(GAzureConnection)
       scriptType: 'bash'
@@ -35,12 +36,104 @@ jobs:
         export ARM_TENANT_ID=$(GTenantId)
         export ARM_ENVIRONMENT=$(CloudEnv)
         terraform init
-        terraform plan -var "hub_subid=$(GSubid)" -var metadata_host=$(MetadataHost) -var environment=$(CloudEnv) -var location=$(GLocation) -input=false
-        terraform apply -var "hub_subid=$(GSubid)" -var metadata_host=$(MetadataHost) -var environment=$(CloudEnv) -var location=$(GLocation) -auto-approve -input=false
+        terraform plan \
+          -var "hub_subid=$(GSubid)" \
+          -var metadata_host=$(MetadataHost) \
+          -var environment=$(CloudEnv) \
+          -var location=$(GLocation) \
+          -input=false
+        terraform apply -var "hub_subid=$(GSubid)" \
+          -var metadata_host=$(MetadataHost) \
+          -var environment=$(CloudEnv) \
+          -var location=$(GLocation) \
+          -auto-approve \
+          -input=false
+      workingDirectory: '$(System.DefaultWorkingDirectory)/src/terraform/mlz'
+      useGlobalConfig: true
+
+  - task: AzureCLI@2
+    displayName: "Extract Values and Hydrate Variables for T3 Deployment"
+    inputs:
+      azureSubscription: $(GAzureConnection)
+      scriptType: 'bash'
+      scriptLocation: 'inlineScript'
+      addSpnToEnvironment: true
+      inlineScript: |
+        echo "##vso[task.setvariable variable=hubSubscriptionId;]$(terraform output -raw hub_subid)"
+        echo "##vso[task.setvariable variable=hubVirtualNetworkName;]$(terraform output -raw hub_vnetname)"
+        echo "##vso[task.setvariable variable=hubResourceGroupName;]$(terraform output -raw hub_rgname)"
+        echo "##vso[task.setvariable variable=firewallPrivateIPAddress;]$(terraform output -raw firewall_private_ip)"
+        echo "##vso[task.setvariable variable=lawsName;]$(terraform output -raw laws_name)"
+        echo "##vso[task.setvariable variable=lawsRgName;]$(terraform output -raw laws_rgname)"
+        echo "##vso[task.setvariable variable=tier1SubId;]$(terraform output -raw tier1_subid)"
+        echo "##vso[task.setvariable variable=tier3SubId;]$(terraform output -raw tier1_subid)"
       workingDirectory: '$(System.DefaultWorkingDirectory)/src/terraform/mlz'
       useGlobalConfig: true
+
+  - task: AzureCLI@2
+    displayName: "Apply T3 Workload Terraform"
+    inputs:
+      azureSubscription: $(GAzureConnection)
+      scriptType: 'bash'
+      scriptLocation: 'inlineScript'
+      addSpnToEnvironment: true
+      inlineScript: |
+        export ARM_CLIENT_ID=$(GClientId)
+        export ARM_CLIENT_SECRET=$(GClientSecret)
+        export ARM_SUBSCRIPTION_ID=$(GSubId)
+        export ARM_TENANT_ID=$(GTenantId)
+        export ARM_ENVIRONMENT=$(CloudEnv)
+        terraform init
+        terraform apply -var "hub_subid=$(hubSubscriptionId)" \
+          -var metadata_host=$(MetadataHost) \
+          -var environment=$(CloudEnv) \
+          -var location=$(GLocation) \
+          -var "hub_rgname=$(hubResourceGroupName)" \
+          -var "firewall_private_ip=$(firewallPrivateIPAddress)" \
+          -var "hub_vnetname=$(hubVirtualNetworkName)" \
+          -var "laws_name=$(lawsName)" \
+          -var "laws_rgname=$(lawsRgName)" \
+          -var "tier1_subid=$(tier1SubId)" \
+          -var "tier3_subid=$(tier3SubId)" \
+          -auto-approve \
+          -input=false
+      workingDirectory: '$(System.DefaultWorkingDirectory)/src/terraform/tier3'
+      useGlobalConfig: true
+
+  - task: AzureCLI@2
+    displayName: "Destroy T3 Workload Terraform"
+    condition: always()
+    inputs:
+      azureSubscription: $(GAzureConnection)
+      scriptType: 'bash'
+      scriptLocation: 'inlineScript'
+      addSpnToEnvironment: true
+      inlineScript: |
+        export ARM_CLIENT_ID=$(GClientId)
+        export ARM_CLIENT_SECRET=$(GClientSecret)
+        export ARM_SUBSCRIPTION_ID=$(GSubId)
+        export ARM_TENANT_ID=$(GTenantId)
+        export ARM_ENVIRONMENT=$(CloudEnv)
+        terraform init
+        terraform destroy -var "hub_subid=$(hubSubscriptionId)" \
+          -var metadata_host=$(MetadataHost) \
+          -var environment=$(CloudEnv) \
+          -var location=$(GLocation) \
+          -var "hub_rgname=$(hubResourceGroupName)" \
+          -var "firewall_private_ip=$(firewallPrivateIPAddress)" \
+          -var "hub_vnetname=$(hubVirtualNetworkName)" \
+          -var "laws_name=$(lawsName)" \
+          -var "laws_rgname=$(lawsRgName)" \
+          -var "tier1_subid=$(tier1SubId)" \
+          -var "tier3_subid=$(tier3SubId)" \
+          -auto-approve \
+          -input=false
+      workingDirectory: '$(System.DefaultWorkingDirectory)/src/terraform/tier3'
+      useGlobalConfig: true
+
   - task: AzureCLI@2
     displayName: "Destroy MLZ Terraform"
+    condition: always()
     inputs:
       azureSubscription: $(GAzureConnection)
       scriptType: 'bash'
@@ -53,6 +146,11 @@ jobs:
         export ARM_TENANT_ID=$(GTenantId)
         export ARM_ENVIRONMENT=$(CloudEnv)
         terraform init
-        terraform destroy -var "hub_subid=$(GSubid)" -var metadata_host=$(MetadataHost) -var environment=$(CloudEnv) -var location=$(GLocation) -auto-approve -input=false
+        terraform destroy -var "hub_subid=$(GSubid)" \
+          -var metadata_host=$(MetadataHost) \
+          -var environment=$(CloudEnv) \
+          -var location=$(GLocation) \
+          -auto-approve \
+          -input=false
       workingDirectory: '$(System.DefaultWorkingDirectory)/src/terraform/mlz'
       useGlobalConfig: true