When to Use Microsoft Azure Services

white cloudy blue sky

It’s important for organizations to identify where in their journey to the Cloud they might take advantage of Azure IaaS and PaaS services, as well as when they will take advantage of Azure AD beyond just to authenticate and secure Microsoft 365.  When such initiatives are undertaken, key decisions are required to be taken in order to move forward. The following are some key use cases that might help you decide when to look at Microsoft Azure Services as the right solution for moving a particular application or system to the Cloud.

Use Cases for Microsoft Azure Services

  1. When an organization chooses to exit their data center, either to move to a more mature cloud hosting arrangement or to save costs on infrastructure and maintenance, they will often consider Azure IaaS services for hosting enterprise applications.  A data center exit is a significant project, typically taking multiple years for similarly sized organizations  Selecting the right cloud provider for those IaaS services is a critical decision, and Microsoft Azure provides a  number of robust, globally available, highly resilient options that support key enterprise workloads and regulatory compliance and security requirements.
  2. When an organization wishes to rebuild a legacy, internal application using modern cloud tools, they will consider rebuilding the application utilizing Azure PaaS services.  These provide application developers and Dev Ops teams a wide range of ready-to-use cloud services that eliminate the need to setup infrastructure such as compute, storage, network and security.

  • Compute
  • Databases
  • Development
  • Analytics
  • AI + Machine Learning
  • Identity + Security (this often includes Azure AD and the identity/security services included, so there is sometimes overlap in the Azure categories of services)
  • Management + governance
  • Media + Communication
  • Migration
  • Networking
  • Storage

  1. When an organization wishes to automate an enterprise-class business process, they will often consider highly resilient Microsoft Azure PaaS options such as Azure Logic Apps, Azure Automation, Azure Web Jobs.  These PaaS services provide developers with robust tools for automating and managing the business process from an enterprise class development standpoint, without the need to setup, configure and maintain base infrastructure such as services, drives, networking, firewalls and security tools.
  2. When an organization chooses to upgrade a major on-premises enterprise application, they may take the opportunity to re-host that application in Azure IaaS in order to improve operational efficiencies of managing those applications or reduce hardware and maintenance costs.  This can include applications like HR systems, critical business applications, databases, SAP, Workday, FileNet, etc.
  3. In addition to utilizing Azure AD as the identity platform for Microsoft 365, organizations will often leverage it to also provide federated identity management and authentication services to other non-Microsoft enterprise applications, such as HR systems, third party enterprise business applications, SAP, Workday, etc.  This extends the same benefits of MFA, identity management, single sign on, one identity, and conditional access to those other non-Microsoft applications as well. 

If required, Azure AD can hand off the authentication process to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS), to validate the user’s password.  The authentication system can provide other advanced hybrid identity and authentication requirements, for example, third-party multifactor authentication.  All of these are options to consider, and there are key decisions required should the organization choose to leverage this as a go-forward solution.  For example, the following Microsoft decision tree may be utilized:

More information is available on this method at the following links: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn.

General Recommendations For Microsoft Azure

Here are a few general recommendations for once your organization is ready to leverage Azure services in the Microsoft 365 Cloud, either in conjunction with Microsoft 365, or when directly using Azure for other workloads.

  • I usually recommend that organizations generally consider utilizing Azure IaaS and PaaS services once they have established a moderately mature deployment and usage of Microsoft 365.  There are exceptions of course, but generally public and private sector organization consider Azure services once they have a firmly established and deployed instance of Microsoft 365.
  • When considering utilizing Azure IaaS or PaaS services, carefully consider the upfront and ongoing costs of each service.  Each Azure IaaS and PaaS service is priced differently, and each has its own calculator.  When calculating the costs of each service in isolation, the costs can seem very low to start.  However, once multiple IaaS and PaaS services are combined to fulfill a particular use case or host a particular application, they can quickly increase and multiply over time, especially as usage of that workload ramps up. 
  • Monitoring costs on an ongoing basis of Azure IaaS and PaaS services is a critical component of starting to leverage Azure services.  The initial cost of moving, standing up or developing a new workload in Azure can be estimated at an approximately relatively well-estimated cost.  However, ongoing usage costs can be challenging to predict and manage.  As usage of the business workloads in Azure increases, the costs will increase because most Azure services are billed on a consumption basis – for example, usage of an SAP environment hosted in Azure can initially be estimated at X, but as the usage internally increases to 10X, the costs of the Azure components will also quickly increase to 10X or more.  Therefore, as the organization moves into leveraging Azure services, it is highly recommended that a mechanism be established to monitor usage and costs be established which leverages the Azure Cost Management APIs and Power BI.  These are often custom-built solutions and Power BI dashboards that require a separate data store.  For more information, refer to this Microsoft article: https://learn.microsoft.com/en-us/power-bi/connect-data/desktop-connect-azure-cost-management.
  • From experience, I’ve seen that once the usage of Azure services begins, the number of services in use across an organization’s business units very quickly increases.  Organizations can very quickly establish 100s or 1000s of VMs, storage containers, firewalls, PaaS services, databases, etc.  This is due the fact that suddenly employees (typically only administrators or Dev Ops teams) have access to a rich set of cloud infrastructure which becomes easily available and is easy to stand up or access.  However, this can very easily create governance and security challenges as the Azure services are often used to host applications, host business important or critical data, share information across or outside the organization.  As a result, I also recommend that establishing an initial governance process for Azure services which incorporates at least the following components:
    • Clear owners with well-defined responsibilities for the organization’s Azure subscriptions and services
    • A governance committee which meets on a regular basis to review the organization’s usage of Azure, review the associated costs of deployment and usage, and makes decisions and recommendations that impact how Azure services are utilized across the organization
    • Usage of key services like Azure Landing Zones, Azure Policy, Azure Governance.  These services allow a hierarchy to be established of the Azure services in use across the organization, and they allow technical administrators and owners to configure security and governance policies at the Azure subscription or workload level (ie. a high level), which are then automatically enforced on all Azure services utilized at a granular level.  For example, they allow you to configure at a top level that all Azure services (networking, VMs, storage, PaaS services) must use TLS 1.2 as a minimum for communication between services.
  • Once a moderate level of maturity in the roll out of Microsoft 365 is achieved, leverage the Microsoft Cloud Adoption Framework for Azure to plan a well-defined and well-governed strategy for utilizing Microsoft Azure to continue the organizations move into the Microsoft Cloud.  More information on this framework may be found here: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/.

Again, I hope this is helpful to people who are established in Microsoft 365 (at least to some degree) and are thinking about potentially using Microsoft Azure Services to move an application or system to the Cloud.

-Antonio