Microsoft Azure and its Relationship to Microsoft 365

white and red piled sticks

This is a blog article that I’ve had in draft for a long time, but customers keep asking this question: How does Microsoft 365 relate to Microsoft Azure? So, here is my view on that relationship, which I feel is important to understand.

When rolling out Microsoft 365 its important to know that Microsoft Azure is a fundamental component of the Microsoft Cloud. It’s also important to understand the nature of Microsoft Azure and its relationship to Microsoft 365.  Microsoft 365 is a Software as a Service (SaaS) application, which sits on and is built with Microsoft Azure IaaS and PaaS services. Let’s take a look at what those concepts and technologies mean.

Categories of Microsoft Azure Services

Microsoft Azure is a cloud computing platform which provides several fundamental building blocks for implementing business focused cloud-based solutions.  The capabilities of the Azure platform itself fit into the following three (3) categories:

  • Infrastructure as a Service (IaaS) – refers to fundamental components such as virtual machines, storage containers, networking, firewalls, and other important computing infrastructure.  These are components that organizations can use to host their own servers or applications in the cloud, or which can be used by software vendors to build and host online cloud services which they sell to their customers. As well, these can be used by Microsoft themselves to build and host software as a service (such as Microsoft 365).  Migrating an organization’s infrastructure to an IaaS solution helps reduce maintenance of on-premises data centers and save money on hardware costs.

Microsoft Azure IaaS services are typically configured and maintained by application or cloud architects.  It is paid for on a consumption basis (ie. pay for what you use) and are often licensed with an “Azure Pay as you Go” license.  Each Azure IaaS service can have a different price per unit.

  • Platform as a Service (PaaS) – refers to ready-to-use cloud services which can be utilized by developers and solution architects to quick build cloud-hosted business applications or online services.  For example, traditionally, when hosting a web application, an organization would setup a 3-tiered server environment with:
    • A database layer hosted on servers,
    • An application or business logic layer hosted on servers, and
    • A user experience layer hosted on servers

When doing so, the organization was responsible for setting up the servers or VMs, configuring the storage services, configuring the networking, configuring the firewalls and security and maintaining all of that infrastructure, whether it is on-premises or in the cloud (IaaS).  Azure PaaS provides ready-to-use services that are required for building or hosting these types of applications. They can be quickly spun up (similar to spinning up a VM) and the required servers, storage, networking, security, etc. is all configured for you automatically.  Common examples are Azure SQL for databases, Azure App Service for hosting web-based interfaces (ie. web sites), Azure Automation and Azure Logic Apps for automation tools, Azure Cognitive Services for machine learning tools, etc.

For example, if an organization needs to build a SQL database hosted in the cloud, they would traditionally create a new VM, with a storage container, as well as appropriate networking and security, and then they would have installed/configured SQL Server within that VM. Instead, with Azure PaaS, you can select to start an “Azure SQL Database”, and Microsoft Azure will automatically create and configure the necessary VMs, storage containers, networking, security and deploy/configure the SQL Server software.  You are simply given a URL to the Azure SQL database with the credentials selected during the purchase process.  You can then simply start using that database, and all of the infrastructure behind the scenes to host it is automatically configured, secured and maintained.

Microsoft Azure PaaS services are typically configured/maintained by application developers or DEV OPS teams.  They are paid for on a consumption basis (ie. pay for what you use) and are often licensed with an “Azure Pay as you Go” license.  Each Azure PaaS service can have different price per unit.

The following is common diagram, published by Microsoft, to help illustrate the differences and services available within IaaS, PaaS and SaaS capabilities:

  • Directory Services – Azure Active Directory (Azure AD) represents Microsoft’s identity management and directory services capabilities.  It provides storage and management for identities and groups, which are utilized across many Microsoft services, including Microsoft 365.  In addition it provides key security capabilities, such as:
    • Authentication and Password Services
    • Multi-Factor Authentication (MFA)
    • Group naming policy
    • Group expiration policy
    • Conditional Access
    • Risk-Based Conditional Access
    • Privileged Identity Management
    • Entitlement Management
    • Privileged Access Management
    • Access Reviews

The following is a Microsoft published catalog of all Azure services available:

Microsoft 365 Relationship to Microsoft Azure Services

As we know, Microsoft 365 is a Software as a Service platform. What many don’t realize is that it is built on Microsoft Azure IaaS and PaaS services.  More specifically:

Microsoft 365 and Azure IaaS – Microsoft 365 is built and hosted on many thousands of VMs, storage containers, networking and security components that are provided by Azure IaaS.  These Azure IaaS services sit within the same Microsoft data center which hosts Microsoft 365 for the organization. 

To utilize Microsoft 365, customers do not have to pay for an “Azure Pay as You Go” license, or equivalent.  The licenses costs for Azure are all built into the Microsoft 365 license costs.  As well, all the infrastructure components behind Microsoft 365 are completely hidden, obfuscated and not accessible or visible to Microsoft 365 customers.

Microsoft 365 and Azure PaaS – Some Microsoft 365 SaaS services may be built upon Azure PaaS services.  These are likely higher-level services, such as automatic workflows built into SharePoint Online or other such services.  Microsoft does not publish which services are built upon which Azure components.  As with IaaS, to utilize these Microsoft 365 services organizations do not have to pay for an “Azure Pay as You Go” license, or equivalent.  The licenses costs for Azure are all built into the Microsoft 365 license costs.  As well, all the PaaS components that may be behind Microsoft 365 are completely hidden, obfuscated and not accessible or visible to Microsoft 365 customers.

Microsoft 365 and Azure AD – Microsoft 365 uses Azure AD as its fundamental identity management platform.  Some examples of how this service is used by Microsoft 365 are:

  • When a user authenticates to Microsoft 365, they are in fact authenticating to an identity in Azure AD
  • When a user is prompted for MFA, it is Azure AD that is providing the MFA service
  • When a user is logging into Microsoft 365 and a conditional access policy is validated as part of the login process, it is Azure AD that is validating the conditional access policy and making a policy decision about whether the user may login or not
  • etc.

When using Microsoft 365, administrators can also have access to the Azure AD Admin Center.  Depending on their preference, they may use either the Microsoft 365 Admin Center or the Azure AD Admin Center to manage users, groups and MFA settings.  Other Azure AD security services can only be managed in the Azure AD Admin Center, such as Conditional Access policies and Privileged Identity Management.

As with Azure IaaS and PaaS services that may be utilized to host Microsoft 365 services (once again these are not made public in relation to Microsoft 365), costs for Azure AD are bundled into monthly license costs for Microsoft 365.  Some Azure AD identity and security services are only available with higher level Microsoft 365 licenses, for example, Azure AD Privileged Identity Management (PIM) is only available with Azure AD Premium P2 licenses, which are bundled into Microsoft 365 E5 licenses.

In summary, Microsoft Azure computing services are fundamental building blocks of the Microsoft 365 SaaS platform.  End users generally do not interact with or require knowledge of the underlying Azure services, other than perhaps Azure AD (specifically for administrators).

Hope this is helpful to people just starting their journey into Microsoft 365 or those with already established deployments.