This is a continuation of series of articles on hosting solutions and services on Azure public cloud with the most recent discussion on Multitenancy here and picks up the discussion on the checklist for architecting and building multitenant solutions. Administrators will find that this list is familiar to them.  

The previous article introduced the checklist as structured around business and technical considerations

The checklist is categorized based on reliability, security, cost optimization, operational excellence and performance considerations.

The reliability considerations include reviewing the Azure well-architected reliability checklist and this is applicable to all workloads. There must be some safeguards against the noisy neighbor antipattern which is specific to some workloads. Service level objectives and even service level agreements could be defined. These would be based on the requirements of the tenants as well as the composite SLAs of the Azure resources. Reliability is easily impacted by scale and service level agreements can suffer from performance. Testing that the application performs well under load is an important consideration. Finally, Chaos engineering applications can be applied to test the reliability of the solution.

The cost optimization considerations involve Azure well-architected cost optimization checklist and applies to all workloads. Per-tenant consumption must be adequately measured and combined with the infrastructure costs. Antipatterns must be avoided such as failing to track costs or doing it more than necessary.

Security checklist applies as early as design time. There must be tenant isolation in a multi-tenant application but putting the right enforcements and hardening are required to always realize it. In addition, there must be some testing that the tenants are isolated. There must be no cross-tenant access or data leakage and sometimes this involves static and runtime code analysis. These tools can safeguard the security considerations throughout the development.

The operational excellence considerations involve the Azure well-architected performance and efficiency checklist which is also applicable to all workloads. Shared infrastructure must mitigate noisy neighbor concerns. One tenant can reduce the performance of the system for other tenants from a variety of consumptions. Similarly, each Azure resource may impose its own limits to scalability. Solutions do not need to be over-architected or designed for requirements that do not exist.

Some resources also need to be secured differently from others. Domain names must be correctly managed and the allowlisting of resources must be carefully done. Vulnerabilities like dangling DNS and subdomain takeover attacks must be carefully planned.

Cost optimization considerations are all dependent on measurement and correlation. There must be sufficient monitoring of resources and their usages that the costs can be calculated. The billing might be different based on subscriptions and tiers but cost management must be accurate for what is assessed.

Performance efficiency is required not just for the tenants but also for the infrastructure. There must be adequate capacity planning and the fluctuations in supply and demand must be met aggressively with scaling.

#codingexercise

Decimal GetOddNumberRangeMean(Decimal [] A)
{
if (A == null) return 0;
Return A.OddNumberRangeMean ();
}

• Tree: Prune paths from root that don’t add up to a given sum = 12
•  bool Prune(Node root, int sum, int cur)
  
•  {
  
•   If (root == NULL) return false;
  
•  If (root.data + cur > sum) { return false;}
  
•  If  (root.data + cur == sum) {
  

---

3 / 9

•        Root.left = NULL;
  
•         Root.right = NULL;
  
•        Return true;
  
•  }

 This is a continuation of a series of articles on hosting solutions and services on Azure public cloud with the most recent discussion on Multitenancy here and picks up the discussion on the checklist for architecting and building multitenant solutions. Administrators will find that this list is familiar to them.   

The previous article introduced the checklist as structured around business and technical considerations as well as the five pillars of the Azure well-architected framework.  These pillars include 1) Reliability, 2) Security, 3) Cost Optimization, 4) Operational Excellence, and 5) Performance efficiency.  The elements that support these pillars are Azure well-architected review, azure advisor, documentation, patterns-support-and-service offers, reference architectures, and design principles. 

Operational excellence comes with security and reliability. Security and data management must be built right into the system at layers for every application and workload. The data management and analytics scenario focus on establishing a foundation for security. Although workload-specific solutions might be required, the foundation for security is built with the Azure landing zones and managed independently from the workload. Confidentiality and integrity of data including privilege management, data privacy, and appropriate controls must be ensured. Network isolation and end-to-end encryption must be implemented. SSO, MFA, conditional access, and managed service identities are involved to secure authentication. Separation of concerns between azure control plane and data plane as well as RBAC access control must be used. 

The reliability considerations include reviewing the Azure well-architected reliability checklist and this is applicable to all workloads. There must be some safeguards against the noisy neighbor antipattern which is specific to some workloads. Service level objectives and even service level agreements could be defined. These would be based on the requirements of the tenants as well as the composite SLAs of the Azure resources. Reliability is easily impacted by scale and service level agreements can suffer from performance. Testing that the application performs well under load is an important consideration. Finally, Chaos engineering applications can be applied to test the reliability of the solution. 

The cost optimization considerations involve Azure's well-architected cost optimization checklist and are applicable to all workloads. Per-tenant consumption must be adequately measured and combined with the infrastructure costs. Antipatterns must be avoided such as failing to track costs or doing it more than necessary. 

The operational excellence considerations involve the Azure well-architected performance and efficiency checklist which is also applicable to all workloads. Shared infrastructure must mitigate noisy neighbor concerns. One tenant can reduce the performance of the system for other tenants from a variety of consumptions. Similarly, each Azure resource may impose its own limits on scalability. Solutions do not need to be over-architected or designed for requirements that do not exist. 

 

This is a continuation of series of articles on hosting solutions and services on Azure public cloud with the most recent discussion on Multitenancy here This article discusses using the checklist for architecting and building multitenant solutions. Administrators will find that this list is familiar to them.  

 

The checklist is structured around business and technical considerations as well as the five pillars of the Azure well-architected framework.  These pillars include 1) Reliability, 2) Security, 3) Cost Optimization, 4) Operational Excellence, and 5) Performance efficiency.  The elements that support these pillars are Azure well-architected review, azure advisor, documentation, patterns-support-and-service offers, reference architectures and design principles. Out of these, cost optimization is one of the primary benefits of using the right tool for the right solution. It helps to analyze the spend over time as well as the effects of scale out and scale up. The Azure Advisor can help improve reusability, on-demand scaling, reduced data duplication, among many others. Performance is usually based on external factors and is very close to customer satisfaction. Continuous telemetry and reactiveness are essential to tuned up performance. The shared environment controls for management and monitoring create alerts, dashboards, and notifications specific to the performance of the workload. Performance considerations include storage and compute abstractions, dynamic scaling, partitioning, storage pruning, enhanced drivers, and multilayer cache.

Operational excellence comes with security and reliability. Security and data management must be built right into the system at layers for every application and workload. The data management and analytics scenario focus on establishing a foundation for security. Although workload specific solutions might be required, the foundation for security is built with the Azure landing zones and managed independently from the workload. Confidentiality and integrity of data including privilege management, data privacy and appropriate controls must be ensured. Network isolation and end-to-end encryption must be implemented. SSO, MFA, conditional access and managed service identities are involved to secure authentication. Separation of concerns between azure control plane and data plane as well as RBAC access control must be used.

The checklist for business considerations include 1. understanding what kind of solution is being created such as business-to-business, business-to-consumer, or enterprise software 2. Defining the tenants in terms of number and growth plans, 3. Defining the pricing model and ensuring it aligns with the tenants’ consumption of Azure resources. 4. Understanding whether we need to separate the tenants into different tiers and based on the customer’s requirements, deciding on the tenancy model. Finally, promoting the multitenant solution in the commercial marketplace.

The technical considerations emphasize design and service-level objectives, as well as the scale of the solution. It also suggests applying Chaos engineering to test the reliability of the solution. The security considerations involve Zero Trust and least privilege principles.

 

 

 

 

This is a continuation of series of articles on hosting solutions and services on Azure public cloud with the most recent discussion on Multitenancy here This article discusses using the common considerations for multitenant user management. Administrators will find that the process described here is familiar to them.

·        Directory Object Considerations – When a guest user account needs to be created, the user object is created by manually sending the invitation from the portal. This user object is of type Guest. Such accounts can be converted to user type of member but such conversion might have problems with Exchange Online that handles B2B accounts. Mail enabled accounts cannot be invited as guest users. A guest account can be mail-enabled by inviting the cross-org user, showing the account in the Global Address List, and setting up the user type to member.

The difference between using GAL synchronization rather than using Azure AD B2B collaboration is that a mail contact object is created in the first case but some limitations apply. A mail-contact object and a mail-enabled guest user cannot coexist in the same tenant with the same email address simultaneously. If the mail-contact object is already present with the same email address as a guest, then a guest user account can be created but it cannot be mail-enabled. If the guest user account with an email is already present, then creating a mail-contact object will throw an exception.

The recommendation between GAL synchronization and the Azure AD B2B collaboration is that the latter should be preferred. This allows external guest users to show up in the GAL and to create external member users that are not mail enabled. GAL synchronization misleads because the user object created might not have sufficient permissions as the mail-contacts are not security principals. Group memberships and resource access cannot be transferred to a mail-contact object.

·        Azure AD conditional access considerations - Even when a user object is fully created, the state of a user, device or network in the users’ home tenant isn’t conveyed to the resource tenant.

If the conditional access policies require multi-factor authentication, guest users will require to register/respond to the MFA in the resource tenant even if the MFA was satisfied in the home tenant. If the CA policies require the device to be marked as compliant, then the guest user cannot access it because device identity is not registered in the resource tenant. The same holds true for CA policies that require Hybrid Azure AD joined device. If the CA policies require approved client applications or app protection policy, then the guest users will still not be able to access it because InTune requires device registration.

If the conditional access policies are satisfied, even then there might be unintended consequences such as sign-in risk and user-risk which is determined in part by the user behavior in the home tenant. Also. the named location definitions are defined in the resource tenant which are used to determine the scope of the policy.

 This is a continuation of series of articles on hosting solutions and services on Azure public cloud with the most recent discussion on Multitenancy here This article discusses using the common solutions for multitenant user management. Administrators will find that the process described here is familiar to them. 

There are two specific challenges customers solve repeatedly using current tools. These are automatic user lifecycle management and resource allocation across tenants and sharing on-premises applications across tenants.

Their solutions are described below. Microsoft recommends a single tenant wherever possible. When the single tenancy does not work, these solutions work better.

When company acquisitions occur, their employees often maintain their corporate identities. The current state is for these organizations requires them to synchronize changes between these directories. Each resource tenant has a mail contact enabled for all users in the other tenant.  No access to applications is possible across tenants.

The users expect to be shown in each organization’s Global Address List, and access applications and resources in the resource tenant and self-serve access requests to resources.  

The solution for this case requires them to create user objects: 1. Ensure that their database is up to date. 2. Deploy and configure Microsoft Identity Manager, address existing contact objects, create B2B external member objects for other tenant members and synchronize user object attributes. 3. Deploy and configure Entitlement Management access packages.

The second challenge involves sharing on-premises applications across tenants where many organizational units are synchronizing B2B guest users.  They share applications in Azure AD and add, modify, or delete is reflected in the home tenant. These units would like to provide access to on-premises resources for external guest users, applications with SAML authentication, and applications with integrated Windows authentication and Kerberos. 

The solution to this case is to enable the guest users to access the same on-premises applications by configuring access to SAML applications, configuring access to other applications, creating on-premises guest users through MIM, or PowerShell. Access to the on-premises resources must be granted to B2B users in Azure AD. Access must be configured to other applications and on-premises guest users must be created using MIM or PowerShell.

 

This is a continuation of series of articles on hosting solutions and services on Azure public cloud with the most recent discussion on Multitenancy here This article discusses using the AD FS application activity report. Administrators will find that the process described here is simple to execute.

Active Directory Federation Services is used to provide single sign-on to cloud applications. There are significant benefits to moving AD FS applications to Azure AD for authentication, especially in terms of cost management, risk management, productivity, compliance, and governance. A previous article outlined the process by identifying specific migration steps. The AD FS application activity report in the Azure portal helps with this process by identifying which of the applications are capable of being migrated to Azure AD.  

The activity report in the Azure Portal helps to quickly identify which of the applications are capable of being migrated to Azure AD. It can assess all applications for compatibility with migration.  It checks for any issues and gives guidance on preparing individual applications for migration. In addition, the AD FS application activity report can help with:

1)      Discovering AD FS Applications and scope for migration because it lists all AD FS applications in the organization that have had an active user login in the last 30 days. This indicates that these applications are ready for migration to Azure AD. But this report doesn’t display Microsoft related relying parties in AD FS such as Office 365. Relying parties with name ‘urn:federation:MicrosoftOnline’

2)      Prioritizing the applications for migration by getting the number of unique users who have signed into the application in the past 1, 7 or 30 days to help determine the severity of the risk of migrating the application.

3)      Running migration tests and fixing issues by reporting the service that runs tests to determine if an application is ready to migrate. The results are displayed in the AD FS application activity report as a migration status. If the AD FS configuration is not compatible with an Azure AD configuration, the report also gives specific guidance on how to address the configuration in Azure AD.

The data is made available to the following roles: admin role, global administrator role, report reader, security reader, application administrator, or cloud application administrator.  The AD FS must be actively used to access applications. Azure AD Connect health must be enabled in the Azure AD tenant. The Azure AD Connect Health for AD FS agent must be installed.

The AD FS applications that can be migrated will be listed under Enterprise Application section of the Azure Active Directory page in the Azure Portal. The Usage and Insights from the activity page will open a list of all AD FS applications in the organization.

The activity list also displays the migration status as Ready to migrate, needs review and additional steps are required. The migration list will detail potential migration issues. A message can be clicked to open additional migration rules for details. A full list of the properties tested can be seen with the AD FS application configuration tests table.

 This is a continuation of series of articles on hosting solutions and services on Azure public cloud with the most recent discussion on Multitenancy here This article discusses identity directory in Azure AD.

Identity directory is the store where a multitenant solution that wants to authenticate and authorize its users or a service, will save and retrieve the identity information. A directory can include authoritative records for each identity, or it might contain references to external identities that are stored in another identity provider’s directory.

When such an identity system is designed for a multitenant solution, we need to consider the types of identity that the tenants and customers might need. These include local identity provider, social identity provider, the tenant’s Azure AD or Microsoft 365 directory, and federation with a tenant’s identity provider.

A local identity provider allows users to self-register with information such as a username, email, identifier, or a rewards card number and a credential such as a password. The identifier and credentials are persisted. 

A social identity provider integrates with social engineering applications so that users can sign in with their profiles from those applications.

Tenants might have their own Azure AD or Microsoft 365 directory and they might want the multi-tenant solution use their directory as the IdP for accessing the multitenant front-end. This is possible only when the solution is built as a multitenant Azure AD application.

Federation with a tenant’s identity provider if they have custom IdP. Federation allows heterogenous IdP to be integrated into a single source of truth for the solution. Federation also enables single sign-on experiences and enables tenants to manage the lifecycle and security policies of their users, independently of the solution. 

A multitenant application does not control how many tenants or the direct ownership of a resource to its tenant. The customer has the complete say in this. They may want to reassign a resource to another tenant. For example, if they decide to join a machine to a different tenant, they need to disconnect from the first tenant and then register again with the new tenant.  The single sign-on (SSO) option for password hash synchronization and pass-through authentication can be used with only one Azure AD tenant. User migration between tenants involves a new credential to be issued at the destination.