Click here to download an abbreviated PDF version of this article. Please note this information is specific to Microsoft Azure only.
Are you new to Azure?
Azure is a cloud computing platform operated by Microsoft that provides access, management, and development of applications and services via globally-distributed data centers. Azure datacenters are unique physical buildings located all over the globe that house a group of networked computer servers, each equipped with independent power, cooling, and networking.
The Azure cloud platform includes more than 200 products and cloud services designed to empower IT teams to build, run, and manage applications across multiple clouds, on-premises, and at the edge, with flexible tools and frameworks.
- Get started with this how Azure works video. You may also watch the Azure On-Demand video series to quickly learn how to accomplish your goals with Azure.
- Explore the building blocks of Azure with this interactive map.
See the Overview of Azure Infrastructure Components section below for more information on the build.
Buying Azure Plan with AppDirect
How you purchase Microsoft Azure from AppDirect is similar to purchasing any other subscription in the Marketplace. The key difference, however, is that before you actually place your order the Cloud Sales team will provide you with an estimate based on the required services and resources.
- Monitor and analyze your Azure usage with Microsoft Cost Management. Set budgets and allocate spending to your teams and projects.
Azure Plans and Subscriptions
Azure services are primarily sold as Plans and Subscriptions. An Azure subscription serves several purposes, including:
- A legal agreement. Each subscription is associated with an Azure offer, like a free trial or pay-as-you-go. Each offer provides a specific rate plan, benefits, and associated terms and conditions. Azure in CSP (0145P) is one example.
- A payment agreement. When you purchase Azure, you provide payment information for that subscription, such as a credit card number associated with your Marketplace account. Each month, the costs incurred by the resources deployed to the subscription are calculated and billed to that payment method.
- A boundary of scale. These are the scale limits you define for a subscription. The subscription's resources can't exceed the set scale limits. For example, there's a limit on the number of virtual machines that you can create in a single subscription.
- An administrative boundary. A subscription can act as a boundary for administration, security, and policy. Azure also provides other mechanisms to meet these needs, such as management groups, resource groups, and Azure role-based access control.
An Azure Subscription is linked to an offer and payment mechanism (Azure in CSP, for example) and as resources (such as virtual machines) are created they are assigned to an Azure Subscription. Multiple Azure Subscriptions are allowed on a single customer tenant and the names are often customized for ease of use. An Azure Subscription has a duration of 1 month and automatically renews.
Azure Billing and Pricing
Microsoft charges for Azure on a consumption basis, meaning subscribers receive a bill each month that only charges them for the specific resources and services they have used. Prices for a particular service are taken from the monthly price list, and thus prices for the same service could be different every month.
As a Company Admin, by default, only you can purchase software and hardware products on the marketplace for your company. When you submit your purchase a confirmation email will be sent along with the Microsoft product name, invoice number, and payment details.
Who is responsible for paying for the subscription? By default, the AppDirect Marketplace Company Admin is the person whose email address is associated with the Azure Plan subscription purchase. This person is responsible for paying for all costs incurred by the subscription's resources.
- Get started with this view company purchases video.
- Click to download the viewing company purchases guide.
- Get started with this update your primary email address video.
- Click Manage Bills to view invoices or update payment methods.
Azure reservations: Azure reservations are purchased for specified terms of up to three years with either a single upfront payment or equal monthly payments (when available). Azure reservations expire at the end of the specified term. Customer will not be refunded payment (paid or scheduled) for unused Azure reservations.
Azure compute savings plan: Azure compute savings plan is purchased for specified terms of up to three years with either a single upfront payment or equal monthly payments (when available). Azure compute savings plan expires at the end of the specified term. Customer will not be refunded payment (paid or scheduled) for unused Azure compute savings plan. Azure compute savings plans are noncancelable.
Microsoft Azure Management Portal
All Azure resources are provisioned in the Azure Management portal. Once customers subscribe to Azure, they have access to all the services included in the Azure portal. Subscribers can use these services to create cloud-based resources, such as VMs and databases. Azure resources and services can then be assembled into running environments used to host workloads and store data.
View Azure subscriptions under the Azure plan
From the Subscriptions page, in the usage-based section, expand Azure plan to see associated Azure subscriptions under the Azure plan.
Azure administrative roles
Azure defines three types of roles for administering subscriptions, identities, and resources: Classic subscription administrator roles, Azure roles, and Azure Active Directory (Azure AD) roles.
- Get started with this Azure RBAC overview video.
- Learn how to assign an Azure role with this step-by-step guide.
- A Global Administrator is needed to assign roles to the proper users.
The account administrator role is assigned to the Company Admin by default when the Azure subscription is purchased. The account administrator can manage subscription administrators in the Azure portal.
To make a user an administrator of an Azure subscription, an existing billing administrator assigns them the Owner role (an Azure role) at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the right to delegate access to others.
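Because the Owner role at subscription scope includes the right to delegate access, it is worth listing who holds it. The following is an added example, not AppDirect's or Microsoft's code: it audits a role-assignment export in the JSON shape produced by `az role assignment list --all --output json`. The sample data is constructed, and treating `ForeignGroup` principals as partner (AOBO) access is an assumption to confirm in your tenant.

```python
import json
import re

# Constructed sample in the shape of `az role assignment list --all --output json`.
# All names and IDs are placeholders, not real data.
SAMPLE_ASSIGNMENTS = json.loads("""[
 {"principalName":"alice@contoso.example","principalType":"User",
  "roleDefinitionName":"Owner","scope":"/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalName":"","principalType":"ForeignGroup",
  "roleDefinitionName":"Owner","scope":"/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalName":"bob@contoso.example","principalType":"User",
  "roleDefinitionName":"Reader","scope":"/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalName":"deploy-app","principalType":"ServicePrincipal","roleDefinitionName":"Owner",
  "scope":"/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-web"},
 {"principalName":"ops-admins","principalType":"Group","roleDefinitionName":"User Access Administrator",
  "scope":"/subscriptions/00000000-0000-0000-0000-000000000001"}
]""")

# Roles that can grant access to others.
DELEGATING_ROLES = {"Owner", "User Access Administrator"}
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[^/]+/?$", re.IGNORECASE)

def audit(assignments):
    """Return (principal, role, scope, reasons) for assignments that need review."""
    flagged = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "")
        reasons = []
        if role in DELEGATING_ROLES and SUBSCRIPTION_SCOPE.match(scope):
            reasons.append("can delegate access across the whole subscription")
        # Assumption: partner (AOBO) access appears as a ForeignGroup principal.
        if a.get("principalType") == "ForeignGroup":
            reasons.append("principal from another tenant; confirm the partner relationship")
        if reasons:
            name = a.get("principalName") or "<unresolved principal>"
            flagged.append((name, role, scope, reasons))
    return flagged

if __name__ == "__main__":
    for name, role, scope, reasons in audit(SAMPLE_ASSIGNMENTS):
        print(f"{name}: {role} at {scope}")
        for reason in reasons:
            print(f"  - {reason}")
```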
Overview of Azure Infrastructure Components
Azure offers a large collection of services, which includes platform as a service (PaaS), infrastructure as a service (IaaS), and managed database service capabilities. Microsoft sorts Azure cloud services into nearly two dozen categories. Each category can include numerous specific instances or service types. The most popular service categories include the following:
Compute. These services enable a user to deploy and manage VMs, containers and batch jobs, as well as support remote application access. Compute resources created within the Azure cloud can be configured with either public IP addresses or private IP addresses, depending on whether the resource needs to be accessible to the outside world.
Storage. This category of services provides scalable cloud storage for structured and unstructured data. It also supports big data projects, persistent storage and archival storage.
Security. These products provide capabilities to identify and respond to cloud security threats, as well as manage encryption keys and other sensitive assets.
Databases. This category includes database as a service (DBaaS) offerings for SQL and NoSQL, as well as other database instances -- such as Azure Cosmos DB and Azure Database for PostgreSQL. It also includes Azure SQL Data Warehouse support, caching, and hybrid database integration and migration features. Azure SQL is the platform's flagship database service. It is a relational database that provides SQL functionality without the need for deploying a SQL server.
Networking. This group includes virtual networks, dedicated connections and gateways, as well as services for traffic management and diagnostics, load balancing, DNS hosting and network protection against distributed denial-of-service (DDoS) attacks.
Media and content delivery network (CDN). These CDN services include on-demand streaming, digital rights protection, encoding, and media playback and indexing.
Integration. These are services for server backup, site recovery and connecting private and public clouds.
Mobile. These products help developers build cloud applications for mobile devices, providing notification services, support for back-end tasks, tools for building application program interfaces (APIs) and the ability to couple geospatial context with data.
Web. These services support the development and deployment of web applications. They also offer features for search, content delivery, API management, notification and reporting.
Analytics. These services provide distributed analytics and storage, as well as features for real-time analytics, big data analytics, data lakes, machine learning, business
Identity. These offerings ensure only authorized users can access Azure services and help protect encryption keys and other sensitive information in the cloud. Services include support for Azure Active Directory and multifactor authentication.
DevOps. This group provides project and collaboration tools, such as Azure DevOps -- formerly Visual Studio Team Services -- that facilitate DevOps software development processes. It also offers features for application diagnostics, DevOps tool integrations and test labs for build tests and experimentation.
Customer Security Best Practices
All Azure customers should follow Microsoft’s security guidance and best practices.
- Ensure multifactor authentication (MFA) is enabled and registered on every account. Use either Microsoft Entra ID security defaults or Conditional Access to enforce MFA. MFA is the best baseline security hygiene method to protect against threats.
- Consider using passwordless sign-in with the Microsoft Authenticator app.
- Frequently review subscriptions and resources or services that might have been provisioned unexpectedly.
- Review the Azure Monitor activity log for subscription-related activity.
- Utilize cost anomaly alerts to detect unexpected high consumption in Azure.
- User accounts that hold Microsoft Entra administrative roles such as Global Administrator or Security Administrator should not be regularly used for email and collaboration. Create a separate user account with no Microsoft Entra administrative roles for collaboration tasks.
- Regularly review and verify password recovery email addresses and phone numbers within Microsoft Entra ID for all users with the Global Admin role, and update them if necessary.
- Review, audit, and minimize access privileges and delegated permissions. It's important to consider and implement a least-privilege approach. Microsoft recommends prioritizing a thorough review and audit of partner relationships to minimize any unnecessary permissions between your organization and upstream providers. Microsoft recommends immediately removing access for any partner relationships that look unfamiliar or haven't yet been audited.
- Review, harden, and monitor all tenant administrator accounts: All organizations should thoroughly review all tenant admin users, including users associated with Administer On Behalf Of (AOBO) in Azure subscriptions, and verify the authenticity of the users and activity. We strongly encourage the use of phishing-resistant MFA for all tenant administrators, review of devices registered for use with MFA, and minimizing the use of standing high-privilege access. Continue to reinspect all active tenant admin user accounts, and check audit logs regularly to verify that high-privilege user access isn't granted or delegated to admin users who don't require those privileges to do their jobs.
- Review service provider permissions access from B2B and local accounts: In addition to using delegated administrative privilege capabilities, some cloud service providers use business-to-business (B2B) accounts or local administrator accounts in customer tenants. We recommend that you identify whether your cloud service providers use these accounts, and if so, ensure that those accounts are well governed and have least-privilege access in your tenant. Microsoft recommends against the use of "shared" administrator accounts. Review the detailed guidance on how to review permissions for B2B accounts.
- Review and audit Microsoft Entra sign-ins and configuration changes: Authentications of this nature are audited and available to customers through the Microsoft Entra sign-in logs, Microsoft Entra audit logs, and the Microsoft Purview compliance portal (formerly in the Exchange Admin Center). We recently added the capability to see sign-ins by partners who have delegated admin permissions. You can see a filtered view of those sign-ins by going to the sign-in logs in the Microsoft Entra admin center and adding the filter Cross-tenant access type: Service provider on the User sign-ins (non-interactive) tab.
- Review existing log availability and retention strategies: Investigating activities conducted by malicious actors places a large emphasis on having adequate log-retention procedures for cloud-based resources, including Microsoft 365.
We encourage all organizations to become familiar with the logs made available within their subscriptions and to evaluate them routinely for adequacy and anomalies. Organizations relying on third-party MSPs should work with them to understand their logging strategy for all administrative actions and establish a process should logs need to be made available during an incident.
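The service-provider sign-in review described above can also be run over exported logs. The following is an added example, not AppDirect's or Microsoft's code: it groups service-provider sign-ins by the tenant they came from and marks tenants missing from an allow-list. The records are constructed, the field names are assumed to follow the Microsoft Graph signIn resource in a JSON export, and `KNOWN_PROVIDER_TENANTS` is a hypothetical allow-list.

```python
import json
from collections import defaultdict

# Constructed sample sign-in records (not real log data). Field names are an
# assumption: they follow the Microsoft Graph signIn resource as it appears in
# a JSON export of the sign-in logs.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime":"2024-05-01T08:12:00Z","userPrincipalName":"tech1@partner.example","ipAddress":"203.0.113.10",
  "homeTenantId":"aaaaaaaa-0000-0000-0000-000000000001","crossTenantAccessType":"serviceProvider","appDisplayName":"Azure Portal"},
 {"createdDateTime":"2024-05-01T09:40:00Z","userPrincipalName":"tech2@partner.example","ipAddress":"203.0.113.11",
  "homeTenantId":"aaaaaaaa-0000-0000-0000-000000000001","crossTenantAccessType":"serviceProvider","appDisplayName":"Microsoft Azure PowerShell"},
 {"createdDateTime":"2024-05-02T02:03:00Z","userPrincipalName":"admin@unknown-msp.example","ipAddress":"198.51.100.7",
  "homeTenantId":"bbbbbbbb-0000-0000-0000-000000000002","crossTenantAccessType":"serviceProvider","appDisplayName":"Azure Portal"},
 {"createdDateTime":"2024-05-02T10:15:00Z","userPrincipalName":"carol@contoso.example","ipAddress":"192.0.2.5",
  "homeTenantId":"cccccccc-0000-0000-0000-000000000003","crossTenantAccessType":"none","appDisplayName":"Office 365"},
 {"createdDateTime":"2024-05-02T11:00:00Z","userPrincipalName":"guest@unknown-msp.example","ipAddress":"198.51.100.8",
  "homeTenantId":"bbbbbbbb-0000-0000-0000-000000000002","crossTenantAccessType":"b2bCollaboration","appDisplayName":"SharePoint"}
]""")

# Hypothetical allow-list: tenant IDs of providers you have a relationship with.
KNOWN_PROVIDER_TENANTS = {"aaaaaaaa-0000-0000-0000-000000000001"}

def is_service_provider(record):
    """True when the record's cross-tenant access type includes serviceProvider."""
    raw = record.get("crossTenantAccessType") or ""
    return "serviceprovider" in {t.strip().lower() for t in raw.split(",")}

def summarize(records, known_tenants):
    """Group service-provider sign-ins by home tenant and mark unknown tenants."""
    by_tenant = defaultdict(lambda: {"count": 0, "users": set(), "apps": set(), "ips": set()})
    for rec in filter(is_service_provider, records):
        entry = by_tenant[rec.get("homeTenantId", "unknown")]
        entry["count"] += 1
        entry["users"].add(rec.get("userPrincipalName"))
        entry["apps"].add(rec.get("appDisplayName"))
        entry["ips"].add(rec.get("ipAddress"))
    return {tid: dict(e, known=tid in known_tenants) for tid, e in by_tenant.items()}

def unknown_provider_tenants(records, known_tenants):
    """Tenant IDs that signed in as a service provider but are not on the allow-list."""
    return sorted(t for t, e in summarize(records, known_tenants).items() if not e["known"])

if __name__ == "__main__":
    for tenant, info in summarize(SAMPLE_SIGNINS, KNOWN_PROVIDER_TENANTS).items():
        flag = "ok" if info["known"] else "REVIEW"
        print(f"{flag:6} {tenant} sign-ins={info['count']} users={sorted(info['users'])}")
```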
Access to Microsoft experts anytime, anywhere, whatever the problem
As a Microsoft Cloud Solution Provider (CSP) partner, AppDirect is responsible for ensuring Azure customers have accepted the Microsoft Customer Agreement; communicating consumption and spend to customers; directly provisioning and managing subscriptions; and acting as the first point of contact for customer support.
Thank you for choosing AppDirect Marketplace! If you have any questions or need assistance, you can email us at help@appdirect.com, call us at 833-427-7762, or start a chat with us on our website at helpcenter.appdirect.com.