The Architecture of Azure Data Platform Applications
Back in January 2017, Gavin Payne (b | t) and I delivered two webinars about the Azure Data Platform. The first session was an overview of the high-level architecture of the Azure Data Platform, while the second session delved deeper, covering more information about delivering applications on Azure and those parts of Azure which go beyond SQL Server's relational database engine. Btw, Gavin Payne is a top-rated expert in this field. Gavin is the Head of Digital Transformation at Coeo, a UK-based Microsoft Gold Partner and one of our tightest partner firms. Coeo provides consulting and managed services for Microsoft data management and analytics technologies. Gavin's credentials are many; he is both a Microsoft Certified Architect and a Microsoft Certified Master for SQL Server. He spends his days creating new Coeo services that help customers use digital technologies, such as cloud data platforms and advanced analytics solutions. This man knows his stuff.
Those webinars are now posted online, in case you missed the sessions when they were first broadcast. Click below to watch the webinars:
- How Azure is Enhancing the Microsoft Data Platform, Part 1: Introduction, concepts and basic database applications on Azure
- How Azure is Enhancing the Microsoft Data Platform, Part 2: Implementing and maintaining applications on Azure, Beyond the relational database on Azure
Please share the news about these sessions with your colleagues!
Q-Ben: Thank you for organizing the excellent webinar and for submitting my question regarding SSAS Azure authentication. As a quick follow-up, do you know the alternative if complete Directory Integration (AAD with on-premises AD) isn't available? As per this MSFT article: https://docs.microsoft.com/en-us/azure/analysis-services/analysis-services-overview, there are apparently other options for different scenarios. For example, my organization is reluctant to sync AAD with AD for all scenarios for security reasons. Thank you!
A-Gavin: My understanding is that the Azure Active Directory (AAD) service is a common infrastructure component used by several services in Azure. (Azure SQL Database is another). So getting that capability deployed is an important milestone for deploying and operating solutions in Azure. AAD can be deployed on its own without any integration to any on-premises traditional Active Directory services, which I’d suggest is what the article you linked to means when it says “but isn't required for all scenarios.”. Such a solution would require any users to have a username and password that only works with Azure services, which isn’t preferable for hybrid environments where users already have an on-premises username and password.
The only way to integrate the two AD worlds is to have some form of synchronization, such as the methods described here – https://technet.microsoft.com/library/jj573653.aspx Unfortunately, doing that is a company infrastructure level decision that as you’ve learnt often requires security to be managed differently in the future. Hopefully my knowledge of Active Directory is enough to have answered your question. It’s not something most data platform teams would be responsible for so you’ll probably find limited guidance outside of the Active Directory audiences but that’s where I’d recommend looking if you need to know more.
A-Mike: I have a bit to add to that, Gavin. Microsoft moves very fast with new features and capabilities in Azure. The link above will be deprecated this year. So a more accurate answer is that I’d suggest Ben investigate Azure AD Connect (https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect), as that is the replacement for those earlier approaches. You are correct that they could keep their Azure AD separate and then have Azure specific credentials. But as you point out, that’s not really helpful. Within Azure AD Connect they also support ADFS, which means that it goes back to the on-premises system for authentication. That might be more in line with what Ben is looking for. Oh, and I’m assuming Ben doesn't have Office 365.
Q-David: Does Microsoft do anything to ensure that when a machine is shut down, a new machine spinning up on the same server will not be able to access unerased bits from the previous machine? This is a concern for DoD and related high-security enterprises.
A-Gavin: Microsoft has parts of it organisation dedicated to ensuring government departments get the security features and capabilities they require. Although some of these are not always public facing, security conscious organisations will know who to ask though. Also, some Azure services can have resources added or taken away without requiring a restart whereas some do require a restart. An example I can think of is that adding DTUs to a database hosted by the Azure SQL Database is nearly always rapid providing the database stays within the same tier (basic, standard and premium) while moving a database to a new tier can take several minutes and require a “restart” of the database. The same analogy applies to most other Azure services.
I hope you enjoyed the sessions and that you'll spread the word for our future webinars. Cheers!