This post is part of a mini-series that explains how Microsoft Customers, Azure AD Tenants, Azure Subscriptions and Cloud Solution Providers all work together.
It is aimed at anyone who wishes to purchase Azure resources from a Cloud Solution Provider (CSP) such as NewOrbit, as well as Microsoft Partners who wish to understand the relationship between CSPs and Customers better.
This is an immensely confusing topic that often stumps people who have spent years working with Azure - even as Partners.
I focus on explaining the concepts rather than being 100% technically correct. This means some of the detail is glossed over or simplified.
This series focuses on Partners providing Azure to Customers, but the Microsoft 365 side is inherently linked to this so there will be some straying into that area as well.
Organizations can buy Microsoft software and services directly from Microsoft as well as through Partners. There are various different designations, such as Cloud Solution Provider, Managed Service Provider and variations on those.
In this post we will briefly explain Azure Cloud Solution Providers (CSPs) and how they can work with you.
The general idea is that when you buy through a Partner, you get not just the Microsoft product but additional services and expertise from the Partner.
For example, you might buy your Microsoft 365 from an MSP who also provide setup and support services for your Microsoft 365 environment - and potentially your whole IT estate.
When you buy Azure through a Cloud Solution Provider, you will usually get support from the Partner rather than from Microsoft. For example, when you buy your Azure through NewOrbit you will get access not only to support and monitoring but to our deep expertise and experience in designing and implementing Azure solutions.
It’s a bit like having a team of Azure experts on your staff, but without the overhead of actually employing them.
The Azure subscription belongs to you
Crucially, when a Cloud Solution Provider sells you an Azure Subscription, they should create it under your existing Microsoft Tenant (unless you don’t have one). That makes it easy for you to move the billing relationship for that subscription to a different Cloud Solution Provider without having to make any technical changes, should you ever want to. It also means that you retain full control over the subscription and can grant access to it to other Partners or even to Microsoft directly, if you wish.
Historically, Cloud Solution Providers would often create a whole new Microsoft Customer and Tenant to “own” the Azure Subscription for technical reasons. This is no longer necessary and should be avoided. If you are considering buying Azure through a Cloud Solution Provider, make sure they are going to create the subscription under your existing Microsoft Tenant.
Microsoft are committed to a “Multi-Partner” model, allowing you to buy different Microsoft products and services from different Partners - and even from Microsoft directly - as you see fit. This enables you to get the best possible service for each product or service you buy. For example, you might buy your Microsoft 365 from a local MSP who can provide on-site support, and buy your Azure from a specialist Azure Partner like NewOrbit who can provide deep technical expertise. You can even buy Azure simultaneously from multiple Partners, if suitable.
In the past, Microsoft’s Partner tools sort of assumed that all Partners would have Admin rights to the Tenant, which made this Multi-Partner model difficult to implement. This is no longer the case. Microsoft have made significant improvements to their Partner tools to support this Multi-Partner model. For example, you can now grant a Partner access to a specific subscription without giving them access to the whole Tenant.
Other parts of this series explain the different ways Partners can get access to parts of your system without having full admin rights. As always with things that evolve over time, there are multiple ways to do this, with different usability and impact on your compliance.
NewOrbit works actively to avoid getting any more access to your environment than we need to provide the agreed service to you. This is in accordance with the principle of least privilege as set out in both the “Cloud Solution Provider program authorization guide” and in our ISO 27001 accreditation.
Crucially, when you buy Azure through a Cloud Solution Provider, you are not buying Azure directly from Microsoft. You are buying it from the Cloud Solution Provider. This means that the Cloud Solution Provider is responsible for billing you for the Azure resources you use. Microsoft will not bill you directly for those resources.
Direct vs Indirect
When looking at Cloud Solution Providers, you may sometimes see a reference to “Direct” or “Indirect”. A “Direct” Partner has a direct relationship with Microsoft and are invoiced for your Azure directly by Microsoft. An “Indirect” Partner has a relationship with an “Indirect Provider” who in turn has a relationship with Microsoft. The Indirect Provider is invoiced by Microsoft and invoices the Indirect Partner who invoices the Customer.
This does not directly affect you as a Customer. It is mostly a matter of volume; Direct Partners have to sell a certain minimum level of Azure spend from Customers each year.
Buying Azure through a Cloud Solution Provider can be a great way to get the most out of Azure. You get access to the Partner’s expertise and experience, and you get support from the Partner rather than from Microsoft. Some partners, such as NewOrbit, will also provide additional services such as monitoring and management of your Azure environment.
You can generally get as much or as little support as you want from your Cloud Solution Provider, and you can change Cloud Solution Providers at any time without having to make any technical changes. Many organizations just want the reassurance that they can pick up the phone and talk to a real person who knows their environment and can help them with any issues they have.
It is pretty easy to move existing Azure Subscriptions or resources to or from a Cloud Solution Provider, so there is no need to worry about being locked in.