Zero Trust for Software Development Companies: what “good” looks like in practice
Threats keep accelerating in speed, scale, and sophistication. Microsoft is tracking a sharp rise in daily attacks and password-spray attempts, which is exactly why software development companies need a Zero Trust foundation that assumes breach and limits blast radius by default. The session’s companion deck lays out a crisp, do-first list for software development companies that build and operate multi-tenant apps. I have folded those specifics into this updated post. Start from identity and tenancy If your multi-tenant SaaS lives on Microsoft Entra ID, treat the app’s home tenant like production infrastructure, not a convenience sandbox. Create a dedicated “app tenant” that is locked down, automated, and free of day-to-day human use. Avoid hosting customer-facing multi-tenant app registrations in your corporate tenant where guests, everyday collaboration tools, and broader policies compete with your need for strict controls. Two resources to get your footing fast are the Zero Trust Workshop and the Entra Security guidance. They frame the exact checks below and help you sequence work across identity, device, data, and workload layers. The essential checks most software development companies miss Global admin and subscription access. Global Administrators should not have standing access to Azure subscriptions. Require just-in-time elevation so high-impact operations create signals, slow attacker velocity, and route through observable control points. App creation and lifecycle. Do not allow anyone to create applications or service principals. Restrict that right to a small, audited group, then continuously prune inactive apps, especially those with high Microsoft Graph privileges. Attackers hide behind service principals and abandoned migrations more often than you think. Redirect URIs. Keep reply URLs tight. Only use domains you control. Remove localhost and abandoned cloud sites to cut off token interception and code hijacking paths. Secrets and certificates. Prefer managed identity. If you must use credentials, do not use client secrets. If you must use certificates, keep expirations short and rotate regularly so any compromise has a short half-life. First-party service apps. Ensure Microsoft service applications in your tenant do not have customer-added credentials. Threat actors try to attach their own keys to first-party principals to inherit trusted access. Privileged identities. Keep admin accounts cloud-only to prevent an on-prem compromise from laddering into Entra, and register phishing-resistant methods for every privileged user. Keys or platform authenticators beat OTP fatigue every day of the week. How to roll this out without stalling the roadmap Adopt the workshop mindset. Run a lightweight Zero Trust assessment, pick the items above that are both high-impact and feasible in your environment, and bake them into your next few sprints. Treat security debt like product debt so you always reserve capacity for it. If you are modernizing a legacy app, use that cutover to move the registration to a dedicated app tenant, switch to managed identity, and clean your redirect URIs. The guidance below is what your team will reference as you go. Resources to take the next step Zero Trust Workshop: aka.ms/ztworkshop Entra Security guidance: aka.ms/entra/security If you only do one thing this week, carve out time to separate your app tenant from your corporate tenant, then enforce just-in-time privilege. Those two moves alone shrink your blast radius and make intrusions noisier and easier to catch.Scaling software businesses through hyperscaler marketplaces: Strategies, actions, and resources
As cloud marketplaces like the Microsoft Azure Marketplace continue to grow, software companies are seeing new opportunities to reach buyers, activate the channel, and drive recurring revenue through marketplace selling. In a recent conversation hosted by TD SYNNEX, leaders in cloud channel development and marketplace strategy shared key insights for Software Development Companies looking to scale. This Q&A summarizes actionable strategies, common challenges, and available resources that can help Software Development Companies grow their marketplace presence and unlock ecosystem scale. Q: How can software development companies get started more easily in cloud marketplaces? A: The entry point has become more streamlined in recent years thanks to distribution. Working with distribution, software development companies can leverage Microsoft expertise and relationships to quickly assess where they are in their marketplace journey, identify key readiness milestones, and accelerate time to market through Marketplaces. TD SYNNEX supports this process with guided enablement, ensuring vendors understand the technical steps needed to get listed, become co-sell ready, and activate transactable offers. Q: What are the biggest challenges software companies face when trying to scale? A: One of the biggest hurdles is reach. Many software development companies build strong technology but lack access to the broad channel networks needed to scale. Without deep relationships in place, they may struggle to get discovered by the right partners or buyers. This is where distribution support becomes valuable. Distributors like TD SYNNEX can bridge the gap by connecting software development companies to large reseller ecosystems and providing scalable routes to market. Platforms like TD SYNNEX’s StreamOne® simplify cloud provisioning and transactions for partners, helping software companies tap into demand more efficiently. Q: Is there a framework for scaling go-to-market efforts after onboarding? A: Yes, and it typically involves the following steps: Initial Integration Onboard to a cloud commerce platform, then add your offer into hyperscaler marketplaces like Microsoft Azure. Establishing this foundation makes future scaling repeatable. Private Offers for Flexibility Use private offers to tailor pricing and packaging for strategic deals. These offers can be customized for specific partners or customers, helping speed up deal closure and align with cloud budgets. Partner Enablement & Co-Sell Activation Support the channel with training, solution briefs, and campaign materials. TD SYNNEX offers co-marketing programs and partner-ready enablement that help resellers understand how to position your solution. Multi-Geo Expansion Once you’re successfully transacting in one region, it’s easier to replicate that motion in other geographies. Marketplace and distribution tools make global expansion more accessible than ever. Community & Events Participate in field events, executive briefings, and partner showcases. These moments help vendors tell their story directly to decision-makers and drive partner engagement. Q: What resources are available to help software development companies scale more efficiently? A: Several high-value resources exist to support software development companies on this journey: Engagement & Consultation These strategic consultations review the onboarding and assessment process, helping vendors identify where they are and what comes next. TD SYNNEX Private Offer Deal Desk Whether you’re responding to a specific partner opportunity or looking to craft strategic offers, the TD SYNNEX Private Offer Deal Desk can help tailor terms, accelerate approval, and enable smoother transactions. Marketing & Enablement Programs From curated offer catalogs to subsidized marketing campaigns, programs are available to help software development companies scale awareness without heavy upfront investment. TD SYNNEX also offers digital marketing services and inclusion in cloud solution spotlights. Q: What’s the long-term value of being marketplace-enabled? A: Marketplace integration opens doors beyond initial sales. It positions software development companies to participate in co-sell motions with hyperscalers, attract partners who prefer digital procurement, and align with customer trends—especially as cloud budgets and committed spend agreements become more common. Software development companies that build marketplace-native offers, activate partner channels, and support flexible selling motions will be better positioned to ride the next wave of transformation, including AI-driven industry solutions and global expansion. Next Steps for Software development companies If you’re ready to explore marketplace selling or want to scale your reach through channel partners, consider these actions: Request a consultation with the TD SYNNEX team using this form. Activate your offer in Azure Marketplace Explore private offers to support strategic deals, leveraging the TD SYNNEX Private Offer Deal Desk. Engage in partner enablement to accelerate co-sell motion Leverage go-to-market programs to boost visibility Whether you're just getting started or looking to scale globally, the right combination of marketplace strategy, partner engagement, and platform support can accelerate your path to growth. TD SYNNEX and the Microsoft Commercial Marketplace ecosystem offer a strong foundation to build on.Lock in marketplace terms for up to five years with multiyear contract durations
Co-authored by Trevor_Yeats We’re excited to announce that the Microsoft marketplace now supports multiyear contract durations—enabling customers and partners to lock in terms and pricing for up to five years. New options include four and five-year terms for SaaS and Professional Services, and two, four, and five-year terms for Virtual Machine Software Reservations (VMSR). These contract durations are available globally across all marketplace-supported currencies. The value for your customers and for you With multiyear contract durations, customers can buy with confidence knowing they will have stability and continuity of service, making it easier to plan and forecast expenses and lock in substantial savings that often come with longer contracts. Partners benefit by supporting customers’ budget needs, strengthening customer relationships, reducing administrative burdens, and growing reliable revenue streams. “Our customers value five-year contracts for the stability and long-term value they provide. With multiyear contracts now available in Microsoft marketplace, we can better align with their operational timelines, reduce renewal cycles, and focus on building lasting relationships—while driving predictable revenue.” Sue Wilkinson, Global Director of Partners, IFS How it works To enable multiyear contract durations, software partners must take the following steps: Create a public offer with multiyear contract durations. Partners must ensure their public offers include extended contract terms before they can create private offers with those durations. Partners have two options: Update an existing public plan to support new options for extended durations (i.e., four and five-year options for SaaS offers and two, four, and five-year options for VMSR), or Create a new public plan that includes multiyear contract durations. Create private offers with multiyear contract durations. Once a public offer with multiyear contract durations is published, partners can configure private offers that leverage those durations. Notes: Existing customer agreements cannot be modified mid-term to extend contract length. Customers must cancel their current plan and purchase a new one that includes the desired extended duration. Multiyear contract durations for CSP offers will be enabled later this summer. Until then, partners can create new offers without opting to resell through CSP to take advantage of extended contract durations. Creating multiyear contracts with flexible billing schedules Partners can create private offers that combine multiyear contract durations with flexible billing options—like quarterly, semiannual, or bimonthly—making it easier to align with customer needs and streamline sales. “Microsoft’s recent launch of multiyear contracts and flexible billing has been a game changer, simplifying the buying process and enhancing the customer experience. We can now build private offers in the Microsoft marketplace in a more natural way that mirrors our contracts in the platform.” Sue Wilkinson, Global Director of Partners, IFS Learn more about flexible billing schedules and capturing the marketplace opportunity. Eligibility for multiyear contracts and how to get started Any company who is part of the Microsoft AI Cloud Partner Program can sell on the marketplace with multiyear contract durations. Details are provided in our documentation, but at a high-level: Be a member of the Microsoft AI Cloud Partner Program (it’s free to join) Sign the marketplace publisher agreement Publish your public offer with multiyear contract durations. Sell private offers with multiyear contract durations. In addition, we have many support resources for partners depending on where they are on their marketplace journey. For example, software development companies can join ISV Success, within the Partner Program, for tools and resources that help them publish their solution and maximize reach through the marketplace. Learn more by visiting: Microsoft commercial marketplace transact capabilities FAQs: https://aka.ms/multiyear-FAQsDQ Global and Sycor offer ISV Success for Business Applications solutions in Microsoft AppSource
Microsoft ISV Success for Business Applications offers platforms, resources, and support designed to help partners develop, publish, and market business apps. Learn more about these offers from DQ Global and Sycor in Microsoft AppSource.Maximizing the multicloud advantage — Publishing and selling through the Microsoft marketplace
This post is part of a series on replicating apps from AWS to Azure. View all posts in this series. For AWS-based software companies aiming to broaden their footprint, the marketplace offers a strategic path forward. By publishing your solution, you gain visibility across Microsoft’s digital storefronts—Azure Marketplace and Microsoft AppSource—as well as in-product experiences like the Azure Portal. This presence enables 24/7 global selling and simplifies procurement for enterprise customers, especially those with Azure Consumption Commitments who are motivated to buy Azure-based solutions through the marketplace. Publishing in Azure reduces friction when selling to Azure-centric enterprises, enables consistent branding and offer management across clouds, and allows you to leverage both ecosystems without duplicating engineering investments. You can also join ISV Success to get access to over $126K USD in cloud credits, AI services, developer tools, and 1:1 technical consults to help you replicate your app and publish to the marketplace. To replicate your app faster get cloud-ready reference code to replicate AWS apps to Azure. 1. Introduction Unlock new growth opportunities by tapping into the marketplace and reach enterprise buyers more effectively. Whether you're migrating from AWS or building natively on Azure, the marketplace enables you to expand into new geographies, co-sell with Microsoft’s extensive salesforce, and simplify procurement for customers with pre-committed Azure spend. In this guide, we’ll walk you through the key steps to publishing and selling successfully—from selecting the right offer type to optimizing billing, pricing, and co-sell incentives. Through the marketplace, your business can: Sell to millions of monthly shoppers: Sell 24/7 across 141+ geographies, 17 currencies, and 50+ value-added tax IDs, Maximize your sales reach: Sell directly on marketplace storefronts and in-product experiences used by 95% of Fortune 500 companies. Access pre-committed cloud budgets: Stand out to the more than 85% of Microsoft customers with pre-committed Azure spend using the marketplace. Co-sell with 35,000 Microsoft sellers: Sell even more with collaborative sales through the marketplace, Expand to new markets with recurring revenue: Scale through 500,000 Microsoft partners, who can sell on your behalf or sell jointly to customers. This article walks you through the essentials of publishing and selling through the marketplace, including offer types, billing and pricing models, tools, incentives, and financial programs that can accelerate your success. 2. Selecting the right marketplace offer type When publishing to the marketplace, choosing the right offer type is key. Each type supports different ways customers use and deploy your solution. Common Offer Types and What They’re Best For Software as a Service (SaaS) Best for apps deployed on your Azure infrastructure that customers access through subscriptions. For customers who want a turnkey ready-to-use, hosted solution with minimal set-up. Azure Virtual Machine (VM) Best for software that runs on a pre-configured virtual machine. Similar to Amazon Machine Image (AMI) offers. For customers who want full control over a virtual machine running your software. Azure Container Ideal for containerized apps that customers deploy and run themselves like Amazon Elastic Container Service (ECS) or Elastic Kubernetes Service (EKS). For customers who want to run your app in their own container environment. Azure Application Used to deploy multiple Azure resources like VMs, storage, or networking. This is ideal for customers who want packaged deployments that automate setup in the customer’s environment. Azure also supports other offer types. See the full list at App Advisor – Offer Types. 3. How marketplace billing and pricing work A key advantage of publishing through the marketplace is the seamless integration with Azure’s billing system, which simplifies procurement for customers and streamlines revenue collection for software development companies. Integrated Azure billing When customers purchase through the marketplace, charges are seamlessly applied to their existing Azure account, eliminating separate invoicing and procurement workflows. Purchases can count toward Azure Consumption Commitment, enhancing appeal for enterprise buyers, while customers benefit from consolidated billing and simplified expense tracking. Publisher earnings Microsoft manages billing and collection. After deducting a standard transaction fee, earnings are disbursed on a regular schedule—reducing overhead and ensuring predictable cash flow. Pricing models The marketplace supports a variety of pricing models to align with your business model and customer expectations: Flat-rate: A fixed monthly or annual fee for access to your solution. Per user pricing: Charges based on the number of users accessing the solution. Usage-based (metered): Charges based on actual usage metrics (e.g., API calls, compute hours). After choosing your pricing model, you can configure multiple tiered plans (SKUs) for different service levels or feature sets at varying price. Renewing a private offer with an existing paid customer—whether the original deal was through the marketplace or not— reduces your transaction fee by 50% for the entire renewal term. How to grow sales with negotiated deals For many enterprise customers, closing deals means negotiating pricing and terms. Most co-sell deals also happen through negotiated terms. If co-selling with Microsoft sellers is a path you want to pursue, make sure you learn about these options. Private offers: Depending on the plan you have selected, you can create personalized pricing and terms for specific customers that are only visible to them. Offers can include custom billing schedules, discounts, and contract durations. Multiparty private offers: If you sell through channel partners or need to for a specific deal, then you can use multiparty private offers (MPO) to offer negotiated terms and pricing. MPO is currently available in the United States, United Kingdom and Canada, with support for more geographies coming soon. The Private Offers API allows you to programmatically create and manage custom deals with enterprise customers. These capabilities allow you to maintain pricing flexibility while benefiting from the streamlined procurement and billing experience of the marketplace. Learn more on your options for negotiated deals through marketplace. Transactable professional services In addition to software, you can also list professional services (e.g., onboarding, training, consulting) as transactable items. This allows customers to purchase both your product and value-added services through a single, unified channel—further increasing your Azure Consumption Commitment alignment and revenue potential. These offers are currently not discoverable via storefront search and must be shared via direct link with customers. Transactable services are supported in select markets and must follow specific publishing guidelines. Learn more about selling transactable professional services. 4.Tools to help publish your marketplace offer Microsoft provides a rich set of tools and resources to help ISVs confidently publish, manage, and grow their offers in the marketplace. These assets can streamline your journey and maximize your impact. Joining as a partner to create and publish your marketplace offer To publish and manage your marketplace apps, sign up for the Microsoft AI Cloud Partner Program and set up your Partner Center account. Partner Center is where you configure offers, manage referrals and claim incentives. The best way for software companies to sign up is to join ISV Success, which offers over $126K USD in benefits, including Microsoft products, Azure cloud credits, and technical consultations. See the benefits. You can also enroll as a partner through Partner Center without joining ISV Success. Once your account is set up, assign roles to your team for tasks like publishing, marketing, and managing referrals. This helps streamline the marketplace process. Learn about marketplace-specific roles needed to publish and manage apps, payout and tax settings, and access marketplace insights Step-by-step guidance through App Advisor App Advisor provides curated step-by-step guidance—through replicating your app, publishing it to marketplace, and growing your sales—helping you make informed decisions at every stage. Reference code on transactable webhooks For SaaS publishers, implementing transactable webhooks is essential for provisioning, metering, and managing customer subscriptions. Microsoft offers reference implementations like the SaaS Accelerator, which simplifies webhook integration and accelerates time to market. The Mastering the Marketplace GitHub repo also provides hands-on code samples and walkthroughs to help you build production-ready integrations. You can review Mastering the SaaS Accelerator - Mastering the Marketplace. Marketplace documentation and offer creation guides Microsoft maintains detailed documentation to guide you through the publishing process ensuring your offer is compliant, discoverable and optimized. The marketplace documentation hub organizes all the marketplace documentation for app publishers. The Publishing Guide by Offer Type provides technical and business requirements for each offer type (SaaS, VM, Container, etc.). The marketplace offer listings best practices helps you craft compelling branding and go-to-market strategies. Engaging with Microsoft to go-to-market Microsoft offers multiple programs, incentives, and offerings to help you amplify your reach, earn by selling through marketplace, and differentiate in marketplace: Marketplace Rewards unlock benefits like listing optimization, up to $400K USD in Azure cloud credits, go-to-market support, and co-sell readiness. Transact & Grow financial incentive can pay you up to $20K USD to sell through marketplace. Solutions Partner with certified software designations help you stand out in the marketplace, differentiate with Microsoft sellers, and grants you marketing and sales benefits. Accelerating visibility, credibility, and access Publishing through the Azure gives you access to Microsoft’s extensive sales ecosystem, including: Tip: Enable a free trial period for your paid marketplace plans to get the most customer engagement in marketplace. Microsoft field sellers: who can co-sell your solution to their accounts. Partner Center insights: that help you track performance and optimize your listing. Marketplace rewards tiers: that unlock additional benefits as your offer gains traction. Visit this link to learn more about additional benefits: Transacting on the marketplace - Marketplace publisher | Microsoft Learn 5. Qualifying for Azure IP Co-sell to incentivize Microsoft sellers and help customers with commitments Software companies can leverage Azure IP Co-sell (AZIPCS) to enhance enterprise reach, seller engagement, and deal velocity via the marketplace. Offers that achieve Azure IP co-sell eligibility gain these marketplace benefits: Marked as Azure benefit eligible for eligible customers in the marketplace and Azure Portal. Sales of your offer through the marketplace contribute toward customers' pre-committed cloud budget otherwise known as Azure consumption commitment (MACC). This helps software companies align with enterprise procurement strategies and unlock larger opportunities. Microsoft sellers are highly interested in marketplace offers that can help customers meet their Azure consumption commitment. Co-sell deals are roughly 30% higher than non-co-sell deals Co-sell deals tend to close 2x faster, compared average across all Microsoft-managed customers Requirements for Azure IP co-sell eligible offers To qualify: Your marketplace offer must be configured to transact through the marketplace and have at least one non-$0 pricing plan. You need to create a co-sell solution for your offer You must reach a company-level revenue threshold over the trailing twelve-month (TTM) period of either $100K USD of marketplace billed sales (MBS) OR Azure Consumed Revenue (ACR). Learn how to make the most of co-sell. Key resources: Microsoft Azure Migration Hub | Microsoft Learn Publishing to commercial marketplace documentation Get over $126K USD in benefits and technical consultations to help you replicate and publish your app with ISV Success Maximize your momentum with step-by-step guidance to publish and grow your app with App Advisor Accelerate your development with cloud ready deployable code through the Quick-start Development Toolkit Earn exclusive benefits for your software company business with Marketplace Rewards. Private offers overview - Marketplace customer documentation | Microsoft Learn Marketplace FAQs – Microsoft Tech CommunityNavigating AI security: Identifying risks and implementing mitigations
As artificial intelligence becomes central to software innovation, it also introduces unique security challenges—especially in applications powered by large language models (LLMs). In this edition of the Software Development Company Security Series, we explore the evolving risks facing AI-powered products and share actionable strategies to secure AI solutions throughout the development lifecycle. *Data based on 2024–2025 global reports from Cyberhaven, Swimlane, FS-ISAC, Capgemini, Palo Alto Networks, and Pillar Security analyzing AI security incidents across sectors. Understanding the Evolving AI Threat Landscape AI systems, particularly LLMs, differ from traditional software in one fundamental way: they’re generative, probabilistic, and nondeterministic. This unpredictability opens the door to novel security risks, including: Sensitive Data Exposure: Leaked personal or proprietary data via model outputs. Prompt Injection: Manipulated inputs crafted to subvert AI behavior. Supply Chain Attacks: Risks from compromised training data, open-source models, or third-party libraries. Model Poisoning: Insertion of malicious content during training to bias outcomes. Jailbreaks & Misuse: Circumventing safeguards to produce unsafe or unethical content. Compliance & Trust Risks: Legal, regulatory, and reputational consequences from unvalidated AI outputs. These risks underscore the need for a security-first approach to designing, deploying, and operating AI systems. Key Risks: The OWASP Top 10 for LLMs The OWASP Top 10 LLM Risks offer a framework for understanding threats specific to generative AI. Key entries include: Prompt Injection Sensitive Data Disclosure Model and Data Poisoning Excessive Model Permissions Hallucination & Misinformation System Prompt Leakage Vector Embedding Exploits Uncontrolled Resource Consumption Each of these risks presents opportunities for attackers across the AI lifecycle—from model training and prompt design to output handling and API access. Inherent Risks of LLM-Based Applications Three core attributes contribute to LLM vulnerabilities: Probabilistic Outputs: Same prompt, different results. Non-Determinism: Inconsistent behavior, compounded over time. Linguistic Flexibility: Prone to manipulation and hallucination. Common attack scenarios include: Hallucination: Fabricated content presented as fact—dangerous in domains like healthcare or legal. Indirect Prompt Injection: Malicious prompts hidden in user content (emails, docs). Jailbreaks: Bypassing guardrails using clever or multi-step prompting. Mitigations include retrieval-augmented generation (RAG), output validation, prompt filtering, and user activity monitoring. Microsoft’s Approach to Securing AI Applications Securing AI requires embedding Zero Trust principles and responsible AI at every stage. Microsoft supports this through: Zero Trust Architecture Verify explicitly based on identity and context Use least privilege access controls Assume breach with proactive monitoring and segmentation Shared Responsibility Model Customer-managed models: You manage model security and data. Microsoft-managed platforms: Microsoft handles infrastructure; you configure securely. End-to-End Security Controls Protect infrastructure, APIs, orchestration flows, and user prompts. Enforce responsible AI principles: fairness, privacy, accountability, and transparency. Tools & Ecosystem Microsoft Defender for Cloud: Monitors AI posture and detects threats like credential misuse or jailbreak attempts. Azure AI Foundry: Scans models for embedded risks and unsafe code. Prompt Shield: Filters harmful inputs in real-time. Red Team Tools (e.g., PyRIT): Simulate attacks to harden defenses pre-deployment. Action Steps for Software Companies Securing AI Products Here’s a focused checklist for AI builders and software development companies: Embed Security Early Apply Zero Trust by default Use identity and access management Encrypt data in transit and at rest Leverage Microsoft Security Ecosystem Enable Defender for Cloud for AI workload protection Scan models via Azure AI Foundry Deploy Prompt Shield to defend against jailbreaks and injection attacks Secure the Supply Chain Maintain a Software Bill of Materials (SBOM) Regularly audit and patch dependencies Sanitize external data inputs Mitigate LLM-Specific Risks Validate outputs and restrict unsafe actions Use RAG to reduce hallucination Monitor prompt usage and filter malicious patterns Build for Multi-Tenancy and Compliance Use Well-Architected Framework for OpenAI Isolate tenant data Ensure alignment with data residency and privacy laws Continuously Improve Conduct regular red teaming Monitor AI systems in production Establish incident response playbooks Foster a Security-First Culture Share responsibility across engineering, product, and security teams Train users on AI risks and responsible usage Update policies to adapt to evolving threats Conclusion: Secure AI Is Responsible AI AI’s potential can only be realized when it is both innovative and secure. By embedding security and responsibility across the AI lifecycle, software companies can deliver solutions that are not only powerful—but trusted, compliant, and resilient. Explore More OWASP Top 10 for Large Language Model Applications | OWASP Foundation Overview - AI threat protection - Microsoft Defender for Cloud | Microsoft Learn Prompt Shields in Azure AI Content Safety - Azure AI services | Microsoft Learn AI Red Teaming Agent - Azure AI Foundry | Microsoft Learn AI Trust and AI Risk: Tackling Trust, Risk and Security in AI Models What is Azure AI Content Safety? - Azure AI services | Microsoft Learn Overview of Responsible AI practices for Azure OpenAI models - Azure AI services | Microsoft Learn Architecture Best Practices for Azure OpenAI Service - Microsoft Azure Well-Architected Framework | Microsoft Learn Azure OpenAI Landing Zone reference architecture AI Workload Documentation - Microsoft Azure Well-Architected Framework | Microsoft Learn Announcing new tools in Azure AI to help you build more secure and trustworthy generative AI applications | Microsoft Azure Blog HiddenLayer Model Scanner helps developers assess the security of open models in the model catalog | Microsoft Community Hub Inside AI Security with Mark Russinovich | BRK227 The Price of Intelligence - ACM QueueJoin us at Microsoft's campus for the Ultimate Partner LIVE event!
The countdown is on - Ultimate Partner LIVE in Redmond, WA on May 1st – 2nd is fast approaching, and you won’t want to miss it! This is the event for connecting with Microsoft executives, partners, and industry experts driving ecosystem growth and shaping the future. Join us as we take over the iconic Microsoft Conference Center for two action-packed days. It’s your opportunity to engage directly with Microsoft leaders, learn from expert panel discussions, immerse yourself in hands-on workshops, and experience a targeted partnering experience. Microsoft’s ongoing support of Ultimate Partner, along with its sponsorship of the Ultimate Partner LIVE event, highlights the importance of ecosystem-led growth. A special thank you to all the Microsoft leaders below who plan to take the stage and those who coordinate behind the scenes to make this event a success. Over 30 industry-leading speakers and award-winning partners will grace the stage and share insights that will shape the future of cloud go-to-market strategies. The two-day agenda will cover topics such as: Prepare Your Microsoft Business for FY26 The Marketplace Ecosystem Opportunity The State of the Marketplace Ecosystem Microsoft’s AI & Software Vision Forging the New World of Data & AI Defining the Marketplace of the Future for SMBs The Power of Partnerships: Building AI Together Perspective of a Microsoft Marketplace POTY Award Winner Embracing Change and Pivoting for Success Acre of Diamonds: How to Leverage the Opportunity with Microsoft Unlocking the Opportunity Through Ecosystem Thinking The Partner Perspective for Ecosystem Thinking Future of Distribution Co-Selling Journey Celebrating Microsoft: 50 Years of Tectonic Shifts And more! Why This Event is Critical: We are standing at a pivotal moment: AI is advancing faster than most organizations can keep up with. Accelerate Microsoft FY25 Q4 priorities and understand FY26 opportunities. Microsoft Marketplace is poised for explosive growth. Go-to-market success now demands tighter alignment and precision from partners than ever before. Why You Can’t Afford to Miss This Event: Exclusive Access to Microsoft Decision-Makers The executives setting the agenda for FY26 will be in the room. You’ll gain clarity on FY26. Nicole Dezen, Chief Partner Officer & CVP Global Partner Solutions will kick us off, and you will hear from leaders across the Software, Services, Reseller, Marketplace, and Sales Organizations. Know exactly how to align your business, resources, and messaging to what Microsoft actually cares about this fiscal year. Interactive Workshops to Sharpen Your Skills How to co-sell smarter with Microsoft How to design GTM plays that convert How to win with commercial marketplace motions With Industry Experts like Reis Barrie, CEO of Carve Partners, John Jahnke, CEO of Tackle.io, Sam Gong, SVP Marketing at WorkSpan, Rebecca Jones, Chief Growth Officer of Bridge Partners, Erin Figer, Founder of Core Consulting, and leaders from The Partner Masters, Suger and more hosting immersive workshops, be prepared to learn and implement. Proven Frameworks for Delivering Results Vince Menzione will share his 7 Principles of Successful Partnerships—developed from working with top-performing partners across the ecosystem. Other experts will share frameworks for marketplace, co-selling, GTM, and more Networking Opportunities to Accelerate Your Business This will be a curated executive room where you'll connect with partner leaders, advisors, and Microsoft stakeholders in high-trust conversations that spark real opportunities. You’ll leave with a tighter, more strategic network—and future deals in motion. An Intentionally Designed Experience with Real-World Impact Every detail of this event—from the location in Redmond to the experience design—is built to support meaningful conversations, clarity, and action. What People Say: “What an incredible experience at the Ultimate Partner Live Executive Summit. Two days packed with relationship building, business growth, and learning – it felt like months of progress compressed into 2 days.” Steven Karachinsky, CEO at Ziro “Really loved the vibe and amazing conversations with the partners at the Ultimate event! I think you absolutely have the right formula to create impact for the entire ecosystem with such a gathering.” Sandy Gupta, VP, Ecosystems of Global Software Companies at Microsoft “The event was informative, insightful, and inspiring. Your ability to put into words the tectonic shift we are all experiencing is refreshing! Thanks for being the trailblazer by providing thoughtful content and curated partner experiences. We have all been craving this for so long.” Regina Manfredi, EVP, General Manager at Crayon Group US “Attending this event was like striking gold 🙂 As a startup founder focused on co-sell and partnership, the validation and insights I gained at this event were invaluable; the future of partnerships and alliances is clearly bright. Vince Menzione, you are truly a powerhouse, and I wish you continued success! Most importantly, thank you for streaming the entire event, was truly incredible.” Archana Vadya, Founder & CEO at PartneRite “A big shout out to Vince Menzione for bringing this scale event (Ultimate Partner LIVE in Dallas) to life! It was a mega effort, and the results were amazing. Just look at the abundance of LinkedIn posts! It was an absolute pleasure sharing the stage with so many incredible speakers and colleagues from Microsoft and several of our partners like WorkSpan, Carve Partners, BDO, EY, Archive360, Sage, PartnerTap.” Kevin Peesker, (former) President, SMC - Small, Medium, Corporate Business at Microsoft This will prove to be the most valuable two days for your business in the first half of 2025. Ultimate Partner LIVE is a premium, focused, two-day immersive experience that will equip you with the tools and insights to lead through change and drive measurable results in FY26. Register now and use code ULTIMATEVIP50 at checkout for an exclusive discount.Morrisec offers this ISV Success for Business Applications partner solution in Microsoft AppSource
Microsoft ISV Success for Business Applications offers platforms, resources, and support designed to help partners develop, publish, and market business apps. Learn more about this offer from Morrisec in Microsoft AppSource:Meet customer business needs with flexible billing schedules in the marketplace
Co-authored by Trevor_Yeats Today, we’re announcing that Microsoft now offers flexible billing schedules through private offers to better align with customer needs. Flexible billing schedules are available globally to all marketplace-supported currencies. Watch these demo videos to learn more about flexible billing schedules. The value for your customers and for you With flexible billing schedules, customers can buy with confidence knowing that private offers can be customized for virtually any contract value and billing timeline to align with their requirements. Partners can tailor customer private offers and multiparty private offers to meet those requirements. This streamlines sales and accelerates deal velocity. With over 100 partners in our private preview, we’re excited to make this capability publicly available. Many of these partners have achieved remarkable success, closing deals worth millions of dollars. “Flexible billing in Microsoft marketplace has significantly improved how our sales teams engage with customers. It allows them to meet each organization's and customer's procurement needs, whether it's aligning with fiscal year budgets or accelerating project timelines from evaluations to implementations. Additionally, it helps with managing cloud commitment benefits. This flexibility has made it easier for our customers to purchase and deploy solutions faster, without waiting for specific budgets to become available. We can now set up flexible billing schedules to accommodate their needs.” Brett Ferancy, Global Alliance Leader, Abnormal AI Example use cases See below for some real-world examples of how partners and customers are leveraging flexible billing. Variable pricing with specific dates. In this example, the customer pays a setup fee at the start of billing, followed by variable pricing throughout the contract to match consumption patterns and budget cycles. 3-year deal $80M total Notes Immediate charge when billing starts $2M Setup fee – 1 st month 01 Jan 2025 $5M Year 1 installment #2 15 Jul 2025 $3M Year 1 installment #3 01 Jan 2026 $10M Year 2 installment #1 15 Jul 2026 $10M Year 2 installment #2 01 Jan 2027 $20M Year 3 installment #1 15 Jul 2027 $30M Year 3 installment #2 Variable quarterly billing. In this example, the customer pays a setup fee at the start of billing, followed by variable pricing each quarter. 1-year deal $10M total Notes Immediate when billing starts $2M Q1 01 Jun 2025 $3M Q2 01 Sep 2025 $2M Q3 01 Dec 2025 $3M Q4 Delayed start for billing. In this example, the customer gets the first two months free, followed by varied payments throughout the contract to match budget cycles 2-year deal $25M total Notes Immediate when billing starts $0M Free – 2 months 01 Mar 2024 $10M Year 1 fee 15 Jan 2025 $5M Year 2 installment 1 01 Jul 2025 $10M Year 2 installment 2 How it works To start using flexible billing for private offers: The software partner creates a private offer in the marketplace. Currently flexible billing supports SaaS flat rate offers, VM software reservations, and professional services. Partner must choose “Customize SaaS plans and Professional Services” or “Customize VM software reservations” when creating a new private offer. On the configure pricing page, under “billing frequency,” the partner will select “flexible schedule when the contract duration is 1-year or greater.” The software partner creates the billing schedule with up to 70 installments up to $100,000,000 USD, or any of the currencies supported by marketplace, over the length of the deal. There is also an option to book an immediate charge when billing starts or delay the first charge to a date in the future. Private offers can have up to ten included product plans. Each plan has its own billing frequency and may include a unique flexible schedule. A flexible schedule does not apply to all plans included in the private offer and must be set up independently. The software partner can also create a schedule in their customer’s local billing currency using the market pricing template. The customer accepts and purchases the private offer with the flexible billing schedule. For a multiparty private offer, the process is the same except: The software partner sends the private offer to the channel partner. The channel partner adds their price adjustment percentage aligned to the flexible billing schedule and passes it to the customer. Eligibility Any company who is part of the Microsoft AI Cloud Partner Program can sell on the marketplace through private offers with flexible billing. Details are provided in our documentation, but at a high-level: Be a member of the Microsoft AI Cloud Partner Program (it’s free to join) Sign the marketplace publisher agreement Publish your offer Sell private offers with flexible billing In addition, we have many support resources for partners depending on where they are on their marketplace journey. For example, software development companies can join ISV Success for tools and resources that help them publish their solution and maximize its reach on the marketplace. Get started with flexible billing on marketplace We invite you to start leveraging these new improvements to flexible billing today. Learn more by visiting aka.ms/flexbill-docs.Unleashing the multicloud advantage: Identity and Access Management (IAM)
This post is part of a series on replicating apps from AWS to Azure. View all posts in this series. As a software development company, expanding your marketplace presence beyond AWS Marketplace to include Azure Marketplace can open new doors to grow your customer base. Azure’s broad ecosystem and diverse user base offer a dynamic platform to enhance your application’s reach and potential. To ensure a smooth app replication, start by understanding the key differences between AWS IAM and Microsoft Entra ID. A clear grasp of these distinctions will help you transition identity management effectively while optimizing security and performance on Azure. This guide will highlight these differences, map comparable services, and provide actionable steps for a seamless IAM replication. You can also join ISV Success to get access to over $126K USD in cloud credits, AI services, developer tools, and 1:1 technical consults to help you replicate your app and publish to Azure Marketplace. This article addresses Identity and Access Management (IAM) and select Identity Services: Amazon Cognito vs. Microsoft Entra ID. Identity and Access management (IAM) Identity and Access Management (IAM) is essential for securing and managing who can access resources, under what conditions, and with what specific permissions. AWS and Azure both offer robust IAM solutions to manage identities, roles, and policies, but they differ significantly in architecture, integration capabilities, and ease of use, particularly for software companies building SaaS solutions migrating from AWS to Azure. Users, Groups, and Roles AWS IAM creates users within an AWS account, grouping them into IAM User Groups, while Azure IAM manages users as directory objects in Microsoft Entra ID, assigning permissions via Azure RBAC. Both support MFA and identity federation through SAML, Azure enforcing Conditional Access based on location, device state, and user risk. AWS IAM grants permissions using JSON-based policies, allowing roles to be assumed by users, AWS services, or external identities without permanent credentials. Azure IAM assigns permissions via RBAC to users, groups, and service principals, offering predefined and customizable roles. Azure supports federated identity for hybrid environments, while Azure integrates with on-premises Microsoft Entra ID. Permissions and Policies AWS IAM employs JSON-based policies for granular permissions across AWS services. Policies can be identity-based, directly attached to users or roles, or resource-based, applied directly to resources such as S3 buckets or DynamoDB tables. AWS supports temporary credentials via roles, which can be assumed by users, AWS services, or external federated identities. Azure RBAC leverages predefined roles (e.g., Global Administrator, Contributor, Reader) or custom roles, offering clear hierarchical permissions management across resource, resource group, subscription, or management group levels. AWS also allows conditional permissions through advanced policy conditions (e.g., IP address, MFA status, tags). Azure IAM employs Conditional Access Policies, adjusting access based on location, device state, and user risk. AWS IAM grants access only when explicitly allowed, whereas Azure IAM evaluates role assignments and conditions before permitting actions. For multi-account and cross-tenant access, AWS IAM enables secure cross-account roles, while Azure IAM supports External Identities for inter-tenant collaboration. AWS IAM delegates administrative rights using roles and policies, whereas Azure IAM assigns administrative roles within organizations for delegated management. AWS IAM enables controlled, temporary access to S3 objects using pre-signed URLs, which grant time-limited access to specific resources without modifying IAM policies. These URLs are often used for secure file sharing and API integrations. In Azure, a similar concept exists with Shared Access Signatures (SAS) Keys, which provide scoped and time-limited access to Azure Storage resources like Blob Storage, Table Storage, and Queues. Unlike pre-signed URLs, SAS keys allow granular control over permissions, such as read, write, delete, or list operations, making them more flexible for temporary access Integration with External Identities Both platforms provide Single Sign-On (SSO). AWS IAM uses AWS SSO. Microsoft Entra ID also supports SSO with SAML, OAuth, and OIDC. For federated identities, AWS IAM allows external users to assume roles, while Microsoft Entra ID assigns roles based on its access model. Hybrid environments are supported through on-premises directory integration. AWS IAM connects to Active Directory via AWS Directory Service, while Microsoft Entra ID integrates with on-prem AD using Microsoft Entra ID Connect, enabling hybrid identity management and SSO for cloud and on-prem resources. Both support automated user provisioning: AWS IAM utilizes AWS SSO and federation services, while Microsoft Entra ID supports SCIM 2.0 for third-party applications and syncs on-prem AD via Entra ID Connect. AWS IAM enables ECS, EKS, and Lambda workloads to pull container images from Amazon Elastic Container Registry (ECR) using IAM roles. These roles grant temporary permissions to fetch container images without requiring long-term credentials. In Azure, Azure Container Registry (ACR) authentication is managed through Service Principals and Managed Identities. Instead of IAM roles, Azure applications authenticate using Entra ID, allowing containers to securely pull images from ACR without embedding credentials. Access Control Models AWS IAM uses a policy-based access model, where permissions are defined in JSON policies attached to users, groups, or roles. In contrast, Azure separate's identity management via Microsoft Entra ID from access management via Azure RBAC, which assigns roles to users, groups, service principals, or managed identities to control access to Azure resources. Both provide fine-grained access control. AWS IAM sets permissions at the resource level (e.g., EC2, S3), while Azure uses Azure RBAC to assign Microsoft Entra ID identities roles that apply hierarchically at the resource, subscription, or management group levels. Both follow a default "deny" model, granting access only when explicitly allowed. For multi-account and multi-tenant support, AWS IAM enables cross-account roles. Microsoft Entra organizations can use External ID cross-tenant access settings to manage collaboration with other Microsoft Entra organizations and Microsoft Azure clouds through B2B collaboration and B2B direct connect. Delegation is managed through IAM roles in AWS and RBAC role assignments in Azure. Conditional access is supported—AWS uses policy-based conditions (e.g., time-based, IP restrictions), while Microsoft Entra ID relies on Conditional Access Policies (e.g., location, device health, risk level). AWS allows cross-account policy sharing, while Microsoft Entra ID enables role-based delegation at different organizational levels. Both support cross-service permissions, AWS IAM policies can define access across multiple AWS services, while Azure uses Azure RBAC to assign Microsoft Entra ID identities permissions across Azure services such as Blob Storage, SQL Database, and Key Vault. For workload authentication, AWS IAM roles provide temporary credentials for EC2, Lambda, and ECS, eliminating hardcoded secrets. In Azure, Microsoft Entra ID enables Managed Identities, allowing applications running on Azure services to authenticate securely to other Azure resources without managing credentials. Additionally, Microsoft Entra Workload Identities allow Kubernetes workloads—especially on AKS—to authenticate using Entra ID via OpenID Connect (OIDC), streamlining access to Azure services in containerized and multi-tenant environments. In AWS, containerized workloads such as ECS, EKS, and Lambda use IAM roles to securely authenticate and pull images from Amazon ECR, avoiding hardcoded credentials. In Azure, containerized applications authenticate to Azure Container Registry (ACR) using Microsoft Entra ID identities—either Managed Identities or Service Principals. Permissions such as AcrPull are granted via Azure RBAC, enabling secure image access. Azure’s model supports cross-tenant authentication, making it particularly useful for ISVs with multi-tenant containerized SaaS deployments. Cross-account storage access in AWS uses IAM roles and bucket policies for Amazon S3, allowing external AWS accounts to securely share data. In Azure, Microsoft Entra ID B2B and RBAC assignments. This model avoids the need to share credentials or manage access via SAS tokens, streamlining collaborations in multi-tenant environments. Audit and Monitoring AWS IAM and Microsoft Entra ID both provide robust audit logging and monitoring. AWS CloudTrail logs IAM and AWS API calls for 90 days by default, with extended retention via CloudTrail Lake or Amazon S3. Microsoft Entra ID logs sign-ins, including failed attempts, retaining data for 7 days in the free tier and up to 30 to 90 days in Premium tiers. For longer retention, Log Analytics or Sentinel should be used. For real-time monitoring, AWS CloudWatch tracks IAM activities like logins and policy changes, while Microsoft Entra ID Premium does so via Azure AD Identity Protection. AWS uses CloudWatch Alarms for alerts on permission changes, whereas Microsoft Entra ID alerts on suspicious sign-ins and risky users. AWS GuardDuty detects IAM threats like unusual API calls or credential misuse, while Microsoft Entra ID’s Identity Protection identifies risky sign-ins (Premium P2 required). AWS Security Hub aggregates findings from CloudTrail and GuardDuty, while Microsoft Entra ID integrates with Azure Sentinel for advanced security analytics. For IAM configuration tracking, AWS Config monitors policies and permissions, while Microsoft Entra ID’s Audit Log track's role, group, and user changes. AWS Artifact provides downloadable compliance reports. Microsoft Purview Compliance Manager enables customers to assess and manage their compliance across services like Entra ID and Azure using built-in control assessments. AWS CloudTrail logs IAM activity across AWS Organizations, and Microsoft Entra ID Premium supports cross-tenant access monitoring. Azure Lighthouse enables cross-tenant management for service providers, integrating with Microsoft Entra ID for delegated access without guest accounts. It applies RBAC across tenants and manages shared resources like Azure Blob Storage and virtual machines, streamlining ISV operations in marketplace scenarios. Pricing AWS IAM and Microsoft Entra ID provide core IAM services for free, with advanced features available in paid tiers. Both platforms support unlimited users for basic IAM functions, with AWS offering free user, role, and policy creation, while Microsoft Entra ID allows up to 500,000 objects (users/groups) at no cost. Additional users can be added for free, though advanced features require a paid plan. MFA is free on both platforms, but Microsoft Entra ID includes advanced MFA options in Premium tiers. AWS does not have risk based Conditional Access for free. Microsoft Entra ID includes it in Premium P1/P2 tiers (starting at $6 per user/month) Custom policies for fine-grained access control are free in AWS and Azure. Identity federation is free in AWS IAM, while Microsoft Entra ID requires a Premium P1/P2 plan. Microsoft Entra ID includes Self-Service Password Reset (SSPR) in Premium P1/P2, whereas AWS IAM does not offer it for free. Both platforms support RBAC at no extra cost. Directory synchronization is available via Microsoft Entra ID Premium P1/P2. AWS Directory Service is a paid managed AD service, not part of IAM. AWS IAM doesn’t have a direct “guest user” concept; instead, you configure federated access or cross-account roles, but Microsoft Entra ID requires a Premium tier for Azure AD External Identities. Full API and CLI access for user, policy, and role management is free on both platforms. Advanced security monitoring is available through AWS GuardDuty and Security Hub at an extra cost. Microsoft Entra ID provides advanced security monitoring, such as risk-based conditional access, within Premium P1/P2 tiers. Both platforms offer free support for service principals, enabling secure application access and role assignments. Amazon Cognito vs. Microsoft Entra ID Amazon Cognito provides identity and access management for applications in AWS, while Azure offers this through Microsoft Entra ID, centralizing IAM tools for ISVs. Both differ in authentication, integration, and target audiences. User management Amazon Cognito uses User Pools for authentication and Identity Pools for federated identities. Microsoft Entra ID serves as a central identity directory for Azure, Microsoft 365, and third-party apps, integrating with on-prem AD. Authentication methods Both support password-based login, MFA, passwordless authentication, and social sign-in. Amazon Cognito can be extended to support passwordless authentication with magic links, OTPs, and FIDO2 using AWS Lambda. Microsoft Entra ID supports native passwordless options like FIDO2, Windows Hello, and OTPs, plus risk-based conditional authentication. Identity Federation & SSO Amazon Cognito supports SAML, OAuth 2.0, and OIDC. Microsoft Entra ID offers enterprise SSO with SAML, OAuth, and WS-Federation, plus cross-tenant federation via Entra ID B2B. Access Control & Security Policies AWS relies on AWS IAM and custom logic for built-in RBAC or Attribute Based Access Control (ABAC). Microsoft Entra ID includes RBAC, ABAC, and Conditional Access Policies for granular security control. Self-Service & User Management Amazon Cognito allows self-registration and password resets, with workflow customization via AWS Lambda. Microsoft Entra ID offers SSPR, access reviews, and an enterprise portal for account management. Security & Compliance Amazon Cognito provides monitoring via AWS CloudTrail and GuardDuty, compliant with HIPAA, GDPR, and ISO 27001. Microsoft Entra ID integrates with Microsoft Defender for Identity for threat detection, with compliance for HIPAA, GDPR, ISO 27001, and FedRAMP, plus risk-based authentication in premium tiers. Migration best practices tips When migrating IAM from AWS to Azure, organizations should: Assess existing AWS IAM policies and roles, mapping them carefully to Azure RBAC roles. Leverage Microsoft Entra Connect for seamless integration with existing on-premises Active Directory environments. Use Azure's Managed Identities and SAS tokens strategically to minimize credential management complexity. Implement Conditional Access Policies in Azure to dynamically secure and simplify access management. Key Resources: Microsoft Azure Migration Hub | Microsoft Learn Publishing to commercial marketplace documentation Pricing Calculator | Microsoft Azure Azure IAM best practices Configure SAML/WS-Fed identity provider - Microsoft Entra External ID Maximize your momentum with step-by-step guidance to publish and grow your app with App Advisor Accelerate your development with cloud ready deployable code through the Quick-start Development Toolkit
