partner
890 Topics

Migrating your AWS offer to Microsoft Marketplace - Database services
For software development companies looking to expand or replicate their marketplace offerings from AWS to Microsoft Azure, one of the most critical steps in replicating your solution is selecting the right Azure database services. While both AWS and Azure provide robust managed database options, their architecture, service availability, and design approaches vary. To deliver reliable performance, scale globally, and meet operational requirements, it’s essential to understand how Azure databases work—and how they compare to AWS—before you replicate your app.

Broaden your customer base and enhance your app’s exposure by bringing your AWS-based solution to Azure and listing it on Microsoft Marketplace. This guide walks you through how Azure database services compare to those on AWS—spotlighting differences in architecture, scalability, and feature sets—so you can make confident choices when replicating your app’s data layer to Azure.

This post is part of a series on replicating apps from AWS to Azure.

AWS to Azure database mapping

When replicating your app from AWS to Azure, start by mapping your existing database services to the closest Azure equivalents. Both clouds offer relational, NoSQL, and analytics databases, but they differ in architecture, features, and integration points. Choosing the right Azure service helps keep your app performant, secure, and manageable—and aligns with Azure Marketplace requirements for an Azure-native deployment.

| AWS Service | Azure Equivalent | Recommended Use Cases & Key Differences |
| --- | --- | --- |
| Amazon RDS (MySQL/PostgreSQL) | Azure Database for MySQL / PostgreSQL | Fully managed relational DB with built-in HA, scaling, and security. Building Generative AI apps. |
| Amazon RDS (SQL Server) | Azure SQL Database or Azure SQL Managed Instance | Use Azure SQL Database for modern apps; choose Managed Instance for near 100% compatibility with on-prem SQL Server. |
| SQL Server on EC2 | SQL Server on Azure VMs | Best for lift-and-shift scenarios requiring full OS-level control. |
| Amazon RDS (Oracle) | Oracle Database@Azure | Managed Oracle workloads with Azure integration. |
| Amazon Aurora (PostgreSQL/MySQL) | Azure Database for PostgreSQL (Flexible Server) or Azure Database for MySQL | Similar managed experience for large workloads, consider Azure HorizonDB (public preview)—built on PostgreSQL to compete with Aurora & AlloyDB. |
| Amazon DynamoDB | Azure Cosmos DB (NoSQL API) | Global distribution, multi-model support, and guaranteed SLAs for latency and throughput. |
| Amazon Keyspaces (Cassandra) | Azure Managed Instance for Apache Cassandra | Managed Cassandra with elastic scaling and Azure-native security. |
| Cassandra on EC2 | Azure Managed Instance for Apache Cassandra | Same as above; ideal for lift-and-shift Cassandra clusters. |
| Amazon DocumentDB, MongoDB Atlas, MongoDB on EC2 | Azure DocumentDB | Drop-in compatibility for MongoDB workloads with global replication and vCore-based pricing. |
| Amazon Redshift | Azure Synapse Analytics | Enterprise analytics with integrated data lake and Power BI connectivity. |
| Amazon ElastiCache (Redis) | Azure Cache for Redis | Low-latency caching with clustering and persistence options. |

Match your use case

After mapping AWS services to Azure equivalents, the next step is selecting the right service for your workload. Start by considering the data model (relational, document, key-value), then factor in performance, consistency, and global reach.

- Building AI apps: Generative AI, vector search, advanced analytics.
- Relational workloads: Use Azure SQL Database, Azure SQL Managed Instance, or Azure Database for MySQL/PostgreSQL for transactional apps; enable zone redundancy for HA. Review schema compatibility, stored procedures, triggers, and extensions. Inventory all databases, tables, indexes, users, and dependencies before migration. Document any required refactoring for Azure.
- NoSQL workloads: Choose Azure Cosmos DB for globally distributed apps; select the API (NoSQL, MongoDB, Cassandra) that matches your existing schema. Validate data: Model mapping and test migration in a sandbox environment to ensure data integrity and application connectivity.
- Analytics: For large-scale queries and BI integration, Azure Synapse Analytics offers MPP architecture and tight integration with Azure Data Lake. Inventory all analytics assets, ETL pipelines, and dependencies. Plan for migration using Azure Data Factory or Synapse pipelines. Test performance benchmarks and optimize query plans post-migration.
- Caching: Azure Cache for Redis accelerates app performance with in-memory data and clustering. Update application connection strings and drivers to use Azure endpoints. Implement retry logic and connection pooling for reliability. Validate cache warm-up and failover strategies.
- Hybrid scenarios: Combine Cosmos DB with Synapse Link (for Synapse as target) or Fabric Mirroring (for Fabric as target) for real-time analytics without ETL overhead. Assess network isolation, security, and compliance requirements. Deploy Private Endpoints and configure RBAC as needed. Document integration points and monitor hybrid data flows.

Factor in security and compliance

- Encryption: Confirm default encryption meets compliance requirements; enable customer-managed keys (CMK) if needed. Enable Transparent Data Encryption (TDE) and review encryption for backups and in-transit data.
- Access control: Apply Azure RBAC and database-level roles for granular permissions. Audit user roles and permissions regularly to ensure least privilege.
- Network isolation: Use Private Endpoints within a virtual network to keep traffic off the public internet. Configure Network Security Groups (NSGs) and firewalls for additional protection.
- Identity integration: Prefer Managed Identities for secure access to databases. Integrate with Azure Active Directory for centralized identity management.
- Compliance checks: Verify certifications like GDPR, HIPAA, or industry-specific standards. Use Azure Policy and Compliance Manager to automate compliance validation.
- Audit logging and threat detection: Enable audit logging and advanced threat detection with Microsoft Defender for all database services. Review logs and alerts regularly.

Optimize for cost

- Compute tiers: Choose General Purpose for balanced workloads; Business Critical for low-latency and high IOPS. Review workload sizing and adjust tiers as needed for cost efficiency.
- Autoscaling: Enable autoscale for Cosmos DB and flexible servers to avoid overprovisioning. Monitor scaling events and set thresholds to control spend.
- Reserved capacity: Commit to 1–3 years for predictable workloads to unlock discounts. Evaluate usage patterns before committing to reservations.
- Serverless: Use serverless compute for workloads with completely ad hoc usage and low frequency of access. This eliminates the need for pre-provisioned resources and reduces costs for unpredictable workloads.
- Monitoring: Use Azure Cost Management and query performance insights to optimize spend. Set up budget alerts and analyze cost trends monthly. Include basic resource monitoring to detect adverse usage patterns early.
- Storage and backup costs: Review storage costs, backup retention policies, and configure lifecycle management for backups and archives.

Data migration from AWS to Azure

Migrating your data from AWS to Azure is a key step in replicating your app’s database layer for Azure Marketplace. The goal is a one-time transfer—after migration, your app runs fully on Azure.

- Azure Database Migration Service (DMS): Automates migration from RDS, Aurora, or on-prem to Azure Database, Azure SQL Managed Instance, Azure Database for MySQL/PostgreSQL, and SQL Server on Azure VM (for MySQL/PostgreSQL/SQL Server). Supports online and offline migrations; run pre-migration assessments and schema validation.
- Azure Data Factory: Orchestrates data movement from DynamoDB, Redshift, or S3 to Azure Cosmos DB or Synapse. Use mapping data flows for transformations and data cleansing.
- MongoDB migrations: Use the online migration utility designed for medium to large-scale migrations to Azure DocumentDB. Ensure schema compatibility and validate performance benchmarks before cutover.
- Cassandra migrations: Use Cassandra hybrid cluster or dual write proxy for Azure Managed Instance for Apache Cassandra. Validate schema compatibility and test migration in a sandbox environment.
- Offline transfers: For very large datasets, use Azure Data Box for secure physical migration. Plan logistics and security for device handling.
- Migration best practices: Schedule migration during a maintenance window, validate data integrity post-migration, and perform cutover only after successful data validation & verifications.

Final readiness before marketplace listing

- Validate performance: Benchmark with real data and confirm chosen SKUs deliver required throughput and latency. Test application functionality under expected load and validate query performance for all critical scenarios.
- Lock down security: Ensure RBAC roles, Private Endpoints, and encryption meet compliance requirements. Review audit logs, enable threat detection, and verify access controls for all database and storage resources.
- Control costs: Verify autoscaling, reserved capacity, and cost alerts are active. Review storage and backup policies, and set up budget alerts for ongoing cost control.
- Enable monitoring: Set up dashboards for query performance, latency, and capacity. Configure alerts for failures, anomalies, and capacity thresholds. Monitor with Azure Monitor and Log Analytics for real-time operational insights.
- Documentation and support: Update migration runbooks, operational guides, troubleshooting documentation, and escalation contacts for post-migration support.
Key Resources

- SaaS Workloads - Microsoft Azure Well-Architected Framework | Microsoft Learn
- Metered billing for SaaS offers in Partner Center
- Create plans for a SaaS offer in Microsoft Marketplace
- Get over $126K USD in benefits and technical consultations to help you replicate and publish your app with ISV Success
- Maximize your momentum with step-by-step guidance to publish and grow your app with App Advisor

In Summa, synvert ClearPeaks, and Asignet offer transactable solutions in Microsoft Marketplace
Microsoft partners like In Summa, synvert ClearPeaks, and Asignet deliver transact-capable offers, which allow you to purchase directly from Microsoft Marketplace. Learn about these offers in this post.

Encodian, AppJetty, and KAISPE offer transactable partner solutions in Microsoft Marketplace
Microsoft partners like Encodian, AppJetty, and KAISPE deliver transact-capable offers, which allow you to purchase directly from Microsoft Marketplace. Learn about these offers in this blog post.

SharePoint Embedded security features: A comprehensive Q&A guide
🔐 Authentication & identity management

Q: How does SharePoint Embedded integrate with Microsoft Entra ID?

A: SharePoint Embedded requires all users to authenticate through Microsoft Entra ID:

- Single sign-on (SSO): Seamless authentication across Microsoft 365 services
- Multi-factor authentication (MFA): Configurable per-organization security policies
- Guest access: Secure B2B collaboration using Entra ID B2B guest accounts

Key requirement: All users accessing SharePoint Embedded containers must exist as either:

- Member users in your Entra ID tenant
- Guest users invited through Entra ID B2B collaboration

Q: What's the difference between delegated and application permissions?

A: Understanding these permission models is critical for security and auditability:

Delegated permissions (recommended):

- Application acts on behalf of an authenticated user
- User context preserved in audit logs
- Users must authenticate before accessing containers
- Enables file search capabilities within containers
- Use case: Interactive applications where user identity matters

Application-only permissions (restricted use):

- Application acts without user context
- No user tracking in audit logs (shows as application)
- Search capabilities are limited
- Use case: Background jobs, system integrations, automated processes

Best practice: Use delegated permissions whenever possible to maintain proper audit trails and security accountability.

Q: How do we secure service principals and application secrets?
A: SharePoint Embedded supports multiple secure authentication methods:

Managed identities (most secure):

- No secrets or certificates to manage
- Identity tied to Azure resources
- Cannot be used outside your Azure environment
- Eliminates credential exposure risk

Certificate-based authentication:

- More secure than client secrets
- Longer validity periods
- Can be stored in Azure Key Vault

Client secrets (use with caution):

- Store in Azure Key Vault, never in code or config files
- Enable automatic rotation (recommended: 90-day rotation)
- Configure expiration alerts

Security hardening:

- Apply Conditional Access policies to service principals
- Restrict to corporate IP ranges using Named Locations
- Implement Privileged Identity Management (PIM) for credential access
- Enable Azure Policy to enforce certificate-based authentication
- Domain limitations if applicable

🛡️ Container-level security features

Q: What security controls are available at the container level?

A: SharePoint Embedded provides granular security controls for each container:

Sensitivity labels:

- Enforce encryption and access policies
- Automatically applied to all content in container
- Integrated with Microsoft Purview Information Protection

Block download policy:

- View-only access for high-sensitivity content
- Prevents data exfiltration
- Supports watermarking in Office web apps

Container permissions: Four permission levels available:

- Owners: Full control including container deletion
- Managers: Manage content and permissions (cannot delete container)
- Writers: Add, update, and delete content
- Readers: View-only access

Q: How does SharePoint Embedded handle external user collaboration?
A: SharePoint Embedded supports secure external collaboration through multiple mechanisms:

Authentication options:

- Entra ID guest users: External users invited as B2B guests
- Email-based sharing: Send secure access links with expiration
- Anonymous links: View-only or edit links without authentication (configurable)

Security controls:

- Container-level sharing policies may supersede tenant default settings; however, they do not impact other configurations within the tenant.
- Link expiration dates and access revocation
- Audit trail for all external user activities
- Integration with Data Loss Prevention (DLP) policies

Sharing configuration best practices:

- Enable guest sharing only for required applications
- Require email verification for sensitive content
- Monitor external access through Microsoft Purview audit logs

Real-world scenarios:

- Legal firms: Share case documents with external counsel using time-limited guest access
- Construction projects: Collaborate with subcontractors while maintaining security boundaries
- Financial services: Enable secure document exchange with clients using DLP policies

📋 Compliance & data governance

Q: What Microsoft Purview features are supported?
A: SharePoint Embedded integrates with the full Microsoft Purview compliance suite:

Audit logging:

- All user and admin operations captured in unified audit log
- Enhanced with ContainerTypeId for filtering
- Search and export capabilities through Microsoft Purview
- Retention up to 10 years (with E5 license)

eDiscovery:

- Search across all SharePoint Embedded containers
- Place legal holds on container content
- Review content to determine if it should be tagged and included in the case
- Export content for litigation or investigation

Data lifecycle management (DLM):

- Apply retention policies to containers
- Automatic deletion after retention period
- Hold policies for litigation or investigation
- Label-based retention rules

Implementation:

- Retention policies apply to "All Sites" automatically to include SPE containers
- Selective enforcement using container URLs
- Graph API for programmatic label application

Data loss prevention (DLP):

- Identify and protect sensitive information
- Prevent external sharing of classified content
- Policy tips and user notifications
- Automatic encryption and access restrictions

DLP policy enforcement:

- Real-time scanning of uploaded content
- Block external sharing based on content type
- Business justification workflows (app-dependent)
- Integration with sensitivity labels

Q: How are DLP policies enforced in SharePoint Embedded?

A: DLP works similarly to SharePoint Online with some considerations:

Supported scenarios:

- Automatic detection of sensitive information (PII, financial data, etc.)
- Policy enforcement on upload, download, and sharing
- Alert generation for policy violations
- Integration with Microsoft Purview compliance center

Application responsibilities: Since SharePoint Embedded has no built-in UI, applications must:

- Display policy tips to users when DLP flags content
- Handle business justification workflows for policy overrides
- Implement sharing restrictions when DLP blocks external access
- Use Graph APIs to retrieve DLP policy status

Best practice: Test DLP policies on pilot containers before organization-wide deployment.

🔒 Advanced security scenarios

Q: How do we implement least-privilege access for SharePoint Embedded?

A: Follow these principles for robust security architecture:

Q: What are common security misconfigurations to avoid?

A: Learn from real customer experiences:

❌ Common Mistake 1: Assigning application permissions to user activities

- Problem: No audit trail, all actions appear as "application"
- Solution: Use delegated permissions for interactive scenarios

❌ Common Mistake 2: Storing secrets in application code

- Problem: Credential exposure in version control
- Solution: Use Azure Key Vault with managed identities

❌ Common Mistake 3: Ignoring conditional access configuration

- Problem: Service principals accessible from any network
- Solution: Configure named locations and conditional access policies

❌ Common Mistake 4: Not testing admin consent flow

- Problem: Consuming tenant onboarding failures
- Solution: Use admin consent URL method: https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent?client_id={client-id}&redirect_uri={redirect-uri}

🏢 Enterprise security best practices

Q: What security hardening steps should we implement?
A: Follow this layered security approach:

Level 1: Basic hardening

Access controls:

[ ] Implement least privilege principles
[ ] Use delegated permissions for user-facing operations
[ ] Regular permission audits (quarterly)
[ ] Remove unused API permissions

Authentication:

[ ] Enable certificate-based authentication
[ ] Configure MFA for all admin accounts
[ ] Implement password-less authentication where possible
[ ] Use managed identities for Azure-hosted apps

Network security:

[ ] Configure Conditional Access policies
[ ] Define trusted IP ranges (Named Locations)
[ ] Block legacy authentication protocols
[ ] Enable sign-in risk policies

Level 2: Advanced hardening

Monitoring & alerting:

[ ] Enable Microsoft Defender for Cloud Apps
[ ] Configure alerts for suspicious activities:
    - Unusual download volumes
    - Access from unexpected locations
    - Permission changes
    - Guest user additions
[ ] Integrate audit logs with SIEM (Sentinel, Splunk)
[ ] Establish baseline for normal activity

Compliance:

[ ] Apply sensitivity labels to containers
[ ] Implement DLP policies for sensitive data
[ ] Configure retention policies
[ ] Regular compliance assessments

Incident response:

[ ] Document container emergency access procedures
[ ] Define escalation paths for security incidents
[ ] Test access revocation processes
[ ] Maintain audit log retention for forensics

Level 3: Zero trust architecture

Continuous verification:

[ ] Device compliance requirements
[ ] Session-based access controls
[ ] Real-time risk assessment
[ ] Automated response to anomalies

📚 Additional resources

Official documentation

- Security and Compliance Overview
- Container Permissions API
- Microsoft Purview DLP
- Conditional Access Policies

Security best practices

- SharePoint Embedded Admin Guide
- Entra ID Application Security
- Zero Trust Security Model

Have more questions or want to talk to the team? Contact us: SharePointEmbedded@microsoft.com

Marketplace offer live? Now make it shine!🌟
Microsoft gives you the tools, best practices, and guidance to boost visibility, drive traffic, and turn interest into real customers fast. And the quickest path? App Advisor.

🚀 Start with App Advisor: Your Marketplace growth playbook

App Advisor is your self‑serve hub packed with step‑by‑step best practices, optimization guidance, and proven GTM strategies designed to help your app or agent rise above the noise and stand out to buyers.

🛠️ Optimize your listing

- Sharpen your sales page with clearer, benefits‑forward messaging
- Strengthen SEO so your offer is easier to find
- Enable a trial - the strongest conversion accelerator
- Offer public plans with clear tiers (Basic / Standard / Premium) to support direct sales
- Add visuals, screenshots, and short videos to show value instantly

📈 Boost visibility

- Cross‑link your website, G2 profile, blogs, and social posts back to your listing
- Understand factors that influence Marketplace search rankings and views
- Review your category selections - they directly affect discoverability
- Encourage customer reviews - including from G2, which flows into your listing!

📣 Promote with confidence

App Advisor provides guidance around:

- Ready‑to‑use templates
- Partner‑tested messaging
- Campaign ideas to drive awareness and demand

Be sure to:

- Link all channels (website → Marketplace → G2 → social → email)
- Use OCIDs to see exactly which channels move the needle in Marketplace Insights
- Double down on what moves the needle

🏅 Unlock Marketplace Rewards

When you publish a transactable offer, Marketplace Rewards kick in automatically, giving your listing additional promotional lift. Rewards include:

- Personalized listing optimization recommendations
- Marketplace blog and newsletter promotion
- Extra visibility for your listing
- Editorial + press release templates
- GTM enablement that grows with performance

Marketplace Rewards + App Advisor = compounding growth momentum.
🧲 Build a product-led growth motion

Sales don’t happen by accident - they happen with a smart GTM motion. App Advisor walks you through:

- Segmenting your target market
- Defining messaging that resonates with real buyers
- Building educational content (blogs, case studies, guides, emails)
- Nailing SEO & SEM basics
- Creating a conversion‑ready experience that shows quick wins
- Tracking performance with OCIDs + Marketplace Insights
- Strengthening your digital presence
- Encouraging reviews and customer storytelling
- Running targeted ads to your ideal audiences

This motion turns Marketplace visibility into pipeline, and pipeline into wins.

🤝 Expand your reach through channel partners

Once you’ve optimized your offer and are promoting it consistently, it’s time to extend your reach even further. Forge relationships with channel partners - let them sell for you. By leveraging channel partners, you can make your solution available for system integrators, distributors and resellers to sell to their customers. You can sell through or with channel partners by leveraging resale enabled offers (REO), multi-party private offers (MPO), or Cloud Solution Provider (CSP) offers. That means:

- Your offer appears in their reseller catalogs
- They bring your solution into their customer conversations
- You tap into existing, trusted partner‑to‑customer relationships
- You gain scale without extra headcount or marketing spend

A small switch. A massive multiplier. Enable resale so channel partners can open doors you couldn’t reach alone.

✅ Where to go next

- Start with App Advisor to sharpen your listing + GTM motion
- Add public plans + trial
- Strengthen SEO and performance signals
- Track success using OCIDs
- Publish a transactable offer to unlock Marketplace Rewards
- Enable REO to let channel partners help scale you globally – go deeper in this REO-focused post.

Ready to make your offer shine? Head to App Advisor and get started.