Need help setting up isolation models for secure multi tennancy service

Question

Need help setting up isolation models for secure multi tennancy service

Christian Hyltoft 25

I need to implement proper multi-tenancy for my application in Azure to ensure complete data separation between different customer organizations. I understand Azure offers various "isolation models" for multi-tenancy, but I haven't worked extensively with Azure recently and need guidance on the best approach. I'm looking for recommendations on which Azure isolation model would be most appropriate (shared database with row-level security, database-per-tenant, etc.), best practices for implementing tenant isolation, and any security considerations specific to multi-tenant architecture. My requirements include complete isolation of customer data between tenants, secure authentication and authorization, and a cost-effective, scalable solution. Thanks in advance for any guidance!

Accepted answer

1 additional answer

Your answer

Answer 1

Hari Babu Vattepally 2,480 Microsoft External Staff

Hi @Christian Hyltoft ,

As said above that, I understand that you would like to setup container-per-tenant model for multi-tenancy in Azure Blob Storage, to make sure that complete data isolation and scalability.

Deploying a dedicated storage account for each tenant offers the highest level of isolation. This ensures that all storage keys are isolated and can be rotated independently. This method allows you to scale your solution to avoid the limits and quotas of each storage account. However, you must also consider the maximum number of storage accounts that can be deployed in a single Azure subscription.

In order to setup a container-per-tenant model in Azure Blob Storage for secure multi tenancy, please follow the below steps:

Create a dedicated blob container for each tenant within your Azure Storage account. Azure supports the creation of multiple blob containers without a specific limit, which helps in isolating tenant data. Name the container (e.g., tenant1-container, tenant2-container) and set the Access level to "Private" and repeat for each tenant.
Then configure the Authentication and Authorization, please make sure to assign Azure roles (e.g., Storage Blob Data Contributor or Storage Blob Data Reader) to tenant-specific users or service principals, scoped to their containers. And, using Azure Storage access controls, like Shared Access Signatures (SAS), which helps to manage and restrict access to each tenant's blob container. This ensures only authorized users can access their data. Also, set expiration times for enhanced security.
Also, implement monitoring to track the usage and performance of each container. This will help manage resources effectively and ensure the security and isolation of each tenant's data. Also, when working with a multitenant solution, consider if you need to measure the consumption for each tenant, and define the specific metrics to track, such as the storage capacity used by each tenant or the number of operations performed on each tenant's data. You can also use cost allocation to monitor the cost of each tenant's usage and enable chargeback across multiple subscriptions.
To have cost optimization use Life Cycle Mangement policies to automatically move blobs to lower cost tiers such as cool or Archive based on the access patterns.
Also, please be aware of the storage limits, for a single storage account we can have up to 500TB of data.

Please refer the below documentation for more information and best practices:

I hope by following the above will help in implement a container-per-tenant model in Azure Blob Storage.

Please let us know in the comments below, if the issue is resolved or still persists. We will be glad to assist you closely.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Hari Babu Vattepally 2,480 Reputation points Microsoft External Staff

2025-03-31T17:50:26.19+00:00

Hi @Christian Hyltoft ,

Your contribution is highly appreciated. Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Hari Babu Vattepally 2,480 Reputation points Microsoft External Staff

2025-04-01T15:47:52.29+00:00

Hi @Christian Hyltoft ,

Just checking in to see if the above answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Hari Babu Vattepally 2,480 Reputation points Microsoft External Staff

2025-04-02T04:45:12.39+00:00

Hi @Christian Hyltoft ,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Christian Hyltoft 25 Reputation points

2025-04-02T08:58:26.17+00:00

Thank you for your comment!

Is there a smart way to integrate or implement this, so that it will automatically create a new container for every tennant signed up through the application or is the best practice to do this manually?
Hari Babu Vattepally 2,480 Reputation points Microsoft External Staff

2025-04-02T11:42:11.1166667+00:00
Hi @Christian Hyltoft ,

Thanks for the response. Yes, you can automate the process by creating a new container for every tenant at the time of sign-up which is better approach for scalability, efficiency and consistency.

Please follow the below on how you can integrate into your application:

Add the container creation logic to the backend of your tenant sign-up process. When a tenant signs up, it should automatically trigger the creation of a new container.

You can also leverage using the Azure Storage SDK or REST API to programmatically create containers. Below is a sample code using Python:

from azure.storage.blob import BlobServiceClient def create_container(account_url, container_name, credential): # Initialize the Blob Service Client blob_service_client = BlobServiceClient(account_url=account_url, credential=credential) # Create the container container_client = blob_service_client.get_container_client(container_name) container_client.create_container() print(f"Container '{container_name}' created successfully!")

And, invoke this function during tenant registration. Make sure to use a unique naming convention for the container, such as tenant-{tenantID} or customer-{customerName}.

To automate and to have a serverless approach, you can use Azure Functions to create containers. Using the Azure Functions, you can trigger the function on tenant registration (via an event or API call). And, utilize the storage SDK within the function to programmatically create containers. Azure Function sample code as below:

import logging from azure.storage.blob import BlobServiceClient def main(req): tenant_id = req.params.get('tenant_id') account_url = "https://<your-storage-account>.blob.core.windows.net" credential = DefaultAzureCredential() # Create the container container_name = f"tenant-{tenant_id}" blob_service_client = BlobServiceClient(account_url=account_url, credential=credential) container_client = blob_service_client.get_container_client(container_name) container_client.create_container() logging.info(f"Container '{container_name}' created for tenant {tenant_id}")

Additionally: If you can also optionally use, Azure Resource Manager (ARM) templates or Bicep scripts to automate the container creation as part of tenant provisioning.

However, please make sure to enforce secure access control by using Role-Based Access Control (RBAC) to assign tenant specific permissions at container level as mentioned in above solution.

As an alternatively, you can create a Shared Access Signature (SAS) to provide scope access to the container. This will ensure that each tenant can access only specific container.

Below are some more additional best practices:- Make sure that the container creation process is idempotent, so that it succeeds even if the container already exists.

Leverage Azure Key Vault to securely handle storage account credentials and ensure that Azure Storage Encryption is enabled (this is the default setting).

Also. make sure to Log container creation events using Azure Monitor or Application Insights to support auditing requirements.

I hope by follow above helps in achieving the desired solution.

Please do let us know in the comments section here, we will be happy to help you with the further assistance closely.

Please do consider to "Accept Answer"/ “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

Dear Christian,

Thank you for your enquiry here at Q&A portal. Implementing secure multi-tenancy in Azure requires careful consideration of isolation models, scalability, and cost-efficiency. So lets review all based on your stated requirements (data isolation, security, and cost-effectiveness):

Azure Multi-Tenancy Isolation ways.

Database-Per-Tenant. Best suited Maximum isolation, compliance-heavy workloads (e.g., healthcare, financial services). Advantages is physical data separation, simplified backup/restore procedures, tenant-specific scaling. Drawbacks is higher operational costs at scale, increased management overhead.I would reccomend Azure SQL Database (elastic pools for cost optimisation), PostgreSQL/Cosmos DB with dedicated tenant containers.

Shared Database with Row-Level Security

Best suited for cost-conscious implementations with moderate isolation needs. Advantages is reduced operational complexity, leverages native RLS or application-level filtering. Drawbacks is requires meticulous RLS configuration; potential cross-tenant leakage if improperly implemented. Implementation not really hard, Azure SQL RLS or tenant ID filtering in application code.

Hybrid Model/Tenant Sharding

Groups tenants into shared databases (e.g., by region/service tier) to balance isolation and cost.

Best Practices of Security. Authentication, So u could implement Azure AD (B2B/B2C) with tenant-specific claims.

Authorisation: Employ ABAC/RBAC models (e.g., tenant ID validation in tokens).

Network Isolation: Configure NSGs, Private Endpoints, or dedicated App Service Environments (ASE) for sensitive tenants.

Audit Trails: Enable Azure Monitor/Log Analytics per tenant.

Now about costs.

Elastic Pools is an ideal for database-per-tenant architectures to optimise resource utilisation. Serverless Tiers is suitable for variable workloads (Azure SQL DB/PostgreSQL).

Any questions- welcome )))

Best regards,

Alex

P.S. If my answer help to you, please Accept my answer

Share via

Need help setting up isolation models for secure multi tennancy service

1 additional answer

Your answer