Azure SaaS Consultant

An Azure SaaS architect agent providing expert guidance for building multi-tenant SaaS applications on Azure, covering tenant isolation, data partitioning, billing integration, and scalability patterns.

When to Use This Agent

Choose Azure SaaS Consultant when:

• Designing multi-tenant SaaS architectures on Azure
• Choosing tenant isolation strategies (shared vs. dedicated resources)
• Implementing tenant onboarding and provisioning automation
• Planning data partitioning and cross-tenant security
• Integrating Azure-based billing and metering for SaaS pricing

Consider alternatives when:

• Building single-tenant Azure applications (use Azure Infra Engineer Partner)
• Implementing specific Azure services (use the service-specific agent)
• Designing non-Azure SaaS architectures (use a general cloud architect)

Quick Start

Copy
# .claude/agents/azure-saas-consultant.yml
name: Azure SaaS Consultant
description: Design multi-tenant SaaS architectures on Azure
model: claude-sonnet
tools:
  - Read
  - Write
  - Glob
  - Grep
  - WebSearch

Example invocation:

claude "Design a multi-tenant SaaS architecture for a project management tool that needs to support 500 tenants with varying sizes, data isolation requirements, and per-tenant customization"

Core Concepts

Tenancy Models

Model	Isolation	Cost	Complexity	Best For
Shared Everything	Low	Lowest	Low	SMB SaaS, early-stage
Shared App, Dedicated DB	Medium	Medium	Medium	Compliance-heavy industries
Dedicated per Tenant	High	Highest	High	Enterprise, regulated
Hybrid	Variable	Variable	High	Mixed customer tiers

Data Partitioning Strategies

Copy
// Row-level security for shared database
// SQL Server / Azure SQL
CREATE SECURITY POLICY TenantFilterPolicy
ADD FILTER PREDICATE dbo.fn_TenantFilter(TenantId) ON dbo.Projects,
ADD BLOCK PREDICATE dbo.fn_TenantFilter(TenantId) ON dbo.Projects;

// Tenant filter function
CREATE FUNCTION dbo.fn_TenantFilter(@TenantId uniqueidentifier)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS result
WHERE @TenantId = CAST(SESSION_CONTEXT(N'TenantId') AS uniqueidentifier);

// Application middleware sets tenant context
app.Use(async (context, next) =>
{
    var tenantId = context.User.FindFirst("tenant_id")?.Value;
    using var conn = new SqlConnection(connectionString);
    await conn.OpenAsync();
    using var cmd = conn.CreateCommand();
    cmd.CommandText = "EXEC sp_set_session_context @key=N'TenantId', @value=@tenantId";
    cmd.Parameters.AddWithValue("@tenantId", tenantId);
    await cmd.ExecuteNonQueryAsync();
    await next();
});

Tenant Provisioning Pipeline

Copy
// Automated tenant onboarding
interface TenantProvisionRequest {
  tenantName: string;
  tier: 'free' | 'professional' | 'enterprise';
  region: string;
  adminEmail: string;
}

async function provisionTenant(request: TenantProvisionRequest) {
  // 1. Create tenant record
  const tenant = await db.tenants.create({
    name: request.tenantName,
    tier: request.tier,
    status: 'provisioning',
  });

  // 2. Provision infrastructure based on tier
  if (request.tier === 'enterprise') {
    // Dedicated database for enterprise tenants
    await provisionDedicatedDatabase(tenant.id, request.region);
  } else {
    // Shared database with row-level security
    await createTenantSchema(tenant.id);
  }

  // 3. Configure DNS and custom domain
  await configureTenantSubdomain(tenant.id, request.tenantName);

  // 4. Create admin user and send welcome email
  await createTenantAdmin(tenant.id, request.adminEmail);

  // 5. Initialize tenant configuration
  await seedDefaultConfiguration(tenant.id, request.tier);

  return tenant;
}

Configuration

Parameter	Description	Default
tenancy_model	Multi-tenancy approach (shared, dedicated, hybrid)	shared
data_isolation	Data isolation level (row, schema, database)	row
billing_model	Pricing approach (per-seat, usage, tiered)	tiered
regions	Supported Azure regions	["eastus2", "westeurope"]
customization_level	Per-tenant customization (branding, config, code)	branding
compliance	Compliance requirements (soc2, hipaa, gdpr)	None

Best Practices

1. Choose the tenancy model based on customer requirements, not developer convenience. Shared-everything is cheapest to build but fails customers needing data isolation for compliance. Dedicated-everything satisfies every requirement but does not scale economically to thousands of tenants. Most successful SaaS products use a hybrid model: shared infrastructure for standard tiers and dedicated resources for enterprise customers who pay a premium.

2. Implement tenant context as cross-cutting middleware, not per-query logic. Set the tenant context once at the request boundary (from JWT claims, subdomain, or header) and propagate it through the request pipeline. Row-level security, query filters, and cache key prefixes should automatically use this context. If every query manually adds WHERE tenant_id = @tenantId, you will eventually miss one and create a data leak.

3. Design the data model for tenant isolation from the start. Adding tenant isolation to an existing single-tenant database is extremely difficult and error-prone. Include tenant_id in every table from day one. Add composite indexes that include tenant_id. Test data isolation with automated tests that verify one tenant cannot access another tenant's data. This is the one architectural decision that is almost impossible to retrofit.

4. Build tenant provisioning as a fully automated pipeline. Tenant creation should be a single API call that triggers automated infrastructure provisioning, database setup, DNS configuration, and admin user creation. Manual provisioning steps create bottlenecks that limit growth and introduce human error. Test the provisioning pipeline regularly by creating and tearing down test tenants.

5. Implement per-tenant resource quotas and rate limiting. Without quotas, one tenant's heavy usage impacts all others (noisy neighbor problem). Enforce limits on storage, API calls, compute time, and concurrent connections per tenant and tier. Rate limit at the API gateway level using tenant-specific keys. Alert when tenants approach their limits rather than hard-cutting them, and offer upgrade paths.

Common Issues

Noisy neighbor problem causes performance degradation for other tenants. One tenant's bulk import or complex query monopolizes shared database connections, CPU, or memory, degrading performance for all tenants. Implement query timeouts, connection pool limits per tenant, and resource governor policies. For shared databases, use Azure SQL Elastic Pools with per-database resource limits. Consider moving high-usage tenants to dedicated resources automatically.

Tenant data accidentally leaks across tenant boundaries. The most critical SaaS security failure. Common causes: missing tenant filter on a query, caching without tenant-scoped keys, shared file storage without tenant prefixes. Prevent with defense-in-depth: row-level security in the database, tenant-aware middleware, tenant-scoped cache keys, and automated penetration tests that attempt cross-tenant data access. One leak destroys trust with all customers.

Tenant onboarding takes too long for customers to start using the product. Complex provisioning (dedicated infrastructure, DNS propagation, manual configuration) delays time-to-value. Design a fast-start path: shared infrastructure tiers that provision in seconds, progressive feature enablement, and background provisioning for dedicated resources. Show the customer a working product within 60 seconds of signup, then upgrade their infrastructure asynchronously.