EU-only alternative to Microsoft Azure.
Microsoft Azure is the cloud most often defended with the words "but we already use Microsoft for everything." That defence does not survive a Schrems II analysis: Microsoft Corporation is a US company, every Azure subsidiary is US-controlled, and Microsoft has explicitly acknowledged in court (Microsoft Ireland, 2018) that it would comply with valid US legal process for data anywhere globally — which is precisely what the CLOUD Act later codified. The "Microsoft Cloud for Sovereignty" and Bleu (Microsoft × Capgemini × Orange) initiatives are interesting but technology-licensed from a US parent. For genuine EU sovereignty, you exit. Below is the map.
An "EU region" is not sovereignty. Four questions decide.
Data residency says where the bits sit. Sovereignty says which legal system can compel access. The answer has to hold on all four points; otherwise the stack is not sovereign.
Where is the data physically stored?
Not "in the cloud": which datacenter, in which country, under which jurisdiction.
Who else is in your data path?
Every vendor that touches the data: the CDN, the e-mail relay, the error tracker, the analytics pipeline.
Which laws can compel disclosure?
A US-headquartered vendor is subject to FISA 702 and the CLOUD Act, even when the data sits in Frankfurt.
Who really holds the encryption keys?
If the cloud provider holds both the data and the keys, it can read them, regardless of any DPA.
Fails on jurisdiction and key custody.
Bits in the EU, parent company in the US, American sub-processors on the default path, keys managed by the vendor.
Passes all four.
Hosted in the EU on infrastructure headquartered in Europe. Zero American sub-processors on the default path. Customer-held keys or a European KMS. Named in your Article 28 DPA.
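The four questions above can be run as a mechanical check over an inventory of everything on the default data path. The script below is an added example, not the page's own tooling; the processor records, country codes and the EU-27 list are constructed for illustration, and the "fails" and "passes" stacks mirror the two verdicts given above.

```python
from dataclasses import dataclass

# EU-27 member states; a real policy may extend this to the EEA (assumption).
EU = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
      "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE"}

@dataclass
class Processor:
    name: str
    role: str                 # cdn, e-mail relay, error tracker, compute, ...
    hq_country: str           # jurisdiction of the controlling parent company
    dc_country: str           # country of the datacenter that stores or relays the bits
    in_default_path: bool     # touches data on the default path, not only on opt-in
    named_in_art28_dpa: bool  # listed as a sub-processor in the Article 28 DPA

@dataclass
class Stack:
    processors: list
    key_custody: str          # "customer", "eu-kms" or "provider"

def sovereignty_findings(stack):
    """Evaluate the four questions; an empty list means the stack passes all four."""
    findings = []
    path = [p for p in stack.processors if p.in_default_path]
    for p in path:  # Q1: where are the bits physically stored?
        if p.dc_country not in EU:
            findings.append(("Q1 location", f"{p.name} holds data in {p.dc_country}"))
    for p in path:  # Q2: who else is in the data path, and is each one in the DPA?
        if not p.named_in_art28_dpa:
            findings.append(("Q2 data path", f"{p.name} ({p.role}) is not named in the DPA"))
    for p in path:  # Q3: which laws can compel disclosure? An EU region does not fix a US parent
        if p.hq_country not in EU:
            findings.append(("Q3 jurisdiction", f"{p.name} is controlled from {p.hq_country}"))
    if stack.key_custody == "provider":  # Q4: who really holds the keys?
        findings.append(("Q4 key custody", "provider holds both data and keys"))
    return findings

# Constructed sample stacks (illustrative values, not an audit of any real account).
AZURE_STYLE = Stack(
    processors=[Processor("Azure West Europe", "compute+storage", "US", "NL", True, True),
                Processor("US SaaS error tracker", "error tracker", "US", "US", True, False)],
    key_custody="provider")
EU_NATIVE = Stack(
    processors=[Processor("Hetzner Cloud Falkenstein", "compute", "DE", "DE", True, True),
                Processor("EU CDN", "cdn", "SI", "DE", True, True)],
    key_custody="customer")

if __name__ == "__main__":
    for label, stack in (("Azure-style", AZURE_STYLE), ("EU-native", EU_NATIVE)):
        print(label, sovereignty_findings(stack) or "passes all four")
```

Note that the Azure-style stack is not rescued by its Dutch datacenter: Q1 passes for that processor while Q3 and Q4 still fail, which is exactly the "EU region is not sovereignty" point.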
Why teams are leaving Microsoft Azure
Azure exits typically come from one of three triggers: a public-sector tender that explicitly excludes US-jurisdiction processors, a healthcare or financial services audit that flagged Microsoft 365 + Azure as a single concentration risk under DORA, or a CISO who calculated that the licence true-up costs and "free" Azure credits actually translate to vendor lock-in worth six figures. The Azure ecosystem has tighter coupling than AWS — Active Directory, Office 365, Defender, Sentinel are typically all in the mix — which makes the migration more invasive than its AWS equivalent. It is still doable; we have done it.
Microsoft Azure services and their EU-only equivalents
A migration is not "swapping one box for another". The mapping below is what we execute for clients leaving Microsoft Azure for Schrems II reasons: full EU jurisdiction, no US parent company in the data path.
| Microsoft Azure service | EU-only alternative | Engineering note |
|---|---|---|
| Azure Virtual Machines | Hetzner Cloud, OVH, IONOS, Scaleway Instances | IaaS migration is straightforward; the Windows licensing chapter requires more thought (BYOL or move to Linux-where-possible). |
| Azure Blob Storage | OVH Object Storage, Wasabi EU, self-hosted Ceph or MinIO | S3-compatible EU storage is the migration target; SDK changes are minimal. |
| Azure SQL Database | Azure → PostgreSQL or MySQL on EU managed providers (OVH, Aiven), or self-managed | Schema porting from Azure SQL (T-SQL flavour) is the longest single task; tools like AWS SCT or pgloader help. Often a good moment to revisit ORM choices. |
| Azure Front Door / CDN | Bunny.net, KeyCDN | Bunny offers comparable POP density and dramatically lower per-GB pricing. |
| Azure DNS | Hetzner DNS, Bunny DNS, deSEC | For most use cases Hetzner DNS is sufficient; deSEC adds DNSSEC by default. |
| AKS (managed Kubernetes) | Scaleway Kapsule, OVH Managed Kubernetes, IONOS K8s, or self-managed Talos / K3s on Hetzner | Helm charts and YAML transfer cleanly; Azure-specific addons (Application Gateway Ingress, Azure CNI) need replacement with standard equivalents. |
| Azure Functions | Scaleway Serverless Functions, self-hosted Knative or OpenFaaS | Most Azure Functions workloads fit a small EU Kubernetes cluster running Knative. |
| Azure Active Directory / Entra ID | Keycloak (RH-sponsored) on EU infra, Authentik (DE), self-hosted SCIM/OIDC providers | The hardest single migration. Plan for a 3-month parallel-run window. SSO integrations across SaaS need re-mapping. |
| Azure Service Bus / Event Grid | Self-hosted RabbitMQ or NATS, Apache Kafka on EU compute | Managed queueing options in the EU sovereign space are limited; self-managed is standard. |
| Azure Monitor / Application Insights | Self-hosted Prometheus + Grafana + Loki + Tempo, or Grafana Cloud EU region | OpenTelemetry instrumentation makes the swap mechanical for application code. |
| Azure Cosmos DB | PostgreSQL with appropriate indexing on EU managed services, or ScyllaDB / FoundationDB self-hosted | No 1:1 replacement for global multi-region active-active; if your workload truly needs that pattern, the conversation is different. |
| Defender / Sentinel (security) | Wazuh (self-hosted), CrowdSec (FR), self-hosted SIEM on EU compute | CrowdSec is FR-headquartered and increasingly competitive in the SIEM/IDS space. |
| Key Vault | Hashicorp Vault on EU infra, optionally HSM-backed | Vault is the production-grade sovereign answer; we operate it for clients. |
| Microsoft 365 (email, Teams, OneDrive) | mailbox.org (DE), Tuta (DE), Nextcloud (DE) for storage, Element/Matrix or Mattermost for chat | Often the harder political conversation than the infrastructure migration. Frequently kept on M365 with documented exposure rather than migrated. |
How we migrate from Microsoft Azure
A typical mid-market migration runs in three phases. The numbers below assume an engineering team of 6 to 10 people and a moderately complex application stack.
Audit & ID-mapping
Inventory Azure services, Entra ID dependencies, SSO integrations and licensing. The identity layer is the longest tail. Output: phased plan with the SSO migration scoped separately.
Edge, monitoring, soft dependencies
Replace Front Door, Azure DNS, App Insights and Blob Storage. Pre-stage EU compute and replicate database. Move CI/CD off Azure DevOps if applicable.
Compute, DB, identity cutover
AKS workloads to managed EU K8s. SQL Database to PostgreSQL with logical replication for live cutover. Identity migration with parallel-run; cut SSO over per application.
5-year TCO on Azure exits we have run: typically 25–45% cheaper, with the largest savings coming from licence true-up avoidance and bandwidth/egress. Bear in mind: if your team uses Microsoft 365 and is staying on it, the identity-layer migration only partially decouples — that decision belongs at board level.
Frequently asked questions
Does Microsoft Cloud for Sovereignty solve the Schrems II problem?
It improves the documentation story but does not change the underlying jurisdiction: Microsoft Corporation remains the parent. For workloads where the analysis turns on parent-jurisdiction (i.e. most regulated workloads after Schrems II), it is not sufficient on its own.
What about Bleu? Or T-Systems Open Sovereign Cloud?
Bleu (Microsoft × Capgemini × Orange) and T-Systems Open Sovereign Cloud (Google Cloud licensed) are pseudo-sovereign offerings — operated by EU-headquartered entities under licence from a US technology partner. They can satisfy specific regulatory requirements (notably the French SecNumCloud certification for Bleu) but inherit a stack they cannot independently maintain. For most buyers, a clean EU-native stack is the architecturally simpler answer.
Can we leave Azure but keep Microsoft 365?
Yes, and many of our clients run that hybrid. The trade-off is that personal data flowing through M365 (email content, OneDrive files, Teams chat) remains under Microsoft processing. Document it in your DPA, apply supplementary measures (encryption at rest with EU-held keys for sensitive folders), and keep customer-data infrastructure on the sovereign stack.
How does this affect our Microsoft Enterprise Agreement?
Existing EAs typically have annual or multi-year terms; the migration target is to stop the next renewal or right-size it, not to break the current contract. Your account manager will offer concessions when they hear "we are evaluating sovereign alternatives." Use that.
Is Active Directory replaceable in practice?
Replaceable in stages. Keycloak handles OIDC/SAML/SCIM well; for Windows-domain authentication on physical desktops, Samba 4 with FreeIPA is the established open-source path. The transition typically runs alongside a "modern workplace" simplification — fewer per-app SSOs, more standard OIDC.
How long does an Azure exit take?
For a mid-size workload (50–200 VMs, 1–2 SQL DBs, AKS, Entra ID): 16–24 weeks elapsed time. With a managed-infrastructure partner driving the choreography: 10–16 weeks. The identity layer is the schedule risk, not the compute.
Plan your Microsoft Azure exit.
A 30-minute scoping call. We map your stack against EU-only alternatives, estimate the migration effort, and tell you whether it is the right decision.