What This Checklist Covers
Azure migrations that go wrong typically fail in one of three places: the assessment was incomplete, the identity migration was rushed, or cost governance was never established. This checklist walks through each phase with specific decisions UAE businesses face - including UAE-specific region selection, ISP options for hybrid connectivity, and licensing considerations for organisations running Windows Server SA licences.
Phase 1: Workload Assessment - What Goes Where
The first decision in any Azure migration is not "how do we move" - it is "what should move, what should be refactored, and what should be retired." Microsoft's framework uses four categories, and it is worth understanding each before any cloud spend is committed.
Lift and Shift (Rehost)
- Move VMs to Azure IaaS with minimal changes
- Fastest migration path
- Best for: ERP servers, file servers, legacy apps
- Risk: You inherit on-premise inefficiencies
- Tool: Azure Migrate for discovery and sizing
Refactor (Re-platform)
- Move with minor optimisations - e.g. SQL Server to Azure SQL Managed Instance
- Moderate effort, better long-term economics
- Best for: SQL workloads, IIS-hosted web apps
- Requires: Application compatibility testing
Retire or Replace
- Decommission workloads no longer used
- Replace with SaaS - e.g. on-premise CRM to Dynamics 365
- Best for: Ageing servers serving one redundant application
- Often discovered during assessment - not planned
The assessment phase should use Azure Migrate's agentless discovery to inventory all on-premise VMs, physical servers, and SQL instances. This gives you actual performance data - CPU and memory utilisation averaged over 30 days - rather than relying on as-provisioned specs. A server with 32GB RAM that uses 6GB on average should not be migrated as a 32GB Azure VM.
For UAE businesses, the assessment should also capture any data residency constraints. Free zone regulations, healthcare data requirements, or client contractual obligations may specify that data cannot leave UAE borders. Document this before any architecture decisions are made - it narrows your Azure region options and rules out some PaaS services that replicate data to paired regions outside the UAE.
Phase 2: Azure Region and Architecture Decisions
Microsoft operates two Azure regions in the UAE: UAE North (physically in Abu Dhabi) and UAE Central (physically in Dubai, operated by a Microsoft partner). This distinction matters in practice.
UAE North is the primary region with the broadest service availability - most Azure services are available here, and it is the region where new services land first. UAE Central has a more limited service catalogue. For production workloads requiring services like Azure Kubernetes Service, Azure AI, or Azure Virtual Desktop, UAE North is the only viable primary region.
The latency difference between UAE North and UAE Central is small for most applications - typically under 5ms round trip. For real-time applications like VoIP systems, video conferencing backends, or trading platforms where milliseconds count, test actual latency from your office internet connection to both regions before deciding.
Geo-Redundancy Within the UAE
Geo-redundant storage (GRS) in Azure UAE North pairs with Southeast Asia by default - which means your backup data could leave UAE borders. For organisations with data residency requirements, use Locally Redundant Storage (LRS) or Zone-Redundant Storage (ZRS) within UAE North, and handle cross-emirate DR manually by replicating to UAE Central using Azure Site Recovery. This keeps all data within UAE geography.
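A residency check along these lines can be run against an export of the subscription's storage accounts. This is an added example, not part of the original checklist: the sample data is constructed, shaped like `az storage account list -o json` output, and the function name is hypothetical.

```python
import json

# Constructed sample shaped like `az storage account list -o json` output,
# trimmed to the fields this check reads. Names are made up; the secondary
# region on the GRS account follows the pairing described above.
SAMPLE_ACCOUNTS = json.loads("""[
  {"name": "stprodfiles", "location": "uaenorth",
   "sku": {"name": "Standard_ZRS"}, "secondaryLocation": null},
  {"name": "stbackups", "location": "uaenorth",
   "sku": {"name": "Standard_GRS"}, "secondaryLocation": "southeastasia"},
  {"name": "stlogs", "location": "uaenorth",
   "sku": {"name": "Standard_LRS"}, "secondaryLocation": null},
  {"name": "stlegacy", "location": "westeurope",
   "sku": {"name": "Standard_LRS"}, "secondaryLocation": null},
  {"name": "stdr", "location": "uaecentral",
   "sku": {"name": "Standard_LRS"}, "secondaryLocation": null}
]""")

UAE_REGIONS = {"uaenorth", "uaecentral"}
GEO_REPLICATED = {"GRS", "RAGRS", "GZRS", "RAGZRS"}  # SKUs with a secondary region


def residency_findings(accounts):
    """Return [(account name, [reasons])] for accounts that can hold data outside the UAE."""
    findings = []
    for acct in accounts:
        reasons = []
        location = acct["location"].lower()
        if location not in UAE_REGIONS:
            reasons.append(f"primary region {location} is outside the UAE")
        # SKU names look like Standard_GRS: tier, underscore, redundancy.
        redundancy = acct["sku"]["name"].rpartition("_")[2].upper()
        secondary = (acct.get("secondaryLocation") or "").lower()
        if redundancy in GEO_REPLICATED and secondary not in UAE_REGIONS:
            reasons.append(f"{redundancy} replicates to {secondary or 'a paired region'}")
        if reasons:
            findings.append((acct["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in residency_findings(SAMPLE_ACCOUNTS):
        print(f"{name}: {'; '.join(reasons)}")
```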
Phase 3: Licensing Strategy
Licensing decisions made before migration have a significant impact on Azure spend. The two most valuable levers for UAE businesses migrating from on-premise Microsoft infrastructure are Azure Hybrid Benefit and Reserved Instances.
Azure Hybrid Benefit
If your organisation has Windows Server licences with active Software Assurance (SA), you can apply those licences to Azure VMs rather than paying the full Azure compute rate. For a D4s v5 VM (4 vCPUs, 16GB RAM), this typically reduces the cost by around 40 to 49 percent. Verify your SA coverage and expiry dates before migration - SA coverage that expires mid-migration means you pay full rates from that point.
SQL Server Hybrid Benefit works similarly for SQL Server SA licences. If you have Enterprise Edition licences with SA, moving to Azure SQL Managed Instance with Hybrid Benefit can provide substantial savings over the Azure default licensing cost.
Reserved Instances
Reserved Instances (RI) allow you to commit to Azure VM usage for 1 or 3 years in exchange for discounts of 20 to 52 percent over pay-as-you-go pricing. The catch is that RIs are committed spend - if the VM is decommissioned or downsized, the reservation sits unused. Wait until your post-migration VM sizing is stable (typically 30 to 90 days) before buying RIs. Right-size first, commit second.
Phase 4: Identity - Azure AD Connect and Hybrid Identity
Identity migration is where most technical failures in Azure migrations originate. On-premise Active Directory and Azure Active Directory (now called Microsoft Entra ID) are not the same thing - they need to be synchronised, and the synchronisation needs to be configured correctly before anything else moves to Azure.
Azure AD Connect Setup
Azure AD Connect synchronises on-premise AD users, groups, and device objects to Azure AD. Install it on a dedicated server (not a domain controller) with Express or Custom settings depending on your forest complexity. For most UAE SMEs, a single forest with Password Hash Synchronisation is the right choice - it synchronises password hashes to Azure AD so users can authenticate to cloud services without requiring a federated ADFS deployment.
Before running the first sync, audit your on-premise AD for:
- Duplicate UPN suffixes - all users must have a routable UPN (e.g. user@<routable-domain>, not user@<non-routable-domain>)
- Missing email attributes - Exchange hybrid and Microsoft 365 require the proxyAddresses attribute to be populated
- Stale accounts - disable or delete accounts for departed staff before sync to avoid unnecessary Azure AD objects
- Service accounts - document every service account and the applications that use them before migration
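The four audit items above can be checked in one pass over an export of the directory. This is an added example, not part of the original checklist: the CSV layout, the sample rows, the verified-domain list, the 90-day staleness threshold, and the use of a populated servicePrincipalName to identify service accounts are all assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not real data). Columns are named after AD
# attributes; the CSV layout itself is an assumption of this example.
SAMPLE_EXPORT = """sAMAccountName,userPrincipalName,proxyAddresses,enabled,lastLogonDate,servicePrincipalName
asmith,asmith@example.com,SMTP:asmith@example.com,True,2024-05-28,
bjones,bjones@corp.local,SMTP:bjones@example.com,True,2024-05-30,
cnew,cnew@example.com,,True,2024-05-29,
dleft,dleft@example.com,SMTP:dleft@example.com,True,2023-11-02,
svc-sql,svc-sql@corp.local,,True,2024-05-31,MSSQLSvc/sql01.corp.local:1433
eold,eold@example.com,SMTP:eold@example.com,False,2022-01-15,
"""

VERIFIED_DOMAINS = {"example.com"}   # assumption: domains verified in the tenant
STALE_AFTER = timedelta(days=90)     # assumption: the checklist gives no threshold


def audit(export_text, today):
    """Return {finding: [sAMAccountName, ...]} for the four pre-sync checks."""
    findings = {"non_routable_upn": [], "missing_proxy_addresses": [],
                "stale_enabled": [], "service_account": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled; this audit reports on enabled accounts
        name = row["sAMAccountName"]
        is_service = bool(row["servicePrincipalName"].strip())
        if is_service:
            findings["service_account"].append(name)
        suffix = row["userPrincipalName"].rpartition("@")[2].lower()
        if suffix not in VERIFIED_DOMAINS:
            findings["non_routable_upn"].append(name)
        # Mailbox users need proxyAddresses; service accounts are exempt here.
        if not is_service and not row["proxyAddresses"].strip():
            findings["missing_proxy_addresses"].append(name)
        last = datetime.strptime(row["lastLogonDate"], "%Y-%m-%d")
        if today - last > STALE_AFTER:
            findings["stale_enabled"].append(name)
    return findings


if __name__ == "__main__":
    for finding, accounts in audit(SAMPLE_EXPORT, datetime(2024, 6, 1)).items():
        print(f"{finding}: {', '.join(accounts) or '-'}")
```

The service_account list is only a starting inventory; each entry still needs its dependent applications recorded by hand.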
Multi-Factor Authentication
Configure Microsoft Entra MFA for all users before cutover, not after. Enabling MFA after migration when users are already working in the new environment causes login disruption and helpdesk calls. Roll out MFA in the weeks before migration, with a test group first. For UAE businesses, the Microsoft Authenticator app works reliably on both UAE telecom networks (du and Etisalat). SMS-based MFA also works but is less secure - prefer the app.
Phase 5: Backup and Recovery Architecture
Azure does not automatically back up your VMs. This surprises more migration projects than it should. Azure infrastructure redundancy (keeping your VM available) is not the same as backup (protecting your data from deletion, corruption, or ransomware). You need to configure Azure Backup or a third-party solution explicitly.
Azure Backup for VMs and SQL
Azure Backup is the native solution and integrates well for straightforward requirements. For VMs, it creates application-consistent snapshots (using VSS on Windows) at a schedule you define, and retains them for a period you specify. For SQL Server inside VMs, Azure Backup can take log backups every 15 to 60 minutes, giving you granular restore points. Enable soft-delete on the Recovery Services Vault - this protects backup data from accidental or malicious deletion for 14 additional days.
Third-Party Backup for Complex Environments
Veeam Backup for Azure and Acronis Cyber Protect Cloud are both used by UAE managed service providers for clients with more complex requirements - multiple clouds, on-premise plus Azure hybrid, or granular Exchange and SharePoint restore needs. These tools add cost but provide more restore flexibility and centralised management across environments. We cover the comparison in more detail in our backup and disaster recovery guide.
Phase 6: Network Design - VPN Gateway vs ExpressRoute
Most UAE businesses migrating to Azure maintain a hybrid environment for at least 12 to 24 months - on-premise systems and Azure workloads that need to communicate with each other. The network connection between them is a critical design decision.
Azure VPN Gateway
VPN Gateway uses IPsec/IKE tunnels over the public internet. It is lower cost and appropriate for workloads where latency is not critical and bandwidth requirements are moderate. The maximum throughput on a VpnGw5 gateway is 10 Gbps - sufficient for most SME hybrid workloads. Configuration involves an on-premise VPN device (Fortinet FortiGate, Cisco ASA, Palo Alto, or similar) and the Azure Virtual Network Gateway. We configure and maintain these for managed IT clients.
ExpressRoute for UAE Businesses
ExpressRoute provides a private, dedicated connection to Azure that bypasses the public internet. In the UAE, ExpressRoute circuits are available through Etisalat (e&) and du, who act as connectivity providers at the Azure peering locations. For businesses running latency-sensitive workloads - real-time databases, VoIP infrastructure, or financial trading systems - ExpressRoute delivers consistent latency that a VPN over shared internet cannot match. The cost is higher, but for the right workload the predictability justifies it.
Phase 7: Cost Governance from Day One
Azure costs can escalate quickly if governance is not established before migration. The most effective controls are tagging, budgets, and right-sizing - all of which are far easier to implement at migration time than to retrofit six months later.
Resource Tagging
Establish a tagging taxonomy before any resources are created. At minimum: Environment (Production/Development/Test), CostCentre, Owner, and Project. Tag every resource group, VM, storage account, and database. Azure Cost Management can then break down spend by any tag dimension - so the finance team can see cloud spend by department without needing to understand the Azure portal.
Budgets and Alerts
Set Azure Budgets at the subscription and resource group level with email alerts at 80% and 100% of threshold. This prevents the scenario - common in first-year Azure deployments - where a misconfigured service or forgotten development VM silently runs for months before anyone notices the bill. Set conservative thresholds initially and adjust upward as you build confidence in your cost baseline.
Common Failure Points in UAE Azure Migrations
Beyond the technical planning failures already covered, a few operational failures repeat across UAE migration projects:
Over-provisioned VMs. The most common cause of unexpectedly high Azure bills. Migrate with right-sized VMs based on Azure Migrate recommendations, not on-premise specs. A server with 256GB RAM that was over-specced for a peak workload years ago does not need 256GB in Azure.
Forgotten development environments. Dev and test VMs are created during the project and never decommissioned. They run at full cost for months after go-live. Create a policy that development VMs are auto-shut-down outside business hours using Azure Automation or Dev/Test Lab policies.
Data transfer costs. Data egress out of Azure is charged - ingress is free. Businesses that replicate large volumes of data out of Azure for on-premise backup or reporting without accounting for egress costs get a surprise on their first bill. Estimate egress volumes during planning and factor them into the total cost of ownership calculation.
Service account authentication breaks. Applications authenticate to on-premise AD using service accounts. After AD Connect sync, these accounts exist in Azure AD - but applications that were not reconfigured to use the new cloud credential path fail silently or with cryptic errors. Document every service account dependency before migration.
Getting Help with Your Azure Migration
Kaizen Star has managed Azure deployments for UAE businesses across manufacturing, healthcare, professional services, and trading sectors. Our cloud solutions service covers assessment, migration planning, implementation, and ongoing management. For organisations already in Azure and looking to optimise costs or improve their backup architecture, we offer standalone assessments.
If you are evaluating whether Azure is the right move or whether on-premise infrastructure still makes sense for your workloads, that conversation is worth having before any commitments are made. Not every workload is better in the cloud - and an honest assessment of your specific situation is more useful than a vendor-led migration proposal. Speak to one of our engineers to start that conversation.
Frequently Asked Questions
Which Azure region should UAE businesses use?
Microsoft operates two Azure regions in the UAE: UAE North (Abu Dhabi) and UAE Central (Dubai). For most UAE businesses, UAE North is the primary region for production workloads due to its broader service availability. UAE Central can be used as a secondary region for geo-redundant backup and disaster recovery. Data residency requirements under UAE data protection law are met by both regions - data stays within UAE borders.
What is Azure Hybrid Benefit and does it apply to UAE businesses?
Azure Hybrid Benefit allows businesses with active Software Assurance on Windows Server or SQL Server licences to use those licences in Azure rather than paying the full Azure compute rate. For UAE businesses running on-premise Windows Server with SA coverage, this typically reduces VM costs by 40 to 49 percent. UAE businesses are eligible on the same terms as any other region.
How do we handle internet connectivity during the Azure migration cutover?
The safest approach is a phased cutover with parallel running - the on-premise system remains live while Azure is configured and validated, then a scheduled cutover window moves production traffic to Azure. For businesses requiring low-latency connectivity to Azure, ISPs in the UAE including Etisalat (e&) and du offer ExpressRoute connections directly into the UAE Azure regions, bypassing the public internet for critical workloads.
What is the most common reason Azure migrations fail?
Over-provisioned VMs are the most common cost failure. The most common technical failure is incomplete identity migration: user accounts, group policies, and application service accounts that were not mapped before cutover cause application authentication to break on day one. Both failures are preventable with thorough assessment work before migration begins.
Do you manage Azure environments for UAE businesses after migration?
Yes. Kaizen Star provides ongoing Azure management as part of our managed IT and cloud solutions services - monitoring, patch management, cost optimisation reviews, backup health checks, and security posture assessment. We also handle Microsoft 365 administration for organisations that have moved their identity and collaboration to the Microsoft cloud.