Multi-Cloud Orchestration: Microsoft Azure + AWS + GCP
For regulated Fortune 500 enterprises running Azure alongside AWS or GCP — and the senior leadership who refuse to pretend forced single-cloud consolidation is a strategy. EPC Group is the Microsoft anchor in your multi-cloud estate: Entra identity, Purview governance, Defender XDR, Fabric Mirroring, M365 + Copilot. We do not move AWS or GCP workloads that should stay where they are.
EPC Group provides Microsoft-anchored multi-cloud orchestration: Entra identity backbone across Azure, AWS IAM Identity Center, and GCP; Purview catalog spanning ADLS Gen2, S3, and GCS; Defender XDR cross-cloud; Fabric Mirroring of Snowflake and BigQuery into OneLake; Azure AI Foundry calling Bedrock and Vertex AI — without forcing single-cloud consolidation.
Key Facts
- Microsoft Solutions Partner across six designations including Data + AI Azure, Infrastructure Azure, and Security
- 70+ Fortune 500 multi-cloud enterprises served across 29 years
- 216+ Microsoft 365 tenant migrations 2023–2025 (1.83 million users) — most inherited a second or third cloud
- Entra ID federates to AWS IAM Identity Center (formerly AWS SSO) and Google Cloud Identity using standards-based SAML / OIDC
- Microsoft Purview Multicloud Scanning Connectors catalog AWS S3, Snowflake, Databricks, BigQuery, and GCS alongside Azure data estates
- Microsoft Defender for Cloud delivers native CSPM + CWP for AWS and GCP, unified in Microsoft Sentinel as cross-cloud SIEM
- Microsoft Fabric Mirroring continuously syncs Snowflake, BigQuery, Cosmos DB, Azure SQL DB, and Databricks into OneLake as read-only Delta tables
- Compliance-native across HIPAA, SOC 2, FedRAMP, FINRA, CMMC, GxP — applied uniformly across Azure, AWS, and GCP workloads
The Five Reasons Regulated F500 Run Multi-Cloud — and the Rare Case for Consolidation
Most enterprise multi-cloud estates were not architected. They were inherited, regulated into existence, or built around talent that already worked there. Pretending otherwise is the source of more failed consolidation programs than any other single cause. Here is the honest map.
M&A Inheritance
When you acquire a $400M competitor, you inherit their cloud — and 18 months of forced re-platforming is not a board-defensible answer. Roughly seven in ten F500 multi-cloud estates exist because of M&A, not by deliberate design. EPC Group has executed 216+ Microsoft 365 tenant migrations covering 1.83 million users between 2023 and 2025, and in nearly every one we inherited at least one secondary cloud — AWS data lakes, GCP analytics, regional Azure tenants — that the acquirer had no business killing.
Data Sovereignty + Regulatory Geography
Pharma data in the EU may need to land on GCP Frankfurt because the Phase III trial vendor only certifies BigQuery there. Federal subcontract data sits in Azure Government and AWS GovCloud simultaneously because the prime contracts demand both. Sovereignty is not a preference — it is a hard regulatory boundary, and consolidation through it is a compliance violation, not a cost optimization.
Talent + Operational Reality
The data engineering team your CIO inherited was built on Redshift and dbt. Forced migration to Fabric without retention strategy means losing the people who actually know the pipelines. Multi-cloud is sometimes a talent-preservation decision — keep the AWS workload running where the talent lives, layer Microsoft governance on top, and migrate at attrition speed, not at consultant speed.
Cost + Egress Math
Egress fees to pull 400 TB out of S3 every month destroy any consolidation business case before it starts. So does the reserved-instance commitment you signed for three more years. Honest cloud strategy starts with the egress and commitment math, not with a partner pitch deck — and the answer is often "leave it where it is, govern it from Microsoft."
Workload Fit
Some workloads are genuinely better on the cloud they were born on. AWS SageMaker has model registry features Vertex AI does not. Vertex AI has BigQuery integration nothing else matches. Azure has Microsoft 365 + Copilot, which neither competitor will ever replicate. A grown-up enterprise architecture acknowledges that best-of-breed for each workload sometimes beats theoretical TCO from consolidation.
When single-cloud consolidation IS the right call
When the secondary cloud holds fewer than ~15 workloads with no significant data gravity, no regulatory anchor, and the talent supporting it has already attrited. When consolidation aligns with a natural contract renewal or hardware refresh. When the secondary cloud was a side project nobody owns anymore. EPC Group will say "consolidate" when the math says consolidate. We will say it just as quickly the other direction.
The Microsoft-Anchored Multi-Cloud Architecture Pattern
Six layers. Microsoft sits at the center of identity, governance, security, data unification, productivity, and AI orchestration. AWS and GCP workloads stay where they deliver value — with the Microsoft layer making them governable, auditable, and accountable.
1. Microsoft Entra — Identity Backbone Across All Clouds
Microsoft Entra ID becomes the single source of identity truth. Entra federates to AWS IAM Identity Center (formerly AWS SSO), Google Cloud Identity, and any number of regional Azure tenants. Conditional Access policies, Privileged Identity Management, and Entra ID Governance access reviews apply uniformly — so a contractor offboarded in Entra loses access to S3 buckets in 90 seconds, not 90 days. This is the non-negotiable foundation: identity must be one place, or governance is theater.
2. Microsoft Purview — Governance + Catalog Across ADLS, S3, GCS
Microsoft Purview catalogs storage across Azure Data Lake Storage Gen2, AWS S3, Google Cloud Storage, Snowflake, Databricks, BigQuery, and Oracle Autonomous Database — using first-party scanners for the Microsoft estate and the Multicloud Scanning Connectors framework for AWS and GCP. Sensitivity labels, classification rules, and DLP policies apply consistently. One catalog. One lineage map. One audit answer when the regulator asks "where does PHI live."
3. Microsoft Defender XDR — Security Across Azure + AWS + GCP
Microsoft Defender for Cloud delivers native multicloud posture management (CSPM) and workload protection (CWP) for AWS and GCP — not just Azure. Defender XDR correlates signals across Microsoft 365, Entra, Azure VMs, AWS EC2, GCP Compute Engine, and the Microsoft Sentinel SIEM. One SOC, one investigation graph, cross-cloud kill-chain analysis. The alternative — three separate cloud-native security tools that do not share telemetry — is how breaches go undetected for 287 days.
4. Microsoft Fabric Mirroring — Cross-Cloud Data Without Forced Migration
Fabric Mirroring continuously replicates AWS Snowflake, Azure Databricks, Azure SQL DB, Cosmos DB, and Google BigQuery into OneLake as read-only Delta tables — near real-time, no ETL pipeline to maintain, no compute commitment doubling. The analyst opens Power BI, builds a Direct Lake semantic model that joins Snowflake sales data with BigQuery web telemetry and SAP master data — without anyone exporting a single CSV. Mirroring is not just a feature; it is the engineering pattern that makes multi-cloud governable.
5. Microsoft 365 + Copilot on Azure — Productivity Layer Stays Anchored
Microsoft 365 and Microsoft 365 Copilot are not negotiable on multi-cloud. They run on Azure, they ground on SharePoint, OneDrive, Exchange, and Loop, and they integrate with Purview AI Hub for prompt and response governance. Even when the data lake is AWS and the ML platform is Vertex AI, the productivity surface 90% of the business actually touches every day stays Microsoft — and that is the right outcome.
6. Azure AI Foundry + OpenAI — Calling Cross-Cloud Models
Azure OpenAI and Azure AI Foundry become the orchestration plane for AI — but the actual models can live anywhere. A Foundry agent can call Anthropic Claude on AWS Bedrock, Google Gemini on Vertex AI, and an internal Llama 3 endpoint on a GCP GKE cluster, while keeping the governance, content filters, prompt logging, and Purview-anchored data grounding in the Microsoft estate. Best-of-breed model selection, single-cloud governance accountability.
Six Multi-Cloud Workload Patterns EPC Group Has Architected
These are not slideware. Each pattern reflects an architecture EPC Group has shipped in production for at least one Fortune 500 client in 2025 or 2026.
M365 + Copilot on Azure, Data Lake on AWS S3
The most common pattern in our F500 base. Productivity stays on Microsoft 365, raw data lakes stay on S3 (cheap storage, deep AWS-native pipelines), Fabric mirrors the curated tables into OneLake, Power BI Direct Lake builds the semantic layer. Engineering teams keep their existing S3-to-Glue-to-Athena pipelines untouched; business teams get a unified Power BI experience. EPC Group designs the mirroring layer, the Purview catalog spanning both clouds, and the Entra identity flow.
Power BI with Snowflake-Mirrored Fabric Tables
Snowflake is the warehouse. It is not moving — the warehouse engineering team is loyal to Snowflake, the cost model works, and Snowflake has features Fabric does not. Fabric Mirroring continuously syncs the curated marts into OneLake, Power BI Direct Lake reads from OneLake at sub-second latency, and the analyst never knows the underlying source. EPC Group has shipped this pattern for multiple regulated clients in 2025–2026 — it is the single most common "we are not consolidating" outcome and the right answer in most multi-warehouse estates.
Defender XDR Monitoring AWS EC2 + GCP Compute Engine
The customer has Azure VMs, AWS EC2 fleets supporting a SaaS product, and GCP Compute Engine for a regional acquisition. Three separate security toolchains would mean three separate alert queues, three separate analyst skill sets, and detection gaps at every cloud boundary. Microsoft Defender for Cloud agents on EC2 and GCE instances, Defender CSPM across all three subscription accounts, Sentinel as the unified SIEM. One SOC, one runbook, cross-cloud kill-chain correlation.
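The detection gap "at every cloud boundary" described in this pattern and in the Defender XDR layer above is easiest to see on sample data. The following is an added illustration, not Defender XDR, Sentinel or EPC Group logic: it normalises one sign-in from each cloud's native log shape into a common (user, cloud, ip, time) record and flags an identity that authenticates into two different clouds from two different countries within a short window. Each cloud's own tool sees a single successful login and has nothing to alert on. The events, field names and the IP-to-country table are all constructed for the example.

```python
"""Cross-cloud sign-in correlation: added illustration, not Defender XDR or Sentinel logic.

Normalises sign-in events from Entra ID, AWS CloudTrail and GCP audit logs into
one schema keyed by identity, then flags an identity that authenticates to two
different clouds from two different networks within a short window. A per-cloud
tool sees one event each and flags nothing. Events, field names and the
IP-to-country lookup are constructed for the example.
"""
from datetime import datetime, timedelta, timezone
from itertools import combinations

# Constructed events in the rough shape of each source (field names assumed).
ENTRA_SIGNINS = [
    {"UserPrincipalName": "alice@example.com", "IPAddress": "203.0.113.10",
     "ResultType": "0", "TimeGenerated": "2025-03-12T08:00:00Z"},
]
AWS_CLOUDTRAIL = [
    {"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice@example.com"},
     "sourceIPAddress": "198.51.100.7", "eventTime": "2025-03-12T08:06:00Z",
     "responseElements": {"ConsoleLogin": "Success"}},
]
GCP_AUDIT = [
    {"protoPayload": {"methodName": "google.login.LoginService.loginSuccess",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "requestMetadata": {"callerIp": "203.0.113.10"}},
     "timestamp": "2025-03-12T08:09:00Z"},
]

# Constructed lookup standing in for a GeoIP service.
IP_COUNTRY = {"203.0.113.10": "US", "198.51.100.7": "DE"}


def _t(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalise(entra, aws, gcp):
    """Flatten the three schemas into (user, cloud, ip, time) tuples for successful sign-ins."""
    events = []
    for e in entra:
        if e["ResultType"] == "0":  # Entra reports success as result type 0
            events.append((e["UserPrincipalName"].lower(), "azure", e["IPAddress"], _t(e["TimeGenerated"])))
    for e in aws:
        if e["eventName"] == "ConsoleLogin" and e["responseElements"].get("ConsoleLogin") == "Success":
            events.append((e["userIdentity"]["userName"].lower(), "aws", e["sourceIPAddress"], _t(e["eventTime"])))
    for e in gcp:
        p = e["protoPayload"]
        if p["methodName"].endswith("loginSuccess"):
            events.append((p["authenticationInfo"]["principalEmail"].lower(), "gcp",
                           p["requestMetadata"]["callerIp"], _t(e["timestamp"])))
    return sorted(events, key=lambda ev: ev[3])


def cross_cloud_anomalies(events, window: timedelta = timedelta(minutes=15)):
    """Pairs of sign-ins by one user into different clouds from different countries within `window`."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev[0], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        for a, b in combinations(evs, 2):
            if a[1] == b[1]:
                continue  # same cloud: that cloud's own tooling can see this pair
            if abs(b[3] - a[3]) > window:
                continue
            ca, cb = IP_COUNTRY.get(a[2], "??"), IP_COUNTRY.get(b[2], "??")
            if ca != cb:
                alerts.append({"user": user, "clouds": (a[1], b[1]), "countries": (ca, cb),
                               "minutes_apart": int(abs((b[3] - a[3]).total_seconds()) // 60)})
    return alerts


if __name__ == "__main__":
    for alert in cross_cloud_anomalies(normalise(ENTRA_SIGNINS, AWS_CLOUDTRAIL, GCP_AUDIT)):
        print(alert)
```

Feeding only one cloud's events to `cross_cloud_anomalies` returns nothing, which is the point: the signal exists only once identity is the join key across all three logs.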
Entra SSO Across Azure + AWS IAM Identity Center + GCP IAM
Entra ID federates as the identity provider into AWS IAM Identity Center (replacing the old AWS SSO) and Google Cloud Identity. Users sign in once with their Microsoft credentials, get conditional-access-evaluated entry into the AWS console, the GCP console, and every SaaS app that supports SAML or OIDC. PIM-just-in-time elevation works for AWS admin roles. Access reviews run quarterly across all three clouds. Offboarding is one click in Entra, propagated everywhere within minutes.
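Federation means Entra stops issuing new tokens the moment an account is disabled, but the permission-set assignments in AWS IAM Identity Center and the IAM bindings in GCP are standing grants that an access review still has to find and remove. The following is an added illustration of that review check, not EPC Group or Microsoft code: it joins a constructed Entra directory snapshot against constructed AWS and GCP grant inventories, reports grants held by disabled identities with privileged ones first, and separates those that have outlived an assumed one-day offboarding SLA. All field names, identities and timestamps are constructed for the example.

```python
"""Cross-cloud access-review check: added illustration, not EPC Group or Microsoft code.

Models the gap an Entra-anchored access review closes: an account disabled in
Entra ID must not still hold permission-set assignments in AWS IAM Identity
Center or IAM bindings in GCP. Entra stopping token issuance blocks new
sign-ins; the standing grants are what the review has to find and remove.
All inventories and field names below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed Entra ID directory snapshot (assumed field names).
ENTRA_USERS = [
    {"upn": "alice@example.com", "enabled": True,  "disabled_at": None},
    {"upn": "bob@example.com",   "enabled": False, "disabled_at": "2025-03-01T09:00:00Z"},
    {"upn": "carol@example.com", "enabled": False, "disabled_at": "2025-03-10T17:30:00Z"},
]
# Constructed AWS IAM Identity Center assignments (assumed field names).
AWS_ASSIGNMENTS = [
    {"principal": "alice@example.com", "account": "111111111111", "permission_set": "DataEngineer"},
    {"principal": "bob@example.com",   "account": "111111111111", "permission_set": "AdministratorAccess"},
]
# Constructed GCP IAM bindings (assumed field names; members in "user:<email>" form).
GCP_BINDINGS = [
    {"project": "trial-analytics", "role": "roles/bigquery.dataViewer", "member": "user:alice@example.com"},
    {"project": "trial-analytics", "role": "roles/owner",               "member": "user:carol@example.com"},
]
# Constructed review timestamp and offboarding SLA (assumed: grants gone within one day).
REVIEW_TIME = datetime(2025, 3, 11, 0, 0, tzinfo=timezone.utc)
OFFBOARD_SLA = timedelta(days=1)
PRIVILEGED = {"AdministratorAccess", "roles/owner"}


@dataclass
class Finding:
    upn: str
    cloud: str
    scope: str        # AWS account id or GCP project id
    privilege: str    # permission set or IAM role
    disabled_at: datetime

    @property
    def is_privileged(self) -> bool:
        return self.privilege in PRIVILEGED


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_orphaned_access(entra_users, aws_assignments, gcp_bindings) -> list:
    """Every cloud grant whose principal is disabled in Entra ID,
    privileged grants first, then oldest disable date first."""
    disabled = {u["upn"]: _parse(u["disabled_at"]) for u in entra_users if not u["enabled"]}
    findings = []
    for a in aws_assignments:
        if a["principal"] in disabled:
            findings.append(Finding(a["principal"], "aws", a["account"],
                                    a["permission_set"], disabled[a["principal"]]))
    for b in gcp_bindings:
        prefix, _, upn = b["member"].partition(":")
        if prefix == "user" and upn in disabled:
            findings.append(Finding(upn, "gcp", b["project"], b["role"], disabled[upn]))
    findings.sort(key=lambda f: (not f.is_privileged, f.disabled_at))
    return findings


def stale_findings(findings, now: datetime = REVIEW_TIME, sla: timedelta = OFFBOARD_SLA) -> list:
    """Grants that have outlived the offboarding SLA: review failures, not provisioning lag."""
    return [f for f in findings if now - f.disabled_at > sla]


if __name__ == "__main__":
    for f in find_orphaned_access(ENTRA_USERS, AWS_ASSIGNMENTS, GCP_BINDINGS):
        age = REVIEW_TIME - f.disabled_at
        print(f"{f.cloud}:{f.scope} {f.privilege} still held by {f.upn}, "
              f"{age.days}d {age.seconds // 3600}h after disable")
```

Run against real inventories, the two lists map onto what the quarterly review should produce: `find_orphaned_access` is the review scope, `stale_findings` is the list that indicates the offboarding propagation itself is broken rather than merely lagging.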
Purview Catalog Spanning ADLS Gen2 + S3 + GCS
Purview Data Map registers data sources across all three clouds using the Multicloud Scanning Connectors. Classification rules detect PII, PHI, and PCI data consistently regardless of which cloud the bucket lives in. Sensitivity labels propagate. Data lineage flows from raw S3 through Snowflake into the Fabric-mirrored gold layer into the Power BI dataset and finally into the Copilot grounding answer. One catalog. One regulator answer. One DLP enforcement plane.
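The governance value of one catalog is that the same classification rule produces the same label whether the object sits in ADLS Gen2, S3 or GCS. The following is an added illustration of that property, not Purview's scanner or its rule set: one rule set (SSN and e-mail as PII, card numbers as PCI, with a Luhn check so a random 16-digit value is not mislabelled) runs over three constructed objects, one per cloud, and maps the hits to a sensitivity label by a fixed ranking. The object paths, bodies, rule names and label names are constructed for the example.

```python
"""Consistent cross-cloud classification: added illustration, not Purview's scanner.

Runs one rule set over objects from three storage systems so the label does
not depend on which cloud the object lives in. Objects, rule names and label
names are constructed for the example.
"""
import re
from collections import Counter

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # card-number candidate; confirmed by Luhn below

# Constructed label vocabulary and ranking used to pick the object's label.
LABEL_FOR = {"PCI.PAN": "Highly Confidential", "PII.SSN": "Highly Confidential", "PII.Email": "Confidential"}
RANK = {"Public": 0, "Confidential": 1, "Highly Confidential": 2}

# Constructed sample objects, one per cloud. Only the body is scanned.
SAMPLE_OBJECTS = [
    {"cloud": "adls", "path": "abfss://raw@acct.dfs.core.windows.net/claims/2025-03.csv",
     "body": "member_id,ssn,email\n1001,123-45-6789,j.doe@example.com\n"},
    {"cloud": "s3", "path": "s3://retail-orders/2025/03/orders.csv",
     "body": "order,card\n77,4111 1111 1111 1111\n78,4111 1111 1111 1112\n"},
    {"cloud": "gcs", "path": "gs://trial-results/site-12/summary.txt",
     "body": "Site 12 enrolled 48 subjects; no identifiers in this file.\n"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most typos and random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Counter:
    """Count rule hits in a text; the rules are identical for every source cloud."""
    hits = Counter()
    hits["PII.SSN"] += len(SSN_RE.findall(text))
    hits["PII.Email"] += len(EMAIL_RE.findall(text))
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits["PCI.PAN"] += 1
    return +hits  # unary plus drops zero-count rules


def label_for(hits) -> str:
    """Highest-ranked label among the rules that fired, or Public when none did."""
    return max((LABEL_FOR[rule] for rule in hits), key=RANK.get, default="Public")


def scan(objects):
    results = []
    for o in objects:
        hits = classify(o["body"])
        results.append({"cloud": o["cloud"], "path": o["path"],
                        "hits": dict(hits), "label": label_for(hits)})
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_OBJECTS):
        print(f"{r['cloud']:5} {r['label']:20} {r['hits']} {r['path']}")
```

The S3 object shows why the checksum matters: two values match the card-number pattern, but only the one that passes Luhn counts, so the object is labelled on one real hit rather than two candidates.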
Azure AI Foundry Calling Vertex AI + AWS Bedrock
Azure AI Foundry hosts the agent orchestration. The agent routes to GPT-4o on Azure OpenAI for general reasoning, to Claude on AWS Bedrock for long-context legal review, and to Gemini on Vertex AI for multimodal medical imaging. All model calls flow through the Foundry observability layer, prompt and response logging hits Purview AI Hub, content filters apply uniformly. Best model per workload. Microsoft accountable for governance and audit.
The EPC Multi-Cloud Methodology — Five Phases
No big-bang cutovers. Identity first, then governance, then security, then data unification, then AI orchestration. Each phase ships with named senior-architect accountability, measurable acceptance criteria, and a documented rollback plan.
Phase 1 — Discovery + Cross-Cloud Inventory (2–4 weeks)
Honest inventory of what is actually running where, who owns each workload, what regulatory constraints anchor each cloud, and where the egress and commitment math lives. Identify the workloads that should stay where they are and the rare ones that genuinely should consolidate.
- Cross-cloud workload inventory — Azure subscriptions, AWS accounts, GCP projects, ownership, regulatory anchors
- Egress + reserved-commitment financial map — what it would actually cost to consolidate any given workload
- Identity, data, and security gap analysis — where governance falls off the edge of each cloud today
Phase 2 — Microsoft-Anchored Target Architecture (3–5 weeks)
Design the six-layer Microsoft anchor — Entra identity, Purview governance, Defender XDR, Fabric mirroring strategy, M365+Copilot estate, Azure AI Foundry orchestration — with explicit decisions on what stays multi-cloud, what mirrors, and what (rarely) consolidates. Senior-architect-led, peer-reviewed, documented.
- Target multi-cloud reference architecture with cross-cloud topology diagrams and decision rationale for each workload
- Entra-as-identity-provider design covering AWS IAM Identity Center + GCP Cloud Identity federation
- Fabric Mirroring strategy — which sources mirror, refresh cadence, OneLake shortcut topology, Direct Lake semantic model design
Phase 3 — Integration Build (8–14 weeks)
Implement the Microsoft anchor layers in the right sequence — identity first, then governance, then security, then data mirroring, then AI orchestration. Each layer goes live with measurable acceptance criteria and rollback plan. No big-bang cutovers.
- Entra federation to AWS IAM Identity Center + GCP Cloud Identity operational, with conditional access + PIM applied
- Purview Multicloud Scanning Connectors live for AWS + GCP data estates, with classification rules + sensitivity labels propagating
- Defender for Cloud + Sentinel multicloud connectors enrolled, agents deployed on EC2 + GCE, baseline detection rules tuned
Phase 4 — Governance + Operating Model (4–6 weeks)
Stand up the cross-cloud Center of Excellence, the FinOps practice that actually understands three clouds, and the documented operating model that makes the multi-cloud estate auditable and accountable rather than a shadow-IT collection.
- Multi-cloud Center of Excellence charter, RACI, governance forums, escalation paths
- Cross-cloud FinOps dashboard in Power BI — Azure + AWS + GCP spend, commitments, optimization queue
- Documented operating model — change management, exception process, regulatory evidence pack, runbooks
Phase 5 — Operate + Iterate (ongoing managed services)
Run the orchestrated estate with 24/7 senior-architect escalation, monthly multi-cloud reviews, quarterly architecture refresh, and continuous Purview + Defender tuning as the source clouds evolve.
- 24/7 managed Microsoft + multi-cloud governance operations with named senior architect escalation
- Monthly multi-cloud posture review — security, governance, FinOps, capacity, AI usage
- Quarterly architecture refresh aligned to AWS re:Invent, Google Cloud Next, and Microsoft Ignite roadmap changes
Honest About What EPC Group Is NOT
EPC Group is not a pure-AWS consultancy. We do not have hundreds of AWS-certified architects on staff. We are not the right partner for an AWS-native greenfield build, a deep Lambda architecture, or an EKS platform engineering buildout. For pure AWS work, the better recommendation is an AWS Premier Tier Services Partner such as Slalom, Deloitte, or a specialized AWS-native firm.
EPC Group is not a pure-GCP consultancy. If your shop runs Vertex AI, BigQuery, and GKE end-to-end with no Microsoft estate, a Google Cloud Premier Partner such as SADA or Pythian is the honest recommendation. We will say so.
What EPC Group IS: the Microsoft Solutions Partner across six designations and 29 years of Microsoft consulting leadership, specializing in being the accountable Microsoft layer in regulated multi-cloud estates. When the question is "who owns identity, governance, security, data unification, and AI orchestration across our Microsoft + AWS + GCP estate," the answer is EPC Group. When the question is "rebuild our entire AWS-native data platform," it is not.
Five Multi-Cloud Scenarios EPC Group Has Architected (Anonymized)
Healthcare — Azure + AWS Snowflake (anonymized)
Regional health system inherited a $180M Snowflake-on-AWS investment from an acquired physician group. Forced migration to Fabric would have triggered a 24-month re-platforming and a clinical-data downtime risk no CMIO would sign for. EPC Group designed Fabric Mirroring from Snowflake into OneLake, Power BI Direct Lake on the mirrored layer, Purview cataloging both S3 raw and Snowflake curated, HIPAA-anchored Entra access reviews quarterly. Snowflake stayed. Microsoft governance won.
Financial Services — Azure + GCP (anonymized)
Top-25 US bank ran Vertex AI + BigQuery for the quant-research desk because the model lineage features met FINRA model-risk-management requirements out of the box. Microsoft 365 + Power BI for everyone else. EPC Group built Entra federation into GCP, Purview cataloging BigQuery alongside the Azure data estate, Defender for Cloud monitoring GCP workloads, and a Fabric mirror so the wealth-management Power BI reports could read quant outputs without anyone exporting CSVs.
Retail — Azure + AWS (anonymized)
National retailer with $14B revenue ran the e-commerce platform on AWS (deep Lambda + DynamoDB engineering), corporate on Microsoft 365 + Fabric. Three engineering orgs, two cloud bills, zero unified governance. EPC Group implemented Entra-as-IdP into AWS IAM Identity Center, Defender for Cloud across both estates, Fabric mirroring the curated e-commerce marts, and a Purview catalog spanning S3 and ADLS Gen2 — without touching the e-commerce platform code.
Public Sector — Azure Government + AWS GovCloud (anonymized)
Federal subcontractor under prime contracts demanding both Azure Government (for ITAR and CMMC 2.0 Level 2) and AWS GovCloud (legacy mission system the prime would not move). EPC Group architected the Entra Government tenant as identity backbone, Purview Government as the cross-cloud catalog, Defender for Cloud Government monitoring both cloud postures, and Sentinel as the unified SIEM — all inside the FedRAMP High and CMMC Level 2 control boundary.
Life Sciences — Azure + AWS + GCP (anonymized)
Top-10 pharma with M365 + Fabric on Azure, AWS S3 for the genomics raw data lake (the genomics team will never leave AWS), and GCP BigQuery + Vertex AI for the Phase III trial vendor integration. Three clouds, GxP regulatory scope, 21 CFR Part 11 audit demands. EPC Group designed the Microsoft anchor — Entra identity, Purview spanning all three clouds, Defender XDR cross-cloud, Fabric mirroring genomics curated + trial results into OneLake. One governance answer for the FDA inspector.
EPC Multi-Cloud Architecture Accelerator
90-day fixed-scope engagement
$250K–$800K depending on estate complexity (subscription count, cloud count, regulatory scope)
Named Deliverables
- Cross-cloud workload + identity + data + security topology diagrams, peer-reviewed by senior architects
- Entra-as-identity-provider design covering AWS IAM Identity Center, Google Cloud Identity, regional Azure tenants
- Purview Multicloud Scanning strategy and catalog map across ADLS Gen2 + S3 + GCS + Snowflake + Databricks + BigQuery
- Defender for Cloud + Microsoft Sentinel multicloud coverage plan with named EC2 + GCE agent rollout sequence
- Fabric Mirroring source-by-source decision register — what mirrors, what stays native-only, refresh cadence, Direct Lake semantic model design
- Multi-cloud FinOps baseline + cross-cloud Power BI dashboard pattern (Azure + AWS + GCP spend, commitments, optimization queue)
- 12-month multi-cloud governance roadmap with named Microsoft Center of Excellence operating model
Why EPC Group Can Make This Architectural Call
Microsoft Solutions Partner — Six Designations
EPC Group holds Microsoft Solutions Partner status across Data + AI (Azure), Digital + App Innovation (Azure), Infrastructure (Azure), Modern Work, Security, and Business Applications — the full six-designation envelope very few partners hold. Multi-cloud orchestration is only credible from a partner who has earned every Microsoft designation, not a generalist who claims it.
Compliance-Native Across Multi-Cloud
HIPAA, SOC 2, FedRAMP, FINRA, CMMC, GxP — applied across Azure, AWS, and GCP workloads. Multi-cloud does not create a regulatory escape hatch. EPC Group's governance methodology applies the same Purview classification rules, the same Defender posture baselines, and the same Entra access reviews regardless of which cloud the workload runs on.
216+ M&A Tenant Migrations — Multi-Cloud Was Always the Reality
Across 216+ Microsoft 365 tenant migrations between 2023 and 2025 covering 1.83 million users, nearly every M&A deal we executed involved a second or third cloud the acquirer was not going to kill. Multi-cloud is not theoretical at EPC Group — it is the actual condition of the production engagements that built the methodology.
Author Credibility — Microsoft Press Azure Book
Errin O'Connor is a four-time Microsoft Press bestselling author including the Microsoft Press Azure architecture book. Nearly three decades of Microsoft consulting leadership, plus published authority on Azure architecture, gives EPC Group the credibility to make architectural calls that say "leave the AWS workload where it is" rather than the default partner reflex of "consolidate everything."
Multi-Cloud Microsoft Orchestration — Frequently Asked
Why run multi-cloud at all instead of consolidating to Azure?
Because consolidation is often the wrong answer. M&A inheritance, data sovereignty, talent retention, egress economics, and genuine best-of-breed workload fit make multi-cloud the right strategic choice for most regulated F500. Forced consolidation programs that ignore these realities run 18–36 months over schedule and frequently get cancelled mid-flight. The mature answer is Microsoft-anchored orchestration — keep workloads where they belong, govern them all through one Microsoft control plane.
Is Entra cross-cloud SSO actually real, or marketing?
Real. Microsoft Entra ID federates as the identity provider into AWS IAM Identity Center (formerly AWS SSO) and Google Cloud Identity using standards-based SAML and OIDC flows. Conditional Access, Privileged Identity Management, and Entra ID Governance access reviews apply at the federation layer. EPC Group has shipped this pattern in production for multiple F500 multi-cloud estates — including federal accounts using Entra Government and AWS GovCloud IAM Identity Center.
How does Fabric Mirroring actually work, and is it replication?
Microsoft Fabric Mirroring uses change-data-capture from the source system — Snowflake, Azure SQL DB, Cosmos DB, Databricks, Google BigQuery — and continuously syncs into OneLake as Delta tables. It is near real-time, read-only at the destination, and Microsoft-managed at the compute layer (no ETL pipeline to write or maintain). It is best thought of as managed CDC replication into a governed lake, not a point-in-time copy. Power BI Direct Lake reads the mirrored Delta tables with sub-second latency.
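The properties this answer and the Fabric Mirroring layer above attribute to CDC replication (the replica is derived only from source changes, changes apply in commit order, and the destination is read-only) are easiest to see in a small model. The following is an added conceptual model, not Fabric Mirroring's implementation: a replica table that applies a constructed change feed with a sequence number standing in for the source's commit order, buffers a change that arrives ahead of its predecessor, and drops a re-delivered one. The change records and the `seq` field are constructed for the example.

```python
"""Ordered change-feed apply into a read-only replica: an added conceptual model,
not Fabric Mirroring's implementation.

Shows the semantics the text attributes to mirroring: the destination is derived
only from source changes, changes apply in source commit order, and a re-delivered
or out-of-order change cannot corrupt the replica. The records are constructed;
"seq" stands in for the source's commit sequence.
"""


class MirroredTable:
    def __init__(self, key: str):
        self.key = key
        self.rows = {}       # replica state keyed by primary key
        self.watermark = 0   # highest sequence applied so far
        self.pending = {}    # changes that arrived ahead of their predecessors

    def apply_change(self, change: dict) -> str:
        """Returns 'duplicate', 'buffered' or 'applied'."""
        seq = change["seq"]
        if seq <= self.watermark:
            return "duplicate"            # already applied: redelivery is harmless
        self.pending[seq] = change
        while self.watermark + 1 in self.pending:   # apply strictly in order
            self._apply(self.pending.pop(self.watermark + 1))
            self.watermark += 1
        return "applied" if seq <= self.watermark else "buffered"

    def _apply(self, change: dict) -> None:
        op = change["op"]
        if op in ("insert", "update"):
            row = dict(change["after"])
            self.rows[row[self.key]] = row
        elif op == "delete":
            self.rows.pop(change["before"][self.key], None)
        else:
            raise ValueError(f"unknown op {op!r}")

    def snapshot(self) -> list:
        """Read-only view for consumers; the only write path is the change feed."""
        return [dict(r) for _, r in sorted(self.rows.items())]


# Constructed change feed: seq 4 arrives before seq 3, then seq 4 is redelivered.
# Without ordering, seq 3 would overwrite seq 4 and the replica would show amount 110.
CHANGE_FEED = [
    {"seq": 1, "op": "insert", "after": {"id": 1, "region": "EU", "amount": 100}},
    {"seq": 2, "op": "insert", "after": {"id": 2, "region": "US", "amount": 50}},
    {"seq": 4, "op": "update", "before": {"id": 1}, "after": {"id": 1, "region": "EU", "amount": 120}},
    {"seq": 3, "op": "update", "before": {"id": 1}, "after": {"id": 1, "region": "EU", "amount": 110}},
    {"seq": 4, "op": "update", "before": {"id": 1}, "after": {"id": 1, "region": "EU", "amount": 120}},
    {"seq": 5, "op": "delete", "before": {"id": 2, "region": "US", "amount": 50}},
]


def replay(feed, key: str = "id"):
    """Apply a feed to a fresh replica; returns the table and the per-record outcome."""
    table = MirroredTable(key)
    outcomes = [table.apply_change(c) for c in feed]
    return table, outcomes


if __name__ == "__main__":
    t, out = replay(CHANGE_FEED)
    print(out, t.watermark, t.snapshot())
```

The watermark is also what makes the replica restartable: a consumer that resumes from the last applied sequence re-reads nothing it already has and never skips a change.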
How does data residency drive cloud choice?
Data residency is often a hard regulatory boundary — EU pharma trial data, US federal subcontract data, healthcare data in jurisdictions requiring in-country storage. Sometimes the regulator-approved provider in a region is GCP, sometimes AWS, sometimes Azure. Consolidation through a residency requirement is a compliance violation, not a strategy. EPC Group designs cloud selection at the workload level driven by the actual regulatory map, not by partner preference.
We just acquired a company running entirely on AWS. Do we migrate them to Azure?
Probably not — at least not on day one. The first-90-days answer is almost always: federate Entra into their AWS IAM Identity Center, register their S3 and Snowflake into Purview, enroll Defender for Cloud on their EC2 fleet, and mirror their curated marts into OneLake so corporate analytics works. Then evaluate which workloads genuinely should migrate over 12–24 months — and which should stay on AWS forever. EPC Group has run this exact play across 216+ M&A engagements.
How do we optimize cost across three clouds?
Cross-cloud FinOps starts with one dashboard — Azure + AWS + GCP spend, commitments, reservations, savings plans, and optimization queue in a single Power BI semantic model. EPC Group builds this on Fabric, sourcing Azure Cost Management, AWS Cost Explorer, and GCP Billing Export. Then the unglamorous work: rightsizing, commitment portfolio management, egress audit, idle resource elimination, and architecture changes that reduce cross-cloud egress (which is where most multi-cloud cost surprises actually live).
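The first step of that dashboard is a single schema that three very different billing exports can be mapped into, with egress isolated so it can be audited. The following is an added illustration, not EPC Group's Fabric model: three constructed row sets shaped loosely like an Azure Cost Management export, an AWS cost-and-usage export and a GCP billing export are normalised into one row shape, and the egress share of each cloud's spend is computed. The rows and column names are constructed; the real exports differ in detail, and the per-cloud mapping is where that difference is absorbed.

```python
"""One cross-cloud cost schema: added illustration, not EPC Group's Fabric model.

Normalises rows from three billing exports into a common shape and isolates
network egress, the line item the text calls out as the usual multi-cloud
surprise. Rows and column names are constructed for the example.
"""
from collections import defaultdict

# Constructed rows; the column names imitate each export's style and are assumptions.
AZURE_ROWS = [
    {"Date": "2025-03-01", "ServiceName": "Bandwidth", "MeterCategory": "Bandwidth", "Cost": 1200.0},
    {"Date": "2025-03-01", "ServiceName": "Virtual Machines", "MeterCategory": "Virtual Machines", "Cost": 8000.0},
]
AWS_ROWS = [
    {"lineItem/UsageStartDate": "2025-03-01", "product/servicecode": "AmazonS3",
     "lineItem/UsageType": "USE1-DataTransfer-Out-Bytes", "lineItem/UnblendedCost": 3600.0},
    {"lineItem/UsageStartDate": "2025-03-01", "product/servicecode": "AmazonEC2",
     "lineItem/UsageType": "BoxUsage:m5.large", "lineItem/UnblendedCost": 5000.0},
]
GCP_ROWS = [
    {"usage_start_time": "2025-03-01", "service": {"description": "Compute Engine"},
     "sku": {"description": "Network Egress via Carrier Peering"}, "cost": 900.0},
    {"usage_start_time": "2025-03-01", "service": {"description": "BigQuery"},
     "sku": {"description": "Analysis"}, "cost": 2500.0},
]

# Substrings that mark a line item as network egress in each provider's naming.
EGRESS_MARKERS = ("datatransfer-out", "egress", "bandwidth")


def _is_egress(*fields: str) -> bool:
    return any(marker in f.lower() for f in fields for marker in EGRESS_MARKERS)


def normalise(azure, aws, gcp):
    """Map each export into {cloud, date, service, egress, cost}."""
    rows = []
    for r in azure:
        rows.append({"cloud": "azure", "date": r["Date"], "service": r["ServiceName"],
                     "egress": _is_egress(r["MeterCategory"]), "cost": float(r["Cost"])})
    for r in aws:
        rows.append({"cloud": "aws", "date": r["lineItem/UsageStartDate"], "service": r["product/servicecode"],
                     "egress": _is_egress(r["lineItem/UsageType"]), "cost": float(r["lineItem/UnblendedCost"])})
    for r in gcp:
        rows.append({"cloud": "gcp", "date": r["usage_start_time"], "service": r["service"]["description"],
                     "egress": _is_egress(r["sku"]["description"]), "cost": float(r["cost"])})
    return rows


def spend_by_cloud(rows):
    total = defaultdict(float)
    for r in rows:
        total[r["cloud"]] += r["cost"]
    return dict(total)


def egress_share(rows):
    """Fraction of each cloud's spend that is network egress, rounded to three places."""
    total, egress = defaultdict(float), defaultdict(float)
    for r in rows:
        total[r["cloud"]] += r["cost"]
        if r["egress"]:
            egress[r["cloud"]] += r["cost"]
    return {c: round(egress[c] / total[c], 3) for c in total}


if __name__ == "__main__":
    rows = normalise(AZURE_ROWS, AWS_ROWS, GCP_ROWS)
    print(spend_by_cloud(rows))
    print(egress_share(rows))
```

Once every row carries the same `cloud`, `service`, `egress` and `cost` fields, the commitments, reservations and optimization queue can be joined onto this table in the semantic model rather than reconciled by hand per provider.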
When DOES consolidation actually make sense?
When the secondary cloud has fewer than ~15 workloads, no significant data gravity, no regulatory anchor, and the talent supporting it has already attrited. When the AWS or GCP environment was built as a side project nobody owns anymore. When consolidation aligns with a natural contract renewal or hardware refresh cycle. EPC Group says "consolidate" when the math says consolidate — and just as often says "do not consolidate" when the math says otherwise. Honest architecture is the product.
How does this work for federal — Azure Government + AWS GovCloud?
Many federal subcontractors are required to run both Azure Government (for Microsoft 365 GCC High, Office workloads, and CMMC Level 2 scope) and AWS GovCloud (for legacy mission systems or prime-contract-mandated AWS workloads). EPC Group designs Entra Government as the identity backbone, Purview Government as the catalog, Defender for Cloud Government across both postures, and Sentinel Government as the unified SIEM — all within the FedRAMP High and CMMC Level 2 control boundary. See the federal Microsoft consulting page for the full federal control mapping.
Continue Architecting Your Microsoft + Multi-Cloud Estate
Your multi-cloud estate is already real. Make Microsoft the accountable layer.
Stop pretending consolidation will solve a governance problem that demands real architecture work. EPC Group will tell you which workloads should stay on AWS, which belong on GCP, which need to come to Azure — and how the Microsoft anchor layer makes the whole estate auditable, secure, and AI-ready. Honest architecture from a 29-year Microsoft Solutions Partner who has shipped this pattern across 70+ Fortune 500 clients.
contact@epcgroup.net · 888-381-9725 · Houston, TX