
Self‑Hosted, GDPR‑Aligned Azure Architecture for a Microsoft 365 Absence Platform
Two critical development platforms—an event‑driven workflow engine and an observability/error‑analysis stack—were re‑engineered in a Self‑Hosted model on Azure to keep European data in‑region and under enterprise controls. This enabled absentify to scale Teams‑ and Outlook‑native experiences while aligning to EU data‑protection expectations through secure networking, TLS, WAF, and governed CI/CD.
About absentify

absentify is a Microsoft 365‑native absence and leave management solution that runs directly in Microsoft Teams and Outlook, offering real‑time dashboards, structured approvals, and instant calendar synchronization for modern, distributed teams.
The platform automates out‑of‑office messages, syncs with Teams and Outlook calendars, and integrates with Entra ID for identity and provisioning—reducing manual workload while improving transparency for HR, managers, and employees.
Custom leave types, quotas, regional public holidays, and team structures are centrally configurable, enabling fast rollouts and a familiar Microsoft 365 user experience with minimal training.
Challenge
To continue product development under GDPR and meet EU‑based customer requirements, absentify needed two development platforms to be self‑hosted: a reliable event‑driven workflow service for approvals and automations, and a comprehensive observability/error‑analysis stack for quality and release velocity.
Both had to operate in EU regions with encrypted transit, segmented VNet design, TLS termination with WAF, least‑privilege access, and auditable CI/CD, while preserving the performance and UX expected inside Teams and Outlook.
The architecture also needed operational guardrails—health checks, backup and update procedures, and monitoring—to provide verifiable evidence of controls and support continuous delivery.
Danilix perspective
Danilix applied an assess‑architect‑operate playbook: design for EU residency first, then layer identity, networking, and supply‑chain controls, and finally automate evidence through health checks, logs, and governed pipelines.
The objective was a secure‑by‑default baseline that scales with product growth—minimizing risk and operational friction while maintaining the speed of Teams‑integrated feature delivery.
Repeatable patterns—segmented VNets, WAF‑fronted ingress, encrypted data planes, and least‑privilege CI/CD—allow faster iterations with lower compliance burden over time.
Example
- Self‑hosted workflow platform: containerized on Azure App Service for Linux pulling images from Azure Container Registry, backed by Azure Database for PostgreSQL and Azure Redis Enterprise in EU regions, with GitHub‑based CI/CD and App Service Managed Certificates for TLS.
- Self‑hosted observability platform: deployed on an Azure VM (Ubuntu 24.04) via Docker Compose, fronted by Azure Application Gateway (WAF v2) for SSL/TLS termination and rule enforcement, with scripted monitoring, backups, updates, and log rotation.
- Access and network posture: VNet/subnet segmentation, NSGs restricting north‑south and east‑west traffic, HTTPS‑only ingress, and least‑privilege Azure RBAC for build and runtime scopes.
Solution
- EU residency first: all compute, data, and ingress/egress paths were provisioned in EU regions, minimizing transfers and simplifying assurances to customers and auditors.
- Transport and perimeter security: TLS 1.2+ across services, Application Gateway WAF at the edge, and App Service Managed Certificates or uploaded PFX for automated or controlled certificate lifecycles.
- Data and supply chain: encrypted connections to PostgreSQL and Redis, secured registry pulls from ACR, isolated secrets in app settings, and CI/CD identities scoped to the minimum required.
- Operability: health endpoints, deployment logs, scheduled backups, and scripted updates provide verifiable control effectiveness and reduce mean‑time‑to‑restore.
Security and compliance alignment
- Identity and access: workload identities and scoped RBAC limit blast radius; client‑certificate mode where needed adds mutual trust on sensitive endpoints.
- Network isolation: VNets and NSGs constrain ingress to WAF‑managed entry points and restrict service backends to known subnets and ports.
- Evidence and governance: CI/CD pipelines, change logs, and gateway health checks offer auditable artifacts supporting GDPR accountability and security‑by‑design claims.
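As an added illustration, and not a template from absentify or Danilix, the following Bicep fragment shows how the identity and network-isolation points above map to concrete resource settings: an NSG on the backend subnet that admits HTTPS only from the Application Gateway (WAF) subnet and explicitly denies other inbound flows, and an App Service for Linux that is HTTPS-only, enforces TLS 1.2 minimum, and pulls its container image from ACR with a managed identity instead of stored registry credentials. Resource names, CIDRs, the region, the plan ID and the registry login server are assumptions.

```bicep
// Added example (not absentify's or Danilix's own template); names, CIDRs and parameters are assumptions.
param location string = 'westeurope'              // EU region: residency first
param appGwSubnetPrefix string = '10.10.1.0/24'   // subnet hosting Application Gateway (WAF v2)
param backendSubnetPrefix string = '10.10.2.0/24' // subnet for the workflow backend
param appServicePlanId string                     // resource ID of an existing Linux App Service plan
param acrLoginServer string                       // ACR login server, e.g. myregistry.azurecr.io (placeholder)
// NSG for the backend subnet: only the WAF subnet may reach 443; all other inbound flows, including
// east-west traffic from other VNet subnets, are denied before the built-in AllowVnetInBound rule applies.
resource backendNsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-backend'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowHttpsFromAppGateway'
        properties: {
          priority: 100, direction: 'Inbound', access: 'Allow', protocol: 'Tcp'
          sourceAddressPrefix: appGwSubnetPrefix, sourcePortRange: '*'
          destinationAddressPrefix: backendSubnetPrefix, destinationPortRange: '443'
        }
      }
      {
        name: 'DenyAllOtherInbound'
        properties: {
          priority: 4096, direction: 'Inbound', access: 'Deny', protocol: '*'
          sourceAddressPrefix: '*', sourcePortRange: '*'
          destinationAddressPrefix: '*', destinationPortRange: '*'
        }
      }
    ]
  }
}
// App Service (Linux container) for the workflow engine: HTTPS-only ingress, TLS 1.2 minimum, FTPS off,
// and a system-assigned identity (grant it AcrPull on the registry) so no registry password sits in app settings.
resource workflowApp 'Microsoft.Web/sites@2023-01-01' = {
  name: 'app-workflow-eu'
  location: location
  kind: 'app,linux,container'
  identity: { type: 'SystemAssigned' }
  properties: {
    serverFarmId: appServicePlanId
    httpsOnly: true
    siteConfig: {
      minTlsVersion: '1.2'
      ftpsState: 'Disabled'
      acrUseManagedIdentityCreds: true
      linuxFxVersion: 'DOCKER|${acrLoginServer}/workflow:1.0.0'
    }
  }
}
```

Associate the NSG with the backend subnet and assign the app's identity the AcrPull role on the registry in the same deployment; the WAF listener on Application Gateway then remains the only path to port 443 on the backend.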
Results
- Two self‑hosted platforms online in EU: event‑driven workflows for approvals/automations and observability/error analysis now run under EU‑resident Azure control planes with governed CI/CD.
- Hardened baseline: TLS/SSL everywhere, WAF protections, segmented networks, encrypted data paths, secrets isolation, and least‑privilege automation form a defendable operating posture.
- Compliance‑aligned operations: EU residency and documented controls support GDPR expectations while preserving Teams‑ and Outlook‑native performance and user experience.
Takeaway framework
- Design for EU residency: choose EU regions, validate data flows, and prioritize in‑region storage/processing to simplify data‑transfer assessments.
- Segment and shield: isolate subnets, restrict NSGs, front with Application Gateway (WAF), and enforce HTTPS‑only ingress for least‑exposed edge surfaces.
- Automate the supply chain: standardize builds in ACR, scan/sign images, and deploy via least‑privilege pipelines with secrets isolation for verifiable releases.
- Prove it continuously: implement health checks, logs, backups, and scripted updates to supply ongoing evidence of control effectiveness and operational integrity.
Closing
Self‑hosting the two development platforms on Azure—workflows and observability—gave absentify the EU‑resident foundation it needed to keep innovating inside the Microsoft 365 ecosystem while aligning to GDPR expectations.
What part of this blueprint would create the biggest impact in the next quarter: segmenting networks, tightening CI/CD identities, or fronting all ingress with WAF and managed TLS?