Technical Architecture Overview
FourVision Apps are delivered as a Platform-as-a-Service (PaaS) product, leveraging an Azure Managed Application backend. The application is installed in the customer’s tenant, where data resides. Importantly, these apps are not Software-as-a-Service (SaaS) products hosted on FourVision’s side. The deployment process is highly automated, and maintenance windows can be configured for each app.
Note
This architecture does not focus on integration scenarios. The goal is to understand how the FourVision solution fits into the customer's environment landscape.
Below is the overview of the key components of this architecture:
Managed Application:
- A managed application corresponds to a specific environment (e.g., production, sandbox UAT, or sandbox acc).
- Each environment, such as Production or Sandbox (Test), is represented by its own managed application.
- The FourVision Managed Application Connector, available from the Microsoft Store, establishes delegated access control.
- It links to the Managed Resource Group that contains your resources, such as Application Insights, databases, SQL servers, and firewalls, that belong to the environment.
- This setup ensures secure hosting within your own tenant.
Managed Resource Group:
- A managed resource group is a container for organizing related resources belonging to a managed application within Azure.
- Unlike traditional resource groups, which might contain resources shared across environments, the MRG is specific to a single environment (e.g., prod, sandbox UAT, or sandbox acc).
- Resources within the MRG are isolated and associated with the corresponding managed application.
- These assets are securely hosted within your tenant and supported by FourVision.
Microsoft Enterprise ID (Entra ID):
- FourVision connects to your Azure Active Directory (Azure AD) using API enterprise applications.
- This connection handles application and interface authentications.
- You can enhance security by implementing additional Azure services like Multi-Factor Authentication (MFA) and conditional access.
Managed Identity:
- FourVision Apps utilize managed identities to access other resources and services without explicit credentials.
- To enable data integration, grant access to connected systems (e.g., Finance and Operations) using the provided Client ID of the managed identity.
Key Vault:
- Azure Key Vault safeguards encryption keys and secrets (such as certificates, connection strings, and passwords).
- Access to key vaults should be restricted to authorized applications and users due to the sensitive and critical nature of this data.
App Service Plan:
- An App Service plan provides managed and scalable virtual machines (VMs) that host your app.
- All apps associated with a plan run on the same server instances.
Web App:
- FourVision applications are deployed on the Web App, a fully managed platform accessible via the Azure Portal.
SQL Server and Database:
- SQL Database, a relational database-as-a-service, shares its code base with Microsoft SQL Server.
- It serves as the backend for data storage and retrieval.
Service bus:
- An integration message broker that decouples applications and services. The Dynamics 365 integration uses it for data flow between the various business processes, while FourVision Web Apps provide the scalable hosting for the web applications.
Storage Account:
- Azure Storage stores related content, including documents, attachments, and images used or uploaded within FourVision Apps.
Application Insights and Workspace:
- Azure Monitoring and Alerting are set up for the hosted environment.
- Application Insights provides valuable telemetry data for performance monitoring.
Network and DNS Components:
- Networking assets ensure secure database access from FourVision Apps to the Azure database.
- A Virtual Network (VNet) isolates resources within private address spaces.
- External access to the database is restricted by default.
Graphical overview
This architecture ensures a robust, scalable, and secure environment for FourVision Apps within the Azure ecosystem.
Recommendations
Your requirements might differ from the architecture described here. Use the recommendations in this section as a starting point.
The FourVision solution is deployed inside the customer tenant. Provision the FourVision solutions in the same region as the Dynamics 365 solutions they interface with, which minimizes network latency. Generally, choose the region closest to your users.
Hosting
The FourVision solution is deployed inside the customer tenant; this can be any Azure subscription the customer provides. We also support Azure subscriptions provided through Enterprise Agreements or third-party partners.
Sizing and scaling
FourVision Web Apps run on the Microsoft Azure platform; Microsoft commits to an availability of 99.9% per month for the service.
High-availability functionality provides ways to prevent downtime caused by the failure of a single node within an Azure data center. Each service's cloud architecture uses Azure availability sets for the compute tier to prevent single-point-of-failure events.
We advise sizing the listed services based on the expected production usage. The schema below is a common deployment, but it needs a customer-specific approach depending on the products used and their usage. Deployed resources are shared across all deployed environments and should be monitored for performance and availability. During the test and build phases the sizing can be lower than advised.
The sizing area describes only the "core" server components, as these share resources across sub-components; e.g. the App Service plan is shared by all individual web apps described in the architecture design.
By default we deploy the recommended sizes and have set the following minimum required sizing per sub-item during deployment:
Component | Description | Sandbox | Production |
---|---|---|---|
App Service Plan | In each environment instance, we create a Linux App Service plan. This plan provides managed and scalable virtual machines (VMs) that host your FourVision Apps within a single environment. All apps in the environment are associated with the same plan and run on these server instances, sharing this resource. | P1v3, 1 instance = 195 min. ACU / 2 vCPU, 8 GB | P2v3, 1 instance = 195 min. ACU / 4 vCPU, 16 GB. To reduce cost with fewer than 500 users you can use the P1v3 size |
SQL Server and Database | In each environment instance, we provision an Azure SQL Database along with a dedicated table for each web app. | S1 database deployed with 7 days point-in-time restore | S3 database deployed with zone-redundant backup, 35 days point-in-time restore and 6 weekly backups. To reduce cost with fewer than 500 users you can use the S1 size |
Key Vault | For each environment instance, we create an Azure Key Vault to securely store setup and connection settings related to the environment and connected systems. | Standard, 7 days retention | Standard, 90 days retention |
Service Bus | For each environment instance, the message broker that enables scalable integrations with Dynamics 365 for event-driven data flow with the FourVision Web App. | Basic tier | Basic tier |
Storage Account | For each environment instance, we create an Azure storage account with a blob container per Web App to store content such as attachments and images. | Locally redundant storage in the cool tier, which results in slightly longer access times, including 7 days of soft delete (recovering lost files) | Geo-redundant storage, including 35 days of soft delete (recovering lost files) |
Region
Provision the FourVision solutions in the same region as the Dynamics 365 solutions they interface with, which minimizes network latency. Generally, choose the region closest to your users.
Backups
In the event of data loss, SQL Database and Blob storage provide point-in-time restore. These features are available in all environments and are enabled automatically; you don't need to schedule or manage the backups manually.
Point-in-time restore lets you recover from human error by returning the database to an earlier point in time; for now, this requires you to file a support ticket.
Additionally, you can trigger managed self-service backups; such a backup is kept until the environment is deleted, for safekeeping or for restoring other environments. A typical use is copying the Golden Config from Production to Sandbox for acceptance testing.
Additions
Additions can help you to protect service availability and support you in training or testing needs.
Optionally, we can include the following priced options as add-on services:
- Custom domain names.
- SQL additional automation of periodic (shipped) backups to storage accounts.
- Up to 365 days of Soft Delete and Recovery support for File storage.
- Secondary region/data centre for the Azure SQL and Azure blob storage replications.
When additions are acquired to support disaster recovery scenarios, note that recovery is not a seamless process: depending on the outage, there are activities and decisions on which FourVision, customers, partners and Microsoft may need to align in order to engage properly during recovery. After the recovery site has been set up and the service started, the recovered data stores and databases are used to redeploy the Web App sites, with a Recovery Time Objective (RTO) of up to 24 hours.
Enterprise applications
Below are the Azure Enterprise Applications (APIs) with their different usage that you can take up from FourVision. These applications are in place to grant users or integrations access to, and optionally an administrator role in, the FourVision Apps.
During implementation you will be asked to grant tenant-wide admin consent; this requires you to sign in as a Global Administrator, an Application Administrator, or a Cloud Application Administrator.
Warning
Granting tenant-wide admin consent to an application will grant the app and the app's publisher access to your organization's data. Carefully review the permissions the application is requesting before granting consent.
Name | Application Id | Usage |
---|---|---|
FourVision Portal | 7f01cbe8-fa65-4d9e-9d8e-59c1950f9e16 | FourVision Management Portal User Access Control |
Document Management | 38aeba73-92c9-45f9-8b85-99649b6b4bf6 | FourVision Web App User Access Control |
Boarding | de771043-eb5f-4885-ad88-0995544efaf3 | FourVision Web App User Access Control |
Payroll Interface | d2bdbf94-6a5c-4660-84d7-7dede68f4749 | FourVision Web App User Access Control |
Performance Management | bbe0fce7-82d8-4da3-9107-37a6b8929d09 | FourVision Web App User Access Control |
Request | 1d164022-a013-4964-b490-914da2381763 | FourVision Web App User Access Control |
Timesheet Management | 393b6e67-0f1c-4190-92bc-02ed31966739 | FourVision Web App User Access Control |
Availability and visibility of the above APIs depends on your licenses.
Important
When an application has been granted tenant-wide admin consent, all users will be able to sign into the app unless it has been configured to require user assignment. To restrict which users can sign into an application, require user assignment and then assign users or groups to the application. For more information, see Methods for assigning users and groups.
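To check the point in the Important note above, here is an added audit script (not FourVision's own tooling) that looks up the service principal of each FourVision enterprise application in your tenant via Microsoft Graph and reports those that have admin consent but do not require user assignment. It assumes a Graph bearer token in the GRAPH_TOKEN environment variable with Application.Read.All (Application.ReadWrite.All for the remediation helper).

```python
import json, os, urllib.parse, urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Application IDs of the FourVision enterprise applications listed in the table above.
FOURVISION_APPS = {
    "FourVision Portal": "7f01cbe8-fa65-4d9e-9d8e-59c1950f9e16",
    "Document Management": "38aeba73-92c9-45f9-8b85-99649b6b4bf6",
    "Boarding": "de771043-eb5f-4885-ad88-0995544efaf3",
    "Payroll Interface": "d2bdbf94-6a5c-4660-84d7-7dede68f4749",
    "Performance Management": "bbe0fce7-82d8-4da3-9107-37a6b8929d09",
    "Request": "1d164022-a013-4964-b490-914da2381763",
    "Timesheet Management": "393b6e67-0f1c-4190-92bc-02ed31966739",
}

def graph_request(token, method, path, body=None):
    """Minimal Microsoft Graph call. The bearer token is an assumption: it must carry
    Application.Read.All to audit and Application.ReadWrite.All to remediate."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def find_service_principal(token, app_id):
    """Service principal (enterprise application) for an app ID; None if the app is not consented here."""
    flt = urllib.parse.quote("appId eq '%s'" % app_id)
    found = graph_request(token, "GET", "/servicePrincipals?$filter=" + flt).get("value", [])
    return found[0] if found else None

def open_to_all_users(sp):
    """Consented, but 'Assignment required?' is off: every user in the tenant can sign in."""
    return not sp.get("appRoleAssignmentRequired", False)

def audit(sps):
    """Names of consented apps that still admit every user. sps maps name -> SP JSON or None."""
    return sorted(n for n, sp in sps.items() if sp is not None and open_to_all_users(sp))

def require_assignment(token, sp_id):
    """Remediation: turn on 'Assignment required?'; then assign users or groups to the app."""
    graph_request(token, "PATCH", "/servicePrincipals/" + sp_id, {"appRoleAssignmentRequired": True})

if __name__ == "__main__":
    token = os.environ["GRAPH_TOKEN"]
    sps = {n: find_service_principal(token, a) for n, a in FOURVISION_APPS.items()}
    for name in audit(sps):
        print(name + ": any tenant user can sign in; require user assignment for it")
```

Apps that are not yet consented in the tenant are skipped, since they have no service principal to configure.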
Licensing
The solution will be licensed with a subscription and integrate with existing products and licenses from Microsoft.
Example overview of a tenant containing multiple license subscriptions, including FourVision Web Apps:
Overview of license options
Product | Module | License unit |
---|---|---|
Document Management | Base product license | Number of active workers |
Boarding | Base product license | Number of active workers |
Payroll Interface | Base product license | Number of active workers |
Performance Management | Base product license | Number of active workers |
Performance Management | Strategic workforce planning | Enabled Y/N (# workers of base license) |
Performance Management | Succession management | Enabled Y/N (# workers of base license) |
Request | Base product license | Number of active workers |
Timesheet Management | Base product license | Number of active workers |
Timesheet Management | Expenses management | Enabled Y/N (# workers of base license) |
Number of active workers
Licenses for the FourVision Web App products are calculated based on active worker counts. Active workers are defined as unique workers in the worker table that have an active employment or contract record attached, i.e. a record that is currently active rather than future-dated or past-dated. This means that an employee is counted only once even if they are employed in two or more legal entities or were transferred over time between different contracts.
The Administrator Dashboard of each web app shows the licensed and active worker counts; you can also refresh your license there.
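The counting rule above, applied to constructed employment records as an added example (not FourVision's own code; the record fields and the inclusive end date are assumptions):

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

@dataclass(frozen=True)
class Employment:
    """One employment or contract record (field names are assumptions, not FourVision's schema)."""
    worker_id: str           # key into the worker table
    legal_entity: str
    start: date
    end: Optional[date]      # None = open-ended contract

def is_active(rec: Employment, on: date) -> bool:
    """Currently active on the given day: started on or before it and not yet ended.
    A future-dated record (start after 'on') or a past-dated one (end before 'on') does not
    count; the end date is treated as inclusive (assumption)."""
    return rec.start <= on and (rec.end is None or rec.end >= on)

def active_workers(records: Iterable[Employment], on: date) -> set:
    """Unique workers with at least one active record. A worker employed in several legal
    entities, or transferred between contracts over time, appears once."""
    return {r.worker_id for r in records if is_active(r, on)}

def active_worker_count(records: Iterable[Employment], on: date) -> int:
    return len(active_workers(records, on))

# Constructed sample data covering the cases the licensing rule describes.
SAMPLE = [
    Employment("W1", "NL01", date(2020, 1, 1), None),               # active in two legal entities:
    Employment("W1", "DE01", date(2022, 3, 1), None),               # still one worker
    Employment("W2", "NL01", date(2018, 1, 1), date(2023, 6, 30)),  # old contract, ended
    Employment("W2", "NL01", date(2023, 7, 1), None),               # transferred: new open contract
    Employment("W3", "NL01", date(2024, 9, 1), None),               # future-dated hire, not yet active
    Employment("W4", "DE01", date(2015, 1, 1), date(2023, 12, 31)), # past-dated, left the company
    Employment("W5", "DE01", date(2024, 1, 1), date(2024, 6, 1)),   # ends on the count day: still active
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    print(sorted(active_workers(SAMPLE, today)), active_worker_count(SAMPLE, today))  # ['W1', 'W2', 'W5'] 3
```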