At a glance: Building on the prior SAP financial-reporting engagement, ManCom is architecting and delivering a greenfield Azure tenant for Sirtex's SAP / DW / BI workloads — Azure SQL, Azure Data Factory with a Self-Hosted Integration Runtime, Key Vault-backed secrets, Power BI workspaces, and Salesforce / Everstage integrations — all delivered through Infrastructure-as-Code with parallel-run validation against the legacy environment.

Engagement Overview

Following ManCom's earlier remediation of Sirtex's SAP financial reporting pipeline, the next phase modernizes the surrounding data warehouse and reporting estate. The goal: retire a legacy on-prem SSIS and SQL stack in favor of a fully cloud-native Azure tenant that consolidates SAP, Salesforce, and Everstage data into a unified BI layer. The build is staged and run in parallel with the legacy environment so that finance and sales reporting are validated end-to-end before cutover.

Greenfield Azure Tenant & Networking

The new environment is provisioned in a dedicated resource group with a purpose-built virtual network, isolated subnets for data and integration workloads, and private endpoints for both Azure SQL and Key Vault. All cross-service communication stays inside the VNet; no public SQL or Key Vault endpoints are exposed to the internet.

Azure SQL Data Warehouse

Production and development databases (STAT and STAT_DEV) are deployed on Azure SQL with Microsoft Entra ID authentication, eliminating the legacy reliance on shared Windows-auth service accounts. Database access is governed through Entra groups, and connection strings use Active Directory Default authentication so the same code path works for ADF managed identities, developer machines, and CI/CD service principals without embedded credentials.

Azure Data Factory + Self-Hosted Integration Runtime

Azure Data Factory replaces the legacy SSIS package estate. A Self-Hosted Integration Runtime, deployed on a hardened VM inside the VNet, provides connectivity to the on-prem SAP source so that hybrid pulls are possible without exposing SAP to the public internet. Pipelines authenticate to Azure SQL and Key Vault using ADF's managed identity — secrets are never stored in pipeline definitions.

Key Vault & Secret Hygiene

Every credential the platform needs — SQL admin, SAP source, integration API keys, OAuth client IDs/secrets/refresh tokens — is stored in Azure Key Vault with private endpoint access only. Application code and pipeline definitions reference secrets by name; values never appear in source control, configuration files, or environment variables on disk.
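
A CI check for the rule above that pipeline definitions reference secrets by name, as an added example (not ManCom's or Sirtex's code): it walks one ADF linked-service JSON document and flags literal secrets, inline SecureString values and credentials embedded in connection strings. The function name, the list of secret-bearing field names and the sample documents are assumptions constructed for illustration.

```python
import re

# Connection-string keys that embed a credential in the string itself.
INLINE_CRED = re.compile(
    r"(?i)(?:^|;)\s*(password|pwd|accountkey|sharedaccesskey)\s*=\s*[^;\s]")
# Property names that should hold a Key Vault reference, never a literal.
SECRET_FIELDS = {"password", "clientsecret", "refreshtoken", "securitytoken",
                 "apikey", "serviceprincipalkey", "accesstoken"}

def audit_linked_service(doc):
    """Return sorted (json_path, problem) findings for one linked service."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            kind = node.get("type")
            if kind == "AzureKeyVaultSecret":  # secret referenced by name
                store = node.get("store") or {}
                if not node.get("secretName") or not store.get("referenceName"):
                    findings.append((path, "incomplete Key Vault reference"))
            elif kind == "SecureString" and "value" in node:
                findings.append((path, "inline SecureString value"))
            else:
                for key, value in node.items():
                    walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")
        elif isinstance(node, str):
            leaf = path.rsplit(".", 1)[-1].lower()
            if leaf in SECRET_FIELDS:
                findings.append((path, "literal secret in definition"))
            elif INLINE_CRED.search(node):
                findings.append((path, "credential in connection string"))

    walk(doc.get("properties", {}).get("typeProperties", {}), "typeProperties")
    return sorted(findings)

# Constructed samples in the ADF linked-service JSON shape; all values are placeholders.
KV_REF = {"type": "AzureKeyVaultSecret", "secretName": "salesforce-password",
          "store": {"referenceName": "ls_keyvault", "type": "LinkedServiceReference"}}
GOOD_SF = {"properties": {"type": "Salesforce", "typeProperties": {
    "username": "etl@example.invalid", "password": KV_REF}}}
BAD_SF = {"properties": {"type": "Salesforce", "typeProperties": {
    "password": "PLACEHOLDER",
    "securityToken": {"type": "SecureString", "value": "PLACEHOLDER"}}}}
BAD_SQL = {"properties": {"type": "AzureSqlDatabase", "typeProperties": {
    "connectionString": "Server=tcp:sql.example.invalid,1433;Database=STAT;"
                        "User ID=etl;Password=PLACEHOLDER"}}}

if __name__ == "__main__":
    for name, doc in [("GOOD_SF", GOOD_SF), ("BAD_SF", BAD_SF), ("BAD_SQL", BAD_SQL)]:
        print(name, audit_linked_service(doc))
```

Run over every linked-service file in a pull request, a non-empty result fails the build before the definition reaches the factory.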

Source System Integration

The data layer ingests from three primary sources:

  • SAP — on-prem source pulled through the Self-Hosted IR.
  • Salesforce — OAuth-based REST API integration with credentials brokered through Key Vault.
  • Everstage — commission-platform REST API integration aligned with the corrected SAP commission model from the prior engagement.

Power BI & Reporting Layer

A dedicated Power BI footprint provides workspaces for Finance and Operations, sourced from the curated Azure SQL warehouse. Embedded reporting is delivered through a SharePoint Online site with an Azure AD app registration scoped specifically for embed access, giving business users the reports they need without granting broad workspace permissions.

Observability & Alerting

A Log Analytics workspace centralizes diagnostic logs from Azure SQL, ADF, and Key Vault. Azure Monitor alerts route through a single action group that pages both ManCom support and the Sirtex operations contact, so any pipeline failure, storage threshold, or authentication anomaly is visible to both teams within minutes.

CI/CD & Infrastructure as Code

The entire tenant — resource group, networking, SQL, ADF, Key Vault, monitoring — is defined as code and deployed through GitHub Actions. A federated service principal authenticates the pipeline to Azure without long-lived secrets. The main branch drives production; the dev branch drives the development database. Database schema and ADF artifacts are versioned alongside the infrastructure.

Parallel-Run & Cutover Strategy

The new tenant runs alongside the legacy SSIS / on-prem SQL environment until reconciliation reports confirm row-level parity for finance and commission datasets. Cutover proceeds only after sign-off from finance and sales operations, which avoids the risk of a hard switch on revenue-impacting reports.

What This Build Delivers

  • No more silent failures — every job failure alerts immediately via Azure Monitor.
  • No more manual deployments — every schema, pipeline, and report change ships through a reviewed pull request.
  • No more stale reports — Power BI refreshes on a schedule instead of depending on a person.
  • No more SFTP/CSV lag — commission and CRM data move via REST API, not nightly file drops.
  • Full audit trail — git history for every SQL object, pipeline definition, and report.
  • Elastic infrastructure — PaaS Azure SQL replaces an unmanaged VM with manual patching.
  • Documented from day one — no archaeology required to understand what the platform does.

Key Capabilities Demonstrated

  • Greenfield Azure tenant architecture & landing zone
  • Azure SQL with Entra ID authentication
  • Azure Data Factory + Self-Hosted Integration Runtime
  • SSIS-to-ADF migration & modernization
  • VNet-isolated private endpoints (SQL, Key Vault)
  • Key Vault-backed secret management
  • Hybrid SAP connectivity through SHIR
  • Salesforce & Everstage REST API integration
  • Power BI workspaces with SharePoint embedded delivery
  • Azure Monitor + Log Analytics observability
  • Infrastructure as Code via GitHub Actions
  • Parallel-run validation & risk-managed cutover