Create BizTalk Services using the Azure portal


Microsoft Azure BizTalk Services (MABS) is being retired, and replaced with Azure Logic Apps. If you currently use MABS, then Move from BizTalk Services to Logic Apps provides some guidance on moving your integration solutions to Logic Apps.

If you're brand new to Logic Apps, then we suggest getting started here:


To sign in to the Azure portal, you need an Azure account and Azure subscription. If you don't have an account, you can create a free trial account within a few minutes. See Azure Free Trial.

Create a BizTalk Service

Depending on the Edition you choose, not all BizTalk Service settings may be available.

  1. Sign in to the Azure portal.
  2. In the bottom navigation pane, select NEW:
    Select the New button
    Select BizTalk Service and select Custom Create
  4. Enter the BizTalk Service settings:

    BizTalk service name You can enter any name but be specific. Some examples include:

    "" is automatically added to the name you enter. This creates a URL that is used to access your BizTalk Service, like
    Edition If you are in the testing/development phase, choose Developer. If you are in the production phase, use the BizTalk Services: Editions Chart to determine if Premium, Standard, or Basic is the correct choice for your business scenario.
    Region Select the geographic region to host your BizTalk Service.
    Domain URL Optional. By default, the domain URL is A custom domain can also be entered. For example, if your domain is contoso, you can enter:
    Select the NEXT arrow.

  5. Enter the Storage and Database Settings:

    Monitoring/Archiving storage account Select an existing storage account or create a new storage account.

    If you create a new Storage account, enter the Storage Account Name.
    Tracking database If you use an existing Azure SQL Database, it cannot be used by another BizTalk Service. You need the login name and password entered when that Azure SQL Database Server was created.

    TIP Create the Tracking database and Monitoring/Archiving storage account in the same region as the BizTalk Service.
    Select the NEXT arrow.

  6. Enter the Database settings:

    Name Available when Create a new SQL Database instance is selected in the previous screen.

    Enter a SQL Database name to be used by your BizTalk Service.
    Server Available when Create a new SQL Database instance is selected in the previous screen.

    Select an existing SQL Database Server or create a new SQL Database server.
    Server login name Enter the login user name.
    Server login password Enter the login password.
    Region Available when Create a new SQL Database instance is selected. Select the geographic region to host your SQL Database.

Select the check mark to complete the wizard. The progress icon appears:
Progress icon displays when complete

When complete, the Azure BizTalk Service is created and ready for your applications. The default settings are sufficient. If you want to change the default settings, select BIZTALK SERVICES in the left navigation pane, and then select your BizTalk Service. Additional settings are displayed in the Dashboard, Monitor, and Scale tabs at the top.

Depending on the state of the BizTalk Service, there are some operations that cannot be completed. For a list of these operations, go to BizTalk Services State Chart.

Post-provisioning steps

Install the certificate on a local computer

As part of BizTalk Service provisioning, a self-signed certificate is created and associated with your BizTalk Service subscription. You must download this certificate and install it on computers from where you either deploy BizTalk Service applications or send messages to a BizTalk Service endpoint.

  1. Sign in to the Azure portal.
  2. Select BIZTALK SERVICES in the left navigation pane, and then select your BizTalk Service subscription.
  3. Select the Dashboard tab.
  4. Select Download SSL Certificate:
    Modify SSL Certificate
  5. Double-click the certificate and run through the wizard to install the certificate. Make sure you install the certificate under the Trusted Root Certificate Authorities store.

Add a production-ready certificate

The self-signed certificate that is automatically created when creating BizTalk Services is intended for use in development environments only. For production scenarios, replace it with a production-ready certificate.

  1. On the Dashboard tab, select Update SSL Certificate.
  2. Browse to your private SSL certificate (CertificateName.pfx) that includes your BizTalk Service name, enter the password, and then click the check mark.

Get the Access Control namespace

  1. Sign in to the Azure portal.
  2. Select BIZTALK SERVICES in the left navigation pane, and then select your BizTalk Service.
  3. In the task bar, select Connection Information:
    Select Connection Information
  4. Copy the Access Control values.

When you deploy a BizTalk Service project from Visual Studio, you enter this Access Control namespace. The Access Control namespace is automatically created for your BizTalk Service.

The Access Control values can be used with any application. When Azure BizTalk Services is created, this Access Control namespace controls the authentication with your BizTalk Service deployment. If you want to change the subscription or manage the namespace, select ACTIVE DIRECTORY in the left navigation pane and then select your namespace. The task bar lists your options.

Clicking Manage opens the Access Control Management Portal. In the Access Control Management Portal, the BizTalk Service uses Service identities:
ACS Service Identities in the Access Control Management Portal

The Access Control service identity is a set of credentials that allow applications or clients to authenticate directly with Access Control and receive a token.


The BizTalk Service uses Owner for the default service identity and the Password value. If you use the Symmetric Key value instead of the Password value, the following error may occur.

Could not connect to the Access Control Management Service account with the specified credentials

Managing Your ACS Namespace lists some guidelines and recommendations.

Requirements explained

These requirements do not apply to the Free Edition.

What you need Why you need it
Azure subscription The subscription determines who can sign in to the Azure portal. The Account holder creates the subscription at Azure Subscriptions.

The Azure account can have multiple subscriptions and can be managed by anyone who is permitted. For example, your Azure account holder creates a subscription named BizTalkServiceSubscription and gives the BizTalk Administrators within your company (for example, access to this subscription. In this scenario, the BizTalk Administrators sign in to the Azure portal and have full Administrator rights to all the hosted services in the subscription, including Azure BizTalk Services. The BizTalk Administrators are not the Azure account holders and therefore don't have access to any billing information.

Manage Subscriptions and Storage Accounts in the Azure portal provides more information.
Azure SQL Database Stores the tables, views, and stored procedures used by the BizTalk Service, including the Tracking data.

When you create a BizTalk Service, you can use an existing Azure SQL Server, Azure SQL Database, or automatically create a new Server or Database.

The SQL Database scale is automatically configured. Typically, the default scale is sufficient for a BizTalk Service. Changing the scale impacts pricing. See Accounts and Billing in Azure SQL Database

  • When you create a new Azure SQL Server and Database, Azure Services is automatically enabled. The BizTalk Service requires Azure Services be enabled.
  • If you create a new Azure SQL Database on an existing Azure SQL Server, the firewall rules of the Server are not changed. As a result, it's possible other Azure Services are not allowed access to the Server's databases.
Azure Access Control namespace Authenticates with Azure BizTalk Services. When you deploy a BizTalk Service project from Visual Studio, you enter this Access Control namespace. When you create a BizTalk Service, the Access Control namespace is automatically created.
Azure Storage account Gives access to tables, blobs, and queues used by your BizTalk Service to save the following:
  • Log files that monitor the BizTalk Service. The monitoring output is also displayed in the Monitoring tab in the Azure portal.
  • When creating an X12 or AS2 agreement between partners, you can enable the Archiving feature to store message properties. This data is saved in the Storage account.

When you create a BizTalk Service, you can use an existing Storage account or automatically create a new Storage account.

The default Storage settings are sufficient for a BizTalk Service.

When you create a Storage account, a Primary Key and Secondary Key are automatically created. These Keys control access to your Storage account. The BizTalk Service automatically uses the Primary Key.

See Storage for more information.
SSL private certificate When an Azure BizTalk Service is created, an HTTPS URL that includes your BizTalk Service name is also created. This URL is automatically configured to use a self-signed development-only certificate. For production, you need a private SSL certificate.

Important SSL Certificate Information

  • The certificate expiration date must be less than 5 years.
  • All private certificates require a password. Know this password and as a best practice, share this password with your administrators.
  • Self-signed certificates are used in a test/development environment. When using self-signed certificates, import the certificate to your Personal certificate store and the Trusted Root Certification Authorities certificate store.

When sending the production certificate request to your certification authority, give the following certificate properties:

  • Enhanced Key Usage: At a minimum, Azure BizTalk Services requires Server Authentication.
  • Common Name: Enter the fully qualified domain name (FQDN) of your Azure BizTalk Service URL. See Create a BizTalk Service in this article.

A new or different certificate can be added after the BizTalk Service is created.

Hybrid Connections

When you create an Azure BizTalk Service, the Hybrid Connections tab is available:

Hybrid Connections Tab

Hybrid Connections are used to connect an Azure website or Azure mobile service to any on-premises resource that uses a static TCP port, such as SQL Server, MySQL, HTTP Web APIs, Mobile Services, and most custom Web Services. Hybrid Connections and the BizTalk Adapter Service are different. The BizTalk Adapter Service is used to connect Azure BizTalk Services to an on-premises Line of Business (LOB) system.

See Hybrid Connections to learn more, including creating and managing Hybrid Connections.

Next steps

Now that a BizTalk Service is created, familiarize yourself with the different BizTalk Services: Dashboard, Monitor and Scale tabs. Your BizTalk Service is ready for your applications. To start creating applications, go to Azure BizTalk Services.

See also