IQONEX

April 02, 2026

Azure OpenAI · GDPR · Architecture

Azure OpenAI or OpenAI directly? — What's different for German businesses

GPT models are available from OpenAI and through Microsoft Azure. For German businesses this isn't a matter of taste — it's a contract and compliance decision.

By Jan Bamesberger · Updated April 15, 2026

If you want to deploy GPT-4o or GPT-5 in a German company today, you have two obvious paths: directly through OpenAI or through Microsoft Azure OpenAI Service. Both paths give you the same models technically. Contractually, in data-protection terms and operationally they differ at several points that matter for DACH customers.

This article summarizes what we explain most often in consulting — and which path makes sense in which configuration.

Contract partners and data residency

OpenAI operates through two entities: OpenAI, Inc. in the US and OpenAI Ireland Ltd. in Ireland. If you sign a contract directly with OpenAI as a German business, it's usually with the Irish subsidiary — so an EU contract partner, but with processing that, depending on configuration, can happen outside the EU.

Microsoft Azure OpenAI runs in an Azure region you choose. For German businesses the relevant regions are Germany West Central (Frankfurt) and Sweden Central. Contract partners are Microsoft Ireland Operations Limited or — more relevantly — Microsoft Deutschland GmbH under the Online Services Terms.

The difference looks subtle but matters for professions bound by professional secrecy: Microsoft Deutschland carries §203 StGB-compatible confidentiality obligations, OpenAI Ireland does not by default.

DPA and subprocessor lists

Both providers ship Article 28 GDPR DPAs. Both publish subprocessor lists. In practice Microsoft's list is more conservative and better documented — audit rights are structured under the Microsoft Online Services Terms, OpenAI handles them through more generic clauses.

For Mittelstand companies without professional-secrecy obligations, OpenAI Ireland is typically sufficient. Once lawyers, doctors, tax advisors or critical-infrastructure operators are involved, we consistently recommend Azure OpenAI with the Microsoft DE DPA.

Identity and access

OpenAI's standard plans use API keys. That's fine for prototypes, but in regulated environments it's a problem: keys end up in code, get shared via Slack, and age uncontrollably.

Azure OpenAI integrates with Microsoft Entra ID (formerly Azure AD). You use Managed Identities, conditional access and just-in-time permissions — every call to the model is auditable per Entra ID account, not by an opaque API key.
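An added example, not IQONEX's or Microsoft's code: a check over an exported list of Azure OpenAI accounts that flags resources outside the two regions named above and resources where API-key authentication is still enabled. The account names and the sample export are constructed, and the input shape (`kind`, `location`, `properties.disableLocalAuth`) is assumed to match the JSON returned by `az cognitiveservices account list`.

```python
import json

# Regions the article names as relevant for German businesses.
ALLOWED_REGIONS = {"germanywestcentral", "swedencentral"}

# Constructed sample export; account names are hypothetical.
SAMPLE_EXPORT = json.loads("""
[
  {"name": "aoai-prod-legal", "kind": "OpenAI",
   "location": "germanywestcentral",
   "properties": {"disableLocalAuth": true}},
  {"name": "aoai-poc", "kind": "OpenAI",
   "location": "eastus",
   "properties": {"disableLocalAuth": false}},
  {"name": "speech-demo", "kind": "SpeechServices",
   "location": "westeurope", "properties": {}}
]
""")


def audit_account(account):
    """Return findings for one Azure OpenAI account; an empty list means compliant."""
    findings = []
    # Accept both "germanywestcentral" and the display form "Germany West Central".
    region = (account.get("location") or "").replace(" ", "").lower()
    if region not in ALLOWED_REGIONS:
        findings.append(f"region '{region}' is outside the allowed set")
    # disableLocalAuth=true switches off API keys, leaving Entra ID tokens only.
    # A missing or null value is treated as "keys still enabled".
    props = account.get("properties") or {}
    if props.get("disableLocalAuth") is not True:
        findings.append("API-key (local) authentication is still enabled")
    return findings


def audit_export(accounts):
    """Map account name -> findings, for accounts of kind OpenAI only."""
    return {a["name"]: audit_account(a)
            for a in accounts if a.get("kind") == "OpenAI"}


if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

With key authentication disabled on the resource, callers need an Entra ID identity holding a data-plane role on the account, which is what makes each call attributable.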

Logging and monitoring

Azure OpenAI ships service logs in Azure Monitor by default — call counts, latency, errors, content-filter events. Optionally you can log full requests and responses to a storage account in a region of your choice. That gives you a regulator-grade audit trail without extra effort.

OpenAI now offers comparable logging on enterprise plans, but it's a separate setup.

When does each make sense?

OpenAI direct, in our experience:

  • Prototypes and internal-only tooling without personal data
  • Use cases where the latest models matter and Azure availability lags
  • Smaller teams without an existing Microsoft tenant

Azure OpenAI:

  • Anything touching client, patient or employee data
  • Professional secrecy industries (law, medical, tax)
  • Critical infrastructure operators with BSI requirements
  • Companies already on Microsoft 365 — Entra ID and tenant integration come for free

Bottom line

For German businesses with regulatory exposure, Azure OpenAI in an EU region is the more defensible default. The contract advantages alone (Microsoft Deutschland, structured audit rights, Entra ID) usually outweigh the model-availability gap, which closes a few weeks after each new GPT release anyway.
