MSP Cloud Articles - Altaro DOJO | MSP
https://www.altaro.com/msp-dojo
Managed Service Provider guides, how-tos, tips, and expert advice
Tue, 29 Mar 2022 13:25:28 +0000

Microsoft 365 Lighthouse – Simple M365 Management for MSPs
https://www.altaro.com/msp-dojo/microsoft-365-lighthouse-msp/
Thu, 24 Sep 2020 16:56:07 +0000

Microsoft 365 Lighthouse offers a central console where you can manage all your Microsoft 365 clients in a single dashboard. But it doesn't stop there...


At Ignite 2020, Microsoft announced a new Lighthouse solution for Microsoft 365. Designed for Managed Service Providers (MSPs), it offers a central console where you can manage all your Microsoft 365 (M365) clients in a single dashboard. In this article we break down what was announced and why this is a big deal for MSPs.

There isn’t much to go on apart from a Microsoft blog post and a short breakout session from Ignite 2020, but the concept is very interesting, especially for MSPs managing clients with high numbers of M365 users and frequent onboarding.

We have also covered more on Microsoft Ignite 2020 – check out our analysis on Satya Nadella’s keynote.

What is Microsoft 365 Lighthouse?

It’s quite straightforward – it’s a single place to onboard new M365 clients, monitor their compliance state across different metrics, and standardize automation and auditing across all of your clients. It relies on the MSP having set up Delegated Access Permission (DAP) with Global Administrator permissions in their clients’ tenants and on devices being enrolled in Intune.

Device Compliance across five clients

What Does Microsoft 365 Lighthouse do?

In the preview, there are three main areas of focus, starting with device compliance. You can see what policies are applied to devices in each client, how many devices are compliant at each client and you can compare policies across clients.

Compliance policy list

The second solution on offer looks at threats across all of your clients and the protection status of Microsoft Defender Antivirus on all Windows 10 devices. This gives you a single console to see whether there are any active threats, which devices have it deployed and if there are pending actions (scans, required OS updates, reboots etc.) as well as if there were threats that were blocked or quarantined. Also, you can see Conditional Access policies across clients.

Threat management dashboard

Finally, you can handle user access management across all clients. Resetting passwords, blocking access, setting up delegated access to a mailbox or OneDrive for Business, and adding a user to a group are all done in a single pane of glass. This one feature could be worth it for many MSPs; today you either have to create custom PowerShell scripts to automate these tasks or log in to each client’s individual management portal to do this.

As Microsoft gets feedback from MSPs participating in the preview, expect more features to be added such as the ability to see M365 service health across different clients and support requests.

Is Microsoft 365 Lighthouse a Gamechanger for MSPs?

As an MSP I find the concept intriguing, but given the scant information, I’m cautious. Microsoft will need to add a lot of features to make this a worthy competitor to existing MSP management solutions on the market. But that may not be their aim, at least not initially; it might just be an additional tool to make it easier to manage multiple M365 tenants in a standardized way.

Further, I find the focus on Microsoft Defender worrying; many MSPs don’t use the otherwise excellent Endpoint Detection and Response tool due to its high cost. I’m really looking forward to seeing how this service evolves over the coming months.

If you’re an MSP and you’re interested in trying out M365 Lighthouse when they expand the preview you need to fill in the form.

More info on Microsoft 365 Lighthouse

Are you looking forward to Microsoft 365 Lighthouse? Let us know in the comments.

Is it Time you Ditched On-Premises Services Completely?
https://www.altaro.com/msp-dojo/goodbye-on-premises/
Mon, 27 Jul 2020 16:06:43 +0000

It's a question a lot of MSPs ask themselves. This article breaks down the most important reasons to consider if it's the right move for your MSP.


In a previous post, I covered the term CSP (Cloud Solution Provider), and what the differences are between a CSP and an MSP. Since then the question of continuing to offer on-premises services has come up a few times with readers and others in the community. Many seem to be wondering, especially given the current situation with COVID-19 and all. I’d like to address this question specifically in today’s blog post.

Before we begin, if this is something you’re serious about, watch our on-demand webinar to find out How to Transform your Aging MSP into a Lean CSP Machine.

Should You Make the Move to Cloud-Based Solutions?

If you’ve read many of my blog posts on this site and the other Altaro blogs, you’re likely prepared for one of my favorite answers. That is, “It depends”. On-premises requirements vary based on the organization you are providing services for. A small, 10-user realtor agency that only uses document-related apps has far different requirements than a 400-user manufacturer that has a multitude of applications ranging from machine controls to engineering software, such as CAD. However, where possible, cloud-based solutions should be strongly considered, if not preferred, in most situations.

It is your job as the CSP to determine what level of cloud is appropriate for your customer.

That said, the short answer to the question about ditching on-premises servers amounts to this. Most of your customers will likely require some sort of hybrid cloud deployment.

Hybrid Cloud and the CSP

The truth is that very few organizations can go 100% cloud. Don’t get me wrong. That percentage is increasing as time goes on, but right now there are still many use-cases that require an on-premises footprint. For example:

  • Highly GPU Intensive Workloads
  • Latency Sensitive Applications
  • Complex Monitoring Needs
  • Poor Connectivity
  • Disconnected (No External Connectivity) Scenarios
  • Recent Large Capital Investment in On-Prem Infrastructure
  • Low Customer Comfort with the Cloud

A good CSP will continue to leverage on-prem (only where it makes sense) and pair that with what works well in the cloud, such as:

  • Backup and DR
  • Email
  • File Storage
  • Web Apps
  • Office Applications
  • Collaboration Software
  • More!

Good CSPs provide exceptional value in knowing where on-prem and the public cloud intersect, and they can apply solutions for both with a high degree of skill to fill all the technology needs of a business.

Are there CSPs out there that ONLY do cloud? Sure. However, you’ll likely find that many of those CSPs operate in an industry vertical that organically lends itself well to running cloud-native. Other verticals aren’t so simple. Manufacturing for example often employs complex machine control and supply chain software that doesn’t lend itself well to running in the cloud (yet). This is not to mention engineering and parts-design software that doesn’t work well in cloud scenarios in most cases either.

Another good example is healthcare. There are many functions within a hospital that cannot be off-sited to the cloud, either due to regulatory reasons or because a given function is so critical to patient care (often life and death) that they can’t risk even the slightest connectivity outage.

Where and How you can Move to Cloud-Based Solutions

My call to action for all new and existing CSPs considering the core question of this article is this: Lead with cloud on all things, but don’t jam a square peg in a round hole. Remember, a good solution provider installs the solution that is right for the business.

Finally, if you’d like to learn more about CSPs and how to transition to the CSP model, watch our free webinar

Wrap-Up

What are your thoughts? Have you been trying to lead with cloud and struggling? Are your customers hesitant to invest in the cloud? Let us know in the comments below!

Thanks for reading!

What is a CSP?
https://www.altaro.com/msp-dojo/cloud-solution-provider/
Thu, 23 Jul 2020 16:25:22 +0000

A Cloud Solution Provider (CSP) is an evolved MSP that offers flexible, scalable cloud solutions such as Microsoft's Azure tech and the Microsoft 365 stack.


The technology industry is rife with acronyms, so many readers have likely become numb to new ones hitting the market. However, there has been one acronym that has been seeing much more use these last few years, especially in the service provider space, and the acronym I’m talking about is, of course, CSP. The term CSP has been associated with the industry’s group of service providers and those that are not in the know often wonder why it’s become so prevalent. In this article, we discuss what a CSP is and what services they deliver.

What is a CSP?

In official Microsoft terms, CSP stands for Cloud Solution Provider. This is NOT to be confused with Cloud Service Provider (more on that soon).

A Cloud Solution Provider is what I would term an evolved MSP that has matured into offering flexible, scalable cloud solutions such as Microsoft’s Azure technologies and the Microsoft 365 stack. Other cloud technologies may be offered as a value-add to supplement these offerings, but the core services provided reside in one of these two areas.

If you want to learn more about how to become a CSP or how to transition from an MSP to a CSP, watch our free webinar How to Transform your Aging MSP into a Lean CSP Machine.

Note: You may see the industry term Cloud Service Provider as well. Technically speaking, this term is used to describe those organizations that provide and develop cloud-based services, such as Amazon, Microsoft, Google, etc. However, it has also been used incorrectly to describe a cloud-based MSP.

What are the Benefits of Being a CSP?

The term CSP is often associated with a modern-day IT services organization, and many businesses looking to secure those types of services are on the lookout for organizations with the CSP terminology associated with them. Outside of that, many of Microsoft’s ongoing partner and channel efforts are being realigned with the CSP nomenclature, so if a partnership with Microsoft has been important to your MSP in the past, switching to the CSP program has never been more important.

Benefits of being in the CSP program include:

  • 15% – 20% margin (typically) on recurring MS cloud and office services (may vary based on region and other factors)
  • Access to Microsoft Partner resources (support, account management, marketing…etc)
  • Backend incentives and opportunities based on current Microsoft defined goals
  • Industry recognition
  • And more

A lot of providers will look at that margin and say… that’s awfully low and not worth my time. Yes, that is true, and it is a relatively low margin; however, Microsoft builds their services for partners in such a way that it’s easy to bundle in value-added services on top of it. This could be an additional third-party application you provide that complements the Microsoft service, or special knowledge and expertise you have in-house that forms part of a package that brings the total up to a more appealing margin.

Remember despite industry misconception, the cloud is not easy or simple. Many new CSPs fail to put an adequate value on the knowledge they have and work they put into managing solutions on behalf of their customer base. If you provide value in managing these solutions for your customers, make sure you’re getting paid for it. Again, the service is designed to be bundled with other partner services, so don’t simply rely on the 15% to 20%.

In short, partners can use the Microsoft CSP program to provide the power of the Microsoft Cloud to customers while also providing unique in-house skills and value-add on top of it.

How Do I Become a Microsoft Cloud Solution Provider

The process is actually fairly simple:

Can a Traditional MSP Become a CSP?

With the tools provided by the CSP program, your organization will be equipped to deal with the modern-day technology challenges facing the world today. On top of that, you’ll be able to easily bundle your special and unique services to bring true value to your customers. Becoming a CSP is relatively straightforward and Microsoft is keen to help where they can; however, converting from a traditional MSP and navigating both the practical and business concerns can be tricky.

As I’ve worked in both a traditional MSP and currently for a fast-growing CSP, I have recorded a webinar on the topic: How to Transform your Aging MSP into a Lean CSP Machine. The content is focused specifically on this issue but also covers the CSP model more generally and why now is the perfect time to take the leap.

What about you? Any concerns or questions in joining this program? Have you joined the program and had success? Difficulties? Watch the webinar or let me know your questions or experiences in the comments section below!

Introducing Altaro EndPoint Backup for Managed Service Providers
https://www.altaro.com/msp-dojo/altaro-endpoint-backup-msps/
Tue, 14 Jul 2020 15:47:46 +0000

Learn about Altaro's Endpoint Backup for Managed Service Providers, a solution designed to simplify backup for organization’s Windows desktops and laptops.


We are excited to announce the newest member of the Altaro Backup family, Altaro EndPoint Backup for MSPs!

Altaro designed this solution to simplify backup for an organization’s on-premise and roaming Windows desktops and laptops. With an increasing number of employees working remotely, there has never been a greater need to ensure that offsite resources are regularly backed up. Altaro designed this product for Managed Service Providers (MSPs) as a solution they can offer to their customers and centrally manage through the Altaro Cloud Management Console. Altaro EndPoint Backup is also free for MSPs for internal use (for up to 10 licenses).

As an MSP, you should view this as a new opportunity to offer a valuable service to your customers and protect their business, especially during this time while more of the workforce is connecting from home. Even though they may try to enforce group policies to only store data on their network or in the cloud, end users often store some files locally on their laptops and PCs. This means that this data can also be lost or damaged due to physical disasters, loss, theft, or cyberattacks. Now MSPs can help their customers with that through Altaro EndPoint Backup.

Trial & Licensing Altaro EndPoint Backup

The first step to evaluate Altaro EndPoint Backup is to visit the sign-up page for a free 30-day trial. This allows MSPs to test this out in their own environment and prepare to deploy this highly scalable service to their customers. There are no restrictions on the number of users or tenants, and the MSP must provide their own MS Azure cloud storage for the backup files.

Altaro EndPoint Protection is licensed per user as a monthly subscription, with a minimum of 10 EndPoints per month across all an MSP’s customers. Altaro’s outstanding 24/7 support is part of the package.

Altaro EndPoint Backup Free Edition

As an added incentive, Altaro EndPoint Backup offers a completely free edition for MSPs to use internally for their own organization for up to 10 endpoints a month (excluding the cost of cloud storage).

Configuration is also easy using Altaro’s GUI-based wizard.

Getting Started with the Altaro EndPoint Backup Cloud Management Console

Altaro provides backup solutions for Hyper-V and VMware virtual machines, physical Windows servers, Microsoft Office 365, and now Windows EndPoints. These easy-to-use backup solutions have become popular amongst MSPs as they can centrally manage all their customers’ different backups using the Altaro Cloud Management Console (CMC).

The first step with Altaro EndPoint Backup is in fact to sign up to the CMC. This provides a single pane of glass to perform all configuration, monitoring and management of the EndPoint backups.

Next, perform a one-time installation of the Altaro EndPoint Manager on one of your VMs or servers running Windows Server 2016 or 2019, then connect the services. The Altaro EndPoint Manager stores all configurations and backup policies set up in the CMC for customers’ roaming and on-premise. The subsequent screenshot shows an admin registering this backup utility.

Configuring the Altaro EndPoint Backup Locations

Managed service providers must configure and manage their own Azure Cloud Storage Account which provides the backup storage location for their customers. This can be done in any Azure site using the affordable Azure General Purpose v1 Storage Account, although higher tiers can also be used if a faster recovery speed is needed. The MSP may also add native Azure storage enhancements, such as encryption or geo-replication to ensure that multiple copies of the data are backed up and available in the event of an Azure site outage. The billable cost to customers for each service tier is defined by the MSP. Once the Azure Cloud Storage Account has been configured, it is registered to the Altaro EndPoint Backup service and can be used as a backup location.

Creating an Altaro EndPoint Backup Policy

Altaro EndPoint Backup lets MSPs create different backup policies which can align to different service offerings. Each plan allows you to define which user directories and file types to include (or exclude), the Azure Cloud Storage Account to use, the backup frequency (ranging from 1 to 42 hours), the backup schedule, backup retention, and network bandwidth throttling.

Installing the Altaro EndPoint Backup Agents

Every device which you are protecting with Altaro EndPoint Backup must have a lightweight agent installed. This can be done via a script remotely (recommended) or manually on any PC running Windows 7, 8.1, or 10 (x64 only).

Restoring a Backup from Altaro EndPoint Backup

Altaro EndPoint Backup also makes it easy for MSPs to quickly get their customers’ data restored. Through the Altaro Cloud Management Console, admins can restore the backup to the user’s machine (the original EndPoint) or to a secure location on the corporate network.

The recovery can be from a full backup or individual files can be granularly restored. The Altaro Cloud Management Console shows the status of backups and recoveries across all users. 

Start your Free Trial Now!

Altaro EndPoint Backup is a great addition to the growing suite of reliable backup solutions we have on offer. It was a highly requested service from our current customers who prefer to have one vendor covering all their backup needs and this release is an important step for us to achieve that goal.

We hope that you are ready to start offering Altaro EndPoint Backup to your customers. Start your free trial now!

Remember that this solution is also completely free for MSPs to use internally for up to 10 EndPoints per month, so check it out now!

Read the full press release about Altaro EndPoint Backup for MSPs

4 Powerful Microsoft 365 Features Every MSP Should be Using
https://www.altaro.com/msp-dojo/microsoft-365-features/
Thu, 21 May 2020 15:28:25 +0000

Learn about powerful Microsoft 365 features that will wow your customers, solidify your relationship, and ensure more business through continued success.


As MSPs, we’re always looking for the next best thing for our customers. It’s a tough market. Budgets are always in flux. Competitors are always chomping at the heels of our clients, and the industry moves so fast that many business owners will scoff at the next wave of updates and features that the industry says are a MUST have.

What is a budding MSP to do? A proven strategy is to focus on hard-hitting features that are game-changing for their day-to-day work. The Microsoft 365 suite contains many such features, many of them known well and others not so much.

In this blog post, we are going to talk about 5 Microsoft 365 features that will wow your customers. These features, when implemented properly, are a sure-fire way of solidifying your relationship with a customer and ensuring more business through their continued success!

Microsoft Teams

If we’re going to start with any hard-hitting application/feature in the Microsoft 365 suite, it’s got to be Microsoft Teams, right? There is perhaps no collaboration tool as expansive as Teams, and with recent world events such as COVID-19, Teams usage has seen a meteoric rise. According to Microsoft CEO Satya Nadella in a quarterly earnings report:

In April, we saw more than 200 million Microsoft Teams meeting participants in a single day, generating more than 4.1 billion meeting minutes. Also, Teams now has more than 75 million daily active users

Despite recent events, it is fairly clear why this is becoming the case. Teams is supplanting Outlook as the collaboration tool of choice for many organizations. It hadn’t really even dawned on me personally until I was having a conversation with a co-worker a few weeks back. She simply stated that “Teams has become home base” for her day-to-day work. I found that’s true for me as well! Historically, Outlook used to be the first app I would open when sipping the morning coffee. Today Outlook takes second place to Teams, and it’s easy to see why. If you’re not familiar with Teams, it offers a plethora of collaboration features:

  • Individual and Group Chat
  • Voice and Video Chat
  • Conferencing and Webinar capabilities
  • VoIP capabilities
  • Mobile Clients with Softphone Options
  • Integration with the rest of the M365 suite
  • Numerous 3rd party integrations (Some shown below)

Image 1 – Third-Party Application Addons for Microsoft Teams

I could go on, but in all seriousness, we could spend a whole series of articles on the benefits of Teams and how to roll it out to your customers, and maybe we will! If you’re interested in that, let us know in the comments below!

That said, in the context of this article, Teams is listed first because it plays a part in some of the following items, which leads us to our number 2 pick!

Microsoft Stream

Many of us don’t enjoy being stuck in meetings, but I’m sure there have been a few occasions where there was a meeting you wanted to be in but were unable to make, right? What if any scheduled meeting could automagically create a recording and have it sent to invited attendees afterwards? Teams meetings, paired with Microsoft Stream allow you to do just that and more!

The best way I can describe Microsoft Stream for those that aren’t aware of it is simply this: Think of Microsoft Stream as YouTube for your Business. That is, Stream is a video hosting platform that can be used in conjunction with other M365 features and apps. I already mentioned the Teams integration, but there are other features worth mentioning, such as:

  • Public and Private Channels
  • Video Sharing
  • Hashtags and Timecode Links
  • Watchlists
  • Featured Videos
  • Searchable Transcripts
  • Live Events (Shown Below)
  • Screen Capture and Editing (Coming Soon)

Image 2 – Setting up a Live Event in Microsoft Stream

All these features are easily glossed over when organizations are looking at the vast list of applications and features in M365. When employees and business owners truly discover the powerful features Stream provides, it becomes a game-changer. A few more example use cases here:

  1. Live or Recorded company updates from Leadership
  2. Mandated training materials distributed to workers
  3. Project and team briefings recorded for transparency and shelf-life
  4. Onboarding materials for new hires

The list goes on and on. With the integrations to the rest of the M365 platform, Stream will help take your customers operations to the next level!

Microsoft Planner

Task management is a bear, especially with distributed teams. You’ve got email, Teams, Outlook to-dos, sticky notes, napkins, and 100 other places to keep track of ongoing tasks. The true power of the M365 suite is in its integrations. Unlike your sticky notes or a notepad file, Microsoft Planner is plugged into and integrated with your core collaboration tools in a big way. This includes:

Need to rope in team members in a task or a series of tasks? Need to collaborate with notes and chat in a unified view regarding said task? Need alerts for when the task is updated? How about the ability to attach files, due dates, reminders, categories and more? If you answered yes to all of these, Planner can do it and more.

As mentioned earlier, Teams plays a large role in many of these features and Planner is no different. In any given Team within the Teams app, you can click the plus sign on the top left and link a Microsoft Planner “plan” as a tab directly within Teams. This puts the Team’s project plan right at their fingertips and enhances the overall collaboration experience.

Image 3 – Microsoft Planner Embedded in Teams as a Tab

One other thing I wanted to touch on before moving onto our next item. From an organizational level, when talking with your clients about Planner, I would recommend you have them plug this feature in at the department level. It really shines at that level. I’m often asked where these tools fit in regards to other task management tools and this is often the advice I provide:

For individuals and light taskers – Use Microsoft To-Do

For departmental teams and heavy taskers – Use Microsoft Planner

For Large Scale and Organization-Wide Project – Use a Project Management Tool such as Microsoft Project

My reasoning behind it is this. Planner provides features over and above your basic to-do list (which is what To-Do is). That said, it lacks many of the more advanced ITIL and PMP project management capabilities found in more advanced tools. Don’t get me wrong, however! Planner is still a super powerful and stunning addition to any Team looking to leverage Microsoft 365 to the fullest.

Multi-Factor Authentication with Conditional Access

The last item I’m going to talk about today is going to be the least visible of them all, and that’s ok! This particular item will wow your customers because of the fact that it DOESN’T make itself visible!

Those of us working in the technology space these last few years all know that multi-factor authentication is an absolute must. It provides an added layer of security in an age where ransomware and other cyber attacks are rampant. However, getting some customers to “deal with the security headache” (yes, they are out there) can prove somewhat troublesome. That said, Microsoft has made the experience in Microsoft 365 stupid easy.

Enabling the feature is quick, and end-users are provided with a prompt to enrol in MFA. Assuming you’ve properly communicated the steps to the end-users, they should have few problems with the process. Once done, they’ll get the typical MFA prompt as needed when logging in and will be given the option of remembering a device as a frequently used device for a length of time.

Some organizations wouldn’t even balk at this much work, and that’s where the beauty of conditional access comes in. Conditional access allows administrators and MSPs to define safe locations that don’t require the MFA prompt. This mainly refers to your corporate network, meaning that if someone is in the office (or connected via VPN), they will not be required to authenticate with MFA. This greatly reduces the amount of effort required by end-users but still keeps them protected when they need it most: when they’re off-site.

Image 4 – Conditional Access Policies in Azure AD

Now, conditional access does SO MUCH more than just this one thing. Make sure you review the full list on the Microsoft Docs article on conditional access.

One final thing you may be wondering about before we wrap-up is what kind of licensing do you need to get MFA with conditional access? See the image below for that information along with the source in the caption!

Image 5 –  Available versions of Azure Multi-Factor Authentication

Wrap-Up

This article should give you a good list of features you might want to talk about with your customers if you haven’t already. All of these features can take their collaboration and productivity efforts to the next level. So many organizations buy into Microsoft 365 and only enable mail and a few other features. Don’t let your customers waste the value! Help them squeeze every ounce of value out of what they’re paying for. In the end, you’ll continue to be their trusted IT partner and you’ll share in their success moving forward!

What about you? Have you tried these features? Do you have customers using them? Would you like to see more content about anything we talked about today? Let us know in the comments section below!

Thanks for reading!

Why ISVs Should Use Azure Lighthouse
https://www.altaro.com/msp-dojo/isv-azure-lighthouse/
Thu, 30 Jan 2020 15:46:00 +0000

Everything you need to know about the benefits of Azure Lighthouse for Independent Software Developers and their customers.

The post Why ISVs Should Use Azure Lighthouse appeared first on Altaro DOJO | MSP.


Some MSPs with in-house dev teams can consider themselves ISVs (Independent Software Vendors). This post talks about the benefits of Azure Lighthouse for ISVs.

Windows Azure lets ISVs not only publish their cloud software on the Azure Marketplace, but also earn revenue by offering services to help their customers operate it. Many companies using cloud services lack the in-house expertise to optimize the deployment, configuration, management, and reporting of their specific cloud services. Azure Lighthouse provides ISVs with an opportunity to upsell managed services on top of their software. As the developer of a piece of software, you are likely to be the world’s leading expert in making it run as efficiently as possible. ISVs have been able to offer managed services through Azure for some time, but one of their major challenges was how to efficiently support every customer who subscribed to their service. In the past, the ISV’s service administrator would have to log in and manage dozens, perhaps hundreds, or even thousands of individual accounts. The administrative overhead alone added significant cost which would often be passed down to the end-users. Azure Lighthouse has provided a solution to allow ISVs to centrally manage tasks for all of their tenants from a single interface, which will be detailed throughout this blog. For more information about Azure Lighthouse, check out the Altaro blog series about the Azure Lighthouse solutions, its foundational technologies using ADRM and AAD, Azure integration, and the go-to-market strategy.

Azure Lighthouse Benefits to Independent Software Developers (ISVs)

For a few years, I was an executive for a Microsoft Partner which created security software for Microsoft Azure, Windows Server and System Center. As most ISVs know, being able to publish your software and make it discoverable on the Azure Marketplace is an incredible benefit and it reduces your customer acquisition cost by expanding your audience size. We found that about a third of customers would also purchase our managed services, which included assessment, deployment and ongoing maintenance. Unfortunately, Azure Lighthouse was not available to us back then, so we were required to work with hundreds of customers individually. Our operating procedure was as inefficient as that of any consultant who has to securely manage hundreds of sets of credentials. The onboarding process took days or weeks as we went back and forth with customers over email to be given the correct permissions for each managed resource. Since many of these clients were smaller companies and new to Azure, it was often a frustrating experience for both parties. When you have just signed up a new customer, you want the first interactions with them to be positive so that you can establish trust.

One of the main benefits of Azure Lighthouse is streamlining the onboarding process. If you are an ISV, when you publish your managed services offering, you can specify which of your customers’ resource groups contain your software that you will need access to. You can also use role-based access control (RBAC) to select the minimum type of access your team will need to complete your operations. Microsoft Azure provides over 70 different types of roles, and transparently shows the customer what you will have access to. Since some of your customers may only want your help for the initial assessment or deployment, and others may only want support for operations or maintenance, this gives you and your customers granular control. This means that once a new customer buys your software, and selects the type of managed service(s) they need assistance with, Azure will automatically configure the correct permissions on the appropriate resource groups. Now, you can see your customers’ subscriptions by going to the My Customers page and clicking on Customers.

Through the centralized management provided by Azure Lighthouse, it is now easy for ISVs to scale their operational efficiency, standardize their services, automate operations, and increase security and compliance. This is because of the unified view of all managed resources which is now visible through the Azure Portal GUI, or by scripting with Azure PowerShell or Azure APIs. Azure Lighthouse creates a new management layer at the customer level, allowing ISVs to add, sort, and delegate access to all Azure resources which their tenants have permitted them to view, edit, create or delete. This lets you act as the managed service provider of your own software. You can now spend more time on enhancing these managed offerings, adding new core competencies and services, instead of performing repetitive tasks across multiple accounts. These new capabilities from Azure Lighthouse are offered through Microsoft Azure at no cost, although the cloud resources which are consumed are still billed to the ISV or their customer.

Azure Lighthouse offers ISVs new operational efficiencies through automation of repetitive tasks, such as patching their software. Through either the GUI or scripts, you can programmatically perform tasks against thousands of resources at once, provided that they are managed by Azure Resource Manager (ARM). This includes reporting, alerting, querying, servicing, security updates or even running custom scripts to deploy a new service. For example, you can run a global query to discover customers’ virtual machines (VMs) running your software which need to be updated and repair them at scale.

These security enhancements of delegated resource management provided by Azure Lighthouse help both the ISV and their tenants. Since you can use delegated access to manage your customers’ resources, you keep all of your custom scripts or templates under your own management and do not need to run them directly within your tenants’ environment. This means that your customers cannot view any of your proprietary scripts, allowing you to protect your own intellectual property (IP). This also provides stickiness to your services, helping you retain your customers. As an ISV you can now offer more services with less effort, letting you maximize your profits or pass on these cost savings to your customers.

Azure Lighthouse Benefits to the Customers of ISVs

Many Azure users are developers or from smaller organizations without a large IT staff, and a lot are new to Azure itself. Users want to spend their time operating their core business and services, so they often find the task of integrating third-party software to be daunting, distracting, and potentially a security risk if they misconfigure the software. Azure Lighthouse solves these issues by making it easy to find expert consulting services for specific software by the authors of the software itself. Using the Azure Marketplace, Azure customers can easily acquire cloud software like any “app store”, but also easily purchase deployment or management services from trusted providers.

These software customers become “tenants” of the ISV who now act as a service provider. The onboarding process is easy through Azure Lighthouse which uses the Azure Delegated Resource Manager (ADRM) technology to easily and transparently assign management rights to the ISV. While the customer can tweak any of the permissions, one of the benefits they will find is the streamlined onboarding process where they can just review the permissions needed to give the ISV access to operate their new software. An advanced customer can even configure which of the 70+ Azure user roles has access to each of their resources.

Through detailed logging and auditing, customers also have transparency into every action on each resource taken by their ISV. Each tenant is fully isolated from their peers to ensure that actions performed by the ISV on another tenant will not interfere with their systems if the change is unauthorized. The customer still maintains full control of their budget and billing. They can provide their own licenses, get billed directly for services from the ISV, or purchase a service directly through the Azure Marketplace, provided that consumption can be metered through ARM. The customer can see the connected service(s) by navigating to the Service Providers Page, selecting Service Providers Offers and seeing the subscription(s) with the correct offer name.

Ultimately Azure Lighthouse provides a better management experience for ISVs and their customers. Developers can upsell their software by also including deployment and support services. It easily plugs into existing programs and solutions, so now ISVs can spend more time with their customers and less time managing credentials. If you are an ISV who is going to publish their managed services through Azure Lighthouse, make sure that you check out the blog post on the go-to-market strategy so you can learn the best practices to stand out from the crowd.

How to Onboard Customers in Azure Lighthouse https://www.altaro.com/msp-dojo/onboard-azure-lighthouse/ https://www.altaro.com/msp-dojo/onboard-azure-lighthouse/#comments Thu, 09 Jan 2020 21:35:24 +0000 https://www.altaro.com/msp-dojo/?p=1613 Step by step guide to onboarding your customers' Azure resources in Azure Lighthouse for Managed Service Providers (MSPs) and software developers (ISVs)

The post How to Onboard Customers in Azure Lighthouse appeared first on Altaro DOJO | MSP.


This blog post will show you how to onboard your customers’ Azure resources in Azure Lighthouse.

Azure Lighthouse is a new collection of technologies that allows Managed Service Providers (MSPs) and software developers (ISVs) to centrally manage their tenants and monetize hosted services. These providers are able to use the Azure Marketplace as a web portal to post public offerings that are available worldwide, similar to an app store. MSPs can list IT services they can offer to deploy, manage, optimize, secure or make compliant their customers’ cloud infrastructures, and ISVs will include their Azure software with additional services. The providers can use Azure Delegated Resource Manager (ADRM) and Azure Active Directory (AAD) to centrally manage all of their tenants from a single interface. For more information, check out the Altaro blog series about the Azure Lighthouse solutions, its foundational technologies using ADRM and AAD, Azure integration, and the go-to-market strategy.

There are three ways that a tenant can subscribe to a service from the MSP, and the choice changes the way that the customer grants the MSP access to their environment.

The most common way is for a provider to publish a service to the Azure Marketplace, and this can be configured to be public or private. A public service is accessible to everyone, and there is no way to restrict the subscribers by location, size or any other factor. Customers who purchase a public service automatically grant access to the MSP during the onboarding process, as described in how to publish a managed service on the Azure Marketplace.

  • To make a service accessible only to certain predefined users (“private”), a specific list of tenant subscription IDs must be defined when the offering is created in the Azure Marketplace. Once the private customer has purchased an Azure Lighthouse service, the service provider must onboard their tenant, which requires delegating resources through Azure Active Directory (AAD).
  • Alternatively, the entire Azure Marketplace process can be skipped and an MSP can onboard a tenant using the following steps, which are described in this blog:
    • Collect Details for the Tenant and their Subscription
    • Either
      • Create Azure AD User Groups and Define Permissions
      • Create Service Principals and Define Permissions
    • Create an Azure Resource Manager (ARM) Template
    • Deploy an Azure Resource Manager (ARM) Template
    • Confirm Successful Onboarding for Both Parties

For either scenario, make sure that you’ve associated the tenant’s subscription ID with your Microsoft Partner Network (MPN) ID so that you get credited for consumption. While this guide is written from the perspective of an MSP, these same best practices are also applicable to ISVs who are offering managed services to deploy their software.

Step 1) Collect Details for the Tenant and their Subscription

When you are onboarding a customer, you have to know some of their unique identifier information so that you add the correct user and their subscription information. Make sure that you have the following information:

  • Your Tenant ID (as an MSP or ISV). This can be found by hovering over your account name in the upper-right corner of the Azure Portal.
  • The Tenant ID of the customer. This can be found by asking the tenant to hover over their account name in the upper-right corner of the Azure Portal.
  • The Subscription ID of the customer for the subscription of every resource that you will be managing. If you are managing multiple resources that are in different subscriptions then you will need each of these subscription IDs. This can be found by searching for the subscription(s) in Azure Active Directory. This will also cause a new resource provider (Microsoft Managed Services) to be registered for the selected subscription(s).

Next, you need to set up the security framework using either Azure AD user groups, service principals or individual Azure user accounts (not recommended). Whenever you manage tenants’ accounts, especially if you have multiple tenants, you should never assign access to any individual user. This is because your staff may change over time, so as you need to add or remove certain administrators you can do this at the group level, instead of on each individual resource group. Not only does this provide centralized and simplified management at scale, but it also makes you look better to your tenants as they are not seeing your company’s turnover.

Steps for the user groups and service principals are described below. First, you must connect to the Azure subscription which is done using the following PowerShell cmdlet:

PS C:\> Select-AzSubscription <SubscriptionID>

Step 2) Create Azure AD User Groups and Define Permissions

Configuration for AAD user groups is fairly easy. It requires creating a new group for each role or task, then adding the appropriate administrators. You will then assign the type of administrative role that that group has from the 70+ Azure user roles. You should also use a friendly name to help you and your tenants understand what that resource group is used for.

Next, you will get the object ID and role definitions for each Azure AD group which can be determined through the following PowerShell queries:

PS C:\> (Get-AzADGroup -DisplayName '<GroupName>').id
PS C:\> (Get-AzRoleDefinition -Name '<roleName>').id

Instead of using AD User Groups for user account access you can create an Azure service principal for application access.

Or: Step 2b) Create Service Principals and Define Permissions

An Azure service principal is an alternative type of identity which is used for tools, services, and applications to provide role-based access control (RBAC), rather than user accounts. It only supports a subset of the Azure roles to restrict a single application from having too much control. Also, you should pick the role which provides the minimum access that your staff needs. You want to ensure that you do not request more than is necessary, as potential clients could view this negatively and may perceive you as not being trustworthy.

You will also need to know the object ID and role definitions for each Azure service principal, which can be determined through the following PowerShell queries:

PS C:\> (Get-AzADServicePrincipal -DisplayName '<DisplayName>').Id   # object ID of the service principal itself, not of the app registration
PS C:\> (Get-AzRoleDefinition -Name '<RoleName>').id

Whenever you manage tenants’ accounts, especially if you have multiple tenants, Microsoft recommends:

“using Azure AD user groups for each role, allowing you to add or remove individual users to the group rather than assigning permissions directly to that user. You may also want to assign roles to a service principal. Be sure to follow the principle of least privilege so that users only have the permissions needed to complete their job, helping to reduce the chance of inadvertent errors.”

For more info, see Recommended security practices.

Step 3) Create an Azure Resource Manager (ARM) Template

An ARM template lets administrators deploy an Azure-managed resource or resource group the exact same way every time. The template provides the framework to ensure consistency, which is critical so that you can automate and scale the management of this resource across multiple tenants. Your ARM template should include the following fields:

  • MSPName: This is your service provider name
  • MSPOfferDescription: This is a short description of your offer
  • ManagedByTenantID: This is the ID of your tenant
  • Authorizations: This describes the access needed, which can include:
    • RoleDefinitionID: This is the level of access needed for the resource template
    • PrincipalID: This the ID for either your Azure group or Azure service principal
    • PrincipalDisplayName: This is the display name which your tenants see for your Azure group or Azure service principal

Since ARM templates can be tricky to create for inexperienced service providers, Microsoft provides code samples for different scenarios. These include both the template file along with a parameter file which are found here: https://github.com/Azure/Azure-Lighthouse-samples/. Here are the links to onboard:

  • Subscription (through the Azure Marketplace)
    • Template: MarketplaceDelegatedResourceManagement.json
    • Parameter file: MarketplaceDelegatedResourceManagement.parameters.json
  • Subscription (without the Azure Marketplace)
    • Template: DelegatedResourceManagement.json
    • Parameter file: DelegatedResourceManagement.parameters.json
  • Resource Group
    • Template: RGDelegatedResourceManagement.json
    • Parameter file: RGDelegatedResourceManagement.parameters.json
  • Multiple Resource Groups in a Subscription
    • Template: MultipleRgDelegatedResourceManagement.json
    • Parameter file: MultipleRgDelegatedResourceManagement.parameters.json

Step 4) Deploy an Azure Resource Manager (ARM) Template

The hardest step is usually the deployment of the ARM template within the customer’s environment because either the MSP needs to do it on the tenant’s behalf, or the tenant must grant the MSP the correct permissions. And since a Guest account cannot be used, it makes it tougher for a novice customer. Every subscription needs a separate deployment, however, if you have multiple resource groups within a single subscription you can do this in a single deployment.

Once the correct permissions are configured, the following PowerShell cmdlets can be used for a remote deployment:

PS C:\> New-AzDeployment -Name <DeploymentName> `
            -TemplateUri <TemplateURI> `
            -TemplateParameterUri <ParameterURI> `
            -Location <AzureRegion> `
            -Verbose

Step 5) Confirm Successful Onboarding for Both Parties

Now that the ARM template has been deployed, it is important to test that it can be effectively managed by the MSP within the tenant’s environment. Both the MSP and the tenant should be able to see the connected subscription and ARM resources. After the template has been initially deployed, it could take a few minutes for this to appear while the portal refreshes.

The tenant can see the connected service(s) by navigating to the Service Providers Page, selecting Service Providers Offers and seeing the subscription(s) with the correct offer name.

As the MSP, you can see this by going to the My Customers page, clicking on Customers, and verifying that you can see the tenant’s subscription(s).

Using these steps, you will have successfully onboarded a tenant by knowing the security identifiers, creating the appropriate security groups, creating an ARM template, deploying the template and verifying that both parties can see it. Remember that when doing this at scale, consistency is critical so that the same ongoing management processes and scripts can be replicated on identical templates. Keep in mind that with Azure Lighthouse, one of your greatest assets is the operational efficiency that you can achieve through consistent global management. So if you make a change to your template after deploying it for several tenants, be sure to update their versions so that every template in production is identical to avoid any challenges with version control. With the steps you have learned, you will be able to streamline deployment and management for all of your Azure Lighthouse tenants. If you experience any issues with these steps, let me know in the comments below and I’ll get back to you!
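A check that can be run on the Step 3 parameter file before the Step 4 deployment, as an added example that is not from this article or from Microsoft's samples. It assumes the parameter names used in Microsoft's sample parameter files (mspOfferName, mspOfferDescription, managedByTenantId, and authorizations carrying principalId, principalIdDisplayName, roleDefinitionId and delegatedRoleDefinitionIds), which correspond to the fields listed in Step 3; the function Test-LighthouseParameters, the sample IDs and the rules it enforces are this example's own.

```powershell
# Added example: offline review of a Lighthouse parameter file before deployment.
# Built-in Azure role definition IDs (identical in every tenant).
$BuiltInRoles = @{
    'acdd72a7-3385-48ef-bd42-f606fba81ae7' = 'Reader'
    'b24988ac-6180-42a0-ab88-20f7382dd24c' = 'Contributor'
    '8e3af657-a8ff-443c-a75b-2fe8c4bcb635' = 'Owner'
    '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' = 'User Access Administrator'
}

function Test-Guid {
    param([string]$Value)
    $parsed = [guid]::Empty
    return [guid]::TryParse($Value, [ref]$parsed)
}

# Hypothetical helper: returns one finding string per problem, nothing if clean.
function Test-LighthouseParameters {
    param([Parameter(Mandatory)][string]$Json)

    $p = ($Json | ConvertFrom-Json).parameters
    $findings = [System.Collections.Generic.List[string]]::new()

    foreach ($name in 'mspOfferName', 'mspOfferDescription') {
        if ([string]::IsNullOrWhiteSpace($p.$name.value)) {
            $findings.Add("$name is empty")
        }
    }
    if (-not (Test-Guid $p.managedByTenantId.value)) {
        $findings.Add('managedByTenantId is not a GUID (unfilled placeholder?)')
    }

    $seen = @{}
    $index = 0
    foreach ($auth in $p.authorizations.value) {
        $label = 'authorizations[{0}]' -f $index
        $index++
        $roleId = [string]$auth.roleDefinitionId

        # Placeholders left over from a sample file fail the GUID test.
        if (-not (Test-Guid $auth.principalId)) {
            $findings.Add("$label principalId is not a GUID")
        }
        if (-not (Test-Guid $roleId)) {
            $findings.Add("$label roleDefinitionId is not a GUID")
        }
        # The display name is what the tenant sees when reviewing the delegation.
        if ([string]::IsNullOrWhiteSpace($auth.principalIdDisplayName)) {
            $findings.Add("$label has no principalIdDisplayName for the tenant to review")
        }

        # Least-privilege rules chosen for this example.
        $roleName = $BuiltInRoles[$roleId]
        if ($roleName -eq 'Owner') {
            $findings.Add("$label requests Owner, which is never the minimum access")
        }
        if ($roleName -eq 'User Access Administrator' -and
            -not $auth.delegatedRoleDefinitionIds) {
            $findings.Add("$label requests User Access Administrator without listing the roles it may assign")
        }

        $key = '{0}|{1}' -f $auth.principalId, $roleId
        if ($seen.ContainsKey($key)) {
            $findings.Add("$label duplicates an earlier principal/role pair")
        }
        $seen[$key] = $true
    }
    return $findings
}

# Constructed sample parameter file; every tenant and principal ID is a placeholder.
$sampleParameters = @'
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspOfferName": { "value": "Example MSP Managed Services" },
    "mspOfferDescription": { "value": "Patching and monitoring" },
    "managedByTenantId": { "value": "11111111-1111-1111-1111-111111111111" },
    "authorizations": { "value": [
      { "principalId": "22222222-2222-2222-2222-222222222222",
        "principalIdDisplayName": "Tier 1 Support (group)",
        "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7" },
      { "principalId": "33333333-3333-3333-3333-333333333333",
        "principalIdDisplayName": "Platform Admins (group)",
        "roleDefinitionId": "8e3af657-a8ff-443c-a75b-2fe8c4bcb635" },
      { "principalId": "<PrincipalID>",
        "principalIdDisplayName": "",
        "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c" },
      { "principalId": "44444444-4444-4444-4444-444444444444",
        "principalIdDisplayName": "Automation (service principal)",
        "roleDefinitionId": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" }
    ] }
  }
}
'@

$findings = Test-LighthouseParameters -Json $sampleParameters
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No findings.'
}
```

Whether a principalId belongs to a group rather than an individual user cannot be read from the file; confirm it with the Get-AzADGroup query from Step 2.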

How to Publish Managed Services Through Azure Lighthouse https://www.altaro.com/msp-dojo/publish-services-azure-lighthouse/ https://www.altaro.com/msp-dojo/publish-services-azure-lighthouse/#respond Thu, 07 Nov 2019 16:13:38 +0000 https://www.altaro.com/msp-dojo/?p=1563 How to publish a managed service in the Azure Marketplace, so you can use Azure Delegated Resource Management (ADRM) to access customer cloud resources

The post How to Publish Managed Services Through Azure Lighthouse appeared first on Altaro DOJO | MSP.


Azure Lighthouse provides Managed Service Providers (MSPs) and software developers (ISVs) with a centralized management portal to view all of their customers’ resources. Additionally, it makes it easy for the MSPs and ISVs to find new customers by publishing their offerings on the Azure Marketplace. The Azure Marketplace is a web portal that functions like an app store for Azure applications. Additionally, it lets MSPs publish IT services that they can offer, and ISVs can publish deployment or management services for their software. These managed services let the publishers maximize their revenue by monetizing their specialized skills to help Azure users deploy, manage, optimize and even secure their cloud infrastructure. Check out the Altaro blog series about the Azure Lighthouse solutions, its foundational technologies using ADRM and AAD, Azure integration and the go-to-market strategy. This blog post will walk you through the process to publish a managed service in the Azure Marketplace, allowing you to then use Azure Delegated Resource Management (ADRM) to access that customer’s cloud resources. While it refers to publication from the perspective of an MSP, these same best practices are also applicable to ISVs.

Prerequisites to Publishing a Managed Service

First, you must have access to publish to the Azure Marketplace, which means that you need to have a Microsoft Partner Account. To set this up, follow these instructions from Microsoft: https://docs.microsoft.com/en-us/azure/marketplace/partner-center-portal/create-account. You will need to have a Microsoft Partner Network (MPN) ID which means that you have passed the requirements to be a certified partner. By linking your MPN account to your Azure Lighthouse offering, you will automatically be credited for the consumption of any customers who subscribe to your service(s). This is helpful for MSPs who are trying to move to a high certification tier which requires proof of higher consumption.

You must also offer a standardized service to all possible customers, which is known as a public offering. In its current release, it is not possible to make a service offering only available to certain classes of customers based on their geography or other factors. Providing customized services must be done through a private offering that uses an Azure Resource Manager (ARM) template, which is a topic we’ll be covering in detail in a future blog post.

It is also important to spend some time evaluating the marketplace to see what offers are already out there. There may not be much value in being the hundredth organization to offer basic Azure VM management. Take time to think about your team’s unique skill set and any IP which you have developed. Which scripts have you created which scale up and secure workloads faster? How can you add greater resiliency or faster recovery to a service? Do you have expertise within a regulated industry and can ensure that your tenants will be compliant? Can you offer better Tier 1 support or SLAs? Make sure that you are going to offer something to stand out from the crowd so that customers will select you over your competitors.

Also, consider asking your company’s search engine optimization (SEO) expert to help you build and define compelling keywords to increase your discoverability.  This is known as App Store Optimization (ASO). You can use publicly available tools like Google Keyword Planner or Bing Keyword Research to filter through organic search traffic. While these tools are designed for Google and Bing’s respective search engines, rather than the Azure Marketplace, they can provide good guidelines for how customers may be searching for your types of services. And since any offer listed on the Azure Marketplace will get propagated to Google and Bing, this will also maximize your chance of getting more hits. Also, request that any of your customers who have subscribed to your offer give you a review. This will increase your visibility on the Azure Marketplace as positive recommendations increase your ranking.

Step 1) Create the Managed Service Offer & Settings

Once you have determined the public service to offer through the Azure Marketplace you will go into the Cloud Partner Portal and select New Offer > Managed Services. You will then provide the following information:

  • Name: This is the friendly name that customers will see when they access the offer details. Make sure to include your company name and a clear description. This is limited to 50 characters.
  • Offer ID: This is a unique identifier for your offer which appears in the billing reports and product URLs. Since product URLs are indexed by search engines and increase discoverability, it is helpful to include your company name and keywords here. This string is also restricted to 50 characters, but only lowercase letters, numbers, underscores and dashes. Once this is created, it cannot be changed.
  • Publisher ID: You will select your publisher ID. This option is only provided since some partners have multiple publishing accounts.

After saving this information you will create a new plan.

Step 2) Create a Plan

A plan is a variation of your offering, similar to an SKU. Consider using standard terms for the different tiers, like Bronze/Silver/Gold or Basic/Premium/Enterprise. Customers will be able to browse and select the best plan for their requirements and budget. For each plan you will select New Plan and complete the following information:

  • Plan ID: This is a unique identifier for your offer which has the same uses and restrictions as the Offer ID from Step 1. It also cannot be changed.
  • Public / Private: By default, all plans are public and accessible to everyone in the marketplace. If you want to restrict your plan to specific users, you can select a private plan, however, this cannot be changed. If you wish to limit the plan to certain users, you can then provide a list of unique customer IDs who are whitelisted to subscribe to this plan. You can enter these manually (currently limited to 10 subscriptions) or upload a CSV file (up to 20,000 subscriptions). It is also a good idea to include the subscription ID of your own test accounts so that you can validate the offering is published and working as expected.
  • Title: This is the friendly name that customers will see when they browse to the details of the plan. Make sure to include your company name, a clear description, and any search optimized keywords. This is limited to 50 characters.
  • Summary: This lets you add a short description of the plan. Make sure to include your company name, a clear description, and any important keywords. This is limited to 100 characters.
  • Description: Here you can add a long description which lets you go into details of exactly what you are offering and how you can differentiate yourself. Here you should include the following information:
    • Specific services which are included
    • Onboarding steps
    • Costs and billing process
    • Technical support and SLA
    • Company profile and experience
  • Billing Model: This option is a little confusing, as for managed services you must always select Bring your own license. This is because Microsoft will not bill you for any expenses directly, rather, you will bill your customers directly for any associated costs.

After you Save you’ll move on to the manifest details section.

Step 3) Configure the Manifest Details

The manifest defines exactly which of your tenants’ resources you will have access to, and what permissions will be assigned. One of the fundamental technologies powering Azure Lighthouse is ADRM which allows granular role-based access control (RBAC) that is requested by the MSP and approved by the customer. Any Azure resource which is managed by Azure Resource Manager (ARM) can be granted access to any of the 70+ different Azure user roles. Keep in mind that with a public plan, all users will be required to assign identical access to the MSP. It is best to minimize what you are requesting so as to avoid unnecessarily exposing any of your potential customer’s infrastructure, or scaring them off since they do not yet know or trust you.

For the manifest, you will provide the following information:

  • Version: Provide a version number in the format x.y.z, such as 2.1.1.
  • Tenant ID: Enter the GUID which is linked to your organization’s Azure Active Directory account. You can find this identifier for your directory from the upper right-hand corner of the Azure Portal.
  • A list of Authorizations: These define each of the resources which your staff can access for every customer who subscribes to the plan. These include:
    • Azure AD Object Display Name: This assigns a friendly name for each Azure resource which will be placed under management by the MSP. Make this clear and descriptive so that your customers understand the usage.
    • Azure Object ID: This provides the Azure AD GUID of the MSP’s admin, an MSP-managed Azure AD group, or the application which will be granted access to the customer’s resource group. If you are providing access to users, a best practice is to assign this to a group, rather than individual admin(s). This simplifies management as it lets you add and remove admins from that group as your staff changes, instead of having to make updates to every tenant’s workload each time someone joins or leaves your organization.
    • Role Definition: You will select which of the 70+ Azure AD built-in roles to assign to this Azure AD Object. This designates the permissions of that role to the specific object.
      • Assignable Roles: This option will only appear if you select the User Access Administrator role definition. In this case, you will define a list of different possible roles that the user can select and designate for their MSP.  This is helpful if you do not require one specific type of access to a resource group, want to build trust, and empower your users to specify the level of access themselves.

Click Save, then you can add more details about your offering in the Marketplace section.

Step 4) Provide Marketplace Details

Next, you will enter the details which get published in the Azure Marketplace. These are publicly displayed and picked up by search engines. Use your SEO/ASO best practices here with descriptive keywords to maximize your discoverability. Some of these fields repeat details that you have previously entered, so you may wish to go back to earlier menus in a new browser tab so you can copy the previously entered text.

You will need to provide the following information:

  • Title: This is the friendly name that customers will see in the Azure Marketplace. Make sure to include your company name, a clear description, and any search optimized keywords. This is limited to 50 characters.
  • Marketing Identifier: This lets you add some customized text into URLs, which should include your company name and the name of your service. Including this text in the website link also helps with SEO/ASO. The URL will then follow the format https://azuremarketplace.microsoft.com/marketplace/apps/company.servicename.
  • Summary: This lets you add a short description of the plan. Make sure to include your company name, a clear description, and any search optimized keywords. This is limited to 100 characters.
  • Long Summary: This section allows you to enter a longer description using search optimized keywords. This has a maximum length of 256 characters.
  • Description: Here you can add a long description which lets you go into details of exactly what you are offering and how you can differentiate yourself. This field also supports simple HTML and up to 3000 characters. You ought to include the string “managed service” or “managed services” so that it gets picked up by internal and external search engines. Here you should include the following information:
    • Specific services which are included
    • Onboarding steps
    • Costs and billing process
    • Technical support and SLA
    • Company profile and experience
  • Useful Links: You can add a list of hyperlinks to your company’s website, product page, contact forms or anything else.
  • Categories: Select which categories you would like your managed services to be listed under. You can select a maximum of 5 categories, and it is best to select as many as are applicable so that potential customers who are browsing by category will discover your service.
  • Marketing Artifacts: Here you can upload your logos (required), screenshots (optional) or add links to product videos (optional). A logo is required in four sizes: 255×115 pixels (wide), 115×115 (large), 90×90 (medium) and 40×40 (small). Microsoft recommends keeping the logo simple with basic colors and with no text so that it looks consistent with the rest of their enterprise business offerings. You can also add a “hero logo” (815×290) which is a large background image that helps your service get visibility in the Azure Marketplace. Text for your company name, title and summary will automatically be added in white. Once published, you cannot remove the hero logo, but you can replace it.
  • Lead Management & Lead Destination: This section allows you to specify a CRM system where any customer leads will be automatically imported and stored.
  • Legal: Add the URLs for your Privacy Policy and for your Terms of Use.
  • Preview Subscription ID: You should always test that your Azure Marketplace offering looks right before you publish it. This is possible through adding a list of up to 100 subscription IDs for accounts that can preview the offer before it goes live. Microsoft’s product and support teams will also be able to view the marketplace preview.

Save your changes then move to the support section.

Step 5) Add Support Information

This section allows you to list contact information for your customer support and engineering teams. This includes a name, email address, and phone number. You will also be required to add URLs for support information. Make sure you keep this information current so that prospective customers can contact you. Microsoft may also use this contact information. Click Save so that you can then review the information before it goes live.

Step 6) Publish your Managed Service Offering

You are almost ready to make your service offering go live. Take time to preview the offer from an account you defined using the Preview Subscription ID from Step 4. Once you click the Publish button, the offering will go through an automatic review and shortly afterward will appear in the Azure Marketplace.

Congratulations, you have now published your managed service in the Azure Marketplace. From here you can expect new customers to discover your services and help you bring in new revenue. Make sure that you check out the next post from Altaro about onboarding Azure Lighthouse customers to understand the additional steps to access your tenants’ workloads.

An MSP Go-to-Market Strategy for Azure Lighthouse https://www.altaro.com/msp-dojo/market-strategy-azure-lighthouse/ https://www.altaro.com/msp-dojo/market-strategy-azure-lighthouse/#respond Fri, 25 Oct 2019 15:59:22 +0000 https://www.altaro.com/msp-dojo/?p=1561 How to define your go-to-market (GTM) strategy for your services using Azure Marketplace, Azure Resource Manager (ARM) or Managed Apps and make more money!

The post An MSP Go-to-Market Strategy for Azure Lighthouse appeared first on Altaro DOJO | MSP.


If you are a Managed Service Provider (MSP), I hope you are excited about what Azure Lighthouse can do for your business. And if not, you should be. Not only can you reach more customers, but your operations can be simplified through the centralized view that Azure Delegated Resource Management (ADRM) gives you across all of your tenants. Microsoft does not even charge a fee to MSPs for using Azure Lighthouse and selling their Managed Services, so the revenue is yours to keep! This is the fourth blog in the series which will help you define your go-to-market (GTM) strategy for your services using Azure Marketplace, Azure Resource Manager (ARM) templates or Managed Apps. First make sure that you check out the earlier posts about the Azure Lighthouse solution, its foundational technologies using ADRM and AAD, and Azure integration. That last blog post describes all the different Azure Services which integrate with Azure Lighthouse to help you to maximize your customer base and revenue.

Managed Services in the Azure Marketplace

For anyone that builds or buys cloud software that runs on Azure, the Azure Marketplace is an incredible resource. It aggregates every product that third parties can offer to Azure users, like an app store for the Microsoft cloud. Now MSPs can offer their services to clients through the Azure Marketplace, opening up their business to millions of new customers around the world. Managed Services are a new type of offering which rely on Azure Lighthouse, ADRM and Azure Active Directory (AAD), and allow customers to easily purchase and onboard an MSP. While Consulting Services are not new to the Azure Marketplace, they have a broad scope and usually a fixed price. Managed Services are different in that they are an ongoing engagement and use ADRM.

A Managed Service can be either public or private. Public ones are published in the Azure Marketplace and available to all users. At the time of this writing, there is no way to limit the consumer by their geography or Azure region, although this will likely be added in the future. The way to restrict who can access a plan is by configuring it to be private. MSPs can then provide a preapproved list (a “whitelist”) of subscription IDs that can access this service. Public plans are recommended for service providers trying to expand their business and find new customers without paying any additional customer acquisition costs. However, new customers may be hesitant to grant an unknown service provider broad access to their infrastructure. It can be best to keep the public offering fairly simple but have extended private offerings that you can upsell to these new tenants as you build trust with them. Also, consider offering them important services they may not have realized they could request, such as the Azure Health Service.

Another option is to have a hybrid offering, which allows you to include both private and public plans within the same offer. This gives you the broadest solution, allowing you to discover new customers, and upsell them on additional services as you develop a relationship. You should also be aware that once you publish a public plan you cannot change it to a private plan; you would need to remove it entirely if you want to republish it with any restrictions. Part of the publishing process requires you to provide a title, description, and other searchable terms. We’ll provide some best practices for app store optimization (ASO) in a future post, so be sure to keep an eye out for that!

Once a customer has purchased a Managed Service through the Azure Marketplace, they go through an onboarding process. This allows them to identify which subscriptions and resource groups can be managed by the MSP to perform their service. A manifest defined by the service provider will detail which Azure AD services, users and groups will need access to the customer’s groups, which the tenant can accept, change or decline. Once these permissions are assigned, the onboarding is complete and Azure Delegated Resource Management (ADRM) will grant the MSP access to the approved tenant resources.

Azure Lighthouse with ARM Templates

If you are setting up services for a tenant without going through the Azure Marketplace then you will use Azure Resource Manager (ARM) templates. An ARM template is a JSON file that defines the exact configuration of an Azure group, including all of its resources, settings, dependencies, and permissions. This is essentially a blueprint that is used to streamline deployment and guarantee consistency instead of repeating a series of manual configuration steps. The ARM template can be configured via the GUI-based Azure Portal, Visual Studio, Visual Studio Code or IntelliJ IDEA.

ARM templates are used with Azure Lighthouse as they allow an MSP to deploy a service for a tenant. This can be a fresh deployment for a new tenant or adding additional services to an existing tenant, such as after an upsell opportunity from the Azure Marketplace. Since the template will be created by the MSP, they can guarantee consistency across all of the tenants. This not only simplifies deployment, but also ongoing management and operations. For example, when the service provider needs to make a configuration change, they can do that programmatically across all their tenants. These ARM templates should be considered as valuable intellectual property for the service provider, as they take considerable time to craft and perfect. One advantage of using Azure Lighthouse and ADRM is that these templates remain in the service providers’ infrastructure, so by not exposing them directly to their tenants, they can retain and protect their IP.

Azure Lighthouse with Managed Applications (Apps) and ISVs

These Managed Services offered through Azure Lighthouse are not restricted to just service providers; ISVs can also publish them alongside their software, known as Azure Managed Applications (Apps). Azure Marketplace lets a developer not only sell their software but also upsell the deployment and management services for it. When a customer purchases the software, they will deploy it into a resource group with ADRM access provided to that publisher. The ISV can then perform ongoing maintenance, troubleshooting and operational tasks for their customers. Azure Lighthouse has made this easier for ISVs or any MSP with expertise in managing a specific app. Again, we’ll be talking about this topic in a bit more detail in an upcoming blog post.

Azure Lighthouse with APIs, Scripts & GitHub

Microsoft invested significant effort in making the management experience for Azure Lighthouse consistent between the GUI in the Azure Portal and its APIs. While service providers who are new to Azure may start with the Azure Portal, it is important to learn Azure PowerShell or Azure CLI to be able to provide automated management for their tenants at scale. When using Azure Lighthouse, scripting your operational tasks becomes important so that you can save each step into an ARM template to ensure that it is run the same every time. Fortunately, Microsoft has provided numerous code samples for ARM templates and a GitHub repository for Azure Lighthouse to get you started.

Final Go-To-Market Strategies

To summarize, you should publish your Managed Services with low-touch offerings through the Azure Marketplace to find new customers. As you build trust, offer tenants value-added services that you can deploy for them through private offerings or through your portfolio of ARM templates. Consider targeting specific (regulated) industries or verticals so that you can build up expertise in these areas and differentiate yourself. As a service provider, you are likely also part of the Microsoft Partner Network (MPN). When you first sign up or during your annual renewal you will have to provide some customer references. With Azure Lighthouse you can simplify this step by associating your MPN ID with the tenant subscriptions you manage. The revenue you create through managing these customers is credited to your organization. If you publish an offer through the Azure Marketplace this happens automatically. If you are onboarding a customer independently using an ARM template, you can still manually associate their ID so you are given credit. Remember that Microsoft does not take a cut of the revenue generated from these Managed Services, which will encourage broader Azure Lighthouse adoption.

Thoughts, comments, or concerns? Let us know in the comments section below!

Thanks for reading!

11 Rad Ways Azure Lighthouse Integrates with Azure Services https://www.altaro.com/msp-dojo/azure-lighthouse-azure-services/ https://www.altaro.com/msp-dojo/azure-lighthouse-azure-services/#respond Thu, 10 Oct 2019 16:36:47 +0000 https://www.altaro.com/msp-dojo/?p=1548 Azure Lighthouse changes how MSPs operate their businesses through its centralized multi-tenant management. Add Azure Services integration for another level

The post 11 Rad Ways Azure Lighthouse Integrates with Azure Services appeared first on Altaro DOJO | MSP.


Azure Lighthouse is changing the way that Managed Service Providers (MSPs) operate their business through its model of centralized multi-tenant management. Now MSPs can run multiple businesses more securely without having to switch accounts, directories or subscriptions. What this means is that all operations can be applied across multiple tenants at scale. MSPs can significantly reduce their operational costs and complexity while reaching more customers and maximizing their revenue. Check out the first blog post from Altaro which covers an overview of the Azure Lighthouse solution and the second post which explains the underlying Azure Lighthouse technology. This third post will cover key integrations with Azure services in the control plane and give you some ideas to help you scale your service provider business.

Azure Lighthouse with Existing Azure Services

Since Azure Lighthouse is a new solution offering, not every Azure service is supported yet. The key requirement for integration is that the Azure component must support Azure Delegated Resource Management (ADRM), allowing tenants to assign role-based access control (RBAC) to their service provider. The following services are fully supported and should be considered by MSPs to include in their service offerings. The order below is a good way to think through your Azure Lighthouse offerings, starting with the most basic services and ending with more advanced options.

1. Azure Policy with Azure Lighthouse

For the MSP and tenant partnerships to be successful, one of the fundamental philosophies is to ensure that there is trust between both groups. Azure Policy ensures that all managed resources stay compliant with corporate standards.  With Azure Lighthouse, this can be an effective tool for both parties.  If a tenant has strict security standards, Azure Policy can ensure that their service provider adheres to them and this can be particularly important if the tenant is within a regulated industry.  However, many tenants are inexperienced with configuring Azure, which is why they have delegated their operations to an MSP.  As a service provider, you may already have high operational standards or part of your offering may be to guarantee compliance within a regulated industry, so you can apply your Azure Policy best practices to your tenants’ infrastructure.  This is also a great use case of how Azure Lighthouse allows MSPs to maintain their technical intellectual property (IP) while extending their services to new tenants.

2. Azure Resource Graph with Azure Lighthouse

Azure Resource Graph is an extension of Azure (Delegated) Resource Manager (ARM/ADRM) which allows service providers to run queries at scale to test for compliance. It provides an Azure PowerShell and Azure CLI interface for MSPs to test against their tenants’ environments across multiple subscriptions. It can verify that Azure Policy rules are enforced correctly and flag any misconfigurations. The results can be sorted with advanced filtering based on resource properties, including by tenant (customer). You can even track changes and configuration drifts across your tenants.

3. Azure Service Health with Azure Lighthouse

Set up Azure Service Health for your managed accounts to get a global view of the health of your tenants’ services and resources. Service Health also lets you view the Azure infrastructure operated by Microsoft which your tenants are using. You can set up different types of alerting for outages, which can be a useful value-added service for an MSP which is offering Tier 1 support. Many tenants will want to defer critical support to their MSP. Even if you have a tenant that has not subscribed to your Tier 1 support, if an outage happens and you can use Azure Service Health to show them that you could have more quickly identified the problem for them, they will be more likely to subscribe to your premium services.

4. Azure Monitor with Azure Lighthouse

Now that you have set up access and security policies for your tenants, configure Azure Monitor to begin collecting data about their environment. Even if you do not know how to leverage this information yet, turning it on immediately is a good best practice so you have the data when you need it. You can now view alerts across numerous subscriptions and view activity logs for managed resources. You can also run a single query across all of your tenants to see if an issue or security threat which impacted one customer has a broader impact. If you are an MSP focusing on a specific regulated industry, then having this visibility across multiple customers can give you valuable insight, operational efficiencies, and competitive advantage.

5. Azure Virtual Network with Azure Lighthouse

Once your tenants’ infrastructure is secure and protected, you may wish to optimize their virtual infrastructure. Networking is usually one of the more challenging IT management operations, and Azure imposes additional restrictions that may take a specialist to understand. This is another value-added service that MSPs can offer: Azure network administration. Azure Lighthouse allows delegated access to virtual networks and virtual NICs, letting MSPs optimize the traffic, make it resilient to failures, apply security policies, and monitor the bandwidth utilization.

6. Azure Virtual Machines with Azure Lighthouse

Probably the most popular delegated management service will be for Azure Virtual Machines. Tenants can permit MSPs to have full access to their virtual machines (VMs), with the exception of managing their product licenses via Key Vault. This means that the service provider can deploy VMs, configure storage, networking, memory, run post-deployment configuration tasks, scripts, diagnostics, and almost every other aspect of operations. The MSP can also log into that VM to configure any guest workloads. Since a majority of Azure workloads run inside Azure VMs, the delegated management services offered through Azure Lighthouse will support almost every tenant virtual machine scenario.

7. Azure Kubernetes Service (AKS) with Azure Lighthouse

There are a growing number of organizations using containers instead of VMs to run their virtualized services. Azure Kubernetes Service (AKS) allows organizations to use Azure to manage a Kubernetes cluster, handling all administrative tasks from deployment to monitoring to maintenance. Containerization offers numerous resource optimization and consolidation benefits as compared to traditional VMs, yet containers are generally considered more complicated to manage. This presents a great opportunity for MSPs to manage Kubernetes as a service for their tenants using Azure Lighthouse.

8. Azure Security Center with Azure Lighthouse

Perhaps one of the best use cases for MSPs to support their tenants is through the Azure Security Center. This Azure service centrally manages and protects Azure resources, bringing together proactive and reactive best practices from Microsoft’s security experts. Organizations that need to outsource their IT management usually do not have security experts on their staff, so they are likely to want to offload security management to their MSP. The cloud adds additional security challenges since it is changing so rapidly and has a broad attack surface on public infrastructure. Leveraging Azure Security Center is highly recommended for any organization, especially those in regulated industries or protecting sensitive data. With Azure Lighthouse, MSPs can monitor all of their tenants from a single interface and apply changes at scale. All of the security data is centrally collected to show industry-wide trends, which MSPs can build into their IP. Some advanced features available to MSPs include the ability to provide just-in-time (JIT) access to VMs, dynamic (adaptive) network hardening, registry change monitoring, and whitelisting only permitted applications or processes.

9. Azure Backup with Azure Lighthouse

Azure Lighthouse gives MSPs the ability to manage backups for the tenants’ infrastructures using Azure Backup.  Although Azure Backup is fairly easy to use, backups are so important to the business that it often makes risk-averse Azure users want to hand off this responsibility to experts.  Service providers can centrally manage backup and restore for their tenants’ Azure VMs and storage.  Since Azure Backup offers different options around the frequency (RPO), recovery time (RTO), storage retention, and storage redundancy, an MSP can offer a simplified plan like “Gold”, “Silver” and “Bronze”.  If you manage tenants who are in a regulated industry, then storage compliance can be especially important as you will often need to retain all data and destroy specific records after a certain period.

10. Azure Site Recovery with Azure Lighthouse

One of the most popular Azure features is Azure Site Recovery (ASR). This lets the organization replicate their on-premises Hyper-V or VMware virtual machines to Microsoft Azure, using the public cloud as a disaster recovery site. For MSPs, offering disaster recovery as a service (DRaaS) is a great way to discover new customers who have not yet embraced the public cloud for their daily operations and drive Azure adoption.  Since ASR requires some settings to be configured in the tenant’s existing datacenter, and those customers are likely using the legacy Windows Server Active Directory, ADRM may not provide an end-to-end delegated solution. The MSP will likely need to be given remote access (or can provide instructions) so that the on-premises configuration can happen to set up the Hyper-V replica on a host or cluster. Once that is set up, then replication using ASR can run and be managed by the service provider using a replicated virtual hard disk and VM running in Azure.

11. Azure Automation with Azure Lighthouse

Azure Automation may be one of the most valuable services which MSPs can provide through Azure Lighthouse. This was included last in this list as it is best for service providers to set up their service offerings before they start automating them at scale. Azure Automation includes process/workflow automation, configuration management, update management and scheduling for both Windows and Linux. This is where the service provider’s intellectual property (IP) really becomes valuable from custom scripts and processes they’ve created. This could include streamlining deployment, enforcing compliance, dynamically adjusting to infrastructure changes or simplified reporting. Azure Automation will allow MSPs to differentiate their offerings and create new value for their customers. While Azure Automation supports both public and private management, on-premises management through Azure Lighthouse may still be limited because it requires ADRM and Azure AD.

Wrap-Up

Azure Lighthouse already supports many Azure services, and these will continue to increase in time and with industry adoption.  If there are additional services that you would like to see, post about them in the comments section of this blog and request them through the Microsoft Partner Network (MPN) portal. From this blog series, you should now understand the value of the Azure Lighthouse solution, its foundational technologies using ADRM and AAD, and in the next post, we will review the Azure Marketplace go-to-market strategies.

What are your thoughts so far? Do you see yourself using this within your organization? Do you see it helping you do more Azure business? Let us know in the comments section below!
