MSP Cloud Articles - Altaro DOJO | MSP
https://www.altaro.com/msp-dojo/category/cloud-and-msp/
Managed Service Provider guides, how-tos, tips, and expert advice
Wed, 21 Feb 2024 22:23:35 +0000

Microsoft 365 Lighthouse – Simple M365 Management for MSPs
https://www.altaro.com/msp-dojo/microsoft-365-lighthouse-msp/
Thu, 24 Sep 2020 16:56:07 +0000

Microsoft 365 Lighthouse offers a central console where you can manage all your Microsoft 365 clients in a single dashboard. But it doesn't stop there...

At Ignite 2020, Microsoft announced a new Lighthouse solution for Microsoft 365. Designed for Managed Service Providers (MSPs), this offers a central console where you can manage all your Microsoft 365 (M365) clients in a single dashboard. In this article we break down what was announced and why this is a big deal for MSPs.

There isn’t much to go on apart from a Microsoft blog post and a short breakout session from Ignite 2020, but the concept is very interesting, especially for MSPs managing clients with high numbers of M365 users and frequent onboarding.

We have also covered more on Microsoft Ignite 2020 – check out our analysis on Satya Nadella’s keynote.

What is Microsoft 365 Lighthouse?

It’s quite straightforward: it’s a single place to onboard new M365 clients, monitor their compliance state across different metrics, and standardize automation and auditing across all of your clients. It relies on the MSP having set up Delegated Access Permission (DAP) with Global Administrator permissions in their clients’ tenants, and on devices being enrolled in Intune.

Device Compliance across five clients

What Does Microsoft 365 Lighthouse do?

In the preview, there are three main areas of focus, starting with device compliance. You can see what policies are applied to devices in each client, how many devices are compliant at each client and you can compare policies across clients.

Compliance policy list

The second solution on offer looks at threats across all of your clients and the protection status of Microsoft Defender Antivirus on all Windows 10 devices. This gives you a single console to see whether there are any active threats, which devices have it deployed and if there are pending actions (scans, required OS updates, reboots etc.) as well as if there were threats that were blocked or quarantined. Also, you can see Conditional Access policies across clients.

Threat management dashboard

Finally, you can handle user access management across all clients. Resetting passwords, blocking access, setting up delegated access to a mailbox or OneDrive for Business, and adding a user to a group are all done in a single pane of glass. This one feature could be worth it for many MSPs: today you either have to create custom PowerShell scripts to automate these tasks or log in to each client’s individual management portal to do this.

As Microsoft gets feedback from MSPs participating in the preview, expect more features to be added such as the ability to see M365 service health across different clients and support requests.

Is Microsoft 365 Lighthouse a Gamechanger for MSPs?

As an MSP I find the concept intriguing, but given the scant information, I’m cautious. Microsoft will need to add a lot of features to make this a worthy competitor to existing MSP management solutions on the market. But that may not be their aim, at least not initially; it might just be an additional tool to make it easier to manage multiple M365 tenants in a standardized way.

Further, I find the focus on Microsoft Defender worrying; many MSPs don’t use the otherwise excellent Endpoint Detection and Response tool due to its high cost. I’m really looking forward to seeing how this service evolves over the coming months.

If you’re an MSP and you’re interested in trying out M365 Lighthouse when they expand the preview you need to fill in the form.

More info on Microsoft 365 Lighthouse

Are you looking forward to Microsoft 365 Lighthouse? Let us know in the comments.

Is it Time you Ditched On-Premises Services Completely?
https://www.altaro.com/msp-dojo/goodbye-on-premises/
Mon, 27 Jul 2020 16:06:43 +0000

It's a question a lot of MSPs ask themselves. This article breaks down the most important reasons to consider if it's the right move for your MSP.

In a previous post, I covered the term CSP (Cloud Solution Provider) and the differences between a CSP and an MSP. Since then, the question of continuing to offer on-premises services has come up a few times with readers and others in the community. Many seem to be wondering. I’d like to address this question specifically in today’s blog post.

Should You Make the Move to Cloud-Based Solutions?

If you’ve read many of my blog posts on this site and the other Hornetsecurity blogs, you’re likely prepared for one of my favorite answers. That is, “It depends.” On-premises requirements vary based on the organization for which you are providing services. The suitability of cloud solutions is not a one-size-fits-all proposition; it significantly depends on the unique operational needs and technological infrastructure of each organization.

Consider, for instance, a small realtor agency with a modest team of 10 users primarily utilizing document-oriented applications. Their technological footprint and demands are substantially different from a large-scale manufacturing entity, which might have 400 users interacting with a diverse suite of applications, including machine controls and intricate engineering software like CAD. These distinct operational scales and complexities inherently dictate the degree and manner of cloud integration that would be beneficial.

Cloud-based solutions, with their promise of scalability, flexibility, and cost-efficiency, should be earnestly considered and often preferred in many scenarios. As Cloud Solution Providers (CSPs), it is incumbent upon you to judiciously evaluate and recommend the appropriate level of cloud integration tailored to each client’s specific needs.

However, transitioning entirely away from on-premises servers is not always the optimal or feasible route. The current trend leans towards a hybrid cloud model, blending the security and control of on-premises infrastructure with the agility and innovation of cloud computing. This hybrid approach allows organizations to leverage the best of both worlds, accommodating a wide array of workloads and applications.

In conclusion, while the momentum is undeniably shifting towards cloud-based solutions, a thorough analysis of each organization’s requirements, coupled with a strategic approach to integrating cloud services, is paramount. CSPs must navigate this transition with a balanced perspective, aiming to harness the cloud’s potential while ensuring alignment with the business’s operational realities and long-term objectives.

Hybrid Cloud and the CSP

The truth is that very few organizations can go 100% cloud. Don’t get me wrong. That percentage is increasing as time goes on. But right now, many use cases still require an on-premises footprint. For example:

  • Highly GPU Intensive Workloads
  • Latency Sensitive Applications
  • Complex Monitoring Needs
  • Poor Connectivity
  • Disconnected (No External Connectivity) Scenarios
  • Recent Large Capital Investment in On-Prem Infrastructure
  • Low Customer Comfort with the Cloud

A good CSP will continue to leverage on-prem (only where it makes sense) and pair that with what works well in the cloud, such as:

  • Backup and DR
  • Email
  • File Storage
  • Web Apps
  • Office Applications
  • Collaboration Software
  • More!

Good CSPs provide exceptional value in knowing where on-prem and the public cloud intersect, and they can apply solutions for both with a high degree of skill to fill all the technology needs of a business.

Are there CSPs out there that ONLY do cloud? Sure. However, you’ll likely find that many of those CSPs operate in an industry vertical that organically lends itself well to running cloud-native. Other verticals aren’t so simple. Manufacturing, for example, often employs complex machine control and supply chain software that doesn’t lend itself well to running in the cloud (yet). This is not to mention engineering and parts-design software that doesn’t work well in cloud scenarios in most cases either.

Another good example is healthcare. Many functions within a hospital cannot be moved off-site to the cloud for regulatory reasons, or a given function is so critical to patient care (often life and death) that they can’t risk even the slightest connectivity outage.

Where and How You Can Move to Cloud-Based Solutions

In addressing the critical issue of shifting towards cloud-based services, my directive to both budding and seasoned Cloud Solution Providers (CSPs) is clear and straightforward: Prioritize cloud solutions in all your strategic planning and implementation. 

However, it is crucial to tailor these solutions to fit the specific needs and context of each business. Avoid forcing a universal solution onto diverse problems — akin to the futility of forcing a square peg into a round hole. Remember, the hallmark of a proficient solution provider is the ability to discern and deploy the most appropriate technology that aligns with the unique requirements and goals of a business.

As CSPs, your objective should be to guide businesses through the cloud transition smoothly and efficiently, ensuring that every technological adoption enhances operational excellence, cost-effectiveness, and competitive edge. This means conducting a thorough analysis of the business’s existing infrastructure, understanding its future goals, and accordingly, recommending cloud solutions that offer scalability, flexibility, and security.

It is also imperative to educate business leaders about the benefits and implications of cloud adoption, addressing any misconceptions or reservations they might have. By fostering a collaborative environment, you can work together to identify areas where cloud solutions can bring immediate value and areas where a gradual transition is more appropriate.

Ultimately, your role as a CSP is not just to implement technology but to be a strategic partner in your client’s journey towards digital transformation. By leading with cloud solutions yet respecting the unique shape of each business’s needs, you can carve a path to modernization that is both effective and sustainable. Embrace the cloud, but do so with the wisdom and adaptability that ensures every solution is a perfect fit for the business it serves.

Wrap-Up

What are your thoughts? Have you been trying to lead with cloud and struggling? Are your customers hesitant to invest in the cloud?

Thanks for reading!

What is a CSP?
https://www.altaro.com/msp-dojo/cloud-solution-provider/
Thu, 23 Jul 2020 16:25:22 +0000

A Cloud Solution Provider (CSP) is an evolved MSP that offers flexible, scalable cloud solutions such as Microsoft's Azure tech and the Microsoft 365 stack.

The technology industry is rife with acronyms, so many readers have likely become numb to new ones hitting the market. However, one acronym has been seeing much more use these last few years, especially in the service provider space, and the acronym I’m talking about is, of course, CSP. The term CSP has been associated with the industry’s group of service providers, and those who are not in the know often wonder why it’s become so prevalent. In this article, we discuss what a CSP is and what services they deliver.

What is a CSP?

In official Microsoft terms, CSP stands for Cloud Solution Provider. This is NOT to be confused with Cloud Service Provider (more on that soon).

A Cloud Solution Provider is what I would term an evolved MSP that has matured into offering flexible, scalable cloud solutions such as Microsoft’s Azure technologies and the Microsoft 365 stack. Other cloud technologies may be offered as a value-add to supplement these offerings, but the core services provided reside in one of these two areas.

If you want to learn more about how to become a CSP or how to transition from an MSP to a CSP, watch our free webinar How to Transform your Aging MSP into a Lean CSP Machine.

Note: You may see the industry term Cloud Service Provider as well. Technically speaking, this term describes organizations that provide and develop cloud-based services, such as Amazon, Microsoft, and Google. However, it has also been used incorrectly to describe a cloud-based MSP.

What are the Benefits of Being a CSP?

The term CSP is often associated with a modern-day IT services organization, and many businesses looking to secure those types of services are on the lookout for organizations with the CSP terminology associated with them. Outside of that, many of Microsoft’s ongoing partner and channel efforts are being realigned with the CSP nomenclature, so if a partnership with Microsoft has been important to your MSP in the past, switching to the CSP program has never been more important.

Benefits of being in the CSP program include:

  • 15% – 20% margin (typically) on recurring MS cloud and office services (may vary based on region and other factors)
  • Access to Microsoft Partner resources (support, account management, marketing…etc)
  • Backend incentives and opportunities based on current Microsoft defined goals
  • Industry recognition
  • And more

A lot of providers will look at that margin and say that’s awfully low and not worth their time. Yes, it is a relatively low margin; however, Microsoft builds their services for partners in such a way that it’s easy to bundle in value-added services on top of it. This could be an additional third-party application you provide that complements the Microsoft service, or special knowledge and expertise you have in-house that forms part of a package that brings the total up to a more appealing margin.

Remember, despite industry misconception, the cloud is not easy or simple. Many new CSPs fail to put an adequate value on the knowledge they have and the work they put into managing solutions on behalf of their customer base. If you provide value in managing these solutions for your customers, make sure you’re getting paid for it. Again, the service is designed to be bundled with other partner services, so don’t simply rely on the 15% to 20%.

In short, partners can use the Microsoft CSP program to provide the power of the Microsoft Cloud to customers while also providing unique in-house skills and value-add on top of it.

How Do I Become a Microsoft Cloud Solution Provider?

The process is actually fairly simple:

Can a Traditional MSP Become a CSP?

With the tools provided by the CSP program, your organization will be equipped to deal with the modern-day technology challenges facing the world today. On top of that, you’ll be able to easily bundle your special and unique services to bring true value to your customers. Becoming a CSP is relatively straightforward, and Microsoft is keen to help where they can. However, converting from a traditional MSP and navigating both the practical and business concerns can be tricky.

As I’ve worked in both a traditional MSP and currently for a fast-growing CSP, I have recorded a webinar on the topic: How to Transform your Aging MSP into a Lean CSP Machine. The content is focused specifically on this issue but also covers the CSP model more generally and why now is the perfect time to take the leap.

What about you? Any concerns or questions in joining this program? Have you joined the program and had success? Difficulties? Watch the webinar or let me know your questions or experiences in the comments section below!

Introducing Altaro EndPoint Backup for Managed Service Providers
https://www.altaro.com/msp-dojo/altaro-endpoint-backup-msps/
Tue, 14 Jul 2020 15:47:46 +0000

Learn about Altaro's Endpoint Backup for Managed Service Providers, a solution designed to simplify backup for an organization’s Windows desktops and laptops.

We are excited to announce the newest member of the Altaro Backup family, Altaro EndPoint Backup for MSPs!

Altaro designed this solution to simplify backup for an organization’s on-premise and roaming Windows desktops and laptops. With an increasing number of employees working remotely, there has never been a greater need to ensure that offsite resources are regularly backed up. Altaro designed this product for Managed Service Providers (MSPs) as a solution they can offer to their customers and centrally manage through the Altaro Cloud Management Console. Altaro EndPoint Backup is also free for MSPs for internal use (for up to 10 licenses).

As an MSP, you should view this as a new opportunity to offer a valuable service to your customers and protect their business, especially during this time while more of the workforce is connecting from home. Even though organizations may try to enforce group policies to only store data on their network or in the cloud, end users often store some files locally on their laptops and PCs. This means that this data can also be lost or damaged due to physical disasters, loss, theft, or cyberattacks. Now MSPs can help their customers with that through Altaro EndPoint Backup.

Trial & Licensing Altaro EndPoint Backup

The first step to evaluate Altaro EndPoint Backup is to visit the sign-up page for a free 30-day trial. This allows MSPs to test this out in their own environment and prepare to deploy this highly scalable service to their customers. There are no restrictions on the number of users or tenants, and the MSP must provide their own MS Azure cloud storage for the backup files.

Altaro EndPoint Protection is licensed per user as a monthly subscription, with a minimum of 10 EndPoints per month across all an MSP’s customers. Altaro’s outstanding 24/7 support is part of the package.

Altaro EndPoint Backup Free Edition

As an added incentive, Altaro EndPoint Backup offers a completely free edition for MSPs to use internally for their own organization for up to 10 endpoints a month (excluding the cost of cloud storage).

Configuration is also easy using Altaro’s GUI-based wizard.

Altaro Endpoint Backup Manager

Getting Started with the Altaro EndPoint Backup Cloud Management Console

Altaro provides backup solutions for Hyper-V and VMware virtual machines, physical Windows servers, Microsoft Office 365, and now Windows EndPoints. These easy-to-use backup solutions have become popular amongst MSPs as they can centrally manage all their customers’ different backups using the Altaro Cloud Management Console (CMC).

The first step with Altaro EndPoint Backup is in fact to sign up to the CMC. This provides a single pane of glass to perform all configuration, monitoring and management of the EndPoint backups.

Next, perform a one-time installation of the Altaro EndPoint Manager on one of your VMs or servers running Windows Server 2016 or 2019, then connect the services. The Altaro EndPoint Manager stores all configurations and backup policies set up in the CMC for customers’ roaming and on-premise endpoints. The subsequent screenshot shows an admin registering this backup utility.

Configuring the Altaro EndPoint Backup Locations

Managed service providers must configure and manage their own Azure Cloud Storage Account which provides the backup storage location for their customers. This can be done in any Azure site using the affordable Azure General Purpose v1 Storage Account, although higher tiers can also be used if a faster recovery speed is needed. The MSP may also add native Azure storage enhancements, such as encryption or geo-replication to ensure that multiple copies of the data are backed up and available in the event of an Azure site outage. The billable cost to customers for each service tier is defined by the MSP. Once the Azure Cloud Storage Account has been configured, it is registered to the Altaro EndPoint Backup service and can be used as a backup location.

EndPoint - backup locations

Creating an Altaro EndPoint Backup Policy

Altaro EndPoint Backup lets MSPs create different backup policies which can align to different service offerings. Each plan allows you to define which user directories and file types to include (or exclude), the Azure Cloud Storage Account to use, the backup frequency (ranging from 1 to 42 hours), the backup schedule, backup retention, and network bandwidth throttling.

Altaro endpoint backup - backup policy

Installing the Altaro EndPoint Backup Agents

Every device which you are protecting with Altaro EndPoint Backup must have a lightweight agent installed. This can be done via a script remotely (recommended) or manually on any PC running Windows 7, 8.1, or 10 (x64 only).

Altaro EndPoint Backup - endpoints

Restoring a Backup from Altaro EndPoint Backup

Altaro EndPoint Backup also makes it easy for MSPs to quickly get their customers’ data restored. Through the Altaro Cloud Management Console, admins can restore the backup to the user’s machine (the original EndPoint) or to a secure location on the corporate network.

endpoint restore

The recovery can be from a full backup or individual files can be granularly restored. The Altaro Cloud Management Console shows the status of backups and recoveries across all users. 

endpoint granular recovery

Start your Free Trial Now!

Altaro EndPoint Backup is a great addition to the growing suite of reliable backup solutions we have on offer. It was a highly requested service from our current customers who prefer to have one vendor covering all their backup needs and this release is an important step for us to achieve that goal.

We hope that you are ready to start offering Altaro EndPoint Backup to your customers. Start your free trial now!

Remember that this solution is also completely free for MSPs to use internally for up to 10 EndPoints per month, so check it out now!

Read the full press release about Altaro EndPoint Backup for MSPs

4 Powerful Microsoft 365 Features Every MSP Should be Using
https://www.altaro.com/msp-dojo/microsoft-365-features/
Thu, 21 May 2020 15:28:25 +0000

Learn about powerful Microsoft 365 features that will wow your customers, solidify your relationship, and ensure more business through continued success.

As MSPs, we’re always looking for the next best thing for our customers. It’s a tough market. Budgets are always in flux. Competitors are always chomping at the heels of our clients, and the industry moves so fast that many business owners will scoff at the next wave of updates and features that the industry says are a MUST-have.

But what is a budding MSP to do? A proven strategy is to focus on hard-hitting features that are game-changing for their day-to-day work. The Microsoft 365 suite contains many such features, many known well and others not so much.

In this blog post, we are going to talk about 4 Microsoft 365 features that will wow your customers. When implemented properly, these features are a surefire way of solidifying your relationship with a customer and ensuring more business through their continued success!

Microsoft Teams

If we’re going to start with any hard-hitting application/feature in the Microsoft 365 suite, it’s got to be Microsoft Teams, right? There is perhaps no collaboration tool as expansive as Teams. And since the COVID-19 pandemic, Teams usage has surpassed 280 million users, according to Microsoft CEO Satya Nadella from a quarterly earnings report:

“Teams surpassed 280 million monthly active users this quarter, showing durable momentum since the pandemic. And we continue to take share across every category, from collaboration, to chat, to meetings, to calling.” 

Moreover, Mr. Nadella mentioned that “There are more than 500,000 active Teams Rooms devices, up 70 percent year-over-year. And the number of customers with more than 1,000 rooms doubled year-over-year.”

Teams is supplanting Outlook as the collaboration tool of choice for many organizations. It hadn’t really even dawned on me personally until I was having a conversation with a co-worker a few weeks back. She simply stated that “Teams has become home base” for her day-to-day work. I found that’s true for me as well! Historically, Outlook was the first app I would open when sipping the morning coffee. Today Outlook takes second place to Teams, and it’s easy to see why. If you’re not familiar with Teams, it offers a plethora of collaboration features:

  • Individual and Group Chat
  • Voice and Video Chat
  • Conferencing and Webinar capabilities
  • VoIP capabilities
  • Mobile Clients with Softphone Options
  • Integration with the rest of the M365 suite
  • Numerous 3rd party integrations (Some shown below)

Image 1 – Third-Party Application Addons for Microsoft Teams

I could go on, but in all seriousness, we could spend a whole series of articles on the benefits of Teams and how to roll it out to your customers, and maybe we will!

That said, in the context of this article, Teams is listed first because it plays a part in some of the following items, which leads us to our number 2 pick!

Microsoft Stream

Many of us don’t enjoy being stuck in meetings, but I’m sure there have been a few occasions where there was a meeting you wanted to be in but were unable to make, right? What if any scheduled meeting could automatically create a recording and send it to invited attendees afterward? Teams meetings, paired with Microsoft Stream, allow you to do just that and more!

The best way I can describe Microsoft Stream for those who aren’t aware of it is simply this: Think of Microsoft Stream as YouTube for your Business. Stream is a video hosting platform that can be used in conjunction with other M365 features and apps. I already mentioned the Teams integration, but there are other features worth mentioning, such as:

  • Public and Private Channels
  • Video Sharing
  • Hashtags and Timecode Links
  • Watchlists
  • Featured Videos
  • Searchable Transcripts
  • Live Events (Shown Below)
  • Screen Capture and Editing
  • Polls, surveys, and quizzes (Coming Soon)

Image 2 – Setting up a Live Event in Microsoft Stream

All these features are easily glossed over when organizations look at the vast list of applications and features in M365. When employees and business owners truly discover the powerful features Stream provides, it becomes a game-changer. A few more example use cases here:

  1. Live or Recorded company updates from Leadership
  2. Mandated training materials distributed to workers
  3. Project and team briefings recorded for transparency and shelf-life
  4. Onboarding materials for new hires

The list goes on and on. With the integrations to the rest of the M365 platform, Stream will help take your customers’ operations to the next level!

Microsoft Planner

Task management is a bear, especially with distributed teams. You’ve got email, Teams, Outlook to-dos, sticky notes, napkins, and 100 other places to keep track of ongoing tasks. The true power of the M365 suite is in its integrations. Unlike your sticky notes or a notepad file, Microsoft Planner is plugged into and integrated with your core collaboration tools in a big way. This includes:

Need to rope team members into a task or a series of tasks? Need to collaborate with notes and chat in a unified view regarding said task? Need alerts for when the task is updated? How about the ability to attach files, due dates, reminders, categories, and more? If you answered yes to all of these, Planner can do it and more.

As mentioned earlier, Teams plays a large role in many of these features, and Planner is no different. In any given Team with the Teams app, you can click the plus sign on the top left and link a Microsoft Planner “plan” as a tab directly within Teams. This puts the Team’s project plan right at their fingertips and enhances the overall collaboration experience.

Image 3 – Microsoft Planner Embedded in Teams as a Tab

One other thing I wanted to touch on before moving on to our next item. From an organizational level, when talking with your clients about Planner, I would recommend you have them plug this feature in at the department level. It really shines at that level. I’m often asked where these tools fit in regard to other task management tools, and this is often the advice I provide:

For individuals and light taskers – Use Microsoft To-Do

For departmental teams and heavy taskers – Use Microsoft Planner

For Large Scale and Organization-Wide Projects – Use a Project Management Tool such as Microsoft Project

My reasoning behind it is this. Planner provides features over and above your basic to-do list (which is what To-Do is). That said, it lacks many of the more advanced ITIL and PMP project management capabilities found in more advanced tools. Don’t get me wrong, however! Planner is still a super powerful and stunning addition to any Team looking to leverage Microsoft 365 to the fullest.

Multi-Factor Authentication with Conditional Access

The last item I’m going to talk about today is going to be the least visible of them all, and that’s ok! This particular item will wow your customers because of the fact that it DOESN’T make itself visible!

Those of us working in the technology space these last few years all know that multi-factor authentication is an absolute must. It provides an added layer of security in an age where ransomware and other cyber attacks are rampant. However, getting some customers to “deal with the security headache” (yes they are out there) can prove somewhat troublesome. That said, Microsoft has made the experience in Microsoft 365 stupidly easy.

Enabling the feature is quick, and end-users are provided with a prompt to enroll in MFA. Assuming you’ve properly communicated the steps to the end-users they should have little problems with the process. Once done, they’ll get the typical MFA prompt as needed when logging in and will be given the option of remembering a device as a frequently used device for a length of time.

Some organizations wouldn’t even balk at this much work, and that’s where the beauty of conditional access comes in. Conditional access gives administrators and MSPs the ability to define safe locations that don’t require the MFA prompt. This mainly refers to your corporate network, meaning that someone in the office (or connected via VPN) will not be required to authenticate with MFA. This greatly reduces the effort required by end-users but still keeps them protected when they need it most: when they’re off-site.

Image 4 – Conditional Access Policies in Azure AD

Now, conditional access does SO MUCH more than just this one thing. Make sure you review the full list in the Microsoft Docs article on conditional access.

One final thing you may be wondering about before we wrap up is what kind of licensing you need to get MFA with conditional access. See the image below for that information, along with the source in the caption!

Image 5 – Available versions of Azure Multi-Factor Authentication

Wrap-Up

This article should give you a good list of features you might want to talk about with your customers if you haven’t already. All of these features can take their collaboration and productivity efforts to the next level. So many organizations buy into Microsoft 365 and only enable mail and a few other features. Don’t let your customers waste the value! Help them squeeze every ounce of value out of what they’re paying for. In the end, you’ll continue to be their trusted IT partner, and you’ll share in their success moving forward!

What about you? Have you tried these features? Do you have customers using them? Would you like to see more content about anything we talked about today?

Thanks for reading!

The post 4 Powerful Microsoft 365 Features Every MSP Should be Using appeared first on Altaro DOJO | MSP.

Why ISVs Should Use Azure Lighthouse https://www.altaro.com/msp-dojo/isv-azure-lighthouse/ https://www.altaro.com/msp-dojo/isv-azure-lighthouse/#respond Thu, 30 Jan 2020 15:46:00 +0000 https://www.altaro.com/msp-dojo/?p=1614 Everything you need to know about the benefits of Azure Lighthouse for Independent Software Developers and their customers.

The post Why ISVs Should Use Azure Lighthouse appeared first on Altaro DOJO | MSP.


Some MSPs with in-house dev teams can consider themselves ISVs (Independent Software Vendors). This post talks about the benefits of Azure Lighthouse for ISVs.

Windows Azure lets ISVs publish their cloud software on the Azure Marketplace and monetize from offering services to help their customers operate it. Many companies using cloud services lack the in-house expertise to optimize their specific cloud services’ deployment, configuration, management, and reporting. 

Azure Lighthouse allows ISVs to upsell managed services on top of their software. As the developer of a piece of software, you are likely to be the world’s leading expert in making it run as efficiently as possible. ISVs have been able to offer managed services through Azure for some time, but one of their major challenges was supporting every customer who subscribed to their service efficiently. 

In the past, the ISV’s service administrator would have to log in and manage dozens, perhaps hundreds, or even thousands of individual accounts. The administrative overhead alone added significant costs, which would often be passed down to the end-users. Azure Lighthouse has provided a solution to allow ISVs to centrally manage tasks for all of their tenants from a single interface, which will be detailed throughout this blog.

For more information about Azure Lighthouse, check out the Altaro blog series about the Azure Lighthouse solutions, its foundational technologies using ADRM and AAD, Azure integration, and the go-to-market strategy.

Azure Lighthouse Benefits to Independent Software Developers (ISVs)

Azure Lighthouse brings a multitude of benefits to Independent Software Vendors (ISVs), significantly enhancing their operational capabilities, market reach, and customer service. Here’s a detailed breakdown of the advantages:

Streamlined Onboarding and Access Control 

Previously, the onboarding process for software and managed services was tedious, often involving prolonged email exchanges to secure the correct permissions. Azure Lighthouse revolutionizes this process by allowing ISVs to specify precisely which of the customer’s resource groups contain the software that will need access.  With over 70 different types of roles available, ISVs can use role-based access control (RBAC) to determine the minimum access necessary for their team to perform operations effectively. This streamlined approach not only enhances the efficiency of onboarding new customers but also sets a positive tone for initial interactions, fostering trust and satisfaction from the get-go.

Enhanced Operational Efficiency and Service Standardization

Centralized management provided by Azure Lighthouse enables ISVs to scale their operational efficiency, standardize services, automate operations, and increase security and compliance. This unified management is accessible through the Azure Portal GUI or scripting with Azure PowerShell or Azure APIs.  Such centralization allows for the management of resources across multiple customer accounts, making it easier to handle repetitive tasks and focus on enhancing managed offerings, adding new core competencies, and expanding services. Moreover, these capabilities are provided by Microsoft Azure at no additional cost, though the consumed cloud resources are still billed to the ISV or their customer.

Security and Intellectual Property Protection 

With Azure Lighthouse, ISVs can maintain a secure environment for their and their customers’ intellectual property. Delegated access ensures that ISVs can manage customer resources without exposing any proprietary scripts or templates. This not only protects the ISVs’ intellectual property but also assures customers about the integrity and confidentiality of their resources. Security enhancements from Azure Lighthouse help maintain a robust service offering, retaining customers by ensuring that operations are secure and compliant. Moreover, this added security allows ISVs to focus more on adding value through their services, potentially maximizing profits or offering cost savings to customers.

Operational Efficiency through Automation 

Azure Lighthouse enables ISVs to automate repetitive tasks such as patching software. Through the GUI or scripts, ISVs can programmatically perform tasks against thousands of resources at once if they are managed by Azure Resource Manager (ARM). This includes reporting, alerting, querying, servicing, security updates, or even deploying new services. For instance, an ISV can run a global query to identify all customer VMs running their software that need updates or repairs. This level of automation and control allows ISVs to efficiently maintain their software across various customer environments, enhancing service quality and customer satisfaction.

Azure Lighthouse offers ISVs new operational efficiencies, enhanced security, and streamlined processes, allowing them to focus on innovation and growth while ensuring a secure, efficient, and customer-friendly service delivery. The multitude of benefits provided by Azure Lighthouse positions it as a game-changer in the realm of cloud services, particularly for those involved in providing managed services and software solutions.

Azure Lighthouse Benefits to the Customers of ISVs

Azure Lighthouse offers substantial benefits to the customers of Independent Software Vendors (ISVs), particularly enhancing the ease of integrating third-party software and managing cloud services. Here’s how it impacts the customers:

Simplified Integration and Management 

Many Azure customers, especially developers and those from smaller organizations, find the task of integrating third-party software daunting and potentially risky. Azure Lighthouse alleviates these concerns by simplifying the onboarding process using Azure Delegated Resource Manager (ADRM) technology. It transparently assigns management rights to the ISV, streamlining the process of software deployment and management.  Customers, now tenants of the ISV, can review and tweak permissions as needed, enjoying an easy setup while maintaining control. The Azure Marketplace further simplifies this by allowing customers to acquire cloud software and associated services from trusted providers, much like any app store.

Enhanced Transparency and Control 

Customers gain unparalleled transparency and control over their resources with Azure Lighthouse. Detailed logging and auditing provide insight into every action the ISV takes on their resources, ensuring accountability. Isolation between tenants guarantees that actions an ISV performs on one do not affect others, safeguarding against unauthorized changes.  Despite the delegated management, customers retain full control over their budget and billing, with the freedom to provide their own licenses, be billed directly for services, or purchase services through the Azure Marketplace. All these aspects are managed and visible through ARM, allowing customers to easily navigate to the Service Providers Page and view the subscriptions and services connected to their account.

Streamlined Onboarding and Permissions 

The onboarding process is significantly streamlined with Azure Lighthouse. Customers no longer need to navigate complex permission settings or worry about giving excessive access to their resources. They can simply review the permissions needed for the ISV to operate the new software.  For those with more advanced needs, configuring specific access from the 70+ Azure user roles to each resource is straightforward, allowing for granular control over who has access to what. This ease of managing permissions not only saves time but also ensures that the software is integrated and managed securely and efficiently.

Budget and Billing Autonomy 

Azure Lighthouse empowers customers to maintain autonomy over their budget and billing aspects. They can choose to provide their licenses, directly handle billing for ISV services, or opt for services through the Azure Marketplace. 

This flexibility ensures that they can align the services with their financial and operational strategies. Furthermore, the visibility provided by the Service Providers Page allows customers to monitor connected services and subscriptions effectively, ensuring they are always in control of their expenditures and service arrangements.

Wrap Up

Ultimately, Azure Lighthouse provides a better management experience for ISVs and their customers. Developers can upsell their software by also including deployment and support services. It easily plugs into existing programs and solutions, so now ISVs can spend more time with their customers and less time managing credentials. If you are an ISV that is going to publish its managed services through Azure Lighthouse, make sure that you check out the blog post on the go-to-market strategy so you can learn the best practices to stand out from the crowd.

How to Onboard Customers in Azure Lighthouse https://www.altaro.com/msp-dojo/onboard-azure-lighthouse/ https://www.altaro.com/msp-dojo/onboard-azure-lighthouse/#comments Thu, 09 Jan 2020 21:35:24 +0000 https://www.altaro.com/msp-dojo/?p=1613 Step by step guide to onboarding your customers' Azure resources in Azure Lighthouse for Managed Service Providers (MSPs) and software developers (ISVs)

The post How to Onboard Customers in Azure Lighthouse appeared first on Altaro DOJO | MSP.


This blog post will show you how to onboard your customers’ Azure resources in Azure Lighthouse.

Azure Lighthouse is a new collection of technologies that allows Managed Service Providers (MSPs) and software developers (ISVs) to centrally manage their tenants and monetize hosted services. These providers are able to use the Azure Marketplace as a web portal to post public offerings that are available worldwide, similar to an app store. MSPs can list IT services they can offer to deploy, manage, optimize, secure or make compliant their customers’ cloud infrastructures and ISVs will include their Azure software with additional services. The providers can use Azure Delegated Resource Manager (ADRM) and Azure Active Directory (AAD) to centrally manage all of their tenants from a single interface. For more information, check out the Altaro blog series about the Azure Lighthouse solutions, its foundational technologies using ADRM and AAD, Azure integration, and the go-to-market strategy.

There are three ways that a tenant can subscribe to a service from the MSP, and the way chosen changes how the customer grants the MSP access to their environment.

The most common way is for a provider to publish a service to the Azure Marketplace, and this can be configured to be public or private. A public service is accessible to everyone, and there is no way to restrict the subscribers by location, size or any other factor. Customers who purchase a public service grant access to the MSP automatically during the onboarding process, as described in how to publish a managed service on the Azure Marketplace.

  • To make a service accessible only to certain predefined users (“private”), a specific list of tenant subscription IDs must be defined when the offering is created in the Azure Marketplace. Once the private customer has purchased an Azure Lighthouse service, the service provider must onboard their tenant, which requires delegating resources through Azure Active Directory (AAD).
  • Alternatively, the entire Azure Marketplace process can be skipped and an MSP can onboard a tenant through the steps described in this blog:
    • Collect Details for the Tenant and their Subscription
    • Either
      • Create Azure AD User Groups and Define Permissions
      • Create Service Principals and Define Permissions
    • Create an Azure Resource Manager (ARM) Template
    • Deploy an Azure Resource Manager (ARM) Template
    • Confirm Successful Onboarding for Both Parties

For either scenario, make sure that you’ve associated the tenant’s subscription ID with your Microsoft Partner Network (MPN) ID so that you get credited for consumption. While this guide is written from the perspective of an MSP, these same best practices are also applicable to ISVs who are offering managed services to deploy their software.

Step 1) Collect Details for the Tenant and their Subscription

When you are onboarding a customer, you have to know some of their unique identifier information so that you add the correct user and their subscription information. Make sure that you have the following information:

  • Your Tenant ID (as an MSP or ISV). This can be found by hovering over your account name in the upper-right corner of the Azure Portal.
  • The Tenant ID of the customer. This can be found by asking the tenant to hover over their account name in the upper-right corner of the Azure Portal.
  • The Subscription ID of the customer for the subscription of every resource that you will be managing. If you are managing multiple resources that are in different subscriptions, then you will need each of these subscription IDs. This can be found by searching for the subscription(s) in Azure Active Directory. This will also cause a new resource provider (Microsoft Managed Services) to be registered for the selected subscription(s).

Next, you need to set up the security framework using either Azure AD user groups, service principals or individual Azure user accounts (not recommended). Whenever you manage tenants’ accounts, especially if you have multiple tenants, you should never assign access to any individual user. This is because your staff may change over time, so as you need to add or remove certain administrators you can do this at the group level, instead of on each individual resource group. Not only does this provide centralized and simplified management at scale, but it also makes you look better to your tenants as they are not seeing your company’s turnover.

Steps for the user groups and service principals are described below. First, you must connect to the Azure subscription, which is done by signing in and then selecting the subscription with the following PowerShell cmdlets:

PS C:\> Connect-AzAccount
PS C:\> Select-AzSubscription <SubscriptionID>

Step 2) Create Azure AD User Groups and Define Permissions

Configuration for AAD user groups is fairly easy. It requires creating a new group for each role or task and then adding the appropriate administrators. You will then assign the type of administrative role that that group has from the 70+ Azure user roles. You should also use a friendly name to help you and your tenants understand what that resource group is used for.

Next, you will get the object ID and role definitions for each Azure AD group, which can be determined through the following PowerShell queries:

PS C:\> (Get-AzADGroup -DisplayName '<GroupName>').Id

PS C:\> (Get-AzRoleDefinition -Name '<RoleName>').Id

Instead of using AD User Groups for user account access you can create an Azure service principal for application access.

Or: Step 2b) Create Service Principals and Define Permissions

An Azure service principal is an alternative type of identity used for tools, services, and applications to provide role-based access control (RBAC) rather than user accounts. It only supports a subset of the Azure roles to restrict a single application from having too much control. 

Also, you should pick the role which provides the minimum access that your staff needs. You want to ensure that you do not request more than is necessary, as potential clients could view this negatively, and you may get the perception of not being trustworthy.

You will also need to know the object ID and role definitions for each Azure service principal, which can be determined through the following PowerShell queries:

PS C:\> (Get-AzADServicePrincipal -DisplayName '<DisplayName>').Id
PS C:\> (Get-AzRoleDefinition -Name '<RoleName>').Id

Whenever you manage tenants’ accounts, especially if you have multiple tenants, Microsoft recommends:

“using Azure AD user groups for each role, allowing you to add or remove individual users to the group rather than assigning permissions directly to that user. You may also want to assign roles to a service principal. Be sure to follow the principle of least privilege so that users only have the permissions needed to complete their job, helping to reduce the chance of inadvertent errors.”

For more info, see Recommended security practices.

Step 3) Create an Azure Resource Manager (ARM) Template

An ARM template lets administrators deploy an Azure-managed resource or resource group the exact same way every time. The template provides the framework to ensure consistency, which is critical so that you can automate and scale the management of this resource across multiple tenants. Your ARM template should include the following fields:

  • MSPName: This is your service provider name
  • MSPOfferDescription: This is a short description of your offer
  • ManagedByTenantID: This is the ID of your tenant
  • Authorizations: This describes the access needed, which can include:
    • RoleDefinitionID: This is the level of access needed for the resource template
    • PrincipalID: This is the ID for either your Azure group or Azure service principal
    • PrincipalDisplayName: This is the display name which your tenants see for your Azure group or Azure service principal

Since ARM templates can be tricky to create for inexperienced service providers, Microsoft provides code samples for different scenarios. These include both the template file along with a parameter file which are found here: https://github.com/Azure/Azure-Lighthouse-samples/. Here are the links to onboard:

  • Subscription (through the Azure Marketplace)
    • Template: MarketplaceDelegatedResourceManagement.json
    • Parameter file: MarketplaceDelegatedResourceManagement.parameters.json
  • Subscription (without the Azure Marketplace)
    • Template: DelegatedResourceManagement.json
    • Parameter file: DelegatedResourceManagement.parameters.json
  • Resource Group
    • Template: RGDelegatedResourceManagement.json
    • Parameter file: RGDelegatedResourceManagement.parameters.json
  • Multiple Resource Groups in a Subscription
    • Template: MultipleRgDelegatedResourceManagement.json
    • Parameter file: MultipleRgDelegatedResourceManagement.parameters.json

Step 4) Deploy an Azure Resource Manager (ARM) Template

The hardest step is usually deploying the ARM template within the customer’s environment because either the MSP needs to do it on the tenant’s behalf or the tenant must grant the MSP the correct permissions. And since a Guest account cannot be used, it makes it tougher for a novice customer. Every subscription needs a separate deployment. However, you can do this in a single deployment if you have multiple resource groups within a single subscription.

Once the correct permissions are configured, the following PowerShell cmdlets can be used for a remote deployment:

PS C:\> New-AzDeployment -Name <DeploymentName> `
  -TemplateUri <TemplateURI> `
  -TemplateParameterUri <ParameterURI> `
  -Location <AzureRegion> `
  -Verbose

Step 5) Confirm Successful Onboarding for Both Parties

Now that the ARM template has been deployed, testing that the MSP can effectively manage it within the tenant’s environment is important. The MSP and the tenant should be able to see the connected subscription and ARM resources. After the template has been initially deployed, it could take a few minutes to appear while the portal refreshes.

The tenant can see the connected service(s) by navigating to the Service Providers Page, selecting Service Providers Offers, and seeing the subscription(s) with the correct offer name.

As the MSP, you can see this by going to the My Customers page, clicking on Customers, and verifying that you can see the tenant’s subscription(s).

Using these steps, you will have successfully onboarded a tenant by knowing the security identifiers, creating the appropriate security groups, creating an ARM template, deploying the template, and verifying that both parties can see it. Remember that when doing this at scale, consistency is critical so that the same ongoing management processes and scripts can be replicated on identical templates. 

Remember that with Azure Lighthouse, one of your greatest assets is the operational efficiency you can achieve through consistent global management. So, if you change your template after deploying it for several tenants, be sure to update their versions so that every template in production is identical to avoid any challenges with version control. With the steps you have learned, you can streamline deployment and management for all of your Azure Lighthouse tenants. 
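The script below is an added example, not code from this article or from Microsoft's samples: a pre-deployment check for the parameter file used in steps 3 and 4, so that an over-broad or malformed authorization is caught before it reaches a customer tenant. It assumes the parameter names used in Microsoft's sample parameter files (mspOfferName, mspOfferDescription, managedByTenantId, authorizations); the function name, the output file name and every GUID other than the built-in role IDs are constructed for illustration.

```powershell
# Added example. Runs offline: no Az cmdlets are called.
# Built-in role definition IDs are the same in every Azure tenant.
$RoleNames = @{
    'acdd72a7-3385-48ef-bd42-f606fba81ae7' = 'Reader'
    'b24988ac-6180-42a0-ab88-20f7382dd24c' = 'Contributor'
    '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' = 'Owner'
    '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' = 'User Access Administrator'
}

function Test-LighthouseAuthorization {
    # Hypothetical helper: emits one finding string per problem, nothing if the list is clean.
    param([Parameter(Mandatory)] [System.Collections.IDictionary[]] $Authorizations)

    foreach ($auth in $Authorizations) {
        $label  = [string]$auth['principalIdDisplayName']
        $parsed = [guid]::Empty

        # Both identifiers must be well-formed GUIDs (object ID and role definition ID).
        foreach ($field in 'principalId', 'roleDefinitionId') {
            if (-not [guid]::TryParse([string]$auth[$field], [ref]$parsed)) {
                "[$label] $field is missing or not a GUID"
            }
        }
        # The display name is what the customer sees when reviewing the delegation.
        if ([string]::IsNullOrWhiteSpace($label)) {
            "[$($auth['principalId'])] principalIdDisplayName is empty, so the customer cannot tell who is being granted access"
        }
        switch ($RoleNames[[string]$auth['roleDefinitionId']]) {
            'Owner' {
                "[$label] Owner cannot be delegated through Azure Lighthouse; request a narrower role"
            }
            'User Access Administrator' {
                if (-not $auth['delegatedRoleDefinitionIds']) {
                    "[$label] User Access Administrator needs delegatedRoleDefinitionIds listing the roles it may assign"
                }
            }
        }
    }
}

# Constructed sample values: every GUID below is a placeholder, not a real tenant or principal.
$authorizations = @(
    @{  # Azure AD group from step 2
        principalId            = '00000000-0000-0000-0000-0000000000a1'
        principalIdDisplayName = 'Example MSP - Monitoring (group)'
        roleDefinitionId       = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'   # Reader
    },
    @{  # Service principal from step 2b, over-privileged on purpose
        principalId            = '00000000-0000-0000-0000-0000000000b2'
        principalIdDisplayName = 'Example MSP - Automation (service principal)'
        roleDefinitionId       = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'   # Owner
    }
)

# Parameter file for a subscription-level deployment of the delegation template.
$parameterFile = [ordered]@{
    '$schema'      = 'https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json#'
    contentVersion = '1.0.0.0'
    parameters     = [ordered]@{
        mspOfferName        = @{ value = 'Example MSP managed services' }
        mspOfferDescription = @{ value = 'Monitoring and patching (constructed sample)' }
        managedByTenantId   = @{ value = '00000000-0000-0000-0000-0000000000ff' }
        authorizations      = @{ value = $authorizations }
    }
}

$findings = @(Test-LighthouseAuthorization -Authorizations $authorizations)
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    Write-Warning 'lighthouse.parameters.json was not written.'
}
else {
    $parameterFile | ConvertTo-Json -Depth 6 |
        Set-Content -Path .\lighthouse.parameters.json -Encoding UTF8
    # Step 4 can then pass the file with: New-AzDeployment ... -TemplateParameterFile .\lighthouse.parameters.json
}
```

With the sample as written, the Owner entry is reported and no file is produced; replacing it with the narrowest role the automation needs lets the file through.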

How to Publish Managed Services Through Azure Lighthouse https://www.altaro.com/msp-dojo/publish-services-azure-lighthouse/ https://www.altaro.com/msp-dojo/publish-services-azure-lighthouse/#respond Thu, 07 Nov 2019 16:13:38 +0000 https://www.altaro.com/msp-dojo/?p=1563 How to publish a managed service in the Azure Marketplace, so you can use Azure Delegated Resource Management (ADRM) to access customer cloud resources

The post How to Publish Managed Services Through Azure Lighthouse appeared first on Altaro DOJO | MSP.


Azure Lighthouse provides Managed Service Providers (MSPs) and software developers (ISVs) with a centralized management portal to view their customers’ resources. Additionally, it makes it easy for the MSPs and ISVs to find new customers by publishing their offerings on the Azure Marketplace.

The Azure Marketplace web portal functions like an app store for Azure applications. It also lets MSPs publish IT services they can offer, and ISVs can publish deployment or management services for their software. These managed services let the publishers maximize their revenue by monetizing from their specialized skills to help Azure users deploy, manage, optimize, and even secure their cloud infrastructure. 

Check out the Altaro blog series about the Azure Lighthouse solutions, its foundational technologies using ADRM and AAD, Azure integration, and the go-to-market strategy. This blog post will walk you through publishing a managed service in the Azure Marketplace, allowing you to use Azure Delegated Resource Management (ADRM) to access that customer’s cloud resources. While it refers to publication from the perspective of an MSP, these same best practices are also applicable to ISVs.

Prerequisites to Publishing a Managed Service

First, you must have access to publish to the Azure Marketplace, which means that you need to have a Microsoft Partner Account. To set this up, follow these instructions from Microsoft: https://docs.microsoft.com/en-us/azure/marketplace/partner-center-portal/create-account. You will need to have a Microsoft Partner Network (MPN) ID, which means that you have passed the requirements to be a certified partner. 

By linking your MPN account to your Azure Lighthouse offering, you will automatically be credited for the consumption of any customers who subscribe to your service(s). This is helpful for MSPs trying to move to a high certification tier, which requires proof of higher consumption.

You must also offer a standardized service to all possible customers, which is known as a public offering. In its current release, it is not possible to make a service offering only available to certain classes of customers based on their geography or other factors. Customized services must be provided through a private offering that uses an Azure Resource Manager (ARM) template, which is a topic we’ll be covering in detail in a future blog post.

It is also important to evaluate the marketplace to see what offers are already out there. Being the hundredth organization to offer basic Azure VM management may not be of much value. Take time to think about your team’s unique skill set and any IP that you have developed.  Which scripts have you created that scale up and secure workloads faster? How can you add greater resiliency or faster recovery to a service?  

Do you have expertise within a regulated industry and can ensure that your tenants will be compliant? Can you offer better Tier 1 support or SLAs?  Make sure that you are going to offer something to stand out from the crowd so that customers will select you over your competitors.

Also, consider asking your company’s search engine optimization (SEO) expert to help you build and define compelling keywords to increase your discoverability.  This is known as App Store Optimization (ASO). You can use publicly available tools like Google Keyword Planner or Bing Keyword Research to filter through organic search traffic. 

While these tools are designed for Google and Bing’s respective search engines rather than the Azure Marketplace, they can provide good guidelines for how customers may be searching for your types of services. And since any offer listed on the Azure Marketplace will get propagated to Google and Bing, this will also maximize your chance of getting more hits. Also, request that any of your customers who have subscribed to your offer give you a review. This will increase your visibility on the Azure Marketplace as positive recommendations increase your ranking.

Step 1) Create the Managed Service Offer & Settings

Once you have determined the public service to offer through the Azure Marketplace, you will go into the Cloud Partner Portal and select New Offer > Managed Services. You will then provide the following information:

  • Name: This is the friendly name that customers will see when they access the offer details. Make sure to include your company name and a clear description. This is limited to 50 characters.
  • Offer ID: This unique identifier for your offer appears in the billing reports and product URLs. Since product URLs are indexed by search engines and increase discoverability, including your company name and keywords here is helpful. This string is also restricted to 50 characters and may contain only lowercase letters, numbers, underscores, and dashes. Once this is created, it cannot be changed.
  • Publisher ID: You will select your publisher ID. This option is only provided since some partners have multiple publishing accounts.

After saving this information, you will create a new plan.

Step 2) Create a Plan

A plan is a variation of your offering, similar to an SKU. Consider using standard terms for the different tiers, like Bronze/Silver/Gold or Basic/Premium/Enterprise. Customers can browse and select the best plan for their requirements and budget. For each plan, you will select New Plan and complete the following information:

  • Plan ID: This is a unique identifier for your offer, which has the same uses and restrictions as the Offer ID from Step 1. It also cannot be changed.
  • Public / Private: By default, all plans are public and accessible to everyone in the marketplace. You can select a private plan if you want to restrict your plan to specific users. However, this cannot be changed. If you wish to limit the plan to certain users, you can provide a list of unique customer IDs that are whitelisted to subscribe to this plan. You can enter these manually (currently limited to 10 subscriptions) or upload a CSV file (up to 20,000 subscriptions). It is also a good idea to include the subscription ID of your own test accounts to validate that the offering is published and working as expected.
  • Title: This is the friendly name that customers will see when they browse the plan’s details. Include your company name, a clear description, and any optimized search keywords. This is limited to 50 characters.
  • Summary: This lets you add a short description of the plan. Include your company name, a clear description, and any important keywords. This is limited to 100 characters.
  • Description: Here, you can add a long description, which lets you go into details of what you are offering and how to differentiate yourself. Here, you should include the following information:
    • Specific services that are included
    • Onboarding steps
    • Costs and billing process
    • Technical support and SLA
    • Company profile and experience
  • Billing Model: This option is a little confusing: for managed services, you must always select Bring your own license. This is because Microsoft will not bill you for any expenses directly. Rather, you will bill your customers directly for any associated costs.

After you Save, you’ll move on to the manifest details section.

Step 3) Configure the Manifest Details

The manifest defines exactly which of your tenants’ resources you will have access to and what permissions will be assigned. One of the fundamental technologies powering Azure Lighthouse is ADRM, which allows granular role-based access control (RBAC) that is requested by the MSP and approved by the customer. 

Access to any Azure resource managed by Azure Resource Manager (ARM) can be granted through any of the 70+ Azure user roles. Remember that with a public plan, every customer who subscribes will be required to grant the MSP identical access. It is best to minimize what you request, both to avoid unnecessarily exposing your potential customers’ infrastructure and to avoid scaring them off, since they do not yet know or trust you.

For the manifest, you will provide the following information:

  • Version: Provide a version number in the format x.y.z, such as 2.1.1.
  • Tenant ID: Enter the GUID which is linked to your organization’s Azure Active Directory account. You can find this identifier for your directory from the upper right-hand corner of the Azure Portal.
  • A list of Authorizations: These define each of the resources which your staff can access for every customer who subscribes to the plan. These include:
    • Azure AD Object Display Name: This assigns a friendly name for each Azure resource which will be placed under management by the MSP. Make this clear and descriptive so that your customers understand the usage.
    • Azure Object ID: This provides the Azure AD GUID of the MSP’s admin, an MSP-managed Azure AD group, or the application which will be granted access to the customer’s resource group. If you are providing access to users, a best practice is to assign this to a group, rather than individual admin(s). This simplifies management as it lets you add and remove admins from that group as your staff changes, instead of having to make updates to every tenant’s workload each time someone joins or leaves your organization.
    • Role Definition: You will select which of the 70+ Azure AD built-in roles to assign to this Azure AD Object. This designates the permissions of that role to the specific object.
      • Assignable Roles: This option will only appear if you select the User Access Administrator role definition. In this case, you will define a list of different possible roles that the user can select and designate for their MSP.  This is helpful if you do not require one specific type of access to a resource group, want to build trust, and empower your users to specify the level of access themselves.
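
A pre-publication check of the authorization list described above, as an added example that is not part of the original article or of Microsoft's tooling. The dictionary keys (`version`, `tenant_id`, `display_name`, `object_id`, `object_type`, `role`, `assignable_roles`) are hypothetical names modelled on the form fields, and every GUID is a constructed placeholder.

```python
import re
import uuid

# Hypothetical field names modelled on the manifest form fields above;
# this is not the Partner Center or ARM template schema.
BROAD_ROLES = {"Owner", "Contributor"}
UAA = "User Access Administrator"
VERSION_RE = re.compile(r"\d+\.\d+\.\d+")


def is_guid(value):
    """Return True when value parses as a GUID."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def lint_manifest(manifest):
    """Return (severity, message) findings for one plan manifest."""
    findings = []
    if not VERSION_RE.fullmatch(str(manifest.get("version", ""))):
        findings.append(("error", "version must use the x.y.z format"))
    if not is_guid(manifest.get("tenant_id")):
        findings.append(("error", "tenant_id is not a GUID"))

    auths = manifest.get("authorizations", [])
    if not auths:
        findings.append(("error", "no authorizations defined"))
    seen = set()
    for index, auth in enumerate(auths):
        label = auth.get("display_name") or f"authorization #{index}"
        role = auth.get("role", "")
        assignable = auth.get("assignable_roles", [])
        if not auth.get("display_name"):
            findings.append(("warn", f"{label}: no display name for customers to read"))
        if not is_guid(auth.get("object_id")):
            findings.append(("error", f"{label}: object_id is not a GUID"))
        # The article recommends groups so staff changes need no manifest update.
        if auth.get("object_type") == "user":
            findings.append(("warn", f"{label}: individual user, prefer a group"))
        # Every subscriber to a public plan grants the same access: keep it narrow.
        if role in BROAD_ROLES:
            findings.append(("warn", f"{label}: broad role '{role}' requested"))
        # Assignable roles exist only alongside User Access Administrator.
        if role == UAA and not assignable:
            findings.append(("error", f"{label}: {UAA} needs assignable roles"))
        if role != UAA and assignable:
            findings.append(("error", f"{label}: assignable_roles requires {UAA}"))
        key = (auth.get("object_id"), role)
        if key in seen:
            findings.append(("warn", f"{label}: duplicate object/role pair"))
        seen.add(key)
    return findings


# Constructed sample manifest; all identifiers are placeholders.
SAMPLE = {
    "version": "2.1.1",
    "tenant_id": "00000000-0000-0000-0000-000000000001",
    "authorizations": [
        {"display_name": "Example MSP Tier 1 support", "object_type": "group",
         "object_id": "00000000-0000-0000-0000-0000000000a1", "role": "Reader"},
        {"display_name": "Example MSP admin", "object_type": "user",
         "object_id": "00000000-0000-0000-0000-0000000000a2", "role": "Contributor"},
        {"display_name": "Example MSP automation", "object_type": "application",
         "object_id": "00000000-0000-0000-0000-0000000000a3", "role": UAA,
         "assignable_roles": []},
        {"display_name": "", "object_type": "group",
         "object_id": "not-a-guid", "role": "Reader"},
    ],
}

if __name__ == "__main__":
    for severity, message in lint_manifest(SAMPLE):
        print(f"{severity.upper():5} {message}")
```

Running the check before each save makes a widened role or a per-user assignment visible in review rather than after customers have accepted the plan.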

Click Save, then you can add more details about your offering in the Marketplace section.

Step 4) Provide Marketplace Details

Next, you will enter the details that get published in the Azure Marketplace. These are publicly displayed and picked up by search engines. Use your SEO/ASO best practices here with descriptive keywords to maximize your discoverability. Some of these fields repeat details that you have previously entered, so you may wish to go back to earlier menus in a new browser tab so you can copy the previously entered text.

You will need to provide the following information:

  • Title: This is the friendly name that customers will see in the Azure Marketplace. Make sure to include your company name, a clear description, and any search optimized keywords. This is limited to 50 characters.
  • Marketing Identifier: This lets you add some customized text into URLs, which should include your company name and the name of your service. Including this text in the website link also helps with SEO/ASO. The URL will then follow the format https://azuremarketplace.microsoft.com/marketplace/apps/company.servicename.
  • Summary: This lets you add a short description of the plan. Make sure to include your company name, a clear description, and any search optimized keywords. This is limited to 100 characters.
  • Long Summary: This section allows you to enter a longer description using search optimized keywords. This has a maximum length of 256 characters.
  • Description: Here you can add a long description which lets you go into details of exactly what you are offering and how you can differentiate yourself. This field also supports simple HTML and up to 3000 characters. You ought to include the string “managed service” or “managed services” so that it gets picked up by internal and external search engines. Here you should include the following information:
    • Specific services which are included
    • Onboarding steps
    • Costs and billing process
    • Technical support and SLA
    • Company profile and experience
  • Useful Links: You can add a list of hyperlinks to your company’s website, product page, contact forms or anything else.
  • Categories: Select which categories you would like your managed services to be listed under. You can select a maximum of 5 categories, and it is best to select as many as are applicable so that potential customers who are browsing by category will discover your service.
  • Marketing Artifacts: Here you can upload your logos (required), screenshots (optional) or add links to product videos (optional). Logos are required in four sizes: 255×115 pixels (wide), 115×115 (large), 90×90 (medium) and 40×40 (small). Microsoft recommends keeping the logo simple with basic colors and with no text so that it looks consistent with the rest of their enterprise business offerings. You can also add a “hero logo” (815×290) which is a large background image that helps your service get visibility in the Azure Marketplace. Text for your company name, title and summary will automatically be added in white. Once published, you cannot remove the hero logo, but you can replace it.
  • Lead Management & Lead Destination: This section allows you to specify a CRM system where any customer leads will be automatically imported and stored.
  • Legal: Add the URLs for your Privacy Policy and for your Terms of Use.
  • Preview Subscription ID: You should always test that your Azure Marketplace offering looks right before you publish it. This is possible through adding a list of up to 100 subscription IDs for accounts that can preview the offer before it goes live. Microsoft’s product and support teams will also be able to view the marketplace preview.

Save your changes then move to the support section.

Step 5) Add Support Information

This section allows you to list contact information for your customer support and engineering teams. This includes a name, email address, and phone number. You will also be required to add URLs for support information. Make sure you keep this information current so that prospective customers can contact you. Microsoft may also use this contact information. Click Save so that you can review the information before it goes live.

Step 6) Publish your Managed Service Offering

You are almost ready to make your service offering go live. Take time to preview the offer from an account you defined using the Preview Subscription ID from Step 4. Once you click the Publish button, the offering will go through an automatic review and shortly afterward will appear in the Azure Marketplace.

Wrapping Up

Congratulations, you have now published your managed service in the Azure Marketplace. From here, you can expect new customers to discover your services and help you bring in new revenue. Make sure that you check out the next post from Altaro about onboarding Azure Lighthouse customers to understand the additional steps to access your tenants’ workloads.

An MSP Go-to-Market Strategy for Azure Lighthouse
https://www.altaro.com/msp-dojo/market-strategy-azure-lighthouse/
Fri, 25 Oct 2019 15:59:22 +0000

How to define your go-to-market (GTM) strategy for your services using Azure Marketplace, Azure Resource Manager (ARM) or Managed Apps and make more money!


If you are a Managed Service Provider (MSP), I hope you are excited about what Azure Lighthouse can do for your business. And if not, you should be. Not only can you reach more customers, but your operations can be simplified through the centralized view that Azure Delegated Resource Management (ADRM) gives you across all your tenants. 

Microsoft does not even charge a fee to MSPs for using Azure Lighthouse and selling their Managed Services, so the revenue is yours to keep! This is the fourth blog in the series, which will help you define your go-to-market (GTM) strategy for your services using Azure Marketplace, Azure Resource Manager (ARM) templates, or Managed Apps. 

But first, make sure that you check out the earlier posts about the Azure Lighthouse solution, its foundational technologies using ADRM and AAD, and Azure integration. That last blog post describes all the Azure Services that integrate with Azure Lighthouse to help you maximize your customer base and revenue.

Managed Services in the Azure Marketplace

The Azure Marketplace is an incredible resource for anyone who builds or buys cloud software that runs on Azure. It aggregates every product that third parties can offer to Azure users, like an app store for the Microsoft cloud. Now, MSPs can offer their services to clients through the Azure Marketplace, opening up their business to millions of new customers around the world. Managed Services are a new type of offering that relies on Azure Lighthouse, ADRM, and Azure Active Directory (AAD) and allows customers to easily purchase and onboard an MSP.

While Consulting Services are not new to the Azure Marketplace, they have a broad scope and usually a fixed price.  Managed Services are different in that they are an ongoing engagement and use ADRM.

A Managed Service can be either public or private. Public ones are published in the Azure Marketplace and available to all users. At this time, there is no way to limit the consumer by their geography or Azure region, although this will likely be added in the future. 

The way to restrict who can access a plan is by configuring it as private. MSPs can then provide a preapproved list (a “whitelist”) of subscription IDs that can access this service. Public plans are recommended for service providers trying to expand their business and find new customers without paying any additional customer acquisition costs.

However, new customers may be hesitant to grant an unknown service provider broad access to their infrastructure. It can be best to keep the public offering fairly simple but have extended private offerings that you can upsell to these new tenants as you build trust with them. Also, consider offering them important services they may not have realized they could request, such as Azure Service Health.

Another option is to have a hybrid offering, which allows you to include both private and public plans within the same offer. This gives you the broadest solution, allowing you to discover new customers and upsell them on additional services as you develop a relationship. You should also be aware that once you publish a public plan, you cannot change it to a private plan; you would need to remove it entirely if you want to republish it with any restrictions. Part of the publishing process requires you to provide a title, description, and other searchable terms.  

We’ll provide some best practices for app store optimization (ASO) in a future post, so be sure to keep an eye out for that!

Once a customer has purchased a Managed Service through the Azure Marketplace, they go through an onboarding process. This allows them to identify which subscriptions and resource groups can be managed by the MSP to perform their service. A manifest defined by the service provider will detail which Azure AD services, users, and groups will need access to the customer’s groups, which the tenant can accept, change, or decline. Once these permissions are assigned, the onboarding is complete, and Azure Delegated Resource Management (ADRM) will grant the MSP access to the approved tenant resources.

Azure Lighthouse with ARM Templates

If you are setting up services for a tenant without going through the Azure Marketplace, then you will use Azure Resource Manager (ARM) templates. An ARM template is a JSON file that defines the exact configuration of an Azure group, including all of its resources, settings, dependencies, and permissions. This is essentially a blueprint that is used to streamline deployment and guarantee consistency instead of repeating a series of manual configuration steps. The ARM template can be configured via the GUI-based Azure Portal, Visual Studio, Visual Studio Code or IntelliJ IDEA.

ARM templates are used with Azure Lighthouse as they allow an MSP to deploy a service for a tenant. This can be a fresh deployment for a new tenant or adding additional services to an existing tenant, such as after an upsell opportunity from the Azure Marketplace. Since the template will be created by the MSP, they can guarantee consistency across all of the tenants. This not only simplifies deployment, but also ongoing management and operations. For example, when the service provider needs to make a configuration change, they can do that programmatically across all their tenants. These ARM templates should be considered as valuable intellectual property for the service provider, as they take considerable time to craft and perfect. One advantage of using Azure Lighthouse and ADRM is that these templates remain in the service providers’ infrastructure, so by not exposing them directly to their tenants, they can retain and protect their IP.

Azure Lighthouse with Managed Applications (Apps) and ISVs

The Managed Services offered through Azure Lighthouse are not restricted to service providers; ISVs can also publish them alongside their software, known as Azure Managed Applications (Apps). Azure Marketplace lets a developer sell their software and upsell the deployment and management services for it. When a customer purchases the software, they will deploy it into a resource group with ADRM access provided to that publisher.

The ISV can perform ongoing maintenance, troubleshooting, and operational tasks for their customers. Azure Lighthouse has made this easier for ISVs or any MSP with expertise in managing a specific app. Again, we’ll discuss this topic in more detail in an upcoming blog post.

Azure Lighthouse with APIs, Scripts & GitHub

Microsoft invested significant effort in making the Azure Lighthouse management experience consistent between the Azure Portal GUI and its APIs. While service providers new to Azure may start with the Azure Portal, learning Azure PowerShell or Azure CLI is essential to provide automated management for their tenants at scale. When using Azure Lighthouse, scripting your operational tasks becomes necessary so that you can save each step into an ARM template to ensure that it is run the same every time. Fortunately, Microsoft has provided numerous code samples for ARM templates and a GitHub repository for Azure Lighthouse to get you started.

Final Go-To-Market Strategies

To summarize, you should publish your Managed Services with low-touch offerings through the Azure Marketplace to find new customers. As you build trust, offer tenants value-added services that you can deploy through private offerings or your portfolio of ARM templates. Consider targeting specific (regulated) industries or verticals to build expertise in these areas and differentiate yourself. As a service provider, you are likely also part of the Microsoft Partner Network (MPN). When you first sign up or during your annual renewal, you must provide some customer references. 

With Azure Lighthouse, you can simplify this step by associating your MPN ID with the tenant subscriptions you manage. The revenue you create through managing these customers is credited to your organization. If you publish an offer through the Azure Marketplace, this happens automatically. If you are onboarding a customer independently using an ARM template, you can still manually associate their ID so you are given credit. Remember that Microsoft does not take a cut of the revenue generated from these Managed Services, which will encourage broader Azure Lighthouse adoption.

Thanks for reading!

11 Rad Ways Azure Lighthouse Integrates with Azure Services
https://www.altaro.com/msp-dojo/azure-lighthouse-azure-services/
Thu, 10 Oct 2019 16:36:47 +0000

Azure Lighthouse changes how MSPs operate their businesses through its centralized multi-tenant management. Add Azure Services integration for another level


Azure Lighthouse is changing how Managed Service Providers (MSPs) operate their business through its model of centralized multi-tenant management. Now, MSPs can run multiple businesses more securely without switching accounts, directories, or subscriptions. This means that all operations can be applied across multiple tenants at scale. MSPs can significantly reduce their operational costs and complexity while reaching more customers and maximizing their revenue. 

Check out the first blog post from Altaro, which covers an overview of the Azure Lighthouse solution, and the second post, which explains the underlying Azure Lighthouse technology. This third post will cover key integrations with Azure services in the control plane and give you some ideas to help you scale your service provider business.

Azure Lighthouse with Existing Azure Services

Since Azure Lighthouse is a new solution offering, not every Azure service is supported yet. The key requirement for integration is that the Azure component must support Azure Delegated Resource Management (ADRM), allowing tenants to assign role-based access control (RBAC) to their service provider. The following list of services is fully supported and should be considered by MSPs to include in their service offerings. The order below is a good way to think through your Azure Lighthouse offerings, starting with the most basic services and ending with more advanced options.

1. Azure Policy with Azure Lighthouse

For the MSP and tenant partnerships to be successful, one of the fundamental philosophies is to ensure that there is trust between both groups. Azure Policy ensures that all managed resources stay compliant with corporate standards.  With Azure Lighthouse, this can be an effective tool for both parties.  

If a tenant has strict security standards, Azure Policy can ensure that their service provider adheres to them, and this can be particularly important if the tenant is within a regulated industry.  However, many tenants are inexperienced with configuring Azure, so they have delegated their operations to an MSP.  As a service provider, you may already have high operational standards, or part of your offering may be to guarantee compliance within a regulated industry so you can apply your Azure Policy best practices to your tenants’ infrastructure.  This is also a great use case of how Azure Lighthouse allows MSPs to maintain their technical intellectual property (IP) while extending their services to new tenants.

2. Azure Resource Graph with Azure Lighthouse

Azure Resource Graph is an extension of Azure (Delegated) Resource Manager (ARM/ADRM), which allows service providers to run queries at scale to test for compliance. It provides an Azure PowerShell and Azure CLI interface for MSPs to test against their tenants’ environments across multiple subscriptions. It can verify that Azure Policy rules are enforced correctly and flag any misconfigurations. The results can be sorted with advanced filtering based on resource properties, including by tenant (customer). You can even track changes and configuration drifts across your tenants.

3. Azure Service Health with Azure Lighthouse

Set up Azure Service Health for your managed accounts to get a global view of the health of your tenants’ services and resources. Service Health also lets you view the Azure infrastructure operated by Microsoft, which your tenants are using.  

You can set up different types of alerting for outages, which can be a useful value-added service for an MSP offering Tier 1 support. Many tenants will want to defer critical support to their MSP.  Even if you have a tenant that has not subscribed to your Tier 1 support, if an outage happens and you can use Azure Service Health to show them that you could have more quickly identified the problem for them, they will be more likely to subscribe to your premium services.

4. Azure Monitor with Azure Lighthouse

Now that you have set up access and security policies for your tenants, configure Azure Monitor to begin collecting data about their environment. Even if you do not know how to leverage this information yet, turning it on immediately is a best practice, so you have the data when you need it.

You can now view alerts across numerous subscriptions and view activity logs for managed resources. You can also run a single query across all of your tenants to see if an issue or security threat that impacted one customer has a broader impact. If you are an MSP focusing on a specific regulated industry, then having this visibility across multiple customers can give you valuable insight, operational efficiencies, and competitive advantage.

5. Azure Virtual Network with Azure Lighthouse

Once your tenants’ infrastructure is secure and protected, you may wish to optimize their virtual infrastructure.  Networking is usually one of the more challenging IT management operations, and Azure imposes additional restrictions that may take a specialist to understand. This is another value-added service that MSPs can offer: Azure network administration. Azure Lighthouse allows delegated access to virtual networks and virtual NICs, letting MSPs optimize the traffic, make it resilient to failures, apply security policies, and monitor bandwidth utilization.

6. Azure Virtual Machines with Azure Lighthouse

Probably the most popular delegated management service will be for Azure Virtual Machines. Tenants can permit MSPs full access to their virtual machines (VMs), except for managing their product licenses via Key Vault. This means that the service provider can deploy VMs, configure storage, networking, and memory, and run post-deployment configuration tasks, scripts, diagnostics, and almost every other aspect of operations. 

The MSP can also log into that VM to configure any guest workloads. Since most Azure workloads run inside Azure VMs, the delegated management services offered through Azure Lighthouse will support almost every tenant virtual machine scenario.

7. Azure Kubernetes Service (AKS) with Azure Lighthouse

There are a growing number of organizations using containers instead of VMs to run their virtualized services.  Azure Kubernetes Service (AKS) allows organizations to use Azure to manage a Kubernetes cluster, handling all administrative tasks from deployment to monitoring to maintenance. 

Containerization offers numerous resource optimization and consolidation benefits as compared to traditional VMs, yet they are generally considered more complicated to manage. This presents a great opportunity for MSPs to manage Kubernetes as a service for their tenants using Azure Lighthouse.

8. Azure Security Center with Azure Lighthouse

Perhaps one of the best use cases for MSPs to support their tenants is through the Azure Security Center. This Azure service centrally manages and protects the Azure resources, bringing together proactive and reactive best practices from Microsoft’s security experts.

Organizations that need to outsource their IT management usually do not have security experts on their staff, so they are likely to want to offload security management to their MSPs.  The cloud adds additional security challenges since it is changing so rapidly and has a broad attack surface on public infrastructure. Leveraging Azure Security Center is highly recommended for any organization, especially those in regulated industries or protecting sensitive data.

With Azure Lighthouse, MSPs can monitor all of their tenants from a single interface and apply changes at scale. All of the security data is centrally collected to show industry-wide trends, which MSPs can build into their IP. Some advanced features available to MSPs include the ability to provide just-in-time (JIT) access to VMs, dynamic (adaptive) network hardening, registry change monitoring, and whitelisting only permitted applications or processes.

9. Azure Backup with Azure Lighthouse

Azure Lighthouse gives MSPs the ability to manage backups for the tenants’ infrastructures using Azure Backup.  Although Azure Backup is fairly easy to use, backups are so important to the business that they often make risk-averse Azure users want to hand off this responsibility to experts.  Service providers can centrally manage backup and restore for their tenants’ Azure VMs and storage.  

Since Azure Backup offers different options around the frequency (RPO), recovery time (RTO), storage retention, and storage redundancy, an MSP can offer a simplified plan like “Gold,” “Silver,” and “Bronze.” If you manage tenants who are in a regulated industry, storage compliance can be especially important as you will often need to retain all data and destroy specific records after a certain period.

10. Azure Site Recovery with Azure Lighthouse

One of the most popular Azure features is Azure Site Recovery (ASR). This lets the organization replicate their on-premises Hyper-V or VMware virtual machines to Microsoft Azure, using the public cloud as a disaster recovery site. For MSPs, offering disaster recovery as a service (DRaaS) is a great way to discover new customers who have not yet embraced the public cloud for their daily operations and drive Azure adoption.  

Since ASR requires some settings to be configured in the tenant’s existing datacenter, and those customers are likely using the legacy Windows Server Active Directory, ADRM may not provide an end-to-end delegated solution. The MSP will likely need to be given remote access (or can provide instructions) so that the on-premises configuration can happen to set up the Hyper-V replica on a host or cluster. Once that is set up, then replication using ASR can run and be managed by the service provider using a replicated virtual hard disk and VM running in Azure.

11. Azure Automation with Azure Lighthouse

Azure Automation may be one of the most valuable services that MSPs can provide through Azure Lighthouse.  This was included last in this list as service providers should set up their service offerings before they start automating them at scale. 

Azure Automation includes process/workflow automation, configuration management, update management, and scheduling for both Windows and Linux. This is where the service provider’s intellectual property (IP) really becomes valuable, in the form of the custom scripts and processes they have created. This could include streamlining deployment, enforcing compliance, dynamically adjusting to infrastructure changes, or simplifying reporting.

Azure Automation will allow MSPs to differentiate their offerings and create new value for their customers. While Azure Automation supports both public and private management, on-premises management through Azure Lighthouse may still be limited because it requires ADRM and Azure AD.

Wrap-Up

Azure Lighthouse already supports many Azure services, and these will continue to increase in time and with industry adoption.  If there are additional services that you would like to see, post about them in the comments section of this blog and request them through the Microsoft Partner Network (MPN) portal. From this blog series, you should now understand the value of the Azure Lighthouse solution and its foundational technologies using ADRM and AAD, and in the next post, we will review the Azure Marketplace go-to-market strategies.

What are your thoughts so far? Do you see yourself using this within your organization? Do you see it helping you do more Azure business?
