Temp Export Archives - Altaro DOJO | MSP (https://www.altaro.com/msp-dojo/category/temp-export/). Managed Service Provider guides, how-tos, tips, and expert advice. Feed generated Wed, 21 Feb 2024 22:23:37 +0000.

How to Manage Multiple Office 365 Tenants with M365 Lighthouse
https://www.altaro.com/msp-dojo/multiple-office-365-tenants/
Fri, 19 Nov 2021 15:04:08 +0000

There's a revolutionary new way to manage your Microsoft 365 clients in the forthcoming Microsoft 365 Lighthouse. All the juicy details here!


If you’re an MSP, there’s a big change coming in how you manage your client’s Office 365 tenants and Microsoft 365 tenants. Microsoft 365 Lighthouse is a modern way to manage multiple clients’ users and devices in a single pane of glass. This article will show you how to set up the preview, how to make sure your clients appear, and how to manage settings and policies across all of them. 

Note that Microsoft 365 Lighthouse is a different service than Azure Lighthouse, which lets an MSP manage resources in their client’s Azure subscriptions securely. It makes sense to name the services similarly since the concept of a “service provider managing a client’s cloud service” is the same, but it’s bound to cause some confusion. We’ve looked at Azure Lighthouse here:

Just as Azure Lighthouse has been a game-changer for the business model of MSPs, Microsoft 365 Lighthouse will be a turning point for MSPs as well, with the difference that every MSP I know has all their clients on Office / Microsoft 365, while not everyone uses Azure.

Signing up for the preview

Before we get to the requirements to use Microsoft 365 Lighthouse, let’s get it activated in your MSP’s M365 tenant. It’s a straightforward process, but it can take up to 24 hours; in my case, it only took a few hours.

Sign into your tenant at admin.microsoft.com, go to Billing > Purchase services > Other services, search for Microsoft 365 Lighthouse public preview, and buy a single license for $0. There’s no cost for Microsoft 365 Lighthouse during the preview or after General Availability, just like Azure Lighthouse.

Purchase Lighthouse public preview


After some time, you’ll receive an email to let you know that your tenant has been enabled for the preview.

Microsoft 365 Lighthouse enabled


Microsoft 365 Lighthouse requirements

There are a few things that need to be in place for you to take advantage of Microsoft 365 Lighthouse.

First, your MSP must be enrolled in the Cloud Solution Provider (CSP) program as an Indirect Reseller or Direct Bill partner.

Secondly, each client must provide Delegated Admin Privileges (DAP) to your MSP.

Thirdly, at this time, each client must have at least one Microsoft 365 Business Premium license and fewer than 500 licensed users. I suspect some of these limitations will be lifted after General Availability (GA). I’m sure many businesses larger than 500 users are already using an MSP to manage their Office 365 tenant, just as many smaller businesses rely on the advanced security features in Microsoft 365 E5, for instance. 

Still, their MSP would like to manage them using Lighthouse. With no inside information, I suspect Microsoft is focusing on this market segment to start with because it’s the one many MSPs focus on, and converging on Business Premium only also makes sense as it gives a common set of features to manage using Lighthouse.

Fourth, if you want to manage tenant devices, they must be enrolled in Microsoft Endpoint Manager (MEM).

Fifth, for user account data to appear in reports, the client’s tenants must have Azure Active Directory Premium P1, which is included in Microsoft 365 Business Premium.

Sixth, to see devices on the threat management pages, they must be running Microsoft Defender Antivirus (built into Windows). This one could be a bit tricky; many MSPs rely on their favorite AV tool and may not want to move to the built-in solution, but (if you’re stuck in the past) know that Defender AV is quite capable these days and is also a stepping stone to the excellent Microsoft Defender for Endpoint (MDE).

The last three on the list won’t stop you from using Microsoft 365 Lighthouse but will limit the functionality as mentioned.

In summary:

  1. Enroll in the Cloud Solution Provider program
  2. Invite each client to Delegated Admin Privileges
  3. Ensure the clients have at least one Microsoft 365 Business Premium license
  4. Enroll devices in Microsoft Endpoint Manager
  5. Make sure the clients have Azure Active Directory Premium P1
  6. Enable Defender Antivirus

Enrolling in the Cloud Solutions Provider program

I suspect most Microsoft-based MSPs have already completed this step, and my MSP took this step a few years ago, so I don’t have screenshots to show you the process, but here’s the official documentation.

Your primary choice is between being an indirect reseller, where you buy Azure / Microsoft 365 and on-premises licensing through CSP via a distributor, or being a direct bill partner. The latter requires you to provide the first level of support for your clients, fully manage customer billing and provisioning, and generate at least 300,000 USD revenue in cloud sales in a 12-month period. Here’s the page to get started as an indirect reseller. 

Once enrolled, the CSP area in the Partner Center lights up, and you can manage clients here.

CSP in Partner Center


Invite a client to Delegated Admin Privileges

I suspect there’s a bit of dirty laundry in most MSPs’ cupboards (including mine) where they don’t have delegated access to their clients’ tenants but instead have Global Admin accounts to log in directly to each tenant to do any administration. If that’s the case, please ensure that those admin accounts have MFA enabled.

To use Microsoft 365 Lighthouse, you need to set up your MSP with delegated admin rights to each tenant. Start by clicking the link “Request a reseller relationship” in the CSP portal. Pick your indirect provider, make sure “Include delegated administration privileges” is selected, and edit the email before sending it to your client. Note that the recipient must be a Global Administrator in the tenant to be able to action it.

Request a reseller relationship in the CSP partner portal


When a global admin for the tenant clicks the link in the email, they’re greeted with this screen and simply click the Authorize button.

Authorize client for Delegated Admin Privileges


They should now show up under Customers in your CSP portal; in my case, this was nearly instantaneous.

Exploring the Microsoft 365 Lighthouse portal

Logging on to the Home page

Go to https://lighthouse.microsoft.com and sign in with an account in your MSP tenant with Global Admin credentials and MFA enabled. If the account doesn’t have MFA enabled, you’ll need to enable it before being able to sign in. 

In case you find this burdensome, understand that you’re effectively accessing all your tenants in one place using Lighthouse, so enforcing MFA is a must. I would also suggest that access to Lighthouse should be limited to approved, locked-down admin workstations, something you can do using Conditional Access in AAD.

According to Microsoft, it can take up to 48 hours before client data starts showing up in the portal. Again, in my experience, it took less than two hours.

Home in the Microsoft 365 Lighthouse Portal


On the Home page is an overview of my clients, with tiles for threats (Defender Antivirus), devices with it installed, risky users, and device compliance. You can filter this view with the Tenants button in the top left.

User account pages

When I drill into the Risky users tile, I’m taken to the Users part of Lighthouse, where four tabs show accounts that have been flagged as risky and their current status (At risk or Remediated). Clicking View risk detections for an individual account takes me to the AAD portal for that tenant to investigate the risk.

The Multi-Factor Authentication tab shows the tenant’s status for MFA enablement and users not registered for MFA, while the Password reset tab shows the tenants’ state and accounts for self-service password reset (SSPR). I can also search across all usernames, and when I find a particular user, I can reset their password or block sign-in. Password reset in particular is a very common action for MSP helpdesk staff: instead of signing into a client’s tenant, finding the user, and then resetting their password, you can do it here for any user.

Risky users blade

Antivirus and Threats

Clicking either the Threat or Antivirus tile takes me to the Threat management area, where an overview tab shows me threats (active / mitigated / resolved), devices missing Defender AV, and devices overdue for scans. The Threats tab shows a list of active, mitigated, resolved, and allowed threats, whereas the Antivirus protection tab shows me a list of devices, their state, if the AV is up to date, real-time protection state, and if any scheduled quick or full scans are due.

Antivirus status across each device


The orange warnings in the screenshot show quick scans that are overdue. Clicking on an individual device brings up its details, plus options to run a quick or full scan, update the signatures and reboot the device.

Device details in Antivirus view


Note that you can also multi-select several devices and run scans on all of them or even reboot all of them in one fell swoop. You can also filter the view of the devices based on device state, threat protection, update status, and any overdue scans.

Devices & Tenants

The Device area has four tabs: Overview shows devices managed by compliance policies in MEM, whereas the Devices tab shows the compliance status for each device with the ability to filter the view based on whether the device is corporate or personal, the OS it is running, and its status. 

The Policies tab syncs from MEM, whereas the Settings tab shows non-compliant settings across tenants. In this area of Lighthouse, I noticed that the data on some tabs were missing, possibly due to the 48 hours not having passed after adding the tenant. You can also click an individual device to see details and click a link there to see it in the full Endpoint Manager console.

Device compliance with MEM policies view


The Tenants view shows tenants, including ones ineligible for Lighthouse (missing license for Microsoft 365 Business Premium, for instance) or ones that don’t yet have Delegated Administrative privilege. You can create and assign tags to different tenants as a way to organize them.

Security and Baselines

There are two specific role-based access control (RBAC) roles associated with Microsoft 365 Lighthouse: Admin Agent and Helpdesk Agent. The former has permission to change most settings, whereas the latter can view everything but can only reset passwords, block sign-ins, and update customer contact / website details.

Microsoft recommends using Privileged Identity Management (PIM), a feature of AAD Premium P2 (in the partner tenant), to enforce the principle of least privilege: a Helpdesk Agent can be eligible to become an Admin Agent but must go through a PIM workflow, which can include entering a service ticket, being approved by a supervisor, and completing MFA, to elevate to that permission for a restricted time of a few hours.

Security baselines are a key feature in Microsoft 365 Lighthouse. Today, you can’t edit them; there are six default baselines:

  • Require MFA for admins (CA report only policy)
  • Require MFA for end users (CA report only policy)
  • Block legacy authentication (CA report only policy)
  • Enroll devices in MEM & Azure AD Join
  • Antivirus policy – a Device Configuration profile
  • Windows 10 Compliance policy

In the baseline area, I can see the Default baseline and apply it to groups of clients. Note that the three Conditional Access policies are report-only and thus won’t actually enforce the setting; they just give you reports on where it would have been applied. This is a good way to get a grip on the state of MFA and legacy authentication usage across your tenants, but in today’s security-challenged business landscape, it’s vital to move to enforcing MFA and disabling the legacy protocols as soon as possible.

There are two other areas in Microsoft 365 Lighthouse: Windows 365 gives a view of any Cloud PCs in your client’s tenants and their network connections to on-premises. I don’t have any clients using Windows 365 yet, but it makes great sense to surface this information in Lighthouse.

The final area is Service health, which shows advisories and incidents across Teams / Microsoft 365 / Exchange Online and another 20 services. It’s the same view as in the Microsoft 365 Admin Centre, but having it handy in this portal makes sense.

Conclusion

This is a public preview, and both the functionality and requirements are a bit limited, but I suspect this will change as feedback comes to Microsoft, particularly now that it’s in public preview. There’s a specific UserVoice for Microsoft 365 Lighthouse – join here.

I think Microsoft 365 Lighthouse will be a game-changer for MSPs. It’s a shift in how you manage your clients’ digital estates at scale, and I suspect that it’ll find fans in both large and small MSPs. At this stage, I have questions about the shared MSP model, which works in Azure Lighthouse, where you can have one MSP managing your backups and IaaS VMs and another MSP handling your databases. Today, that’s not supported in Microsoft 365 Lighthouse.

Another concern is the overlap with third-party MSP management tools, and my initial take is that I’m far more likely to trust Microsoft to get security right rather than the RMM software vendors of today (especially given recent news), plus a first-party provided tool is always preferable to me personally. Full disclosure – I don’t use an MSP tool in my business, but I do rely on N-Able Take Control for remote access to devices.

Microsoft 365 Lighthouse isn’t replacing a Remote Monitoring and Management (RMM) tool today. Once the functionality is expanded, I can see this being one of the main tools in your MSP toolbox.

Is it Time you Ditched On-Premises Services Completely?
https://www.altaro.com/msp-dojo/goodbye-on-premises/
Mon, 27 Jul 2020 16:06:43 +0000

It's a question a lot of MSPs ask themselves. This article breaks down the most important reasons to consider if it's the right move for your MSP.


In a previous post, I covered the term CSP (Cloud Solution Provider) and the differences between a CSP and an MSP. Since then, the question of continuing to offer on-premises services has come up a few times with readers and others in the community, and many seem to be wondering about it. I’d like to address this question specifically in today’s blog post.

Should You Make the Move to Cloud-Based Solutions?

If you’ve read many of my blog posts on this site and the other Hornetsecurity blogs, you’re likely prepared for one of my favorite answers. That is, “It depends.” On-premises requirements vary based on the organization for which you are providing services. The suitability of cloud solutions is not a one-size-fits-all proposition; it significantly depends on the unique operational needs and technological infrastructure of each organization.

Consider, for instance, a small realtor agency with a modest team of 10 users primarily utilizing document-oriented applications. Their technological footprint and demands are substantially different from a large-scale manufacturing entity, which might have 400 users interacting with a diverse suite of applications, including machine controls and intricate engineering software like CAD. These distinct operational scales and complexities inherently dictate the degree and manner of cloud integration that would be beneficial.

Cloud-based solutions, with their promise of scalability, flexibility, and cost-efficiency, should be earnestly considered and often preferred in many scenarios. As Cloud Solution Providers (CSPs), it is incumbent upon you to judiciously evaluate and recommend the appropriate level of cloud integration tailored to each client’s specific needs.

However, transitioning entirely away from on-premises servers is not always the optimal or feasible route. The current trend leans towards a hybrid cloud model, blending the security and control of on-premises infrastructure with the agility and innovation of cloud computing. This hybrid approach allows organizations to leverage the best of both worlds, accommodating a wide array of workloads and applications.

In conclusion, while the momentum is undeniably shifting towards cloud-based solutions, a thorough analysis of each organization’s requirements, coupled with a strategic approach to integrating cloud services, is paramount. CSPs must navigate this transition with a balanced perspective, aiming to harness the cloud’s potential while ensuring alignment with the business’s operational realities and long-term objectives.

Hybrid Cloud and the CSP

The truth is that very few organizations can go 100% cloud. Don’t get me wrong. That percentage is increasing as time goes on. But right now, many use cases still require an on-premises footprint. For example:

  • Highly GPU Intensive Workloads
  • Latency Sensitive Applications
  • Complex Monitoring Needs
  • Poor Connectivity
  • Disconnected (No External Connectivity) Scenarios
  • Recent Large Capital Investment in On-Prem Infrastructure
  • Low Customer Comfort with the Cloud

A good CSP will continue to leverage on-prem (only where it makes sense) and pair that with what works well in the cloud, such as:

  • Backup and DR
  • Email
  • File Storage
  • Web Apps
  • Office Applications
  • Collaboration Software
  • More!

Good CSPs provide exceptional value in knowing where on-prem and the public cloud intersect, and they can apply solutions for both with a high degree of skill to fill all the technology needs of a business.

Are there CSPs out there that ONLY do cloud? Sure. However, you’ll likely find that many of those CSPs operate in an industry vertical that organically lends itself well to running cloud-native. Other verticals aren’t so simple. Manufacturing, for example, often employs complex machine control and supply chain software that doesn’t lend itself well to running in the cloud (yet). This is not to mention engineering and parts-design software that doesn’t work well in cloud scenarios in most cases either.

Another good example is healthcare. Many functions within a hospital cannot be off-site to the cloud for regulatory reasons, or a given function is so critical to patient care (often life and death) that they can’t risk even the slightest connectivity outage.

Where and How You Can Move to Cloud-Based Solutions

In addressing the critical issue of shifting towards cloud-based services, my directive to both budding and seasoned Cloud Solution Providers (CSPs) is clear and straightforward: Prioritize cloud solutions in all your strategic planning and implementation. 

However, it is crucial to tailor these solutions to fit the specific needs and context of each business. Avoid forcing a universal solution onto diverse problems — akin to the futility of forcing a square peg into a round hole. Remember, the hallmark of a proficient solution provider is the ability to discern and deploy the most appropriate technology that aligns with the unique requirements and goals of a business.

As CSPs, your objective should be to guide businesses through the cloud transition smoothly and efficiently, ensuring that every technological adoption enhances operational excellence, cost-effectiveness, and competitive edge. This means conducting a thorough analysis of the business’s existing infrastructure, understanding its future goals, and accordingly, recommending cloud solutions that offer scalability, flexibility, and security.

It is also imperative to educate business leaders about the benefits and implications of cloud adoption, addressing any misconceptions or reservations they might have. By fostering a collaborative environment, you can work together to identify areas where cloud solutions can bring immediate value and areas where a gradual transition is more appropriate.

Ultimately, your role as a CSP is not just to implement technology but to be a strategic partner in your client’s journey towards digital transformation. By leading with cloud solutions yet respecting the unique shape of each business’s needs, you can carve a path to modernization that is both effective and sustainable. Embrace the cloud, but do so with the wisdom and adaptability that ensures every solution is a perfect fit for the business it serves.

Wrap-Up

What are your thoughts? Have you been trying to lead with cloud and struggling? Are your customers hesitant to invest in the cloud?

Thanks for reading!

4 Powerful Microsoft 365 Features Every MSP Should be Using
https://www.altaro.com/msp-dojo/microsoft-365-features/
Thu, 21 May 2020 15:28:25 +0000

Learn about powerful Microsoft 365 features that will wow your customers, solidify your relationship, and ensure more business through continued success.


As MSPs, we’re always looking for the next best thing for our customers. It’s a tough market. Budgets are always in flux. Competitors are always chomping at the heels of our clients, and the industry moves so fast that many business owners will scoff at the next wave of updates and features that the industry says are a MUST-have.

But what is a budding MSP to do? A proven strategy is to focus on hard-hitting features that are game-changing for their day-to-day work. The Microsoft 365 suite contains many such features, many known well and others not so much.

In this blog post, we are going to talk about 4 Microsoft 365 features that will wow your customers. When implemented properly, these features are a surefire way of solidifying your relationship with a customer and ensuring more business through their continued success!

Microsoft Teams

If we’re going to start with any hard-hitting application/feature in the Microsoft 365 suite, it’s got to be Microsoft Teams, right? There is perhaps no collaboration tool as expansive as Teams. And since the COVID-19 pandemic, Teams usage has surpassed 280 million users, according to Microsoft CEO Satya Nadella from a quarterly earnings report:

“Teams surpassed 280 million monthly active users this quarter, showing durable momentum since the pandemic. And we continue to take share across every category, from collaboration, to chat, to meetings, to calling.” 

Moreover, Mr. Nadella mentioned that “There are more than 500,000 active Teams Rooms devices, up 70 percent year-over-year. And the number of customers with more than 1,000 rooms doubled year-over-year.”

Teams is supplanting Outlook as the collaboration tool of choice for many organizations. It hadn’t really even dawned on me personally until I was having a conversation with a co-worker a few weeks back. She simply stated that “Teams has become home base” for her day-to-day work. I found that’s true for me as well! Historically, Outlook was the first app I would open when sipping the morning coffee. Today Outlook takes second place to Teams, and it’s easy to see why. If you’re not familiar with Teams, it offers a plethora of collaboration features:

  • Individual and Group Chat
  • Voice and Video Chat
  • Conferencing and Webinar capabilities
  • VoIP capabilities
  • Mobile Clients with Softphone Options
  • Integration with the rest of the M365 suite
  • Numerous 3rd party integrations (Some shown below)


Image 1 – Third-Party Application Addons for Microsoft Teams

I could go on, but in all seriousness, we could spend a whole series of articles on the benefits of teams and how to roll it out to your customers, and maybe we will!

That said, in the context of this article, Teams is listed first because it plays a part in some of the following items, which leads us to our number 2 pick!

Microsoft Stream

Many of us don’t enjoy being stuck in meetings, but I’m sure there have been a few occasions where there was a meeting you wanted to be in but were unable to make, right? What if any scheduled meeting could automatically create a recording and send it to invited attendees afterward? Teams meetings, paired with Microsoft Stream, allow you to do just that and more!

The best way I can describe Microsoft Stream for those who aren’t aware of it is simply this: Think of Microsoft Stream as YouTube for your Business. Stream is a video hosting platform that can be used in conjunction with other M365 features and apps. I already mentioned the Teams integration, but there are other features worth mentioning, such as:

  • Public and Private Channels
  • Video Sharing
  • Hashtags and Timecode Links
  • Watchlists
  • Featured Videos
  • Searchable Transcripts
  • Live Events (Shown Below)
  • Screen Capture and Editing
  • Polls, surveys, and quizzes (Coming Soon)


Image 2 – Setting up a Live Event in Microsoft Stream

All these features are easily glossed over when organizations look at the vast list of applications and features in M365. When employees and business owners truly discover the powerful features Stream provides, it becomes a game-changer. A few more example use cases here:

  1. Live or Recorded company updates from Leadership
  2. Mandated training materials distributed to workers
  3. Project and team briefings recorded for transparency and shelf-life
  4. Onboarding materials for new hires

The list goes on and on. With the integrations to the rest of the M365 platform, Stream will help take your customers’ operations to the next level!

Microsoft Planner

Task management is a bear, especially with distributed teams. You’ve got email, Teams, Outlook to-dos, sticky notes, napkins, and 100 other places to keep track of ongoing tasks. The true power of the M365 suite is in its integrations. Unlike your sticky notes or a notepad file, Microsoft Planner is plugged into and integrated with your core collaboration tools in a big way. This includes:

Need to rope team members in a task or a series of tasks? Need to collaborate with notes and chat in a unified view regarding said task? Need alerts for when the task is updated? How about the ability to attach files, due dates, reminders, categories, and more? If you answered yes to all of these, Planner can do it and more.

As mentioned earlier, Teams plays a large role in many of these features, and Planner is no different. In any given Team with the Teams app, you can click the plus sign on the top left and link a Microsoft Planner “plan” as a tab directly within Teams. This puts the Teams project plan right at their fingertips and enhances the overall collaboration experience.


Image 3 – Microsoft Planner Embedded in Teams as a Tab

One other thing I wanted to touch on before moving on to our next item: at an organizational level, when talking with your clients about Planner, I would recommend you have them plug this feature in at the department level. It really shines there. I’m often asked where these tools fit in relation to other task management tools, and this is the advice I usually provide:

For individuals and light taskers – Use Microsoft To-Do

For departmental teams and heavy taskers – Use Microsoft Planner

For Large Scale and Organization-Wide Projects – Use a Project Management Tool such as Microsoft Project

My reasoning behind it is this: Planner provides features over and above your basic to-do list (which is what To-Do is). That said, it lacks many of the more advanced ITIL and PMP project management capabilities found in more advanced tools. Don’t get me wrong, however! Planner is still a super powerful and stunning addition to any team looking to leverage Microsoft 365 to the fullest.

Multi-Factor Authentication with Conditional Access

The last item I’m going to talk about today is going to be the least visible of them all, and that’s ok! This particular item will wow your customers because of the fact that it DOESN’T make itself visible!

Those of us working in the technology space these last few years all know that multi-factor authentication is an absolute must. It provides an added layer of security in an age where ransomware and other cyber attacks are rampant. However, getting some customers to “deal with the security headache” (yes they are out there) can prove somewhat troublesome. That said, Microsoft has made the experience in Microsoft 365 stupidly easy.

Enabling the feature is quick, and end-users are provided with a prompt to enroll in MFA. Assuming you’ve properly communicated the steps to the end-users, they should have few problems with the process. Once done, they’ll get the typical MFA prompt as needed when logging in and will be given the option of remembering a device as a frequently used device for a length of time.

Some organizations would balk even at this much work, and that’s where the beauty of Conditional Access comes in. Conditional Access gives administrators and MSPs the ability to define safe locations that don’t require the MFA prompt. This mainly refers to your corporate network, meaning that someone in the office (or connected via VPN) will not be required to authenticate with MFA. This greatly reduces the effort required of end-users but still keeps them protected when they need it most: when they’re off-site.
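As an added example (not code from the original post), here is how the "require MFA everywhere except the corporate network" policy described above can be created with the Microsoft Graph PowerShell SDK; the cmdlets are the SDK's own, while the office IP range and the break-glass account id are constructed placeholders. It is created in report-only mode first, the same mode the Lighthouse baseline policies use, so sign-in logs show who would be prompted before anything is enforced.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph module is
# installed and the signed-in admin holds Policy.ReadWrite.ConditionalAccess.
# 203.0.113.0/24 and the break-glass object id below are constructed placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Define the office egress range as a *trusted* named location. The isTrusted flag
#    is what makes the "AllTrusted" exclusion in the policy below match it.
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "HQ office egress (constructed placeholder)"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.0/24"
        }
    )
}

# 2. Policy: all users, all cloud apps, any location EXCEPT trusted ones -> require MFA.
#    Starting in report-only mode means no one is prompted yet; review the sign-in logs,
#    then change state to "enabled" to enforce it.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require MFA off the corporate network"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            # Always keep an emergency-access account out of the policy (placeholder id).
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# 3. Read the policy back and confirm the exclusion is the trusted-location set rather
#    than one specific location id, so adding another trusted office later needs no
#    policy change.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
if ($check.Conditions.Locations.ExcludeLocations -contains "AllTrusted" -and
    $check.State -eq "enabledForReportingButNotEnforced") {
    "Policy '$($check.DisplayName)' created in report-only mode; trusted location '$($office.DisplayName)' is exempt from MFA."
} else {
    Write-Warning "Policy did not come back with the expected location exclusion or state; review before enabling."
}
```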


Image 4 – Conditional Access Policies in Azure AD

Now, conditional access does SO MUCH more than just this one thing. Make sure you review the full list in the Microsoft Docs article on conditional access.

One final thing you may be wondering about before we wrap up is what kind of licensing you need to get MFA with conditional access. See the image below for that information, along with the source in the caption!


Image 5 – Available versions of Azure Multi-Factor Authentication

Wrap-Up

This article should give you a good list of features you might want to talk about with your customers if you haven’t already. All of these features can take their collaboration and productivity efforts to the next level. So many organizations buy into Microsoft 365 and only enable mail and a few other features. Don’t let your customers waste the value! Help them squeeze every ounce of value out of what they’re paying for. In the end, you’ll continue to be their trusted IT partner, and you’ll share in their success moving forward!

What about you? Have you tried these features? Do you have customers using them? Would you like to see more content about anything we talked about today?

Thanks for reading!

Why MFA is No Longer Optional for MSPs (https://www.altaro.com/msp-dojo/mfa/, Fri, 08 May 2020 09:11:50 +0000)
Multi-Factor Authentication is essential for keeping your customers’ apps and data safe from cyberattacks. Here's what you need to know about the technology.

The post Why MFA is No Longer Optional for MSPs appeared first on Altaro DOJO | MSP.


One of the most common types of cyberattacks is one where cybercriminals seek to compromise the victim’s web credentials. Using email-based phishing attacks and increasingly convincing social engineering techniques, victims are tricked into providing their user ID and password for a wide range of cloud-based platforms and applications.

According to our 2023 Cybersecurity Report, phishing remains the most common type of email attack, constituting 39.6% of all detected threats. What makes online credentials so appealing to cybercriminals is the access these credentials provide to online banking, Office 365, Azure apps via Azure Active Directory, financial applications, customer data, and more. Gaining access to these kinds of applications and data can be detrimental to SMBs – potentially even causing them to shut their doors.

So, how can you as an MSP help protect your customers from this kind of cyberattack?

The answer lies in Multi-Factor Authentication (MFA).

Now let’s get onto some MFA basics and then talk about how you can incorporate this security control into your service offerings.

What is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) is a security method that uses multiple identifying “factors” to verify a user’s identity instead of relying on the traditional username and password. MFA requires additional factors to identify and authenticate the user. These factors include:

  • Text messages to the user’s smartphone
  • Sending codes to an alternate email address
  • Asking additional security questions
  • Using secondary authentication to trusted 3rd party sources
  • Biometrics (such as fingerprint or retina scan)
  • Facial recognition
  • Security hardware token device
  • Security token app on a user’s smartphone
  • Certificates

Additionally, depending on the MFA solution being used, details about when and from where the authentication request originates can also come into play, including location, day/time, IP address, the requesting device’s MAC address, etc.

All of these factors – in one form or another – fall into one of three generally accepted authentication factors:

  1. Something you know – This can be information relevant to authentication that the user themselves knows already, such as passwords, answers to security questions, etc.
  2. Something you have – These are generally represented by physical items the user possesses, such as a smartphone, security token, or RFID badge.
  3. Something you are – This is where biometrics and facial recognition come into play. This factor uses any physical characteristic that can help uniquely identify you.

Office 365 2 Factor Authentication Mobile Sign In

How Does MFA Work?

First off, notice we’re discussing multi-factor authentication. The focus here is for you to use multiple factors with your customers. Why? Because each of these factors on their own can be (and in many cases, have been) hacked or spoofed. Mobile devices have had their SIMs swapped for an attacker-controlled device, passwords can be cracked, and even fingerprints have been shown to be spoofable using 3D printing.

With MFA, the user authenticates by providing a number of factors – how many depends on the level of security needed, the individual’s role within the organization, etc. In general, the user first provides their usual username and password. Once provided, they are then presented with one or more additional challenges where the implemented factors mentioned above need to be satisfied.

Multi-Factor Authentication Steps

Where Do You Find MFA?

There are dozens and dozens of software vendors offering MFA. In many cases, it’s offered as part of a larger Identity and Access Management solution – which may be too complex for simply implementing MFA for your SMB customers. Microsoft offers Azure Multi-Factor Authentication to secure access to Azure Active Directory, Office 365, Azure-based VMs, applications, and data, as well as to be a trusted authority for third-party cloud applications and platforms. This service is simple enough to scale down to an SMB’s needs. And as mentioned, there are a number of vendors offering MFA solutions that are simple and cost-effective enough for an MSP.

Office 365 2 Factor Authentication Desktop Sign In

Why is MFA No Longer an Option for MSPs?

For MSPs, MFA offers the chance to drastically enhance security and protect your customers. To expand on that, here are five reasons why MFA is no longer optional but necessary for MSPs.

  • Prevent Cyber Threats

As cyberattacks grow in sophistication, no customer is immune to the risks of data breaches, ransomware, or phishing. MFA serves as a critical defense layer, rendering stolen credentials useless without the additional authentication factors, thereby protecting against unauthorized data access and system breaches.

  • Compliance and Industry Standards

The regulatory landscape is increasingly stringent, with numerous industries mandating MFA to safeguard sensitive data. For MSPs, non-adherence is not an option; failure to implement MFA can lead to severe penalties, legal ramifications, and reputational harm. It’s essential for meeting both compliance obligations and customer expectations.

  • Stringent Access Protocols

With the proliferation of remote work and cloud-based platforms, robust access controls are paramount. MFA ensures that only verified users can access critical applications and data, providing a significant barrier against unauthorized access and potential internal or external breaches.

  • Mitigating Fraud and Identity Theft Risks

The threat of identity theft and fraud is ever-present in the digital age. Implementing MFA introduces a formidable challenge for cybercriminals attempting to impersonate users or commit fraud, thus safeguarding business operations and sensitive information from such illicit activities.

  • Building Trust and Safeguarding Reputation

In a world increasingly conscious of cybersecurity, customers expect and demand stringent protection of their data. By implementing MFA, MSPs demonstrate a commitment to security, fostering trust, and reinforcing their reputation as a protector of customer interests and data integrity.

How to Go about Offering MFA to Your Customers

MSPs have several options to go about this. The first is to simply absorb the cost of setting up MFA and offer it at no charge. Microsoft Azure MFA has a free version that is a very viable option. If you are offering either Managed Office 365 services or Managed Security services, I’d suggest bundling it in as part of those services. For those SMB customers that are on the larger side and need MFA integration with single-sign-on access to multiple cloud applications, you’ll want to look at vendors like Okta, who focus on integrating their MFA with thousands of existing cloud products and services.

It’s Time to Secure Your Customer With MFA

Multi-Factor Authentication needs to be an embedded part of the service offerings that keep your customers’ applications and data safe from cyberattacks aimed at gaining access. By implementing MFA in your customers’ environments, you’ll help to minimize the risk of successful cyberattacks focused on credentialed access.

Why ISVs Should Use Azure Lighthouse (https://www.altaro.com/msp-dojo/isv-azure-lighthouse/, Thu, 30 Jan 2020 15:46:00 +0000)
Everything you need to know about the benefits of Azure Lighthouse for Independent Software Vendors and their customers.

The post Why ISVs Should Use Azure Lighthouse appeared first on Altaro DOJO | MSP.


Some MSPs with in-house dev teams can consider themselves ISVs (Independent Software Vendors). This post talks about the benefits of Azure Lighthouse for ISVs.

Windows Azure lets ISVs publish their cloud software on the Azure Marketplace and monetize it by offering services that help their customers operate it. Many companies using cloud services lack the in-house expertise to optimize their specific cloud services’ deployment, configuration, management, and reporting.

Azure Lighthouse allows ISVs to upsell managed services on top of their software. As the developer of a piece of software, you are likely to be the world’s leading expert in making it run as efficiently as possible. ISVs have been able to offer managed services through Azure for some time, but one of their major challenges was supporting every customer who subscribed to their service efficiently. 

In the past, the ISV’s service administrator would have to log in and manage dozens, perhaps hundreds, or even thousands of individual accounts. The administrative overhead alone added significant costs, which would often be passed down to the end-users. Azure Lighthouse provides a solution that allows ISVs to centrally manage tasks for all of their tenants from a single interface, which will be detailed throughout this blog.

For more information about Azure Lighthouse, check out the Altaro blog series about the Azure Lighthouse solutions, its foundational technologies using ADRM and AAD, Azure integration, and the go-to-market strategy.

Azure Lighthouse Benefits to Independent Software Developers (ISVs)

Azure Lighthouse brings a multitude of benefits to Independent Software Vendors (ISVs), significantly enhancing their operational capabilities, market reach, and customer service. Here’s a detailed breakdown of the advantages:

Streamlined Onboarding and Access Control 

Previously, the onboarding process for software and managed services was tedious, often involving prolonged email exchanges to secure the correct permissions. Azure Lighthouse revolutionizes this process by allowing ISVs to specify precisely which of the customer’s resource groups contain the software they need access to. With over 70 different types of roles available, ISVs can use role-based access control (RBAC) to determine the minimum access necessary for their team to perform operations effectively. This streamlined approach not only enhances the efficiency of onboarding new customers but also sets a positive tone for initial interactions, fostering trust and satisfaction from the get-go.

Enhanced Operational Efficiency and Service Standardization

Centralized management provided by Azure Lighthouse enables ISVs to scale their operational efficiency, standardize services, automate operations, and increase security and compliance. This unified management is accessible through the Azure Portal GUI or scripting with Azure PowerShell or Azure APIs.  Such centralization allows for the management of resources across multiple customer accounts, making it easier to handle repetitive tasks and focus on enhancing managed offerings, adding new core competencies, and expanding services. Moreover, these capabilities are provided by Microsoft Azure at no additional cost, though the consumed cloud resources are still billed to the ISV or their customer.

Security and Intellectual Property Protection 

With Azure Lighthouse, ISVs can maintain a secure environment for their and their customers’ intellectual property. Delegated access ensures that ISVs can manage customer resources without exposing any proprietary scripts or templates. This not only protects the ISVs’ intellectual property but also assures customers about the integrity and confidentiality of their resources. Security enhancements from Azure Lighthouse help maintain a robust service offering, retaining customers by ensuring that operations are secure and compliant. Moreover, this added security allows ISVs to focus more on adding value through their services, potentially maximizing profits or offering cost savings to customers.

Operational Efficiency through Automation 

Azure Lighthouse enables ISVs to automate repetitive tasks such as patching software. Through the GUI or scripts, ISVs can programmatically perform tasks against thousands of resources at once if they are managed by Azure Resource Manager (ARM).  This includes reporting, alerting, querying, servicing, security updates, or even deploying new services. For instance, an ISV can run a global query to identify all customer VMs running their software that need updates or repairs. This level of automation and control allows ISVs to efficiently maintain their software across various customer environments, enhancing service quality and customer satisfaction. Azure Lighthouse offers ISVs new operational efficiencies, enhanced security, and streamlined processes, allowing them to focus on innovation and growth while ensuring a secure, efficient, and customer-friendly service delivery. The multitude of benefits provided by Azure Lighthouse positions it as a game-changer in the realm of cloud services, particularly for those involved in providing managed services and software solutions.

Azure Lighthouse Benefits to the Customers of ISVs

Azure Lighthouse offers substantial benefits to the customers of Independent Software Vendors (ISVs), particularly enhancing the ease of integrating third-party software and managing cloud services. Here’s how it impacts the customers:

Simplified Integration and Management 

Many Azure customers, especially developers and those from smaller organizations, find the task of integrating third-party software daunting and potentially risky. Azure Lighthouse alleviates these concerns by simplifying the onboarding process using Azure Delegated Resource Manager (ADRM) technology. It transparently assigns management rights to the ISV, streamlining the process of software deployment and management.  Customers, now tenants of the ISV, can review and tweak permissions as needed, enjoying an easy setup while maintaining control. The Azure Marketplace further simplifies this by allowing customers to acquire cloud software and associated services from trusted providers, much like any app store.

Enhanced Transparency and Control 

Customers gain unparalleled transparency and control over their resources with Azure Lighthouse. Detailed logging and auditing provide insight into every action the ISV takes on their resources, ensuring accountability. Isolation between tenants guarantees that actions an ISV performs on one do not affect others, safeguarding against unauthorized changes.  Despite the delegated management, customers retain full control over their budget and billing, with the freedom to provide their own licenses, be billed directly for services, or purchase services through the Azure Marketplace. All these aspects are managed and visible through ARM, allowing customers to easily navigate to the Service Providers Page and view the subscriptions and services connected to their account.

Streamlined Onboarding and Permissions 

The onboarding process is significantly streamlined with Azure Lighthouse. Customers no longer need to navigate complex permission settings or worry about giving excessive access to their resources. They can simply review the permissions needed for the ISV to operate the new software.  For those with more advanced needs, configuring specific access from the 70+ Azure user roles to each resource is straightforward, allowing for granular control over who has access to what. This ease of managing permissions not only saves time but also ensures that the software is integrated and managed securely and efficiently.

Budget and Billing Autonomy 

Azure Lighthouse empowers customers to maintain autonomy over their budget and billing aspects. They can choose to provide their licenses, directly handle billing for ISV services, or opt for services through the Azure Marketplace. 

This flexibility ensures that they can align the services with their financial and operational strategies. Furthermore, the visibility provided by the Service Providers Page allows customers to monitor connected services and subscriptions effectively, ensuring they are always in control of their expenditures and service arrangements.

Wrap Up

Ultimately, Azure Lighthouse provides a better management experience for ISVs and their customers. Developers can upsell their software by also including deployment and support services. It easily plugs into existing programs and solutions, so now ISVs can spend more time with their customers and less time managing credentials. If you are an ISV that is going to publish its managed services through Azure Lighthouse, make sure that you check out the blog post on the go-to-market strategy so you can learn the best practices to stand out from the crowd.

How to Onboard Customers in Azure Lighthouse (https://www.altaro.com/msp-dojo/onboard-azure-lighthouse/, Thu, 09 Jan 2020 21:35:24 +0000)
Step-by-step guide to onboarding your customers' Azure resources in Azure Lighthouse for Managed Service Providers (MSPs) and software developers (ISVs).

The post How to Onboard Customers in Azure Lighthouse appeared first on Altaro DOJO | MSP.


This blog post will show you how to onboard your customers’ Azure resources in Azure Lighthouse.

Azure Lighthouse is a new collection of technologies that allows Managed Service Providers (MSPs) and software developers (ISVs) to centrally manage their tenants and monetize hosted services. These providers are able to use the Azure Marketplace as a web portal to post public offerings that are available worldwide, similar to an app store. MSPs can list IT services they offer to deploy, manage, optimize, secure or make compliant their customers’ cloud infrastructures, and ISVs can list their Azure software with additional services. The providers can use Azure Delegated Resource Manager (ADRM) and Azure Active Directory (AAD) to centrally manage all of their tenants from a single interface. For more information, check out the Altaro blog series about the Azure Lighthouse solutions, its foundational technologies using ADRM and AAD, Azure integration, and the go-to-market strategy.

There are three ways that a tenant can subscribe to a service from the MSP, which changes the way that the customer grants the MSP access to their environment.

The most common way is for a provider to publish a service to the Azure Marketplace, and this can be configured to be public or private. A public service is accessible to everyone, but there is no way to restrict subscribers by location, size or any other factor. Customers who purchase a public service grant access to the MSP automatically during the onboarding process, as described in how to publish a managed service on the Azure Marketplace.

  • To make a service accessible only to certain predefined customers (“private”), a specific list of tenant subscription IDs must be defined when the offering is created in the Azure Marketplace. Once the private customer has purchased an Azure Lighthouse service, the service provider must onboard their tenant, which requires delegating resources through Azure Active Directory (AAD).
  • Alternatively, the entire Azure Marketplace process can be skipped and an MSP can onboard a tenant directly through the series of steps described in this blog:
    • Collect Details for the Tenant and their Subscription
    • Either
      • Create Azure AD User Groups and Define Permissions
      • Create Service Principals and Define Permissions
    • Create an Azure Resource Manager (ARM) Template
    • Deploy an Azure Resource Manager (ARM) Template
    • Confirm Successful Onboarding for Both Parties

For either scenario, make sure that you’ve associated the tenant’s subscription ID with your Microsoft Partner Network (MPN) ID so that you get credited for consumption. While this guide is written from the perspective of an MSP, these same best practices are also applicable to ISVs who are offering managed services to deploy their software.

Step 1) Collect Details for the Tenant and their Subscription

When you are onboarding a customer, you have to know some of their unique identifiers so that you add the correct user and subscription information. Make sure that you have the following information:

  • Your Tenant ID (as an MSP or ISV). This can be found in the Azure Portal by hovering over your account name in the upper-right corner in the Azure Portal.
  • The Tenant ID of the customer. This can be found in the Azure Portal by asking the tenant to hover over their account name in the upper-right corner in the Azure Portal.
  • The Subscription ID of the customer for the subscription of every resource that you will be managing. If you are managing multiple resources that are in different subscriptions, then you will need each of these subscription IDs. This can be found by searching for the subscription(s) in Azure Active Directory. Onboarding will also register a new resource provider (Microsoft Managed Services) for the selected subscription(s).

Next, you need to set up the security framework using either Azure AD user groups, service principals or individual Azure user accounts (not recommended). Whenever you manage tenants’ accounts, especially if you have multiple tenants, you should never assign access to any individual user. This is because your staff may change over time, so as you need to add or remove certain administrators you can do this at the group level, instead of on each individual resource group. Not only does this provide centralized and simplified management at scale, but it also makes you look better to your tenants as they are not seeing your company’s turnover.

Steps for the user groups and service principals are described below. First, you must sign in and select the Azure subscription you are working in, which is done using the following PowerShell cmdlets:

PS C:\> Connect-AzAccount
PS C:\> Select-AzSubscription -Subscription <SubscriptionID>

Step 2) Create Azure AD User Groups and Define Permissions

Configuration for AAD user groups is fairly easy. It requires creating a new group for each role or task and then adding the appropriate administrators. You will then assign the type of administrative role that group has from the 70+ Azure user roles. You should also use a friendly name to help you and your tenants understand what that group is used for.

Next, you will get the object ID and role definitions for each Azure AD group, which can be determined through the following PowerShell queries:

PS C:\> (Get-AzADGroup -DisplayName '<GroupName>').Id
PS C:\> (Get-AzRoleDefinition -Name '<RoleName>').Id

Instead of using AD User Groups for user account access you can create an Azure service principal for application access.

Or: Step 2b) Create Service Principals and Define Permissions

An Azure service principal is an alternative type of identity used for tools, services, and applications to provide role-based access control (RBAC) rather than user accounts. It only supports a subset of the Azure roles to restrict a single application from having too much control. 

Also, you should pick the role which provides the minimum access that your staff needs. You want to ensure that you do not request more than is necessary, as potential clients could view this negatively and you may be perceived as untrustworthy.

You will also need to know the object ID of each Azure service principal (the service principal object itself, not the app registration, since that is the principal the role is assigned to) and the role definition IDs, which can be determined through the following PowerShell queries:

PS C:\> (Get-AzADServicePrincipal -DisplayName '<DisplayName>').Id
PS C:\> (Get-AzRoleDefinition -Name '<RoleName>').Id

Whenever you manage tenants’ accounts, especially if you have multiple tenants, Microsoft recommends:

“using Azure AD user groups for each role, allowing you to add or remove individual users to the group rather than assigning permissions directly to that user. You may also want to assign roles to a service principal. Be sure to follow the principle of least privilege so that users only have the permissions needed to complete their job, helping to reduce the chance of inadvertent errors.”

For more info, see Recommended security practices.

3) Create an Azure Resource Manager (ARM) Template

An ARM template lets administrators deploy an Azure-managed resource or resource group the exact same way every time. The template provides the framework to ensure consistency, which is critical so that you can automate and scale the management of this resource across multiple tenants. Your ARM template should include the following fields:

  • MSPName: This is your service provider name
  • MSPOfferDescription: This is a short description of your offer
  • ManagedByTenantID: This is the ID of your tenant
  • Authorizations: This describes the access needed, which can include:
    • RoleDefinitionID: This is the level of access needed for the resource template
    • PrincipalID: This is the ID for either your Azure group or Azure service principal
    • PrincipalDisplayName: This is the display name which your tenants see for your Azure group or Azure service principal

Since ARM templates can be tricky to create for inexperienced service providers, Microsoft provides code samples for different scenarios. These include both the template file along with a parameter file which are found here: https://github.com/Azure/Azure-Lighthouse-samples/. Here are the links to onboard:

  • Subscription (through the Azure Marketplace)
    • Template: MarketplaceDelegatedResourceManagement.json
    • Parameter file: MarketplaceDelegatedResourceManagement.parameters.json
  • Subscription (without the Azure Marketplace)
    • Template: DelegatedResourceManagement.json
    • Parameter file: DelegatedResourceManagement.parameters.json
  • Resource Group
    • Template: RGDelegatedResourceManagement.json
    • Parameter file: RGDelegatedResourceManagement.parameters.json
  • Multiple Resource Groups in a Subscription
    • Template: MultipleRgDelegatedResourceManagement.json
    • Parameter file: MultipleRgDelegatedResourceManagement.parameters.json

4) Deploy an Azure Resource Manager (ARM) Template

The hardest step is usually deploying the ARM template within the customer’s environment, because either the MSP needs to do it on the tenant’s behalf or the tenant must grant the MSP the correct permissions. Since a guest account cannot be used, this can be tougher for a novice customer. Every subscription needs a separate deployment. However, you can do this in a single deployment if you have multiple resource groups within a single subscription.

Once the correct permissions are configured, the following PowerShell cmdlets can be used for a remote deployment:

PS C:\> New-AzDeployment -Name <DeploymentName> `
    -TemplateUri <TemplateURI> `
    -TemplateParameterUri <ParameterURI> `
    -Location <AzureRegion> `
    -Verbose

5) Confirm Successful Onboarding for Both Parties

Now that the ARM template has been deployed, testing that the MSP can effectively manage it within the tenant’s environment is important. The MSP and the tenant should be able to see the connected subscription and ARM resources. After the template has been initially deployed, it could take a few minutes to appear while the portal refreshes.

The tenant can see the connected service(s) by navigating to the Service Providers Page, selecting Service Providers Offers, and seeing the subscription(s) with the correct offer name.

As the MSP, you can see this by going to the My Customers page, clicking on Customers, and verifying that you can see the tenant’s subscription(s).
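The whole onboarding procedure, steps 1 to 5, as one script. This is an added example and not code from the article or from the Azure-Lighthouse-samples repository; the group names, offer text, template URI, region and placeholder IDs are assumptions, and the parameter names follow the sample DelegatedResourceManagement template.

```powershell
# Added example: onboard one customer subscription into Azure Lighthouse with
# least-privilege group authorizations. All names and IDs below are constructed.

# --- Step 1: identifiers (run while signed in to the MSP tenant) -----------
Connect-AzAccount
$mspTenantId = (Get-AzContext).Tenant.Id

# --- Step 2: resolve the MSP's Azure AD groups and the role each one gets ---
# Two assumed groups: a read-only one for the help desk and a Contributor one
# for the engineers, so nobody is granted more than their job needs.
$authorizations = @(
    @(
        @{ group = "LH-Tier1-ReadOnly"; role = "Reader" },
        @{ group = "LH-Engineers";      role = "Contributor" }
    ) | ForEach-Object {
        @{
            principalId            = (Get-AzADGroup -DisplayName $_.group).Id
            principalIdDisplayName = $_.group          # what the tenant sees
            roleDefinitionId       = (Get-AzRoleDefinition -Name $_.role).Id
        }
    }
)

# --- Step 3: write the parameter file for the sample template ---------------
$parameters = @{
    '$schema'      = "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#"
    contentVersion = "1.0.0.0"
    parameters     = @{
        mspOfferName        = @{ value = "Contoso MSP - Azure operations (example)" }
        mspOfferDescription = @{ value = "Monitoring and patching of delegated resources" }
        managedByTenantId   = @{ value = $mspTenantId }
        authorizations      = @{ value = $authorizations }
    }
}
$paramFile = Join-Path $PWD "DelegatedResourceManagement.parameters.json"
$parameters | ConvertTo-Json -Depth 10 | Set-Content -Path $paramFile

# --- Step 4: deploy in the CUSTOMER's subscription ------------------------
# Needs an account in the customer tenant that can create role assignments
# (e.g. Owner); a guest account does not work. Placeholders from step 1:
Connect-AzAccount -Tenant "<CustomerTenantID>"
Select-AzSubscription -Subscription "<CustomerSubscriptionID>"

New-AzDeployment -Name "lighthouse-onboarding" `
    -TemplateUri "<TemplateURI of DelegatedResourceManagement.json>" `
    -TemplateParameterFile $paramFile `
    -Location "westeurope" `
    -Verbose

# --- Step 5: confirm from the customer side -----------------------------
# The registration definition (offer) and assignment (delegation) should now
# exist in the customer subscription; they also appear on the Service
# Providers page in the portal once it refreshes.
Get-AzManagedServicesDefinition | Format-List
Get-AzManagedServicesAssignment | Format-List
```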

Using these steps, you will have successfully onboarded a tenant by knowing the security identifiers, creating the appropriate security groups, creating an ARM template, deploying the template, and verifying that both parties can see it. Remember that when doing this at scale, consistency is critical so that the same ongoing management processes and scripts can be replicated on identical templates. 

Remember that with Azure Lighthouse, one of your greatest assets is the operational efficiency you can achieve through consistent global management. So, if you change your template after deploying it for several tenants, be sure to update their versions so that every template in production is identical to avoid any challenges with version control. With the steps you have learned, you can streamline deployment and management for all of your Azure Lighthouse tenants. 

How to Publish Managed Services Through Azure Lighthouse (https://www.altaro.com/msp-dojo/publish-services-azure-lighthouse/, Thu, 07 Nov 2019 16:13:38 +0000)
How to publish a managed service in the Azure Marketplace, so you can use Azure Delegated Resource Management (ADRM) to access customer cloud resources.

The post How to Publish Managed Services Through Azure Lighthouse appeared first on Altaro DOJO | MSP.


Azure Lighthouse provides Managed Service Providers (MSPs) and software developers (ISVs) with a centralized management portal to view their customers’ resources. Additionally, it makes it easy for MSPs and ISVs to find new customers by publishing their offerings on the Azure Marketplace (https://azuremarketplace.microsoft.com/marketplace/apps/company.servicename).

The Azure Marketplace web portal functions like an app store for Azure applications. It also lets MSPs publish IT services they offer, and ISVs can publish deployment or management services for their software. These managed services let the publishers maximize their revenue by monetizing their specialized skills to help Azure users deploy, manage, optimize, and even secure their cloud infrastructure.

Check out the Altaro blog series about the Azure Lighthouse solutions, its foundational technologies using ADRM and AAD, Azure integration, and the go-to-market strategy. This blog post will walk you through publishing a managed service in the Azure Marketplace, allowing you to use Azure Delegated Resource Management (ADRM) to access that customer’s cloud resources. While it refers to publication from the perspective of an MSP, these same best practices are also applicable to ISVs.

Prerequisites to Publishing a Managed Service

First, you must have access to publish to the Azure Marketplace, which means that you need to have a Microsoft Partner Account. To set this up, follow these instructions from Microsoft: https://docs.microsoft.com/en-us/azure/marketplace/partner-center-portal/create-account. You will need to have a Microsoft Partner Network (MPN) ID, which means that you have passed the requirements to be a certified partner. 

By linking your MPN account to your Azure Lighthouse offering, you will automatically be credited for the Azure consumption of any customers who subscribe to your service(s). This is helpful for MSPs trying to move to a higher certification tier, which requires proof of higher consumption.

You must also offer a standardized service to all possible customers, which is known as a public offering. In its current release, it is not possible to make a service offering only available to certain classes of customers based on their geography or other factors. Customized services must be provided through a private offering that uses an Azure Resource Manager (ARM) template, which is a topic we’ll be covering in detail in a future blog post.

It is also important to evaluate the marketplace to see what offers are already out there. Being the hundredth organization to offer basic Azure VM management may not be of much value. Take time to think about your team’s unique skill set and any IP that you have developed.  Which scripts have you created that scale up and secure workloads faster? How can you add greater resiliency or faster recovery to a service?  

Do you have expertise within a regulated industry and can ensure that your tenants will be compliant? Can you offer better Tier 1 support or SLAs?  Make sure that you are going to offer something to stand out from the crowd so that customers will select you over your competitors.

Also, consider asking your company’s search engine optimization (SEO) expert to help you build and define compelling keywords to increase your discoverability.  This is known as App Store Optimization (ASO). You can use publicly available tools like Google Keyword Planner or Bing Keyword Research to filter through organic search traffic. 

While these tools are designed for Google and Bing’s respective search engines rather than the Azure Marketplace, they can provide good guidelines for how customers may be searching for your types of services. And since any offer listed on the Azure Marketplace will get propagated to Google and Bing, this will also maximize your chance of getting more hits. Also, request that any of your customers who have subscribed to your offer give you a review. This will increase your visibility on the Azure Marketplace as positive recommendations increase your ranking.

Step 1) Create the Managed Service Offer & Settings

Once you have determined the public service to offer through the Azure Marketplace, you will go into the Cloud Partner Portal and select New Offer > Managed Services. You will then provide the following information:

  • Name: This is the friendly name that customers will see when they access the offer details. Make sure to include your company name and a clear description. This is limited to 50 characters.
  • Offer ID: This unique identifier for your offer appears in the billing reports and product URLs. Since product URLs are indexed by search engines and increase discoverability, including your company name and keywords here is helpful. This string is also restricted to 50 characters, but only lowercase letters, numbers, underscores, and dashes. Once this is created, it cannot be changed.
  • Publisher ID: You will select your publisher ID. This option is only provided since some partners have multiple publishing accounts.

After saving this information, you will create a new plan.

Step 2) Create a Plan

A plan is a variation of your offering, similar to an SKU. Consider using standard terms for the different tiers, like Bronze/Silver/Gold or Basic/Premium/Enterprise. Customers can browse and select the best plan for their requirements and budget. For each plan, you will select New Plan and complete the following information:

  • Plan ID: This is a unique identifier for your offer, which has the same uses and restrictions as the Offer ID from Step 1. It also cannot be changed.
  • Public / Private: By default, all plans are public and accessible to everyone in the marketplace. You can select a private plan if you want to restrict your plan to specific users. However, this choice cannot be changed once the plan is published. If you wish to limit the plan to certain users, you can provide a list of unique customer subscription IDs that are whitelisted to subscribe to this plan. You can enter these manually (currently limited to 10 subscriptions) or upload a CSV file (up to 20,000 subscriptions). It is also a good idea to include the subscription ID of your own test accounts to validate that the offering is published and working as expected.
  • Title: This is the friendly name that customers will see when they browse the plan’s details. Include your company name, a clear description, and any optimized search keywords. This is limited to 50 characters.
  • Summary: This lets you add a short description of the plan. Include your company name, a clear description, and any important keywords. This is limited to 100 characters.
  • Description: Here, you can add a long description, which lets you go into details of what you are offering and how to differentiate yourself. Here, you should include the following information:
    • Specific services that are included
    • Onboarding steps
    • Costs and billing process
    • Technical support and SLA
    • Company profile and experience
  • Billing Model: This option is a little confusing. For managed services, you must always select Bring your own license, because Microsoft does not bill the customer for the service on your behalf; you bill your customers directly for any associated costs.

After you Save, you’ll move on to the manifest details section.

Step 3) Configure the Manifest Details

The manifest defines exactly which of your tenants’ resources you will have access to and what permissions will be assigned. One of the fundamental technologies powering Azure Lighthouse is ADRM, which allows granular role-based access control (RBAC) that is requested by the MSP and approved by the customer. 

Access to any Azure resource managed by Azure Resource Manager (ARM) can be granted using any of the 70+ Azure built-in roles. Remember that with a public plan, every subscribing customer is required to assign identical access to the MSP. It is best to request the minimum access your service needs, both to avoid unnecessarily exposing your potential customers’ infrastructure and to avoid scaring them off, since they do not yet know or trust you.

For the manifest, you will provide the following information:

  • Version: Provide a version number in the format x.y.z, such as 2.1.1.
  • Tenant ID: Enter the GUID which is linked to your organization’s Azure Active Directory account. You can find this identifier for your directory from the upper right-hand corner of the Azure Portal.
  • A list of Authorizations: These define each of the resources which your staff can access for every customer who subscribes to the plan. These include:
    • Azure AD Object Display Name: This assigns a friendly name for each Azure resource which will be placed under management by the MSP. Make this clear and descriptive so that your customers understand the usage.
    • Azure Object ID: This provides the Azure AD GUID of the MSP’s admin, an MSP-managed Azure AD group, or the application which will be granted access to the customer’s resource group. If you are providing access to users, a best practice is to assign this to a group, rather than individual admin(s). This simplifies management as it lets you add and remove admins from that group as your staff changes, instead of having to make updates to every tenant’s workload each time someone joins or leaves your organization.
    • Role Definition: You will select which of the 70+ Azure AD built-in roles to assign to this Azure AD Object. This designates the permissions of that role to the specific object.
      • Assignable Roles: This option will only appear if you select the User Access Administrator role definition. In this case, you will define a list of different possible roles that the user can select and designate for their MSP.  This is helpful if you do not require one specific type of access to a resource group, want to build trust, and empower your users to specify the level of access themselves.
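As an added example (not code from this post or from Microsoft), here is the same manifest in the ARM-template form that Azure Lighthouse deploys as a Microsoft.ManagedServices/registrationDefinitions resource, together with a least-privilege review of the kind you would run before publishing a public plan. The MSP tenant, group and registration GUIDs are constructed placeholders; the four role definition IDs are the standard Azure built-in role GUIDs.

```python
"""Least-privilege review of an Azure Lighthouse delegation manifest (added example, not the post's code)."""
import json

# Azure RBAC built-in role definition IDs; these GUIDs are the same in every Azure tenant.
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
UAA = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
ROLE_NAMES = {READER: "Reader", CONTRIBUTOR: "Contributor", OWNER: "Owner",
              UAA: "User Access Administrator"}

# Constructed placeholder GUIDs for the MSP tenant and the MSP's Azure AD groups.
MSP_TENANT = "aaaaaaaa-0000-0000-0000-000000000001"
TIER1_GROUP = "bbbbbbbb-0000-0000-0000-000000000001"
VM_GROUP = "bbbbbbbb-0000-0000-0000-000000000002"
ACCESS_GROUP = "bbbbbbbb-0000-0000-0000-000000000003"


def authorization(principal_id, display_name, role_id, assignable=None):
    """One manifest row: display name, object ID, role definition and (UAA only) assignable roles."""
    row = {"principalId": principal_id, "principalIdDisplayName": display_name,
           "roleDefinitionId": role_id}
    if assignable is not None:
        row["delegatedRoleDefinitionIds"] = assignable
    return row


def make_template(msp_tenant_id, authorizations, version="2.1.1"):
    """Wrap the manifest in the Microsoft.ManagedServices/registrationDefinitions resource Lighthouse deploys."""
    return json.dumps({
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": version,
        "resources": [{
            "type": "Microsoft.ManagedServices/registrationDefinitions",
            "apiVersion": "2019-06-01",
            "name": "11111111-1111-1111-1111-111111111111",  # constructed registration ID
            "properties": {
                "registrationDefinitionName": "Example MSP - Basic VM Management",
                "description": "Monitoring and VM operations (constructed sample)",
                "managedByTenantId": msp_tenant_id,
                "authorizations": authorizations,
            },
        }],
    }, indent=2)


# A first draft that over-requests: Owner for engineers and an unscoped User Access Administrator.
DRAFT_TEMPLATE = make_template(MSP_TENANT, [
    authorization(TIER1_GROUP, "Example MSP - Tier 1 operators", READER),
    authorization(VM_GROUP, "Example MSP - VM engineers", OWNER),
    authorization(ACCESS_GROUP, "Example MSP - access managers", UAA, assignable=[]),
])

# The same offer trimmed to what the service needs: Contributor, and UAA limited to handing out Reader.
TRIMMED_TEMPLATE = make_template(MSP_TENANT, [
    authorization(TIER1_GROUP, "Example MSP - Tier 1 operators", READER),
    authorization(VM_GROUP, "Example MSP - VM engineers", CONTRIBUTOR),
    authorization(ACCESS_GROUP, "Example MSP - access managers", UAA, assignable=[READER]),
])


def load_manifest(template_text):
    """Return (managedByTenantId, authorizations) from the registration definition in the template."""
    for res in json.loads(template_text).get("resources", []):
        if res.get("type") == "Microsoft.ManagedServices/registrationDefinitions":
            props = res["properties"]
            return props["managedByTenantId"], props.get("authorizations", [])
    raise ValueError("template has no Microsoft.ManagedServices/registrationDefinitions resource")


def requested_roles(template_text):
    """Sorted, de-duplicated names of the roles every subscribing customer would have to grant."""
    _, auths = load_manifest(template_text)
    return sorted({ROLE_NAMES.get(a.get("roleDefinitionId"), "unknown role") for a in auths})


def review_manifest(template_text, expected_msp_tenant):
    """Return review findings as strings; an empty list means the manifest passed every check."""
    findings = []
    tenant, auths = load_manifest(template_text)
    if tenant != expected_msp_tenant:
        findings.append(f"managedByTenantId {tenant} is not the MSP tenant {expected_msp_tenant}")
    for auth in auths:
        who = auth.get("principalIdDisplayName") or auth.get("principalId", "<no principal>")
        role = auth.get("roleDefinitionId", "")
        delegated = auth.get("delegatedRoleDefinitionIds") or []
        if role == OWNER:
            # Azure Lighthouse does not support delegating Owner; Contributor or narrower is the ceiling.
            findings.append(f"{who}: Owner cannot be delegated; request Contributor or a narrower role")
        elif role not in ROLE_NAMES:
            findings.append(f"{who}: role {role or '<missing>'} is not in the reviewed built-in role list")
        if role == UAA:
            if not delegated:
                findings.append(f"{who}: User Access Administrator has no assignable roles, so it is unscoped")
            for d in delegated:
                if d in (OWNER, UAA):
                    findings.append(f"{who}: assignable role {ROLE_NAMES[d]} would let the MSP widen its own access")
        elif delegated:
            findings.append(f"{who}: delegatedRoleDefinitionIds is only meaningful with User Access Administrator")
    return findings
```

Running review_manifest over DRAFT_TEMPLATE reports the Owner request and the unscoped User Access Administrator; TRIMMED_TEMPLATE passes clean.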

Click Save, then you can add more details about your offering in the Marketplace section.

Step 4) Provide Marketplace Details

Next, you will enter the details that get published in the Azure Marketplace. These are publicly displayed and picked up by search engines.  Use your SEO/ASO best practices here with descriptive keywords to maximize your discoverability. Some of these fields are repetitive from details that you have previously entered, so you may wish to go back to earlier menus in a new browser tab so you can copy the previously entered text.

You will need to provide the following information:

  • Title: This is the friendly name that customers will see in the Azure Marketplace. Make sure to include your company name, a clear description, and any search optimized keywords. This is limited to 50 characters.
  • Marketing Identifier: This lets you add some customized text into URLs, which should include your company name and the name of your service. Including this text in the website link also helps with SEO/ASO. The URL will then follow the format https://azuremarketplace.microsoft.com/marketplace/apps/company.servicename.
  • Summary: This lets you add a short description of the plan. Make sure to include your company name, a clear description, and any search optimized keywords. This is limited to 100 characters.
  • Long Summary: This section allows you to enter a longer description using search optimized keywords. This has a maximum length of 256 characters.
  • Description: Here you can add a long description which lets you go into details of exactly what you are offering and how you can differentiate yourself. This also supports simple HTML and up to 3,000 characters. You ought to include the string “managed service” or “managed services” so that it gets picked up by internal and external search engines. Here you should include the following information:
    • Specific services which are included
    • Onboarding steps
    • Costs and billing process
    • Technical support and SLA
    • Company profile and experience
  • Useful Links: You can add a list of hyperlinks to your company’s website, product page, contact forms or anything else.
  • Categories: Select which categories you would like your managed services to be listed under. You can select a maximum of 5 categories, and it is best to select as many as are applicable so that potential customers who are browsing by category will discover your service.
  • Marketing Artifacts: Here you can upload your logos (required), screenshots (optional) or add links to product videos (optional). A logo is required in four sizes: 255×115 pixels (wide), 115×115 (large), 90×90 (medium) and 40×40 (small). Microsoft recommends keeping the logo simple with basic colors and with no text so that it looks consistent with the rest of their enterprise business offerings. You can also add a “hero logo” (815×290), which is a large background image that helps your service get visibility in the Azure Marketplace. Text for your company name, title and summary will automatically be added in white. Once published, you cannot remove the hero logo, but you can replace it.
  • Lead Management & Lead Destination: This section allows you to specify a CRM system where any customer leads will be automatically imported and stored.
  • Legal: Add the URLs for your Privacy Policy and for your Terms of Use.
  • Preview Subscription ID: You should always test that your Azure Marketplace offering looks right before you publish it. This is possible through adding a list of up to 100 subscription IDs for accounts that can preview the offer before it goes live. Microsoft’s product and support teams will also be able to view the marketplace preview.

Save your changes then move to the support section.

Step 5) Add Support Information

This section allows you to list contact information for your customer support and engineering teams. This includes a name, email address, and phone number. You will also be required to add URLs for support information. Make sure you keep this information current so that prospective customers can contact you. Microsoft may also use this contact information. Click Save so that you can review the information before it goes live.

Step 6) Publish your Managed Service Offering

You are almost ready to make your service offering go live. Take time to preview the offer from an account you defined using the Preview Subscription ID from Step 4. Once you click the Publish button, the offering will go through an automatic review and shortly afterward will appear in the Azure Marketplace.

Wrapping Up

Congratulations, you have now published your managed service in the Azure Marketplace. From here, you can expect new customers to discover your services and help you bring in new revenue. Make sure that you check out the next post from Altaro about onboarding Azure Lighthouse customers to understand the additional steps to access your tenants’ workloads.

An MSP Go-to-Market Strategy for Azure Lighthouse https://www.altaro.com/msp-dojo/market-strategy-azure-lighthouse/ https://www.altaro.com/msp-dojo/market-strategy-azure-lighthouse/#respond Fri, 25 Oct 2019 15:59:22 +0000 https://www.altaro.com/msp-dojo/?p=1561 How to define your go-to-market (GTM) strategy for your services using Azure Marketplace, Azure Resource Manager (ARM) or Managed Apps and make more money!


If you are a Managed Service Provider (MSP), I hope you are excited about what Azure Lighthouse can do for your business. And if not, you should be. Not only can you reach more customers, but your operations can be simplified through the centralized view that Azure Delegated Resource Management (ADRM) gives you across all your tenants. 

Microsoft does not even charge a fee to MSPs for using Azure Lighthouse and selling their Managed Services, so the revenue is yours to keep! This is the fourth blog in the series, which will help you define your go-to-market (GTM) strategy for your services using Azure Marketplace, Azure Resource Manager (ARM) templates, or Managed Apps. 

But first, make sure that you check out the earlier posts about the Azure Lighthouse solution, its foundational technologies using ADRM and AAD, and Azure integration. That last blog post describes all the Azure Services that integrate with Azure Lighthouse to help you maximize your customer base and revenue.

Managed Services in the Azure Marketplace

The Azure Marketplace is an incredible resource for anyone who builds or buys cloud software that runs on Azure. It aggregates every product that third parties can offer to Azure users, like an app store for the Microsoft cloud. Now, MSPs can offer their services to clients through the Azure Marketplace, opening up their business to millions of new customers around the world. Managed Services are a new type of offering that rely on Azure Lighthouse, ADRM, and Azure Active Directory (AAD), and allow customers to easily purchase and onboard an MSP.

While Consulting Services are not new to the Azure Marketplace, they have a broad scope and usually a fixed price.  Managed Services are different in that they are an ongoing engagement and use ADRM.

A Managed Service can be either public or private. Public ones are published in the Azure Marketplace and available to all users. At this time, there is no way to limit the consumer by their geography or Azure region, although this will likely be added in the future. 

The way to restrict who can access a plan is by configuring it private. MSPs can then provide a preapproved list (a “whitelist”) of subscription IDs that can access this service. Public plans are recommended for service providers trying to expand their business and find new customers without paying any additional customer acquisition costs. 

However, new customers may be hesitant to grant an unknown service provider broad access to their infrastructure. It can be best to keep the public offering fairly simple but have extended private offerings that you can upsell to these new tenants as you build trust with them. Also, consider offering them important services they may not have realized they could request, such as the Azure Health Service.

Another option is to have a hybrid offering, which allows you to include both private and public plans within the same offer. This gives you the broadest solution, allowing you to discover new customers and upsell them on additional services as you develop a relationship. You should also be aware that once you publish a public plan, you cannot change it to a private plan; you would need to remove it entirely if you want to republish it with any restrictions. Part of the publishing process requires you to provide a title, description, and other searchable terms.  

We’ll provide some best practices for app store optimization (ASO) in a future post, so be sure to keep an eye out for that!

Once a customer has purchased a Managed Service through the Azure Marketplace, they go through an onboarding process. This allows them to identify which subscriptions and resource groups can be managed by the MSP to perform their service. A manifest defined by the service provider will detail which Azure AD services, users, and groups will need access to the customer’s groups, which the tenant can accept, change, or decline. Once these permissions are assigned, the onboarding is complete, and Azure Delegated Resource Management (ADRM) will grant the MSP access to the approved tenant resources.

Azure Lighthouse with ARM Templates

If you are setting up services for a tenant without going through the Azure Marketplace, then you will use Azure Resource Manager (ARM) templates. An ARM template is a JSON file that defines the exact configuration of an Azure resource group, including all of its resources, settings, dependencies, and permissions. This is essentially a blueprint that is used to streamline deployment and guarantee consistency instead of repeating a series of manual configuration steps. The ARM template can be authored via the GUI-based Azure Portal, Visual Studio, Visual Studio Code or IntelliJ IDEA.

ARM templates are used with Azure Lighthouse as they allow an MSP to deploy a service for a tenant. This can be a fresh deployment for a new tenant or adding additional services to an existing tenant, such as after an upsell opportunity from the Azure Marketplace. Since the template will be created by the MSP, they can guarantee consistency across all of the tenants. This not only simplifies deployment, but also ongoing management and operations. For example, when the service provider needs to make a configuration change, they can do that programmatically across all their tenants. These ARM templates should be considered as valuable intellectual property for the service provider, as they take considerable time to craft and perfect. One advantage of using Azure Lighthouse and ADRM is that these templates remain in the service providers’ infrastructure, so by not exposing them directly to their tenants, they can retain and protect their IP.

Azure Lighthouse with Managed Applications (Apps) and ISVs

Managed Services offered through Azure Lighthouse are not restricted to service providers: ISVs can publish them alongside their software as Azure Managed Applications (Apps). Azure Marketplace lets a developer sell their software and upsell the deployment and management services for it. When a customer purchases the software, they will deploy it into a resource group with ADRM access provided to that publisher.

The ISV can perform ongoing maintenance, troubleshooting, and operational tasks for their customers. Azure Lighthouse has made this easier for ISVs or any MSP with expertise in managing a specific app. Again, we’ll discuss this topic in more detail in an upcoming blog post.

Azure Lighthouse with APIs, Scripts & GitHub

Microsoft invested significant effort in making the Azure Lighthouse management experience consistent between the Azure Portal GUI and its APIs. While service providers new to Azure may start with the Azure Portal, learning Azure PowerShell or Azure CLI is essential to provide automated management for their tenants at scale. When using Azure Lighthouse, scripting your operational tasks becomes necessary so that you can save each step into an ARM template to ensure that it is run the same every time. Fortunately, Microsoft has provided numerous code samples for ARM templates and a GitHub repository for Azure Lighthouse to get you started.

Final Go-To-Market Strategies

To summarize, you should publish your Managed Services with low-touch offerings through the Azure Marketplace to find new customers. As you build trust, offer tenants value-added services that you can deploy through private offerings or your portfolio of ARM templates. Consider targeting specific (regulated) industries or verticals to build expertise in these areas and differentiate yourself. As a service provider, you are likely also part of the Microsoft Partner Network (MPN). When you first sign up or during your annual renewal, you must provide some customer references. 

With Azure Lighthouse, you can simplify this step by associating your MPN ID with the tenant subscriptions you manage. The revenue you create through managing these customers is credited to your organization. If you publish an offer through the Azure Marketplace, this happens automatically. If you are onboarding a customer independently using an ARM template, you can still manually associate their ID so you are given credit. Remember that Microsoft does not take a cut of the revenue generated from these Managed Services, which will encourage broader Azure Lighthouse adoption.

Thanks for reading!

11 Rad Ways Azure Lighthouse Integrates with Azure Services https://www.altaro.com/msp-dojo/azure-lighthouse-azure-services/ https://www.altaro.com/msp-dojo/azure-lighthouse-azure-services/#respond Thu, 10 Oct 2019 16:36:47 +0000 https://www.altaro.com/msp-dojo/?p=1548 Azure Lighthouse changes how MSPs operate their businesses through its centralized multi-tenant management. Add Azure Services integration for another level


Azure Lighthouse is changing how Managed Service Providers (MSPs) operate their business through its model of centralized multi-tenant management. Now, MSPs can manage multiple customers’ environments more securely without switching accounts, directories, or subscriptions. This means that all operations can be applied across multiple tenants at scale. MSPs can significantly reduce their operational costs and complexity while reaching more customers and maximizing their revenue.

Check out the first blog post from Altaro, which covers an overview of the Azure Lighthouse solution, and the second post, which explains the underlying Azure Lighthouse technology. This third post will cover key integrations with Azure services in the control plane and give you some ideas to help you scale your service provider business.

Azure Lighthouse with Existing Azure Services

Since Azure Lighthouse is a new solution offering, not every Azure service is supported yet. The key requirement for integration is that the Azure component must support Azure Delegated Resource Management (ADRM), allowing tenants to assign role-based access control (RBAC) to their service provider. The following list of services is fully supported and should be considered by MSPs to include in their service offerings. The order below is a good way to think through your Azure Lighthouse offerings, starting with the most basic services and ending with more advanced options.

1. Azure Policy with Azure Lighthouse

For the MSP and tenant partnerships to be successful, one of the fundamental philosophies is to ensure that there is trust between both groups. Azure Policy ensures that all managed resources stay compliant with corporate standards.  With Azure Lighthouse, this can be an effective tool for both parties.  

If a tenant has strict security standards, Azure Policy can ensure that their service provider adheres to them, and this can be particularly important if the tenant is within a regulated industry.  However, many tenants are inexperienced with configuring Azure, so they have delegated their operations to an MSP.  As a service provider, you may already have high operational standards, or part of your offering may be to guarantee compliance within a regulated industry so you can apply your Azure Policy best practices to your tenants’ infrastructure.  This is also a great use case of how Azure Lighthouse allows MSPs to maintain their technical intellectual property (IP) while extending their services to new tenants.

2. Azure Resource Graph with Azure Lighthouse

Azure Resource Graph is an extension of Azure (Delegated) Resource Manager (ARM/ADRM), which allows service providers to run queries at scale to test for compliance. It provides an Azure PowerShell and Azure CLI interface for MSPs to test against their tenants’ environments across multiple subscriptions. It can verify that Azure Policy rules are enforced correctly and flag any misconfigurations. The results can be sorted with advanced filtering based on resource properties, including by tenant (customer). You can even track changes and configuration drifts across your tenants.

3. Azure Service Health with Azure Lighthouse

Set up Azure Service Health for your managed accounts to get a global view of the health of your tenants’ services and resources. Service Health also lets you view the Azure infrastructure operated by Microsoft, which your tenants are using.  

You can set up different types of alerting for outages, which can be a useful value-added service for an MSP offering Tier 1 support. Many tenants will want to defer critical support to their MSP.  Even if you have a tenant that has not subscribed to your Tier 1 support, if an outage happens and you can use Azure Service Health to show them that you could have more quickly identified the problem for them, they will be more likely to subscribe to your premium services.

4. Azure Monitor with Azure Lighthouse

Now that you have set up access and security policies for your tenants, configure Azure Monitor to begin collecting data about their environment.  Even if you do not know how to leverage this information yet, turning it on immediately is a good best practice, so you have the data when you need it. 

You can now view alerts across numerous subscriptions and view activity logs for managed resources. You can also run a single query across all of your tenants to see if an issue or security threat that impacted one customer has a broader impact. If you are an MSP focusing on a specific regulated industry, then having this visibility across multiple customers can give you valuable insight, operational efficiencies, and competitive advantage.

5. Azure Virtual Network with Azure Lighthouse

Once your tenants’ infrastructure is secure and protected, you may wish to optimize their virtual infrastructure.  Networking is usually one of the more challenging IT management operations, and Azure imposes additional restrictions that may take a specialist to understand. This is another value-added service that MSPs can offer: Azure network administration. Azure Lighthouse allows delegated access to virtual networks and virtual NICs, letting MSPs optimize the traffic, make it resilient to failures, apply security policies, and monitor bandwidth utilization.

6. Azure Virtual Machines with Azure Lighthouse

Probably the most popular delegated management service will be for Azure Virtual Machines. Tenants can permit MSPs full access to their virtual machines (VMs), except for managing their product licenses via Key Vault. This means that the service provider can deploy VMs, configure storage, networking, and memory, and run post-deployment configuration tasks, scripts, diagnostics, and almost every other aspect of operations. 

The MSP can also log into that VM to configure any guest workloads. Since most Azure workloads run inside Azure VMs, the delegated management services offered through Azure Lighthouse will support almost every tenant virtual machine scenario.

7. Azure Kubernetes Service (AKS) with Azure Lighthouse

There are a growing number of organizations using containers instead of VMs to run their virtualized services.  Azure Kubernetes Service (AKS) allows organizations to use Azure to manage a Kubernetes cluster, handling all administrative tasks from deployment to monitoring to maintenance. 

Containerization offers numerous resource optimization and consolidation benefits as compared to traditional VMs, yet they are generally considered more complicated to manage. This presents a great opportunity for MSPs to manage Kubernetes as a service for their tenants using Azure Lighthouse.

8. Azure Security Center with Azure Lighthouse

Perhaps one of the best use cases for MSPs to support their tenants is through the Azure Security Center. This Azure service centrally manages and protects Azure resources, bringing together proactive and reactive best practices from Microsoft’s security experts.

Organizations that need to outsource their IT management usually do not have security experts on their staff, so they are likely to want to offload security management to their MSPs.  The cloud adds additional security challenges since it is changing so rapidly and has a broad attack surface on public infrastructure. Leveraging Azure Security Center is highly recommended for any organization, especially those in regulated industries or protecting sensitive data.

With Azure Lighthouse, MSPs can monitor all of their tenants from a single interface and apply changes at scale. All of the security data is centrally collected to show industry-wide trends, which MSPs can build into their IP. Some advanced features available to MSPs include the ability to provide just-in-time (JIT) access to VMs, dynamic (adaptive) network hardening, registry change monitoring, and whitelisting only permitted applications or processes.

9. Azure Backup with Azure Lighthouse

Azure Lighthouse gives MSPs the ability to manage backups for the tenants’ infrastructures using Azure Backup.  Although Azure Backup is fairly easy to use, backups are so important to the business that they often make risk-averse Azure users want to hand off this responsibility to experts.  Service providers can centrally manage backup and restore for their tenants’ Azure VMs and storage.  

Since Azure Backup offers different options around the frequency (RPO), recovery time (RTO), storage retention, and storage redundancy, an MSP can offer simplified plans like “Gold,” “Silver,” and “Bronze.” For tenants who are in a regulated industry, storage compliance can be especially important, as you will often need to retain all data and destroy specific records after a certain period.

10. Azure Site Recovery with Azure Lighthouse

One of the most popular Azure features is Azure Site Recovery (ASR). It lets an organization replicate its on-premises Hyper-V or VMware virtual machines to Microsoft Azure, using the public cloud as a disaster recovery site. For MSPs, offering disaster recovery as a service (DRaaS) is a great way to win customers who have not yet moved their daily operations to the public cloud, and to drive Azure adoption.

Since ASR requires components to be installed in the tenant's existing datacenter (the Site Recovery provider and agent on Hyper-V hosts, or a configuration server or replication appliance for VMware), and those customers are likely still running on-premises Windows Server Active Directory, ADRM cannot provide an end-to-end delegated solution: Azure Lighthouse only delegates resources that live under Azure Resource Manager. The MSP will need remote access to the on-premises hosts, or will have to give the customer instructions, to register them with the Recovery Services vault. Once registered, replication runs from the on-premises hosts to managed disks in Azure, and the service provider can manage replication health, test failovers and real failovers from the vault through Azure Lighthouse.

11. Azure Automation with Azure Lighthouse

Azure Automation may be one of the most valuable services MSPs can provide through Azure Lighthouse. It is listed last because service providers should define their service offerings before they start automating them at scale.

Azure Automation includes process/workflow automation, configuration management, update management, and scheduling for both Windows and Linux. This is where the service provider's intellectual property (IP) really becomes valuable, in the form of the custom scripts and processes it has built: streamlining deployment, enforcing compliance, adjusting dynamically to infrastructure changes, or simplifying reporting.

Azure Automation lets MSPs differentiate their offerings and create new value for their customers. While Azure Automation can target both Azure resources and on-premises machines (through Hybrid Runbook Workers), managing on-premises systems through Azure Lighthouse is still limited, because the delegation model (ADRM and Azure AD) only covers resources under Azure Resource Manager.

Wrap-Up

Azure Lighthouse already supports many Azure services, and the list will keep growing with time and industry adoption. If there are additional services you would like to see, post about them in the comments section of this blog and request them through the Microsoft Partner Network (MPN) portal. From this blog series you should now understand the value of Azure Lighthouse and its foundational technologies, ADRM and Azure AD; in the next post we will review Azure Marketplace go-to-market strategies.

What are your thoughts so far? Do you see yourself using this within your organization? Do you see it helping you do more Azure business?

The post 11 Rad Ways Azure Lighthouse Integrates with Azure Services appeared first on Altaro DOJO | MSP.

Azure Lighthouse Core Services https://www.altaro.com/msp-dojo/azure-lighthouse-core-services/ https://www.altaro.com/msp-dojo/azure-lighthouse-core-services/#respond Thu, 26 Sep 2019 17:19:37 +0000 https://www.altaro.com/msp-dojo/?p=1495 Discover how the Azure Delegated Resource Management (ADRM) service and Azure Active Directory (Azure AD) technologies power Azure Lighthouse

The post Azure Lighthouse Core Services appeared first on Altaro DOJO | MSP.


If your organization manages Azure services for others, or your cloud resources are operated by a Managed Service Provider (MSP), then you should be excited about Azure Lighthouse. This service for Microsoft Azure simplifies delegated administration. Azure Lighthouse gives MSPs a new management layer at the customer level, allowing them to administer every resource for every customer centrally, through a single console.

Check out the first blog in this series for an answer to the question: What is Azure Lighthouse? This post focuses on how the Azure Delegated Resource Management (ADRM) service and Azure Active Directory (Azure AD) technologies power Azure Lighthouse. Although this post discusses MSPs using Azure Lighthouse to manage tenants, an enterprise can use the same functionality to centrally manage its different cost centers across separate Azure subscriptions.

Azure Lighthouse Access with Azure Delegated Resource Management (ADRM)

If you have used Microsoft Azure, you are probably familiar with Azure Resource Manager (ARM). ARM is the centralized deployment and management component for all of your resources, including VMs, web apps, networks, storage, databases, and almost every other Azure-managed service. 

Most administrators use its GUI through the Azure Portal, but it is also supported by Azure PowerShell, the Azure CLI, and REST APIs. It allows you to specify a subscription (for billing), create a resource group, and deploy Azure-based resources. Azure Delegated Resource Management (ADRM) is built on ARM but adds an extra management layer of "customers." This allows you to centrally manage multiple customers' subscriptions without changing your credentials, subscription, or directory.

Trust is still critical in this management paradigm, so there must be transparency between the MSP and the tenant. The tenant must authorize the service provider for specific subscriptions or resource groups (delegation works at those two scopes), choosing the role-based access control (RBAC) roles to grant from the Azure built-in roles. Note the limits: Azure Lighthouse does not accept the Owner role, custom roles, or built-in roles that carry data-plane (DataActions) permissions, and User Access Administrator is allowed only for the narrow purpose of assigning roles to managed identities. During onboarding, a tenant sees exactly which principals and roles the offer or template requests before accepting.

All actions performed by any service provider are logged in both the tenant’s and MSP’s accounts so that there is a consistent audit trail for both parties.

Behind the scenes, ADRM works with two Azure resources. A registration definition records the service provider's tenant ID (managedByTenantId) and a list of authorizations, each pairing a user, group or service principal from the provider's tenant with an Azure built-in role. A registration assignment then applies that definition to a subscription or resource group, which projects those provider identities into the customer's scope with the listed roles. Both resources are created in the customer's subscription when the tenant accepts a Managed Service offer in the Azure Marketplace or deploys the provider's ARM template directly. From then on, the MSP sees every delegated resource from its own centralized management dashboard, without holding any credentials in the customer tenant.
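
The provider-side view of those registration assignments, as an added example that is not code from the original post: signed in once to the MSP's own tenant, it lists every subscription delegated through Azure Lighthouse, grouped by the customer's home tenant, and the assignment behind each delegation. It assumes Az.Accounts 2.x or later (which exposes HomeTenantId and ManagedByTenantIds on subscription objects) and Az.ManagedServices 3.x (whose assignment objects carry RegistrationDefinitionId and ProvisioningState as top-level properties); the MSP tenant ID is supplied by the caller.

```powershell
# Added example, not code from the original post: from the service provider's own
# sign-in, list every customer subscription delegated through Azure Lighthouse, grouped
# by the customer's home tenant, together with the registration assignment behind it.
# Assumptions (not stated on the page): Az.Accounts 2.x or later for HomeTenantId and
# ManagedByTenantIds on subscriptions; Az.ManagedServices 3.x for the flattened
# RegistrationDefinitionId / ProvisioningState properties; $MspTenantId is a caller value.
param(
    [Parameter(Mandatory)] [string] $MspTenantId
)

# One sign-in to the provider's tenant is enough: delegated subscriptions appear next to
# the provider's own, without switching directory or credentials.
Connect-AzAccount -TenantId $MspTenantId | Out-Null

# A Lighthouse delegation is a subscription whose home tenant is not ours but which
# lists our tenant as a managing tenant. Subscriptions we own outright are excluded.
$delegated = Get-AzSubscription | Where-Object {
    $_.HomeTenantId -ne $MspTenantId -and $_.ManagedByTenantIds -contains $MspTenantId
}

$report = foreach ($sub in $delegated) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    # The assignment is what the customer deployed; its definition carries the
    # authorizations (principal + role) the provider was granted.
    $assignments = Get-AzManagedServicesAssignment -Scope "/subscriptions/$($sub.Id)" `
                     -ErrorAction SilentlyContinue
    if (-not $assignments) {
        # Visible but no readable subscription-scope assignment: usually the delegation
        # is still provisioning or was granted at resource-group scope only.
        [pscustomobject]@{
            CustomerTenantId = $sub.HomeTenantId; Subscription = $sub.Name; SubscriptionId = $sub.Id
            Assignment = '<none at subscription scope>'; DefinitionId = $null; State = $null
        }
        continue
    }
    foreach ($a in $assignments) {
        [pscustomobject]@{
            CustomerTenantId = $sub.HomeTenantId
            Subscription     = $sub.Name
            SubscriptionId   = $sub.Id
            Assignment       = $a.Name
            DefinitionId     = $a.RegistrationDefinitionId
            State            = $a.ProvisioningState
        }
    }
}

$report | Sort-Object CustomerTenantId, Subscription | Format-Table -AutoSize

# Check: a delegation that is not in the Succeeded state should not be relied on for
# service delivery until someone has looked at it.
$report | Where-Object { $_.State -and $_.State -ne 'Succeeded' }
```

Run it as `.\Get-LighthouseDelegations.ps1 -MspTenantId <provider tenant ID>`. The filter on HomeTenantId matters: without it, subscriptions the MSP owns in its own tenant would be mixed into the customer inventory.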

Contrast this with the Azure Cloud Solution Provider (CSP) program, where partners use Admin On Behalf Of (AOBO) to reach their customers' subscriptions. AOBO grants the partner's Admin Agents group Owner-level rights on every CSP subscription; the customer cannot narrow that down, so it is an all-or-nothing arrangement.

From the tenant's perspective, this lacks the role-based access control to limit a service provider to individual resource groups. From the MSP's side, there is no multi-customer management interface, so engineers are constantly context-switching. Azure Lighthouse is likely to displace AOBO as the access model for CSP partners over time.

Azure Lighthouse Security with Azure Active Directory (AAD)

Besides ADRM, the other fundamental technology behind Azure Lighthouse is Azure Active Directory (AAD). Like the on-premises Active Directory used for identity and access management in a private datacenter, Azure AD handles identity for public cloud services. Each Azure AD directory (tenant) has a unique tenant ID, and every user, group and service principal within it has a unique object ID; Lighthouse authorizations reference both.

When an MSP is granted access to a tenant's resources, it can perform the authorized operations against resources in that tenant from its own account. Service providers get a new dashboard, My customers, which lists each customer, subscription, offer, delegation, and permission. Below are four use cases or best practices that Azure AD enables in this situation:

Principle of Least Privilege

A good best practice for Azure Lighthouse users is the principle of least privilege: tenants should minimize the access they give service providers. Customers should only delegate the subscriptions or resource groups the MSP needs, with the least privileged role that still lets it complete its tasks (Reader for monitoring, a narrowly scoped role such as Backup Contributor for operations). This protects both the tenant and the service provider by limiting what an inexperienced or disgruntled employee, or a compromised MSP account, can do in a customer's environment.

Group-Based Membership

Azure Active Directory also lets admins be pooled in groups: for example, all MSP engineers who need access to networking can be placed in a "Network Admins" group, and so on. A Lighthouse authorization can name such a group (by its object ID in the provider's tenant) instead of individual users. This helps everyone, because as engineers join and leave the service provider they only need to be added to or removed from the right group, and the change propagates to every delegated resource group immediately.

This is more secure than assigning each admin directly to each resource across all tenants. If an admin leaves the service provider, they are simply removed from the Azure AD group instead of having access revoked in numerous places. The MSP manages this onboarding/offboarding internally, so the tenant does not need to track the service provider's staff. MSPs should review group membership regularly to maintain compliance and minimize the risk of unauthorized access.
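
Putting the registration definition and assignment from the ADRM section together with the least-privilege and group-based practices above, as an added example that is not code from the original post: it onboards one customer subscription to Azure Lighthouse with authorizations that name provider-tenant groups, grant only built-in roles sized to the task, and include the role that lets the provider remove its own delegation at contract end. It runs in the customer tenant and assumes the Az.Accounts, Az.Resources and Az.ManagedServices modules; the tenant ID, subscription ID, group object IDs and the "Contoso MSP" display names are placeholders.

```powershell
# Added example, not code from the original post: onboard one customer subscription to
# Azure Lighthouse with group-based, least-privilege authorizations, then verify the
# delegation from the customer's side. Runs in the CUSTOMER tenant with an account that
# holds Owner on the subscription. Assumptions (not stated on the page): Az.Accounts,
# Az.Resources and Az.ManagedServices modules; every ID and display name below is a
# placeholder. Group object IDs come from the PROVIDER's Azure AD, not the customer's.
$mspTenantId            = '00000000-0000-0000-0000-000000000000'   # placeholder: provider tenant
$customerSubscriptionId = '11111111-1111-1111-1111-111111111111'   # placeholder: customer subscription
$mspGroups = @{
    # Each group lives in the provider tenant; membership is managed there, so staff
    # changes never require the customer to redeploy anything.
    Monitoring = '22222222-2222-2222-2222-222222222222'   # placeholder object ID
    Backup     = '33333333-3333-3333-3333-333333333333'   # placeholder object ID
    Offboard   = '44444444-4444-4444-4444-444444444444'   # placeholder object ID
}

Set-AzContext -SubscriptionId $customerSubscriptionId | Out-Null

# Role definition IDs are looked up by name rather than hard-coded. Lighthouse accepts
# built-in roles only; Owner and custom roles are rejected, so neither appears here.
function Get-RoleId([string] $RoleName) { (Get-AzRoleDefinition -Name $RoleName).Id }

$authorizations = @(
    @{ principalId = $mspGroups.Monitoring; principalIdDisplayName = 'Contoso MSP - Monitoring'
       roleDefinitionId = Get-RoleId 'Reader' },
    @{ principalId = $mspGroups.Monitoring; principalIdDisplayName = 'Contoso MSP - Monitoring'
       roleDefinitionId = Get-RoleId 'Security Reader' },
    @{ principalId = $mspGroups.Backup;     principalIdDisplayName = 'Contoso MSP - Backup'
       roleDefinitionId = Get-RoleId 'Backup Contributor' },
    # Lets the provider delete its own delegation at contract end without customer action.
    @{ principalId = $mspGroups.Offboard;   principalIdDisplayName = 'Contoso MSP - Offboarding'
       roleDefinitionId = Get-RoleId 'Managed Services Registration assignment Delete Role' }
)

$definitionName = (New-Guid).Guid    # Lighthouse requires GUID names for both resources
$assignmentName = (New-Guid).Guid
$definitionRef  = "[resourceId('Microsoft.ManagedServices/registrationDefinitions', '$definitionName')]"

# Subscription-scope ARM template, built as an object so no file has to be shipped around.
$template = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    resources      = @(
        @{
            type       = 'Microsoft.ManagedServices/registrationDefinitions'
            apiVersion = '2019-06-01'
            name       = $definitionName
            properties = @{
                registrationDefinitionName = 'Contoso MSP - monitoring and backup'   # placeholder
                description                = 'Read-only monitoring plus backup operations'
                managedByTenantId          = $mspTenantId
                authorizations             = $authorizations
            }
        },
        @{
            type       = 'Microsoft.ManagedServices/registrationAssignments'
            apiVersion = '2019-06-01'
            name       = $assignmentName
            dependsOn  = @($definitionRef)
            properties = @{ registrationDefinitionId = $definitionRef }
        }
    )
}

# Subscription-level deployment; the location only anchors the deployment metadata.
New-AzDeployment -Name 'lighthouse-onboarding' -Location 'westeurope' -TemplateObject $template | Out-Null

# Verify from the customer side: the definition shows the provider tenant and exactly the
# principals and roles granted; the assignment shows the delegation is in place.
Get-AzManagedServicesDefinition -Scope "/subscriptions/$customerSubscriptionId" | Format-List
Get-AzManagedServicesAssignment -Scope "/subscriptions/$customerSubscriptionId" -ExpandRegistrationDefinition | Format-List
```

Two design points: the Monitoring group gets Reader and Security Reader rather than Contributor, because watching a tenant never needs write access, and the separate Offboarding group holds only the registration-assignment delete role so that removing the delegation is a deliberate, auditable act by a small set of people. If the customer only wants to delegate a single resource group, the registration assignment has to be deployed at resource-group scope (a nested deployment in the template) rather than at subscription scope as shown here, and the customer can always revoke the delegation itself with Remove-AzManagedServicesAssignment.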

Standardized Permissions

If you are a service provider who has published services through the Azure Marketplace, remember that the authorizations you request will be identical across every tenant that accepts that plan. If you need to customize a plan for a specific client, you can make the plan private by specifying the subscription IDs allowed to see it. Alternatively, you can give a tenant an Azure Resource Manager (ARM) template directly. More details on this point will be provided in a future post in this series.

Multi-Factor Authentication

The final Azure Active Directory best practice is to require multi-factor authentication (MFA). This protects the tenant and builds trust in the service provider by requiring its staff to sign in with not just a password but also a phone or biometric device. MFA is a native Azure AD feature and is quick to enable. Note that the provider's engineers authenticate in the provider's tenant, so the customer's own Conditional Access policies do not apply to them; the MSP must enforce MFA on its side, for instance with a Conditional Access policy covering every group named in its Lighthouse authorizations.

Wrap-Up

You now have a fundamental understanding of the core technologies that power Azure Lighthouse: Azure Delegated Resource Management and Azure Active Directory. By following the best practices described in this blog, you will build trust with your tenants, giving them reason to subscribe to more of your service offerings. The next post in this series details the integration of Azure services with Azure Lighthouse, so stay tuned!

As always, if you have any questions or concerns, be sure to let us know in the comments section below!
