With today’s availability of Microsoft Azure Lighthouse, Managed Service Providers and ISVs have a solution for managing customers at scale. As an Azure Expert MSP, Intercept had the pleasure and privilege of piloting these new capabilities and we’re happy to share our experiences.
The current landscape for MSPs
Microsoft Azure stands out as an ideal public cloud for managed service providers and enterprises alike. Azure brings a lot of tools to the table when it comes to managing your customers. From provisioning to managing automation and access control, there is always a way you can achieve what you need as a Managed Service Provider. . One of the goals of a Managed Service Provider should be to standardize and automate management as much as possible in order to scale as a business and provide a high quality of service. This is something we see a lot of service providers struggle with. So, what exactly are the challenges and how can you overcome these?
Standardization and Automation
For managed service providers managing many customer tenants and subscriptions, scale is paramount. Managing multiple customers requires automation and granular access control and sometimes a third-party solution to help achieve all of those. Up until now, managing multiple customers was a single-tenant, one by one effort. Configuration was on a per subscription basis and required tenant level access (for configuring service principals).
Security and compliance
Before Azure Lighthouse, managing a customer usually required either an elevated level of access or support from the customer to perform the required tasks.
From a compliance perspective, customers want insights into the activities of their service provider. Many customers strive to obtain or maintain an ISO 27001 or similar certification which also requires them to have insights into the access levels and activities of their managed service providers. This is an element that doesn’t usually come out of the box and again requires either complex automation scripting or a third-party solution.
Monitoring
When Microsoft launched Azure Monitor, MSPs received a single subscription, single tenant Azure native solution for monitoring instead of relying on third party software. This is ideal for customer specific configuration when it comes to alerting and action groups, but left an opportunity for multiple-tenant, cross-customer scenarios.
MSPs at Scale
With today’s availability of Microsoft Azure Lighthouse,” Managed Service Providers and ISVs have new solutions for managing customers at scale Azure Lighthouse provides service providers capabilities for cross customer management from a single control plane with higher efficiency and governance.
Check out Azure.com/lighthouse if you want to learn more
Source
Supporting the customer
Instead of accessing customer environments through the Partner Center, you can now access all customers from the Azure Portal. By either accessing “My Customers” or using the tenant and subscription picker you can now see the customer resources you have access to.
Last but not least, this also goes for Command Line access such as Azure CLI and Azure PowerShell. You no longer require a direct RBAC assigned onto the customer subscription or, as most MSPs do, configure a dedicated account for PowerShell access. When access it activated, your user can simply select the subscription through the command line tooling and perform the tasks at hand.
Monitoring across your customers
As you can now access customer environments more easily and from your own MSP tenant, Azure Monitor becomes an important asset to your MSP business. Instead of configuring monitoring, policy’s and alerts on a per customer basis you can now assign policies to a multitude of customers with a single click and monitor resources across tenants. The same goes for Azure Security Center which can now be used to monitor the compliance levels across customers.
Centralized automation
When it comes to automation, you are usually redeploying the same logic (Azure Automation, Logic Apps, Functions) to multiple customers. With Azure Lighthouse you can assign your service principles with the necessary permissions on the customer subscription. This means you only need to deploy your automation logic once and connect it across tenants.
For example: You’re deploying a self-service portal or specific automation scripting to gather logging for each customer to gather telemetry. With Azure Lighthouse, because you have this level of access straight from your MSP tenant you can simply managed those automation resources in one place, and the best: only deploy them once.
Onboarding made easy
Onboarding is done through very basic Azure Resource Manager Templates. All you need is the User, Group or Principal ID’s from your MSP tenant and add them to the template and use the already pre-defined role definitions to configure the correct permissions. Once onboarded you can identify which tenants are configured with the Azure Lighthouse template by simply querying the Azure API’s which bring even more possibilities from a business perspective. For example: self-service onboarding which without Azure Lighthouse, involves a bit more than just deploying a template.
But, running a template in your customer environment is not the only onboarding experience you can provide. As of now you can also choose to publish your managed services offer in the Azure Marketplace. Providing the ability for your current and potential customers to find you and onboard with Delegated Resource Management through the Azure Marketplace.
What’s Next
Azure Lighthouse will change the way we manage customers at Intercept. The onboarding process is very simple and results in plenty of benefits. If you want to scale your MSP business, you need to standardize and automate. Azure Lighthouse will help you do that. Combined with the security and compliance benefits you can now create complete transparency when it comes to access control and activity logging. There is no longer a “black box” you need to explain to your customers.
Additionally, monitoring on Azure is maturing with features such as Azure Lighthouse. You can monitor across tenants without having to build complex automation solutions to gather the telemetry, you can just directly access them using the Service Principals you configured. Depending on what you’re doing right now, this can have a great financial impact and a definite goodbye to third-party monitoring solutions.
As every feature on Azure, Microsoft is continuously working on building new functionality into Azure Lighthouse which means it’s only getting better and more extensive. At Intercept we’re adopting Azure Lighthouse as a best practice for our MSP services and if you’re an MSP like us or you’re managing multiple tenants and subscriptions; Azure Lighthouse should be at the center of your practice.