How to Manage Multiple Office 365 Tenants with M365 Lighthouse

If you’re an MSP, there’s a big change coming in how you manage your client’s Office 365 tenants and Microsoft 365 tenants. Microsoft 365 Lighthouse is a modern way to manage multiple clients’ users and devices in a single pane of glass. This article will show you how to set up the preview, how to make sure your clients appear, and how to manage settings and policies across all of them. 

Note that Microsoft 365 Lighthouse is a different service than Azure Lighthouse, which lets an MSP manage resources in their client’s Azure subscriptions securely. It makes sense to name the services similarly since the concept of a “service provider managing a client’s cloud service” is the same, but it’s bound to cause some confusion. We’ve looked at Azure Lighthouse here:

Just as Azure Lighthouse has been a game-changer for the business model of MSPs, Microsoft 365 Lighthouse will be a turning point for MSPs as well, with the difference that every MSP I know has all their clients on Office / Microsoft 365, while not everyone uses Azure.

Signing up for the preview

Before we get to the requirements to use Microsoft 365 Lighthouse, let’s get it activated in your MSP’s M365 tenant. It’s a straightforward process, but it can take up to 24 hours; in my case, it only took a few hours.

Sign into your tenant at, go to Billing > Purchase services > Other services, search for Microsoft 365 Lighthouse public preview, and buy a single license for $0. There’s no cost for Microsoft 365 Lighthouse during the preview or after General Availability, just like Azure Lighthouse.

Purchase Lighthouse public preview

After some time, you’ll receive an email to let you know that your tenant has been enabled for the preview.

Microsoft 365 Lighthouse enabled

Microsoft 365 Lighthouse requirements

There are a few things that need to be in place for you to take advantage of Microsoft 365 Lighthouse. First, your MSP must be enrolled in the Cloud Solution Provider (CSP) program as an Indirect Reseller or Direct Bill partner. Secondly, each client must provide Delegated Admin Privileges (DAP) to your MSP. Thirdly, at this time, each client must have at least one Microsoft 365 Business Premium license and fewer than 500 licensed users. I suspect some of these limitations will be lifted after General Availability (GA). I’m sure many businesses larger than 500 users are already using an MSP to manage their Office 365 tenant, just as many smaller businesses rely on the advanced security features in Microsoft 365 E5, for instance. 

Still, their MSP would like to manage them using Lighthouse. With no inside information, I suspect Microsoft is focusing on this market segment to start with because it’s the one many MSPs focus on, and converging on Business Premium only also makes sense as it gives a common set of features to manage using Lighthouse.

Fourth, if you want to manage tenant devices, they must be enrolled in Microsoft Endpoint Manager (MEM).

Fifth, for user account data to appear in reports, the client’s tenants must have Azure Active Directory Premium P1, which is included in Microsoft 365 Business Premium.

Sixth, to see devices on the threat management pages, they must be running Microsoft Defender Antivirus (built into Windows). This one could be a bit tricky; many MSPs rely on their favorite AV tool and may not want to move to the built-in solution, but (if you’re stuck in the past) know that Defender AV is quite capable these days and is also a stepping stone to the excellent Microsoft Defender for Endpoint (MDE).

The last three on the list won’t stop you from using Microsoft 365 Lighthouse but will limit the functionality as mentioned.

In summary:
  1. Enroll in the Cloud Solution Provider program
  2. Invite each client to Delegated Admin Privileges
  3. Ensure the clients have at least one Microsoft 365 Business Premium license
  4. Enroll devices in Microsoft Endpoint Manager
  5. Make sure the clients have Azure Active Directory Premium P1
  6. Enable Defender Antivirus

Enrolling in the Cloud Solutions Provider program

I suspect most Microsoft-based MSPs have already completed this step, and my MSP took this step a few years ago, so I don’t have screenshots to show you the process, but here’s the official documentation.

Your primary choice is between being an indirect reseller, where you buy Azure / Microsoft 365 and on-premises licensing through CSP via a distributor, or being a direct bill partner. The latter requires you to provide the first level of support for your clients, fully manage customer billing and provisioning, and generate at least 300,000 USD revenue in cloud sales in a 12-month period. Here’s the page to get started as an indirect reseller. 

Once enrolled, the CSP area in the Partner Center lights up, and you can manage clients here.

CSP in Partner Center

Invite a client to Delegated Admin Privileges

I suspect there’s a bit of dirty laundry in most MSPs’ cupboards (including mine) where they don’t have delegated access to their client’s tenants but instead have Global Admin accounts to log in directly to each tenant to do any administration. If that’s the case, please ensure that those Admin accounts have MFA enabled.

To use Microsoft 365 Lighthouse, you need to set up your MSP with delegated admin rights to each tenant. Start by clicking the link “Request a reseller relationship” in the CSP portal. Pick your indirect provider, make sure “Include delegated administration privileges” is selected, and edit the email before sending it to your client. Note that the recipient must be a Global Administrator in the tenant to be able to action it.

Request a reseller relationship in the CSP partner portal

When a global admin for the tenant clicks the link in the email, they’re greeted with this screen and simply click the Authorize button.

Authorize client for Delegated Admin Privileges

They should now show up under Customers in your CSP portal; in my case, this was nearly instantaneous.

Exploring the Microsoft 365 Lighthouse portal

Logging on to the Home page

Go to and sign in with an account in your MSP tenant with Global Admin credentials and MFA enabled. If the account doesn’t have MFA enabled, you’ll need to enable it before being able to sign in. 

In case you find this burdensome, understand that you’re effectively accessing all your tenants in one place using Lighthouse, so enforcing MFA is a must. I would also suggest that access to Lighthouse should be limited to approved, locked-down admin workstations, something you can do using Conditional Access in AAD.

According to Microsoft, it can take up to 48 hours before client data starts showing up in the portal. Again, in my experience, it took less than two hours.

Home in the Microsoft 365 Lighthouse Portal

On the Home page is an overview of my clients, with tiles for threats (Defender Antivirus), devices with it installed, risky users, and device compliance. You can filter this view with the Tenants button in the top left.

User account pages

When I drill into the Risky users tile, I’m taken to the Users part of Lighthouse, where four tabs show accounts that have been flagged as risky and their current status (At risk or Remediated). Clicking View risk detections for an individual account takes me to the AAD portal for that tenant to investigate the risk. The Multi-Factor Authentication tab shows the tenant’s status for MFA enablement and users not registered for MFA. In contrast, the Password reset tab shows the tenants’ state and accounts for Self-service password reset (SSPR). I can also search across all usernames, and when I find a particular user, I can reset their password or block sign-in. Password reset in particular is a very common action for MSP helpdesk staff. Instead of signing into a client’s tenant, finding the user, and then resetting their password, you can do it here for any user.

Risky users blade

Antivirus and Threats

Clicking either the Threat or Antivirus tile takes me to the Threat management area, where an overview tab shows me threats (active / mitigated / resolved), devices missing Defender AV, and devices overdue for scans. The Threats tab shows a list of active, mitigated, resolved, and allowed threats, whereas the Antivirus protection tab shows me a list of devices, their state, if the AV is up to date, real-time protection state, and if any scheduled quick or full scans are due.

Antivirus status across each device

The orange warnings in the screenshot show quick scans that are overdue. Clicking on an individual device brings up its details, plus options to run a quick or full scan, update the signatures and reboot the device.

Device details in Antivirus view

Note that you can also multi-select several devices and run scans on all of them or even reboot all of them in one fell swoop. You can also filter the view of the devices based on device state, threat protection, update status, and any overdue scans.

Devices & Tenants

The Device area has four tabs: Overview shows devices managed by compliance policies in MEM, whereas the Devices tab shows the compliance status for each device with the ability to filter the view based on whether the device is corporate or personal, the OS it is running, and its status. 

The Policies tab syncs from MEM, whereas the Settings tab shows non-compliant settings across tenants. In this area of Lighthouse, I noticed that the data on some tabs were missing, possibly due to the 48 hours not having passed after adding the tenant. You can also click an individual device to see details and click a link there to see it in the full Endpoint Manager console.

Device compliance with MEM policies view

The Tenants view shows tenants, including ones ineligible for Lighthouse (missing license for Microsoft 365 Business Premium, for instance) or ones that don’t yet have Delegated Administrative privilege. You can create and assign tags to different tenants as a way to organize them.

Security and Baselines

There are two specific role-based access control (RBAC) roles associated with Microsoft 365 Lighthouse: Admin Agent and Helpdesk Agent. The former has permission to change most settings, whereas the latter can view everything but only reset passwords, block sign-ins, and update customer contact / website details. Microsoft recommends using Privileged Identity Management (PIM), a feature in AAD Premium P2 (in the partner tenant), to enforce the principle of least privilege: a Helpdesk Agent can be eligible to be an Admin Agent but must go through a PIM workflow, which can include entering a service ticket, being approved by a supervisor and performing MFA, to elevate to that permission for a restricted time of a few hours.

Security baselines are a key feature in Microsoft 365 Lighthouse. Today, you can’t edit them; there are six default baselines:
  • Require MFA for admins (CA report only policy)
  • Require MFA for end users (CA report only policy)
  • Block legacy authentication (CA report only policy)
  • Enroll devices in MEM & Azure AD Join
  • Antivirus policy – a Device Configuration profile
  • Windows 10 Compliance policy
In the baseline area, I can see the Default baseline and apply it to groups of clients. Note that the three Conditional Access policies are report-only and thus won’t actually enforce the setting; they just give you reports on where it would have been applied. This is a good way to get a grip on the state of MFA and legacy authentication usage across your tenants, but in today’s security-challenged business landscape, it’s vital to move to enforcing MFA and disabling the legacy protocols as soon as possible.

There are two other areas in Microsoft 365 Lighthouse. Windows 365 gives a view of any Cloud PCs in your clients’ tenants and their network connections to on-premises. I don’t have any clients using Windows 365 yet, but it makes great sense to surface this information in Lighthouse. The final area is Service health, which shows advisories and incidents across Teams / Microsoft 365 / Exchange Online and another 20 services. It’s the same view as in the Microsoft 365 Admin Centre, but having it handy in this portal makes sense.
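As an added example (not from the article, and not Lighthouse’s own tooling), this Microsoft Graph PowerShell script lists a customer tenant’s report-only Conditional Access policies, the state in which the three baseline CA policies above are deployed, and only when run with -Enforce switches them to enforced. It assumes the Microsoft.Graph PowerShell SDK, an admin account in that tenant with Policy.ReadWrite.ConditionalAccess, and that you supply the customer tenant id yourself.

```powershell
# Added example; not code from the article or from Microsoft 365 Lighthouse.
# Assumes: Microsoft.Graph SDK installed, admin account holding Policy.ReadWrite.ConditionalAccess.
param(
    [Parameter(Mandatory)] [string] $TenantId,   # customer tenant to inspect (supplied by you)
    [switch] $Enforce                            # without this switch the script only reports
)

Connect-MgGraph -TenantId $TenantId -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

# Report-only policies: they log what they *would* have done to the sign-in but enforce nothing.
$reportOnly = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' }

if (-not $reportOnly) {
    Write-Host "No report-only Conditional Access policies in tenant $TenantId."
    return
}

foreach ($p in $reportOnly) {
    $controls = ($p.GrantControls.BuiltInControls) -join ','   # e.g. mfa, block
    $apps     = ($p.Conditions.ClientAppTypes) -join ','       # e.g. exchangeActiveSync,other for legacy auth
    Write-Host ("{0,-50} controls={1,-8} clientApps={2}" -f $p.DisplayName, $controls, $apps)
}

if (-not $Enforce) {
    Write-Host "Review the report-only results in the sign-in logs first, then rerun with -Enforce."
    return
}

foreach ($p in $reportOnly) {
    # Microsoft's documented recommendation: exclude at least one emergency-access account
    # from any policy that requires MFA, so an MFA outage cannot lock every admin out.
    $requiresMfa   = $p.GrantControls.BuiltInControls -contains 'mfa'
    $hasExclusions = [bool] $p.Conditions.Users.ExcludeUsers
    if ($requiresMfa -and -not $hasExclusions) {
        Write-Warning "Skipping '$($p.DisplayName)': no excluded (break-glass) users; add one before enforcing."
        continue
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id -State 'enabled'
    Write-Host "Enforced: $($p.DisplayName)"
}
```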


This is a public preview, and both the functionality and requirements are a bit limited, but I suspect this will change as feedback comes to Microsoft, particularly now that it’s in public preview.

I think Microsoft 365 Lighthouse will be a game-changer for MSPs. It’s a shift in how you manage your clients’ digital estates at scale, and I suspect that it’ll find fans in both large and small MSPs. At this stage, I have questions about the shared MSP model, which works in Azure Lighthouse, where you can have one MSP managing your backups and IaaS VMs and another MSP handling your databases. Today, that’s not supported in Microsoft 365 Lighthouse.

Another concern is the overlap with third-party MSP management tools, and my initial take is that I’m far more likely to trust Microsoft to get security right rather than the RMM software vendors of today (especially given recent news), plus a first-party provided tool is always preferable to me personally. Full disclosure – I don’t use an MSP tool in my business, but I do rely on N-Able Take Control for remote access to devices.

Microsoft 365 Lighthouse isn’t replacing a Remote Monitoring and Management (RMM) tool today. Once the functionality is expanded, I can see this being one of the main tools in your MSP toolbox.

Is it Time you Ditched On-Premises Services Completely?

In a previous post, I covered the term CSP (Cloud Solution Provider) and the differences between a CSP and an MSP. Since then, the question of continuing to offer on-premises services has come up a few times with readers and others in the community. Many seem to be wondering about it, so I’d like to address this question specifically in today’s blog post.

Should You Make the Move to Cloud-Based Solutions?

If you’ve read many of my blog posts on this site and the other Hornetsecurity blogs, you’re likely prepared for one of my favorite answers. That is, “It depends.” On-premises requirements vary based on the organization for which you are providing services. The suitability of cloud solutions is not a one-size-fits-all proposition; it significantly depends on the unique operational needs and technological infrastructure of each organization.

Consider, for instance, a small realtor agency with a modest team of 10 users primarily utilizing document-oriented applications. Their technological footprint and demands are substantially different from a large-scale manufacturing entity, which might have 400 users interacting with a diverse suite of applications, including machine controls and intricate engineering software like CAD. These distinct operational scales and complexities inherently dictate the degree and manner of cloud integration that would be beneficial.

Cloud-based solutions, with their promise of scalability, flexibility, and cost-efficiency, should be earnestly considered and often preferred in many scenarios. As Cloud Solution Providers (CSPs), it is incumbent upon you to judiciously evaluate and recommend the appropriate level of cloud integration tailored to each client’s specific needs. However, transitioning entirely away from on-premises servers is not always the optimal or feasible route. The current trend leans towards a hybrid cloud model, blending the security and control of on-premises infrastructure with the agility and innovation of cloud computing. This hybrid approach allows organizations to leverage the best of both worlds, accommodating a wide array of workloads and applications.

In conclusion, while the momentum is undeniably shifting towards cloud-based solutions, a thorough analysis of each organization’s requirements, coupled with a strategic approach to integrating cloud services, is paramount. CSPs must navigate this transition with a balanced perspective, aiming to harness the cloud’s potential while ensuring alignment with the business’s operational realities and long-term objectives.

Hybrid Cloud and the CSP

The truth is that very few organizations can go 100% cloud. Don’t get me wrong. That percentage is increasing as time goes on. But right now, many use cases still require an on-premises footprint. For example:
  • Highly GPU Intensive Workloads
  • Latency Sensitive Applications
  • Complex Monitoring Needs
  • Poor Connectivity
  • Disconnected (No External Connectivity) Scenarios
  • Recent Large Capital Investment in On-Prem Infrastructure
  • Low Customer Comfort with the Cloud
A good CSP will continue to leverage on-prem (only where it makes sense) and pair that with what works well in the cloud, such as:
  • Backup and DR
  • Email
  • File Storage
  • Web Apps
  • Office Applications
  • Collaboration Software
  • More!
Good CSPs provide exceptional value in knowing where on-prem and the public cloud intersect, and they can apply solutions for both with a high degree of skill to fill all the technology needs of a business. Are there CSPs out there that ONLY do cloud? Sure. However, you’ll likely find that many of those CSPs operate in an industry vertical that organically lends itself well to running cloud-native. Other verticals aren’t so simple. Manufacturing, for example, often employs complex machine control and supply chain software that doesn’t lend itself well to running in the cloud (yet). This is not to mention engineering and parts-design software that doesn’t work well in cloud scenarios in most cases either. Another good example is healthcare. Many functions within a hospital cannot be off-site to the cloud for regulatory reasons, or a given function is so critical to patient care (often life and death) that they can’t risk even the slightest connectivity outage.

Where and How You Can Move to Cloud-Based Solutions

In addressing the critical issue of shifting towards cloud-based services, my directive to both budding and seasoned Cloud Solution Providers (CSPs) is clear and straightforward: Prioritize cloud solutions in all your strategic planning and implementation.  However, it is crucial to tailor these solutions to fit the specific needs and context of each business. Avoid forcing a universal solution onto diverse problems — akin to the futility of forcing a square peg into a round hole. Remember, the hallmark of a proficient solution provider is the ability to discern and deploy the most appropriate technology that aligns with the unique requirements and goals of a business. As CSPs, your objective should be to guide businesses through the cloud transition smoothly and efficiently, ensuring that every technological adoption enhances operational excellence, cost-effectiveness, and competitive edge. This means conducting a thorough analysis of the business’s existing infrastructure, understanding its future goals, and accordingly, recommending cloud solutions that offer scalability, flexibility, and security. It is also imperative to educate business leaders about the benefits and implications of cloud adoption, addressing any misconceptions or reservations they might have. By fostering a collaborative environment, you can work together to identify areas where cloud solutions can bring immediate value and areas where a gradual transition is more appropriate. Ultimately, your role as a CSP is not just to implement technology but to be a strategic partner in your client’s journey towards digital transformation. By leading with cloud solutions yet respecting the unique shape of each business’s needs, you can carve a path to modernization that is both effective and sustainable. Embrace the cloud, but do so with the wisdom and adaptability that ensures every solution is a perfect fit for the business it serves.


What are your thoughts? Have you been trying to lead with cloud and struggling? Are your customers hesitant to invest in the cloud? Thanks for reading!

4 Powerful Microsoft 365 Features Every MSP Should be Using

As MSPs, we’re always looking for the next best thing for our customers. It’s a tough market. Budgets are always in flux. Competitors are always chomping at the heels of our clients, and the industry moves so fast that many business owners will scoff at the next wave of updates and features that the industry says are a MUST-have. But what is a budding MSP to do? A proven strategy is to focus on hard-hitting features that are game-changing for their day-to-day work. The Microsoft 365 suite contains many such features, many well known and others not so much. In this blog post, we are going to talk about 4 Microsoft 365 features that will wow your customers. When implemented properly, these features are a surefire way of solidifying your relationship with a customer and ensuring more business through their continued success!

Microsoft Teams

If we’re going to start with any hard-hitting application/feature in the Microsoft 365 suite, it’s got to be Microsoft Teams, right? There is perhaps no collaboration tool as expansive as Teams. And since the COVID-19 pandemic, Teams usage has surpassed 280 million users, according to Microsoft CEO Satya Nadella in a quarterly earnings report: “Teams surpassed 280 million monthly active users this quarter, showing durable momentum since the pandemic. And we continue to take share across every category, from collaboration, to chat, to meetings, to calling.” Moreover, Mr. Nadella mentioned that “There are more than 500,000 active Teams Rooms devices, up 70 percent year-over-year. And the number of customers with more than 1,000 rooms doubled year-over-year.” Teams is supplanting Outlook as the collaboration tool of choice for many organizations. It hadn’t really even dawned on me personally until I was having a conversation with a co-worker a few weeks back. She simply stated that “Teams has become home base” for her day-to-day work. I found that’s true for me as well! Historically, Outlook was the first app I would open when sipping the morning coffee. Today Outlook takes second place to Teams, and it’s easy to see why. If you’re not familiar with Teams, it offers a plethora of collaboration features:
  • Individual and Group Chat
  • Voice and Video Chat
  • Conferencing and Webinar capabilities
  • VoIP capabilities
  • Mobile Clients with Softphone Options
  • Integration with the rest of the M365 suite
  • Numerous 3rd party integrations (Some shown below)
Image 1 – Third-Party Application Addons for Microsoft Teams

I could go on, but in all seriousness, we could spend a whole series of articles on the benefits of Teams and how to roll it out to your customers, and maybe we will! That said, in the context of this article, Teams is listed first because it plays a part in some of the following items, which leads us to our number 2 pick!

Microsoft Stream

Many of us don’t enjoy being stuck in meetings, but I’m sure there have been a few occasions where there was a meeting you wanted to be in but were unable to make, right? What if any scheduled meeting could automatically create a recording and send it to invited attendees afterward? Teams meetings, paired with Microsoft Stream, allow you to do just that and more! The best way I can describe Microsoft Stream for those who aren’t aware of it is simply this: Think of Microsoft Stream as YouTube for your Business. Stream is a video hosting platform that can be used in conjunction with other M365 features and apps. I already mentioned the Teams integration, but there are other features worth mentioning, such as:
  • Public and Private Channels
  • Video Sharing
  • Hashtags and Timecode Links
  • Watchlists
  • Featured Videos
  • Searchable Transcripts
  • Live Events (Shown Below)
  • Screen Capture and Editing
  • Polls, surveys, and quizzes (Coming Soon)
Image 2 – Setting up a Live Event in Microsoft Stream

All these features are easily glossed over when organizations look at the vast list of applications and features in M365. When employees and business owners truly discover the powerful features Stream provides, it becomes a game-changer. A few more example use cases here:
  1. Live or Recorded company updates from Leadership
  2. Mandated training materials distributed to workers
  3. Project and team briefings recorded for transparency and shelf-life
  4. Onboarding materials for new hires
The list goes on and on. With the integrations to the rest of the M365 platform, Stream will help take your customers’ operations to the next level!

Microsoft Planner

Task management is a bear, especially with distributed teams. You’ve got email, Teams, Outlook to-dos, sticky notes, napkins, and 100 other places to keep track of ongoing tasks. The true power of the M365 suite is in its integrations. Unlike your sticky notes or a notepad file, Microsoft Planner is plugged into and integrated with your core collaboration tools in a big way. Need to rope team members into a task or a series of tasks? Need to collaborate with notes and chat in a unified view regarding said task? Need alerts for when the task is updated? How about the ability to attach files, due dates, reminders, categories, and more? If you answered yes to all of these, Planner can do it and more. As mentioned earlier, Teams plays a large role in many of these features, and Planner is no different. In any given team within the Teams app, you can click the plus sign at the top left and link a Microsoft Planner “plan” as a tab directly within Teams. This puts the team’s project plan right at their fingertips and enhances the overall collaboration experience.

Image 3 – Microsoft Planner Embedded in Teams as a Tab

One other thing I wanted to touch on before moving on to our next item. From an organizational level, when talking with your clients about Planner, I would recommend you have them plug this feature in at the department level. It really shines at that level. I’m often asked where these tools fit in regard to other task management tools, and this is often the advice I provide:
  • For individuals and light taskers – Use Microsoft To-Do
  • For departmental teams and heavy taskers – Use Microsoft Planner
  • For large-scale and organization-wide projects – Use a project management tool such as Microsoft Project
My reasoning behind it is this. Planner provides features over and above your basic to-do list (which is what To-Do is). That said, it lacks many of the more advanced ITIL and PMP project management capabilities found in more advanced tools. Don’t get me wrong, however! Planner is still a super powerful and stunning addition to any team looking to leverage Microsoft 365 to the fullest.

Multi-Factor Authentication with Conditional Access

The last item I’m going to talk about today is going to be the least visible of them all, and that’s ok! This particular item will wow your customers because of the fact that it DOESN’T make itself visible! Those of us working in the technology space these last few years all know that multi-factor authentication is an absolute must. It provides an added layer of security in an age where ransomware and other cyber attacks are rampant. However, getting some customers to “deal with the security headache” (yes, they are out there) can prove somewhat troublesome. That said, Microsoft has made the experience in Microsoft 365 stupidly easy. Enabling the feature is quick, and end-users are provided with a prompt to enroll in MFA. Assuming you’ve properly communicated the steps to the end-users, they should have few problems with the process. Once done, they’ll get the typical MFA prompt as needed when logging in and will be given the option of remembering a device as a frequently used device for a length of time. Some organizations would balk even at this much work, and that’s where the beauty of conditional access comes in. Conditional access gives administrators and MSPs the ability to define safe locations that don’t require the MFA prompt. This mainly refers to your corporate network, meaning that someone in the office (or connected via VPN) will not be required to authenticate with MFA. This greatly reduces the effort required by end-users but still keeps them protected when they need it most: when they’re off-site.

Image 4 – Conditional Access Policies in Azure AD
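The “safe location” setup described above, as an added Microsoft Graph PowerShell example (not from the article or from Microsoft): it creates a trusted named location for the office / VPN egress range and a policy that requires MFA for all users everywhere except that location. It assumes the Microsoft.Graph SDK and an admin with Policy.ReadWrite.ConditionalAccess; the IP range, the display names and the emergency-access account id are placeholders to replace.

```powershell
# Added example; not code from the article or from Microsoft.
# Assumes: Microsoft.Graph SDK installed, admin account holding Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

$officeCidr       = '203.0.113.0/24'                           # placeholder: the client's office/VPN egress range
$breakGlassUserId = '<OBJECT-ID-OF-EMERGENCY-ACCESS-ACCOUNT>'  # placeholder: keep this account outside the policy

# 1. The trusted named location: sign-ins from this range count as "in the office".
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'HQ office egress'            # placeholder name
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $officeCidr }
    )
}

# 2. Require MFA for all users on all cloud apps, except from that location.
#    Created report-only first so the sign-in logs show who would have been prompted;
#    flip state to 'enabled' once the results look right.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Require MFA except from trusted office location'   # placeholder name
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlassUserId) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

Write-Host "Created named location $($location.Id) and report-only policy $($policy.Id)."
```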

Now, conditional access does SO MUCH more than just this one thing. Make sure you review the full list in the Microsoft Docs article on conditional access. One final thing you may be wondering about before we wrap up is what kind of licensing you need to get MFA with conditional access. See the image below for that information, along with the source in the caption!

Image 5 – Available versions of Azure Multi-Factor Authentication


This article should give you a good list of features you might want to talk about with your customers if you haven’t already. All of these features can take their collaboration and productivity efforts to the next level. So many organizations buy into Microsoft 365 and only enable mail and a few other features. Don’t let your customers waste the value! Help them squeeze every ounce of value out of what they’re paying for. In the end, you’ll continue to be their trusted IT partner, and you’ll share in their success moving forward! What about you? Have you tried these features? Do you have customers using them? Would you like to see more content about anything we talked about today? Thanks for reading!

Why MFA is No Longer Optional for MSPs

One of the most common types of cyberattacks is one where cybercriminals seek to compromise the victim’s web credentials. Using email-based phishing attacks and increasingly convincing social engineering techniques, victims are tricked into providing their user ID and password for a wide range of cloud-based platforms and applications. According to our 2023 Cybersecurity Report, phishing remains the most common type of email attack, constituting 39.6% of all detected threats. What makes online credentials so appealing to cybercriminals is the access these credentials provide to online banking, Office 365, Azure apps via Azure Active Directory, financial applications, customer data, and more. Gaining access to these kinds of applications and data can be detrimental to SMBs – potentially even causing them to shut their doors. So, how can you as an MSP help protect your customers from this kind of cyberattack? The answer lies in Multi-Factor Authentication (MFA). Now let’s get onto some MFA basics and then talk about how you can incorporate this security control into your service offerings.

What is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) is a security method that uses multiple identifying “factors” to verify a user’s identity instead of relying on the traditional username and password. MFA requires additional factors to identify and authenticate the user. These factors include:
  • Text messages to the user’s smartphone
  • Sending codes to an alternate email address
  • Asking additional security questions
  • Using secondary authentication to trusted 3rd party sources
  • Biometrics (such as fingerprint or retina scan)
  • Facial recognition
  • Security hardware token device
  • Security token app on a user’s smartphone
  • Certificates
Additionally, depending on the MFA solution being used, details about when and from where the authentication request originates can come into play, including location, day/time, IP address, the requesting device’s MAC address, etc. All of these factors – in one form or another – fall into one of three generally accepted categories of authentication factor:
  1. Something you know – This can be information relevant to authentication that the user themselves knows already, such as passwords, answers to security questions, etc.
  2. Something you have – These are generally represented by physical items the user possesses, such as a smartphone, security token, or RFID badge.
  3. Something you are – This is where biometrics and facial recognition come into play. This factor uses any part of your person that can help uniquely identify you.

Office 365 2 Factor Authentication Mobile Sign In

How Does MFA Work?

First off, notice we’re discussing multi-factor authentication. The focus here is for you to use multiple factors with your customers. Why? Because each of these factors on its own can be (and in many cases, has been) hacked or spoofed. Mobile devices have had their SIMs swapped to an attacker-controlled device, passwords can be cracked, and even fingerprints have been shown to be spoofable using 3D printing. With MFA, the user authenticates by providing a number of factors – how many depends on the level of security needed, the individual’s role within the organization, etc. In general, the user first provides their usual username and password. Once provided, they are then presented with one or more additional challenges where the implemented factors mentioned above need to be satisfied.

Multi-Factor Authentication Steps

Where Do You Find MFA?

There are dozens and dozens of software vendors offering MFA. In many cases, it’s offered as part of a larger Identity and Access Management solution – which may be too complex for simply implementing MFA for your SMB customers. Microsoft offers Azure Multi-Factor Authentication to secure access to Azure Active Directory, Office 365, Azure-based VMs, applications, and data, as well as to act as a trusted authority for third-party cloud applications and platforms. This service is simple enough to scale down to an SMB’s needs. And as mentioned, there are a number of vendors offering MFA solutions that are simple and cost-effective enough for an MSP.

Office 365 2 Factor Authentication Desktop Sign In

Why is MFA No Longer an Option for MSPs?

For MSPs, MFA offers the chance to drastically enhance security and protect your customers. To underline the point, here are five reasons why MFA is no longer optional but necessary for MSPs.
  • Prevent Cyber Threats
As cyberattacks grow in sophistication, no customer is immune to the risks of data breaches, ransomware, or phishing. MFA serves as a critical defense layer, rendering stolen credentials useless without the additional authentication factors, thereby protecting against unauthorized data access and system breaches.
  • Compliance and Industry Standards
The regulatory landscape is increasingly stringent, with numerous industries mandating MFA to safeguard sensitive data. For MSPs, non-adherence is not an option; failure to implement MFA can lead to severe penalties, legal ramifications, and reputational harm. It’s essential for meeting both compliance obligations and customer expectations.
  • Stringent Access Protocols
With the proliferation of remote work and cloud-based platforms, robust access controls are paramount. MFA ensures that only verified users can access critical applications and data, providing a significant barrier against unauthorized access and potential internal or external breaches.
  • Mitigating Fraud and Identity Theft Risks
The threat of identity theft and fraud is ever-present in the digital age. Implementing MFA introduces a formidable challenge for cybercriminals attempting to impersonate users or commit fraud, thus safeguarding business operations and sensitive information from such illicit activities.
  • Building Trust and Safeguarding Reputation
In a world increasingly conscious of cybersecurity, customers expect and demand stringent protection of their data. By implementing MFA, MSPs demonstrate a commitment to security, fostering trust, and reinforcing their reputation as a protector of customer interests and data integrity.

How to Go about Offering MFA to Your Customers

MSPs have several options to go about this. The first is to simply absorb the cost of setting up MFA and offer it at no charge. Microsoft Azure MFA has a free version that is a very viable option. If you are offering either Managed Office 365 services or Managed Security services, I’d suggest bundling it in as part of those services. For those SMB customers that are on the larger side and need MFA integration with single-sign-on access to multiple cloud applications, you’ll want to look at vendors like Okta, who focus on integrating their MFA with thousands of existing cloud products and services.

It’s Time to Secure Your Customer With MFA

Multi-Factor Authentication needs to be an embedded part of your service offerings, keeping your customers’ applications and data safe from cyberattacks intent on gaining access. By implementing MFA in your customers’ environments, you’ll help to minimize the risk of successful cyberattacks focused on credentialed access.
Why ISVs Should Use Azure Lighthouse

Some MSPs with in-house dev teams can consider themselves ISVs (Independent Software Vendors). This post talks about the benefits of Azure Lighthouse for ISVs. Windows Azure lets ISVs publish their cloud software on the Azure Marketplace and monetize it by offering services to help their customers operate it. Many companies using cloud services lack the in-house expertise to optimize their specific cloud services’ deployment, configuration, management, and reporting. Azure Lighthouse allows ISVs to upsell managed services on top of their software. As the developer of a piece of software, you are likely to be the world’s leading expert in making it run as efficiently as possible. ISVs have been able to offer managed services through Azure for some time, but one of their major challenges was efficiently supporting every customer who subscribed to their service. In the past, the ISV’s service administrator would have to log in and manage dozens, perhaps hundreds, or even thousands of individual accounts. The administrative overhead alone added significant costs, which would often be passed down to the end-users. Azure Lighthouse provides a solution that allows ISVs to centrally manage tasks for all of their tenants from a single interface, which will be detailed throughout this blog. For more information about Azure Lighthouse, check out the Altaro blog series about the Azure Lighthouse solutions, its foundational technologies using ADRM and AAD, Azure integration, and the go-to-market strategy.

Azure Lighthouse Benefits to Independent Software Developers (ISVs)

Azure Lighthouse brings a multitude of benefits to Independent Software Vendors (ISVs), significantly enhancing their operational capabilities, market reach, and customer service. Here’s a detailed breakdown of the advantages:

Streamlined Onboarding and Access Control

Previously, the onboarding process for software and managed services was tedious, often involving prolonged email exchanges to secure the correct permissions. Azure Lighthouse revolutionizes this process by allowing ISVs to specify precisely which of the customer’s resource groups contain the software they will need access to. With over 70 different types of roles available, ISVs can use role-based access control (RBAC) to determine the minimum access necessary for their team to perform operations effectively. This streamlined approach not only enhances the efficiency of onboarding new customers but also sets a positive tone for initial interactions, fostering trust and satisfaction from the get-go.

Enhanced Operational Efficiency and Service Standardization

Centralized management provided by Azure Lighthouse enables ISVs to scale their operational efficiency, standardize services, automate operations, and increase security and compliance. This unified management is accessible through the Azure Portal GUI or by scripting with Azure PowerShell or the Azure APIs. Such centralization allows for the management of resources across multiple customer accounts, making it easier to handle repetitive tasks and focus on enhancing managed offerings, adding new core competencies, and expanding services. Moreover, these capabilities are provided by Microsoft Azure at no additional cost, though the consumed cloud resources are still billed to the ISV or their customer.

Security and Intellectual Property Protection

With Azure Lighthouse, ISVs can maintain a secure environment for their own and their customers’ intellectual property. Delegated access ensures that ISVs can manage customer resources without exposing any proprietary scripts or templates. This not only protects the ISVs’ intellectual property but also assures customers of the integrity and confidentiality of their resources. Security enhancements from Azure Lighthouse help maintain a robust service offering, retaining customers by ensuring that operations are secure and compliant. Moreover, this added security allows ISVs to focus more on adding value through their services, potentially maximizing profits or offering cost savings to customers.

Operational Efficiency through Automation

Azure Lighthouse enables ISVs to automate repetitive tasks such as patching software. Through the GUI or scripts, ISVs can programmatically perform tasks against thousands of resources at once if they are managed by Azure Resource Manager (ARM). This includes reporting, alerting, querying, servicing, security updates, or even deploying new services. For instance, an ISV can run a global query to identify all customer VMs running their software that need updates or repairs. This level of automation and control allows ISVs to efficiently maintain their software across various customer environments, enhancing service quality and customer satisfaction. Azure Lighthouse offers ISVs new operational efficiencies, enhanced security, and streamlined processes, allowing them to focus on innovation and growth while ensuring a secure, efficient, and customer-friendly service delivery. The multitude of benefits provided by Azure Lighthouse positions it as a game-changer in the realm of cloud services, particularly for those involved in providing managed services and software solutions.

Azure Lighthouse Benefits to the Customers of ISVs

Azure Lighthouse offers substantial benefits to the customers of Independent Software Vendors (ISVs), particularly enhancing the ease of integrating third-party software and managing cloud services. Here’s how it impacts the customers:

Simplified Integration and Management

Many Azure customers, especially developers and those from smaller organizations, find the task of integrating third-party software daunting and potentially risky. Azure Lighthouse alleviates these concerns by simplifying the onboarding process using Azure Delegated Resource Manager (ADRM) technology. It transparently assigns management rights to the ISV, streamlining the process of software deployment and management. Customers, now tenants of the ISV, can review and tweak permissions as needed, enjoying an easy setup while maintaining control. The Azure Marketplace further simplifies this by allowing customers to acquire cloud software and associated services from trusted providers, much like any app store.

Enhanced Transparency and Control

Customers gain unparalleled transparency and control over their resources with Azure Lighthouse. Detailed logging and auditing provide insight into every action the ISV takes on their resources, ensuring accountability. Isolation between tenants guarantees that actions an ISV performs on one tenant do not affect others, safeguarding against unauthorized changes. Despite the delegated management, customers retain full control over their budget and billing, with the freedom to provide their own licenses, be billed directly for services, or purchase services through the Azure Marketplace. All these aspects are managed and visible through ARM, allowing customers to easily navigate to the Service Providers Page and view the subscriptions and services connected to their account.

Streamlined Onboarding and Permissions

The onboarding process is significantly streamlined with Azure Lighthouse. Customers no longer need to navigate complex permission settings or worry about giving excessive access to their resources. They can simply review the permissions needed for the ISV to operate the new software. For those with more advanced needs, configuring specific access from the 70+ Azure user roles to each resource is straightforward, allowing for granular control over who has access to what. This ease of managing permissions not only saves time but also ensures that the software is integrated and managed securely and efficiently.

Budget and Billing Autonomy

Azure Lighthouse empowers customers to maintain autonomy over their budget and billing. They can choose to provide their own licenses, handle billing for ISV services directly, or opt for services through the Azure Marketplace. This flexibility ensures that they can align the services with their financial and operational strategies. Furthermore, the visibility provided by the Service Providers Page allows customers to monitor connected services and subscriptions effectively, ensuring they are always in control of their expenditures and service arrangements.

Wrap Up

Ultimately, Azure Lighthouse provides a better management experience for ISVs and their customers. Developers can upsell their software by also including deployment and support services. It easily plugs into existing programs and solutions, so now ISVs can spend more time with their customers and less time managing credentials. If you are an ISV that is going to publish its managed services through Azure Lighthouse, make sure that you check out the blog post on the go-to-market strategy so you can learn the best practices to stand out from the crowd.
How to Onboard Customers in Azure Lighthouse

This blog post will show you how to onboard your customers’ Azure resources in Azure Lighthouse.

Azure Lighthouse is a new collection of technologies that allows Managed Service Providers (MSPs) and software developers (ISVs) to centrally manage their tenants and monetize hosted services. These providers are able to use the Azure Marketplace as a web portal to post public offerings that are available worldwide, similar to an app store. MSPs can list IT services they offer to deploy, manage, optimize, secure or make compliant their customers’ cloud infrastructures, and ISVs can include their Azure software with additional services. The providers can use Azure Delegated Resource Manager (ADRM) and Azure Active Directory (AAD) to centrally manage all of their tenants from a single interface. For more information, check out the Altaro blog series about the Azure Lighthouse solutions, its foundational technologies using ADRM and AAD, Azure integration, and the go-to-market strategy.

There are three ways that a tenant can subscribe to a service from the MSP, and each changes the way that the customer grants the MSP access to their environment.

The most common way is for a provider to publish a service to the Azure Marketplace, and this can be configured to be public or private. A public service is accessible to everyone, and there is no way to restrict subscribers by location, size or any other factor. Customers who purchase a public service grant access to the MSP automatically during the onboarding process, as described in how to publish a managed service on the Azure Marketplace.
  • To make a service private and only accessible to certain predefined customers, a specific list of tenant subscription IDs must be defined when the offering is created in the Azure Marketplace. Once a private customer has purchased an Azure Lighthouse service, the service provider must onboard their tenant, which requires delegating resources through Azure Active Directory (AAD).
  • Alternatively, the entire Azure Marketplace process can be skipped and an MSP can onboard a tenant directly through the series of steps described in this blog:
    • Collect Details for the Tenant and their Subscription
    • Either
      • Create Azure AD User Groups and Define Permissions
      • Create Service Principals and Define Permissions
    • Create an Azure Resource Manager (ARM) Template
    • Deploy an Azure Resource Manager (ARM) Template
    • Confirm Successful Onboarding for Both Parties
For either scenario, make sure that you’ve associated the tenant’s subscription ID with your Microsoft Partner Network (MPN) ID so that you get credited for consumption. While this guide is written from the perspective of an MSP, these same best practices are also applicable to ISVs who are offering managed services to deploy their software.

Step 1) Collect Details for the Tenant and their Subscription

When you are onboarding a customer, you have to know some of their unique identifier information so that you add the correct user and subscription. Make sure that you have the following information:
  • Your Tenant ID (as an MSP or ISV). This can be found in the Azure Portal by hovering over your account name in the upper-right corner in the Azure Portal.
  • The Tenant ID of the customer. This can be found in the Azure Portal by asking the tenant to hover over their account name in the upper-right corner in the Azure Portal.
  • The Subscription ID of the customer for the subscription of every resource that you will be managing. If you are managing multiple resources that are in different subscriptions, then you will need each of these subscription IDs. This can be found by searching for the subscription(s) in Azure Active Directory. This will also cause a new resource provider (Microsoft Managed Services) to be registered for the selected subscription(s).
Next, you need to set up the security framework using either Azure AD user groups, service principals or individual Azure user accounts (not recommended). Whenever you manage tenants’ accounts, especially if you have multiple tenants, you should never assign access to any individual user. This is because your staff may change over time, so as you need to add or remove certain administrators you can do this at the group level, instead of on each individual resource group. Not only does this provide centralized and simplified management at scale, but it also makes you look better to your tenants as they are not seeing your company’s turnover.

Steps for the user groups and service principals are described below. First, you must select the Azure subscription to work in, which is done using the following PowerShell cmdlet (the placeholder is the subscription ID collected in Step 1):
PS C:\> Select-AzSubscription -SubscriptionId '<subscription-id>'

Step 2) Create Azure AD User Groups and Define Permissions

Configuration for AAD user groups is fairly easy. It requires creating a new group for each role or task and then adding the appropriate administrators. You will then assign the type of administrative role that that group has from the 70+ Azure user roles. You should also use a friendly name to help you and your tenants understand what that resource group is used for.

Next, you will get the object ID and role definitions for each Azure AD group, which can be determined through the following PowerShell queries:

PS C:\> (Get-AzADGroup -DisplayName '').Id
PS C:\> (Get-AzRoleDefinition -Name '').Id
Instead of using Azure AD user groups for user account access, you can create an Azure service principal for application access.

Or: Step 2b) Create Service Principals and Define Permissions

An Azure service principal is an alternative type of identity used for tools, services, and applications to provide role-based access control (RBAC) rather than user accounts. It only supports a subset of the Azure roles to restrict a single application from having too much control. 

Also, you should pick the role which provides the minimum access that your staff needs. You want to ensure that you do not request more than is necessary, as potential clients could view this negatively, and you may get the perception of not being trustworthy.

You will also need to know the object ID and role definition ID for each Azure service principal, which can be determined through the following PowerShell queries. Note that the principal ID Lighthouse expects is the object ID of the service principal (the enterprise application), not the object ID of the app registration, so the query goes through Get-AzADServicePrincipal:
PS C:\> (Get-AzADServicePrincipal -DisplayName '').Id
PS C:\> (Get-AzRoleDefinition -Name '').Id
Whenever you manage tenants’ accounts, especially if you have multiple tenants, Microsoft recommends:

“using Azure AD user groups for each role, allowing you to add or remove individual users to the group rather than assigning permissions directly to that user. You may also want to assign roles to a service principal. Be sure to follow the principle of least privilege so that users only have the permissions needed to complete their job, helping to reduce the chance of inadvertent errors.”
For more info, see Recommended security practices.

Step 3) Create an Azure Resource Manager (ARM) Template

An ARM template lets administrators deploy an Azure-managed resource or resource group the exact same way every time. The template provides the framework to ensure consistency, which is critical so that you can automate and scale the management of this resource across multiple tenants. Your ARM template should include the following fields:
  • MSPName: This is your service provider name
  • MSPOfferDescription: This is a short description of your offer
  • ManagedByTenantID: This is the ID of your tenant
  • Authorizations: This describes the access needed, which can include:
    • RoleDefinitionID: This is the level of access needed for the resource template
    • PrincipalID: This is the ID of either your Azure group or your Azure service principal
    • PrincipalDisplayName: This is the display name which your tenants see for your Azure group or Azure service principal
Since ARM templates can be tricky to create for inexperienced service providers, Microsoft provides code samples for different scenarios, each consisting of a template file and a parameter file. Here are the samples to onboard:
  • Subscription (through the Azure Marketplace)
    • Template: MarketplaceDelegatedResourceManagement.json
    • Parameter file: MarketplaceDelegatedResourceManagement.parameters.json
  • Subscription (without the Azure Marketplace)
    • Template: DelegatedResourceManagement.json
    • Parameter file: DelegatedResourceManagement.parameters.json
  • Resource Group
    • Template: RGDelegatedResourceManagement.json
    • Parameter file: RGDelegatedResourceManagement.parameters.json
  • Multiple Resource Groups in a Subscription
    • Template: MultipleRgDelegatedResourceManagement.json
    • Parameter file: MultipleRgDelegatedResourceManagement.parameters.json

Step 4) Deploy an Azure Resource Manager (ARM) Template

The hardest step is usually deploying the ARM template within the customer’s environment because either the MSP needs to do it on the tenant’s behalf or the tenant must grant the MSP the correct permissions. And since a Guest account cannot be used, it makes it tougher for a novice customer. Every subscription needs a separate deployment. However, you can do this in a single deployment if you have multiple resource groups within a single subscription. Once the correct permissions are configured, the following PowerShell cmdlets can be used for a remote deployment:

PS C:\> New-AzDeployment -Name <DeploymentName> `
    -TemplateUri <TemplateUri> `
    -TemplateParameterUri <ParameterFileUri> `
    -Location <AzureRegion>

Step 5) Confirm Successful Onboarding for Both Parties

Now that the ARM template has been deployed, testing that the MSP can effectively manage it within the tenant’s environment is important. The MSP and the tenant should be able to see the connected subscription and ARM resources. After the template has been initially deployed, it could take a few minutes to appear while the portal refreshes.

The tenant can see the connected service(s) by navigating to the Service Providers Page, selecting Service Providers Offers, and seeing the subscription(s) with the correct offer name.

As the MSP, you can see this by going to the My Customers page, clicking on Customers, and verifying that you can see the tenant’s subscription(s).
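As an added example that is not code from this article or from Microsoft, the following PowerShell script strings Steps 2 to 5 together for one customer subscription, building the ARM template in memory in the layout of Microsoft’s DelegatedResourceManagement.json sample rather than downloading it. The group names, offer name, region and the assumption that you sign in once to the MSP tenant and once to the customer tenant are placeholders of this example.

```powershell
# Added example, not the article's or Microsoft's own code: Steps 2 to 5 for one
# customer subscription. Assumptions (placeholders): Azure AD groups 'LH-Contributors'
# and 'LH-Readers' exist in the MSP tenant; the Step 4 sign-in is a member account of
# the customer tenant that can create role assignments; Az.Accounts, Az.Resources and
# Az.ManagedServices are installed.
param(
    [Parameter(Mandatory)] [string] $MspTenantId,            # Step 1: MSP tenant ID
    [Parameter(Mandatory)] [string] $CustomerSubscriptionId, # Step 1: customer subscription
    [string] $OfferName        = 'Contoso MSP - Managed Azure',  # constructed sample value
    [string] $OfferDescription = 'Monitoring and patching of delegated resources',
    [string] $Location         = 'eastus'
)

# Step 2: map each MSP group to the least-privileged built-in role it needs.
$roleMap = @{ 'LH-Contributors' = 'Contributor'; 'LH-Readers' = 'Reader' }

# Resolve group object IDs and role definition IDs while signed in to the MSP tenant.
Connect-AzAccount -TenantId $MspTenantId | Out-Null
$authorizations = foreach ($groupName in $roleMap.Keys) {
    $group = Get-AzADGroup -DisplayName $groupName
    $role  = Get-AzRoleDefinition -Name $roleMap[$groupName]
    if (-not $group -or -not $role) { throw "Group '$groupName' or its role was not found" }
    # Owner cannot be delegated through Lighthouse; fail early rather than at deployment.
    if ($role.Name -eq 'Owner') { throw "Refusing to delegate Owner to '$groupName'" }
    @{
        principalId            = $group.Id
        principalIdDisplayName = $groupName   # the name the customer sees in the portal
        roleDefinitionId       = $role.Id
    }
}

# Step 3: the ARM template as an in-memory hashtable, following the layout of Microsoft's
# DelegatedResourceManagement.json sample: a registrationDefinition that describes the
# offer and a registrationAssignment that binds it to the customer subscription.
$regId = "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('regName'))]"
$template = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    parameters     = @{
        mspOfferName        = @{ type = 'string' }
        mspOfferDescription = @{ type = 'string' }
        managedByTenantId   = @{ type = 'string' }
        authorizations      = @{ type = 'array' }
    }
    variables      = @{ regName = "[guid(parameters('mspOfferName'))]" }
    resources      = @(
        @{
            type       = 'Microsoft.ManagedServices/registrationDefinitions'
            apiVersion = '2019-06-01'
            name       = "[variables('regName')]"
            properties = @{
                registrationDefinitionName = "[parameters('mspOfferName')]"
                description                = "[parameters('mspOfferDescription')]"
                managedByTenantId          = "[parameters('managedByTenantId')]"
                authorizations             = "[parameters('authorizations')]"
            }
        },
        @{
            type       = 'Microsoft.ManagedServices/registrationAssignments'
            apiVersion = '2019-06-01'
            name       = "[variables('regName')]"
            dependsOn  = @($regId)
            properties = @{ registrationDefinitionId = $regId }
        }
    )
}

# Step 4: deploy at subscription scope while signed in to the customer tenant.
Connect-AzAccount -SubscriptionId $CustomerSubscriptionId | Out-Null
$deployment = New-AzDeployment -Name 'LighthouseOnboarding' -Location $Location `
    -TemplateObject $template -TemplateParameterObject @{
        mspOfferName        = $OfferName
        mspOfferDescription = $OfferDescription
        managedByTenantId   = $MspTenantId
        authorizations      = @($authorizations)
    }
if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Onboarding deployment ended in state '$($deployment.ProvisioningState)'"
}

# Step 5 (customer side): the delegation now shows up as a registration assignment.
Get-AzManagedServicesAssignment -Scope "/subscriptions/$CustomerSubscriptionId" | Format-List
```

The MSP-side check remains the My Customers page described above; the final cmdlet is the scripted equivalent of the tenant’s Service Providers page.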

Using these steps, you will have successfully onboarded a tenant by knowing the security identifiers, creating the appropriate security groups, creating an ARM template, deploying the template, and verifying that both parties can see it. Remember that when doing this at scale, consistency is critical so that the same ongoing management processes and scripts can be replicated on identical templates. 

Remember that with Azure Lighthouse, one of your greatest assets is the operational efficiency you can achieve through consistent global management. So, if you change your template after deploying it for several tenants, be sure to update their versions so that every template in production is identical to avoid any challenges with version control. With the steps you have learned, you can streamline deployment and management for all of your Azure Lighthouse tenants.