Aldo Zanoni, CEOServiceControl, Inc.

Hybrid Identity Made Simple

aldo@servicecontrol.comwww.servicecontrol.com

Why the Cloud represents the future

The Microsoft Cloud has reached a tipping point. Customers are moving to the cloud at a record pace, resulting in nearly 120,000 MS Azure subscriptions every month.

According to Gartner, 50% of enterprises will use Hybrid Cloud by 2017.

According to a new IDC study, partners with more than half their revenues in the cloud are growing twice as fast, realizing 1.5 times gross profits, and experiencing 1.8 times more recurring revenues than those with less than 50% of their revenues in the cloud.

We’re in the golden era of cloud application services.

- Satya NadellaMicrosoft CEO

Microsoft’s WPC 2016 message summary to partnersPartners must find ways to transition from a break/fix model to delivering scalable, long-term managed services for their cloud and legacy customers.

Agility is the key to survival. Transition or be left behind in the cloud dust and become tomorrow’s dinosaurs!

Secure your position in the digital transformation. Become your customer’s trusted Managed Service Partner by providing innovative solutions to your customer’s new challenges.

The biggest MSP challenge: COMPLEXITY

The tools and scripts we have don’t allow us to create and manage user accounts, application access, self-service and workflow across our customer’s new cloud services and existing systems.

We need to login to different admin apps on different systems with different credentials to manage identities for multiple Azure AD, AD on-premises, HR, CRM, ERP, email systems, and other applications.

Each of these admin apps is complex, require administrator permissions, and extensive training.

My systems administrators are not developers. They can’t create and manage PowerShell scripts.

Customers are looking for:

Lower costs and simplicity: Reduce the amount of training required for users to perform simple tasks across multiple systems.

Better security: Delegate role-based management tasks more securely.

Business Process automation: Improve business processes and efficiency with built-in integrated and advanced workflow.

Single point of management: Create, manage, and audit user accounts across multiple services from a single, easy-to-use portal.

MSPs value ServiceControl for its…

Simplicity

Security

Scalability

Speed of deployment

Savings and immediate return on investment

Cloud based systems

On-premises systems

Directories

Email systems

Line of Business applications

CRM & ERP systems

Service multiple customers, across multiple systems - from a single browser

TM

Why ServiceControl?Highly scalable private cloud or on-premises implementation.

Connects to your customer’s services and infrastructure with minimal changes.

Remote installation and configuration services ensure that your team is up and running quickly.

Securely designate highly technical tasks to non-technical team members.

Remove IT and high-tech applications from being a bottleneck. Allow your customer’s teams to focus on high-priority, revenue-generating projects.

Cloud based systems

On-premises systems

Directories

Email systems

Line of Business applications

CRM & ERP systems

ServiceControl helps us deliver secure, simple, and better delegated management across our customer’s multiple systems and applications.

ServiceControl’s integrated workflow and business workflow automation deliver immediate value to all stakeholders.

011001

011010

0011010101010Hybrid Cloud with ServiceControl

Modern Cloud Services Automation Platform

W O R K F L O W E N G I N E

ServiceControlfor Office 365

ServiceControlPortal

P R E - B U I LT C O N N E C T O R S F O R L E A D I N G C L O U D S E R V I C E S A N D O N - P R E M I S E S

A P P L I C A T I O N S

P O W E R S H E L L , W C F , S O A P , R E S T A N D P R O P R I E T A R Y A P I s

P A R T N E R A N D T H I R D - P A R T Y C L O U D S E R V I C E S , L O B , A N D

O N - P R E M I S E S A P P L I C A T I O N S

011001

011010

0011010101010Hybrid Cloud with ServiceControl

Skype-for-Business Lync 2013Azure AD

Exchange Online

GroupWise 2014 and 8

Exchange 2016, 2013 and 2010

Cloud Services and Applications Connectors: On-Premises Applications Connectors:

Office 365

ActiveDirectoryeDirectoryOpenLDAPOthers

SAP ERPOraclePeopleSoftOthersGoogle Apps

Microsoft Terminal ServicesHome Directory Servers

Virtual Desktop Infrastructure

Site-to-Site VPNand

Express Route

ON-PREMISESVIRTUAL NETWORK (VNET)

Exchange Server 2016/2013/2010

Lync Server 2013

GroupWise 2014/8

Active Directory, eDirectory, OpenLDAP

Office 365

Remote Agents (Connectors)

Exchange Online

Skype for Business

Azure AD

Example of ServiceControl deployment on Azure Cloud

ServiceControl + Workflow Engine

Site-to-Site VPNand

Express Route

ON-PREMISESVIRTUAL NETWORK (VNET)

Exchange Server 2016/2013/2010

Lync Server 2013

GroupWise 2014/8

Active Directory, eDirectory, OpenLDAP

Office 365

Remote Agents (Connectors)

Exchange Online

Skype for Business

Azure AD

Example of ServiceControl deployment on Azure Cloud

ServiceControl + Workflow Engine

Full support for Azure Service Bus for secure, transparent, behind the firewall communication between ServiceControl and on-premises applications.

Demonstration infrastructure

Remote Agent Server - IIS configuration (sample)

GetUserById()

CreateNewUser()

User Principal NameUser License Profile

User Location

SetUserLicense()

correct licenses?

user exist?

0

12). Create user (skip if will be created by DirSync)

3). Assign ‘Usage Location’

4). Set user attributes5). Check licensing profile

1). Try to get user

6). Assign licenses if necessary

CreateUser() method

2). n/a

3). Assign ‘Usage Location’

4). Set user attributes

5). Check licensing profile

1). Try to get user

6). Assign licenses if necessary

EnableUser() method

2). Remove user licenses

3). Delete user object

1). Try to get user

DeleteUser() method

2). Remove user licenses

1). Try to get user

DisableUser() method

wait for DirSync 1

ServiceControl: License-aware user account management

0

01

0

Create Provisioning

De-provisioning

With ServiceControl, you’re in control

Cloud SaaSOn-premises ServiceControl Platform

Manage SaaS and On-premises

Accounts

Licensing

Group Membership

Access Rights

Applications

Self-service Audit Audit Report

Lifecycle Report

Workflows

Azure ADOffice 365

Publiccloud

Partner SaaS Apps

Other Directories

Microsoft AzureLeverage Microsoft Single Sign-on and Azure’s 2400+ Pre-integrated SaaS apps.

Connect and Manage Azure AD and/or on-premises AD.

Manage web apps via Application Proxy and custom apps through a rich standards-based platform. Web Apps

SaaS apps

Leveraging Azure AD and Microsoft Cloud PlatformMultiple directories and SaaS apps in the Cloud

(Azure Active DirectoryApplication Proxy)

Integrated custom apps

Other Directories

Partner LoB Solutions and Services – on-premises, cloud or hybrid solutions.

Cloud Identities - identities that exist solely in the cloud.

Synchronized Identities - identities that exist on-premises and in the cloud.

Federated Identities - identities that exist on-premises and in the cloud.

Integrate your partner solution with Microsoft Azure Cloud hybrid identities

Use ServiceControl to Manage and Integrate

Comprehensive identity and access management console.

Centralized and delegated administration and management for on-premises and cloud-based applications and services.

Centrally manage multiple customers’ accounts and application access

Service Team and Non-Technical Staff

IT professional

Azure and Application Management Portals

Partner SaaS apps

ServiceControl platform modules

ServiceControl: CreateSimplify account creation across multiple systems

Azure Active Directory

Active Directory

eDirectory

Open LDAP

3rd party systems through connectors (SQL, REST, SOAP)

Office 365 Exchange Online, Exchange on premise, GroupWise

ServiceControl: Create

ServiceControl: ManageDelegate tasks across multiple systems

Active DirectoryAzure Active DirectoryOpen LDAP3rd party systems (SQL, REST, SOAP)Account status (enabling/disabling)Lock/unlock accountsSecurity and Distribution Group Membership Account update (demographic attributes)

Task Authority: Defines which service desk users can carry out which tasks.

Search Authority: Defines with which systems, OUs, groups, users, or applications tasks can be carried out.

ServiceControl: Manage

ServiceControl: Self-ServiceEmpower end-users

Forgot password (password reset)

Distribution group membership

Auto-enroll/subscription

Request vacation/time off

ServiceControl: Self-Service

ServiceControl: AuditImprove compliance

Audit reports

Lifecycle reports

Write audit data to SQL for enterprise reporting and billing

ServiceControl: Audit

ServiceControl: WorkflowProcess Automation

Approvals

Notifications

Custom Business Processes

Connectors to cloud services, on-premisesweb services, LOB applications and externalworkflows

ServiceControl: Workflow Designer

ServiceControl: Workflow Engine Administration UI

ServiceControl: Office 365 App Launcher

ServiceControl roadmap (partner- and customer-driven)

Document AccessRights Management

(RMS)

Device Management

Privileged Identity Management

More Connectors:Salesforce, Dynamics,

Marketo

Dynamic and Universal Groups

VDI and Remote Apps

Partner Solutions

In Summary: ServiceControl Differentiators

Workflow Integration across multiple systems

Workflow-enabled user provisioning and manager

Hybrid Cloud user account management

Unified account management interface

Delegated authorization

ServiceControl as a Hybrid Cloud Identity hub

Workflow and Remote Action Framework (Secret Sauce)

How to partner with ServiceControl:

Schedule a demonstration and technical deep dive

Complete a mutual non-disclosure agreement

Submit a partner applicationhttp://www.servicecontrol.com/partnerapplication/

Schedule a needs analysis

Schedule a systems requirements review

Schedule 2-hour initial installation and configuration

ServiceControl Pricing

Contact us for pricing, or visit our website at:http://www.servicecontrol.com/pricing/

Partner programs

Value Added Resellers (VARs)Strategic Alliance PartnersManaged Service Providers

Visit our website at:http://www.servicecontrol.com/partners/

Frequently asked technical questions

Q: What is the unique value of the ServiceControl Business Process Automation Platform in comparison with other workflow and SaaS integration platforms?

• BizTalk• Amazon Simple Workflows, • Nintex workflows• SharePoint workflows• Microsoft App Service Logic Apps• Microsoft Flows• Others: MuleSoft, SnapLogic, IFTTT, Zapier, etc.

A: Indeed, ServiceControl Business Process Automation Platform is, in fact, just another SaaS integration platform.

• Similar to SharePoint and Dynamics CRM workflows, ServiceControl is based on Microsoft Workflow Foundation. • Similar to Microsoft App Service Logic Apps, ServiceControl uses Swagger metadata to connect to REST services.• Similar to BizTalk, ServiceControl uses WSDL metadata to connect to SOAP/WCF services.• Similar to Amazon Simple Workflows and Nintex, ServiceControl can be hosted in the AWS cloud.• Similar to MuleSoft, SnapLogic, IFTTT, Zapier and others, ServiceControl uses pre-built and custom remote agents to connect to many

SaaS services.• Similar to Microsoft Flows, ServiceControl can be hosted on Azure Cloud and leverage Azure Service Bus.

What makes ServiceControl different and unique is that the ServiceControl Automation Platform is designed with a focus on identity and access management. This requires field-specific access and focus which is perhaps not the center of attention of other platforms.

For example:

• ServiceControl has to audit, profile and be able to report on every execution step . It needs to keep a secure record of every service request/response, exception, email or approval action.

• ServiceControl has to connect dissimilar services in a single orchestration. In our practice, we have to deal with PowerShell, SOAP web services, REST services, SQL and other proprietary APIs, sometimes all in the context of a single workflow. We have to work with 64-bit and 32-bit SDKs which cannot be installed on the same box. This is why we have chosen an indirect way to invoke API calls via connectors (remote agents) that run on independent VMs, not directly via coding workflow activities against the API.

• ServiceControl needs to use management APIs, not content APIs. Most connectors on the market today are concern with content • management or content integration. Our connectors are mostly concern with identity and access management. These are typically packaged

in separate API sets. • We have to compensate for the shortcomings of PowerShell APIs. Most management APIs are usually PowerShell-based. This means there

are extra dependencies on other components, multi-threading and scalability issues, incomplete metadata, and other issues.

Frequently asked technical questions

Q: Why not just use PowerShell, which is Microsoft’s de-facto standard for automation and management? After all, PowerShell is used by System Center runbooks and has many attractive features like:

• PowerShell remoting• PowerShell workflows• PowerShell Desirable State Configuration (DSC)• PowerShell Integrated Scripting Environment (ISE)• Ability to write custom modules

A: PowerShell, is a powerful tool for script and batch management of just about everything. But is it a good choice as the base technology for a business process automation platform? We do not think so because:

1. PowerShell is not a scalable server technology. WCF and REST are, but not PowerShell. • PowerShell was designed for desktop client that is run by a single sysadmin in interactive mode.• Typically, only 2-3 simultaneous remote sessions are allowed. • Remote sessions take long time to establish, they are easily become abandoned and blocking

entire channel.

2. PowerShell requires custom coding. • PowerShell assumes that sysadmin will become a programmer. They call it “scripting”, VB-like scripting with embedded

fragments of C# and descriptive language (in case of PS workflows and DSC). • Our goal is opposite, we want to avoid custom coding as much as possible, which minimize the mistake sysadmin can

make and significantly simplifies DevOps maintenance.

3. PowerShell does not provide complete metadata for proxy auto-generation.• In comparison with WSDL and Swagger, which are standard means of proxy auto-generation, PowerShell modules

are lacking this essential feature. Metadata can be partially retrieved for arguments, but not for return values or exceptions.

4. PowerShell development environment is too basic.• PowerShell Integrated Scripting Environment (ISE) is a standard tool on any Windows Server box. It is nice for a quick

and easy jobs, big improvement comparing with good old Command Prompt.• It is dwarf, however, in comparison with Visual Studio IDE, BizTalk orchestrator or SharePoint Designer.• Our approach to design tools is more close to the last two.

Frequently asked technical questions

Q: In some cases, like managing Lync 2013 or Skype for Business, PowerShell is the only management API available. How does ServiceControl help to avoid PowerShell programming in these scenarios?

Lync 2013 - Provides a Silverlight-based management portal with PowerShell support. No SDK or REST management APIs available for Lync.

A: ServiceControl’s connectors to Lync 2013, Skype for Business, Exchange Online, Azure AD and other systems that require PowerShell for management, do, of course, use PowerShell.

• Note that with ServiceControl, all technical complexity and the challenges of programming with PowerShell are hidden from you, encapsulated inside our own code that was created by experienced programmers.

• Each connector is a pluggable component that can be used in your business process orchestration. All complexity related to one or more PowerShell modules and cmdlets is encapsulated inside our connector.

• Connectors encapsulate, aggregate and expose PowerShell functionality in a new way via standard, ready-for-automation WCF and REST interfaces.

• To be used in workflows, these interfaces are turned into proxies that are used as workflows activities, the elementary building blocks of any workflow.

• So, instead of programming complexity with PowerShell, we implement the simple composition of activities into a workflow orchestration.

• At runtime, each workflow step will trigger an activity. The activity calls a proxy. The proxy calls a connector and the connector will invoke the PowerShell cmdlet(s).

Frequently asked technical questions

Q: Why not just use Azure AD, Exchange Online, Skype for Business and the standard web-based management portals provided by Microsoft?

A: There are a number of reasons:

• Not all management operations are available in management portals. Some requirePowerShell programming.

• Typically, IT processes/tasks involve operations on multiple cloud services, each managed from its own management portal. It is not very convenient for a sysadmin to jump from one portal to another just to accomplish one single task. For example, the CreateUser task may involve creating that user account in Azure AD, then in Exchange Online, and then in Skype for Business.This means that the system administration needs to be trained on and use three 3 different portals.

• Microsoft management portals only support operations on a one-at-a-time basis, e.g. single user account, single group, etc. Operations on multiple users, groups, accounts are usually not possible. Bulk importing and management operations are limited and not consistent across portals.

• Working with portals assumes manual interactive processes - no automation possible.

Frequently asked technical questions

Q: How can I manage my LOB applications that run behind a firewallin an on-premises data center?

A: ServiceControl’s Automation Platform has the ability to connect to servicesand LOB applications that are running behind a firewall.

Depending on the environment, various techniques can be used:

• Azure Virtual Network (VNET) and Site-to-Site connection• Azure Virtual Network (VNET) and Point-to-Site connection• Azure Virtual Network (VNET) and Express Route• Azure AD Application Proxy• Azure Service Bus (Relay Messaging)

Or, simply install the Azure custom connector behind your firewall. ServiceControl connectors have built-in support for Azure Service Bus Queues and Relay Messaging.

Frequently asked technical questions

Q: What is required to expose my custom cloud service or an on-premises LOB application to ServiceControl workflows?

A: Similar to SOA (service-oriented-architecture) requirements for web services, ServiceControl requires your service or LOB app to expose its functionality via a SOAP/WCF/REST web service.

To simplify the proxy auto-generation, the service should make its metadata accessible via WSDL or Swagger interfaces. Where this is not possible, the ServiceControl engineering team will help you to build/code the specific proxy.

Other questions?

sales@servicecontrol.comwww.servicecontrol.comhttp://kb.servicecontrol.com

Don’t get left behind in the Cloud dust!Build your MSP future with ServiceControl.

Aldo Zanoni, CEO408.675.5020 ext. 232aldo@servicecontrol.comwww.servicecontrol.com