
Charles Joy, Michael Greene

Leveraging Service Management Automation and Windows PowerShell JEA in Service Provider Operations CDP-B313

intro & expectations

Contoso
• Provider of online services (PaaS, IaaS)
• Operators perform daily tasks across tenant environments
• Concerned about someone malicious hijacking an Operator’s account

Story CONTOSO

Provider: Contoso, hosting the environment

Operator: Contoso employee, accountable for provider SOPs

Tenant: Customer of online services

Personas CONTOSO

Service Providers, or Enterprises acting like Service Providers, have environments they would like to protect

Service environments include applications

JEA provides a method to operate a system without direct admin privilege

JEA uses highly managed machine local accounts

Applications don’t always use machine local accounts

Background and Problem Statement

Goal Enable application Operator tasks without granting user access or administrative privilege.

Scope Service Management Automation (SMA) Multi-Tier Service leveraging contextual wrapper functions in PowerShell Just Enough Administration (JEA) sessions.

Solution Goal / Scope

The experience needed to create, configure, modify and support these artifacts is 300-level (advanced) and covers the following:

SMA Runbook creation/modification (PowerShell Workflow)

PowerShell module creation/modification

PowerShell constrained endpoint creation/modification

PowerShell JEA endpoint authoring (Just Enough Administration)

Technology Experience Level Requirements

demo

Performing operator tasks (create servers within a tenant environment)

the technology

Solution Components

SMA = Automation

JEA = Constrained Admin

SMA currently available (ships on Orchestrator media)

JEA currently experimental and requires WMF5

SMA v.Next is designed to run on Windows Server v.Next (WMF5)

Start testing today:

SMA + WMF4 and PowerShell constrained endpoints in NoLanguage mode

Build modules, test experience

SMA Preview when available on Windows Server Preview

technology timeline
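As an added example (not from the session deck or from the JEA toolkit), this is what the "start testing today" path looks like on WMF4: a session configuration file in NoLanguage mode with the RestrictedRemoteServer session type, registered with a RunAs credential so an operator connecting through PowerShell Web Access never holds the privileged account. The module name Contoso.TenantTasks, the function names, the endpoint name Contoso.TenantOps, the host MGMT1-SMA01 and the service account are placeholders.

```powershell
# Added example: a WMF4-compatible constrained endpoint in NoLanguage mode.
# Placeholders: module 'Contoso.TenantTasks' (installed under
# C:\Program Files\WindowsPowerShell\Modules on the endpoint host),
# endpoint 'Contoso.TenantOps', RunAs account 'CONTOSO\svc-tenantops',
# host 'MGMT1-SMA01'.

$pssc = Join-Path $env:ProgramData 'Contoso\TenantOps.pssc'
New-Item -ItemType Directory -Path (Split-Path $pssc) -Force | Out-Null

$configFile = @{
    Path             = $pssc
    Author           = 'Contoso Provider Engineering'
    Description      = 'Operator tasks surfaced as wrapper functions; no direct cmdlets'
    # RestrictedRemoteServer exposes only the proxy cmdlets remoting needs
    # (Get-Command, Get-Help, Select-Object, Measure-Object, Out-Default,
    # Get-FormatData, Exit-PSSession) plus whatever is made visible below.
    SessionType      = 'RestrictedRemoteServer'
    # NoLanguage: operators may invoke visible commands but cannot use
    # variables, script blocks, operators or any other language element.
    LanguageMode     = 'NoLanguage'
    ExecutionPolicy  = 'Restricted'
    ModulesToImport  = 'Contoso.TenantTasks'
    # Only the wrapper functions are visible; the SMA cmdlets the module
    # calls internally (Start-SmaRunbook, Get-SmaJob, ...) stay hidden.
    VisibleFunctions = 'New-TenantServer', 'Get-TenantJobStatus'
}
New-PSSessionConfigurationFile @configFile

# Validate the file before registering it; returns $false on a bad file.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration file: $pssc"
}

# The RunAs account is the only identity that holds SMA rights. Operators
# authenticate (and are audited) as themselves; commands run as this account.
$runAs = Get-Credential -UserName 'CONTOSO\svc-tenantops' -Message 'RunAs account for the endpoint'

Register-PSSessionConfiguration -Name 'Contoso.TenantOps' -Path $pssc `
    -RunAsCredential $runAs -AccessMode Remote -Force

# Grant Invoke only to the operators group. The interactive ACL editor is
# used here; -SecurityDescriptorSddl can carry the same ACL in automation.
Set-PSSessionConfiguration -Name 'Contoso.TenantOps' -ShowSecurityDescriptorUI -Force

# Operator-side check (from PSWA or any client): Get-Command lists only the
# two wrapper functions plus the proxy cmdlets; any other command is reported
# as not recognized, and a language element such as $env:COMPUTERNAME is
# rejected by NoLanguage mode.
$s = New-PSSession -ComputerName 'MGMT1-SMA01' -ConfigurationName 'Contoso.TenantOps'
Invoke-Command -Session $s -ScriptBlock { Get-Command } | Select-Object Name, CommandType
Invoke-Command -Session $s -ScriptBlock { New-TenantServer -Tenant CUS1 -ServerName web01 -Size Small }
Remove-PSSession $s
```

With WMF5 the stored RunAs credential goes away: the .pssc gains RunAsVirtualAccount and RoleDefinitions, which is what the deck means by "JEA currently experimental and requires WMF5"; the NoLanguage, RestrictedRemoteServer and visible-function settings carry over unchanged.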

the scenario

tenant automation design flow

Diagram (labels only): PowerShell Web Access, PowerShell JEA, Management Pod(s), SMA Servers, Tenant 1, Tenant 2, Tenant 3. The operator enters through PowerShell Web Access into a PowerShell JEA session in the management pod; SMA servers drive the tenant environments.

SMA design

Everything within the solution is “in box”
Web Service Endpoints are leveraged heavily for SMA-to-SMA communication
All Runbook Invocation and Distribution handled automatically

Diagram (component labels only): CENCOM with CenCom-DC01 and CenCom-DC02; management pods MGMT1 (MGMT1-DC01, MGMT1-DC02, MGMT1-SMA01, MGMT1-SQL01) and MGMT2 (MGMT2-DC01, MGMT2-DC02, MGMT2-SMA01, MGMT2-SQL01); PKI Certification Authority CA01; tenants CUS1, CUS2, CUS3 and CUS4, each with two domain controllers (CUSn-DC01, CUSn-DC02) and a dedicated SMA instance (CUS1-SMA01, CUS2-SMA01, CUS3-SMA01, CUS4-SMA01). SMA roles shown: Runbook Server Worker, Web Service, SMA DB (one per SMA instance), DW; Operator Console Portal (PSWA) appears twice; PowerShell module; CONTOSO.

the solution

SMA Multi-Tier Architecture

Scale | SMA for automation across a large, complex service provider environment

Deploy | Modular SMA Runbooks to run in the management environment that synchronize a “gold standard” sub-set of tenant specific SMA Runbooks stored in the management environment across all tenant SMA instances, with granularity of distribution per tenant based on tags

Invoke | Management environment utilizes “invoker” SMA Runbook to connect with tenant SMA instances using RunAs accounts and drive tasks within the tenant forest

Manage | Utilize “SMART” solution concept from Building Clouds blog to load SMA Runbooks from TFS

Operate - PowerShell JEA, executed from PSWA

SMA Three-Tier Model: Point of administration driven by PowerShell

Management pod SMA/WAP for Runbook authoring and central control over range of tenants

Each tenant environment has a dedicated instance of SMA for run space isolation

Operator Experience

Model a PowerShell wrapper for the SMA cmdlets that surfaces SMA Runbooks with easily understood task names
PowerShell wrapper also provides real-time feedback from SMA to display status of runbook execution
PowerShell Web Access enabled so that Operators can work from anywhere, on any device
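An added example (not the session's own module) of the wrapper described on this slide: an operator module that exposes task-named functions, validates the only input operators control, starts the SMA runbook with the SMA cmdlets (Start-SmaRunbook, Get-SmaJob, Get-SmaJobOutput) and relays job status back as progress while the runbook runs. The module name, the web service URL and port, the runbook name and the tenant list are placeholders.

```powershell
# Contoso.TenantTasks.psm1 (added example). Placeholders: module, runbook and
# tenant names; the SMA web service URL is an assumption. Port 9090 is the
# SMA default. Requires the SMA PowerShell module on the endpoint host.

$script:SmaEndpoint = 'https://MGMT1-SMA01'
$script:SmaPort     = 9090

# Operator-facing task name -> SMA runbook that implements it. This table is
# the allow-list: the endpoint exposes only these functions, and the functions
# start only the runbooks listed here, so an operator can never name an
# arbitrary runbook or reach Start-SmaRunbook directly.
$script:TaskCatalog = @{
    'New-TenantServer' = 'Invoke-TenantServerCreate'   # placeholder runbook name
}

function Get-SmaStreamText {
    # Return the text records of one named stream of a job.
    param([Parameter(Mandatory)][guid]$JobId,
          [Parameter(Mandatory)][ValidateSet('Output', 'Error', 'Warning', 'Verbose', 'Progress')][string]$Stream)
    Get-SmaJobOutput -WebServiceEndpoint $script:SmaEndpoint -Port $script:SmaPort -Id $JobId -Stream $Stream |
        ForEach-Object { $_.StreamText }
}

function Wait-SmaJob {
    # Poll until the job reaches a terminal state, relaying status to the
    # operator as progress. Returns the final job record.
    param([Parameter(Mandatory)][guid]$JobId,
          [int]$PollSeconds = 5,
          [int]$TimeoutMinutes = 60)
    $terminal = 'Completed', 'Failed', 'Stopped', 'Suspended'
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ($true) {
        $job = Get-SmaJob -WebServiceEndpoint $script:SmaEndpoint -Port $script:SmaPort -Id $JobId
        Write-Progress -Activity "SMA job $JobId" -Status $job.JobStatus
        if ($job.JobStatus -in $terminal) { return $job }
        if ((Get-Date) -gt $deadline) {
            throw "SMA job $JobId did not finish within $TimeoutMinutes minutes (last status: $($job.JobStatus))"
        }
        Start-Sleep -Seconds $PollSeconds
    }
}

function New-TenantServer {
    <#
    .SYNOPSIS
    Create a server inside a tenant environment via the tenant automation runbook.
    #>
    [CmdletBinding()]
    param(
        # Tight validation matters here: in the NoLanguage endpoint these
        # parameters are the only input an operator controls.
        [Parameter(Mandatory)][ValidateSet('CUS1', 'CUS2', 'CUS3', 'CUS4')][string]$Tenant,
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z][A-Za-z0-9-]{0,14}$')][string]$ServerName,
        [ValidateSet('Small', 'Medium', 'Large')][string]$Size = 'Small'
    )
    $runbook = $script:TaskCatalog['New-TenantServer']
    $jobId = Start-SmaRunbook -WebServiceEndpoint $script:SmaEndpoint -Port $script:SmaPort `
        -Name $runbook -Parameters @{ Tenant = $Tenant; ServerName = $ServerName; Size = $Size }
    Write-Verbose "Started runbook '$runbook' for $Tenant as job $jobId"

    $job = Wait-SmaJob -JobId $jobId
    if ($job.JobStatus -ne 'Completed') {
        $errors = Get-SmaStreamText -JobId $jobId -Stream Error
        throw "Runbook '$runbook' ended with status $($job.JobStatus): $($errors -join '; ')"
    }
    # Runbook output (for example the new server's name and IP) is what the
    # operator sees; the SMA job itself stays behind the wrapper.
    Get-SmaStreamText -JobId $jobId -Stream Output
}

function Get-TenantJobStatus {
    # Lets an operator check a long-running task later without any SMA rights.
    [CmdletBinding()]
    param([Parameter(Mandatory)][guid]$JobId)
    Get-SmaJob -WebServiceEndpoint $script:SmaEndpoint -Port $script:SmaPort -Id $JobId |
        Select-Object JobId, JobStatus, StartTime, EndTime
}

Export-ModuleMember -Function New-TenantServer, Get-TenantJobStatus
```

The module itself runs with full language inside the session, so it can call the SMA cmdlets freely; what the operator gets is two validated verbs, the runbook's status as it changes, and its output or error stream at the end. Because the endpoint runs under the RunAs account, the SMA web service sees that account for every job, and the operator's own identity is recorded by WinRM on the endpoint.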


demo

SMA Multi-tier Runbook Invocation

Customer Feedback

This is the platform we will be on in the future.

This is a point in time where we need to future-proof our designs.

Our people are accustomed to traditional administration but if we are to succeed as a service provider at scale, they will learn to leverage PowerShell for daily work effort.

Breakout Sessions

CDP-B336 In-Depth Introduction to Service Management Automation

CDP-B415 JEA: A PowerShell Toolkit to Secure a Post-Snowden World

CDP-B344 Introduction to the New Microsoft Azure Automation Service

CDP-B357 Windows PowerShell Unplugged with Jeffrey Snover

CDP-B360 An Overview of Windows PowerShell Desired State Configuration

Related content

Find Me Later At... http://aka.ms/BuildingClouds and @OrchestratorGuy / @Building_Clouds

Building Clouds Blog - http://aka.ms/BuildingClouds

PowerShell.org - http://powershell.org

@jsnover - https://twitter.com/jsnover

Windows PowerShell Blog - http://blogs.msdn.com/b/powershell

Azure Automation - http://azure.microsoft.com/blog/tag/azure-automation

System Center Orchestrator Engineering Blog - http://blogs.technet.com/b/orchestrator

Track resources

Learning: Microsoft Certification & Training Resources - www.microsoft.com/learning

Developer Network - http://developer.microsoft.com

TechNet: Resources for IT Professionals - http://microsoft.com/technet

Sessions on Demand - http://channel9.msdn.com/Events/TechEd

Come visit us in the Microsoft Solutions Experience (MSE)! Look for the Cloud and Datacenter Platform area, TechExpo Hall 7

For more information

Windows Server Technical Preview - http://technet.microsoft.com/library/dn765472.aspx

Microsoft Azure - http://azure.microsoft.com/en-us/

System Center Technical Preview - http://technet.microsoft.com/en-us/library/hh546785.aspx

Azure Pack - http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack

Closing slides: Azure training and certification offers at TechEd Europe 2014 (MOC 10979, 20532, 20533; exams 532, 533, 534; http://bit.ly/Azure-Cert, http://bit.ly/Azure-MVA, http://bit.ly/Azure-Train, http://bit.ly/TechEd-CertDeal) and session evaluation instructions (europe.msteched.com/catalog).

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

