Atea Public Cloud Operations · Microsoft Azure

One integrated operating model, not a menu.

Four interdependent capabilities, two governance perimeters, and consumption-based pricing that scales with the customer's Azure environment — hybrid included.

4 Interdependent capabilities
2 Governance perimeters
1 Team, start to steady state

[Diagram: Tenant Governance Perimeter and MOS. Labels: SLA-backed operations, visibility-only governance, ops-scope: in, ops-scope: out]

What is MPC

A structural redefinition, not an update

Managed Public Cloud moves from modular managed-operations to a single, integrated cloud operating model. Sell it as one defined service, not a menu.

Non-separability — the defining constraint

The four capabilities are not individually selectable, excludable, or priced separately. Every engagement includes all four. A customer asking for "just CloudOps" is asking for a service that does not exist in this catalogue.

| Dimension | Previous model | Managed Public Cloud |
|---|---|---|
| Architecture | Capabilities loosely defined and individually selectable | Four interdependent capabilities, always delivered together; DevOps is now a formal core capability |
| Governance | Scope set per deal; governance limited to the managed estate | TGP across the whole tenant; MOS for the SLA-backed estate |
| Commercial | Fixed fee plus a separate tenant governance charge | Consumption-based: Operational Fee with TGP bundled, flat 5% out-of-scope fee, per-node Arc fees |
| Security | Scope misunderstood; customers expected detection & response | SecOps is the posture baseline only; detection & response are delivered through SOC+ |
| Hybrid | Azure-focused; on-prem treated as an edge case | Hybrid is a core use case via Azure Arc, operated on parity with Azure-native resources |

02 — Capability stack

The four capabilities

CloudOps is the operational foundation; SecOps, FinOps, and DevOps build on top of it.

Cloud Operations

The operational management of the customer's Azure platform — the foundation every other capability builds on. Tooling: Azure Monitor, Log Analytics, Update Manager, Azure Backup, Azure Policy, ServiceNow.

  • Continuous monitoring and observability of platform and operational health
  • Incident detection, triage, and resolution against SLA across all managed services
  • Change and request management on the ITIL framework, anchored by the Standard Change Register
  • Patch management, backup and recovery, resource lifecycle support within MOS
  • Tenant and subscription governance; RBAC posture assessment and target-state advisory
  • Operation of Arc-enabled on-premises resources within MOS on parity with Azure-native resources
Scope boundary. CloudOps operates resources Atea has access to and that sit within MOS. Out-of-scope subscriptions receive TGP visibility only. Underlying on-premises infrastructure (hypervisor, storage, network, site) remains the customer's responsibility.

Security Operations

The security baseline discipline — built entirely on Microsoft Defender for Cloud. It establishes and continuously maintains the security posture against which the environment is measured. It is not a Security Operations Centre.

  • Cloud Security Posture Management (CSPM) and Secure Score governance
  • Misconfiguration detection and remediation surfacing; hardening against MCSB
  • Identity hygiene: privileged access review, Conditional Access review, service-principal hygiene
  • Policy and compliance posture mapping against MCSB, NIS2, ISO 27001, CIS, DORA-relevant controls
  • Reporting is observational — certification remains the customer's responsibility
The SOC question — read before every security conversation. SecOps surfaces posture findings; it does not triage them. Threat detection, SIEM analytics, alert triage, automated containment, and incident response are delivered through the separate SOC+ service. Set this boundary before showing the capability list, not after.

Financial Operations

Cost governance and financial control built on Azure Cost Management and Azure Advisor. A governance and advisory function: understand what is spent, where, and whether it is within agreed boundaries.

  • Cost visibility and monthly cost reporting across the full tenant
  • Subscription budgets, spending alerts, and anomaly response within MOS
  • Tagging governance enforced via Azure Policy within MOS; out-of-scope gaps surfaced as unallocated cost lines
  • Azure Advisor cost advisory plus execution of low-risk, in-catalogue optimisation changes
  • Commitment planning advisory (Reserved Instances, Savings Plans); showback/chargeback on T&M
Scope boundary. FinOps does not deliver a structured optimisation programme. Right-sizing analysis, workload rearchitecting, or reservation-portfolio management are referred to Atea Cloud Economics (Professional Services).

Development Operations

A platform-team role for the customer's development organisation, delivered by the same engineers as CloudOps. The most maturity-sensitive capability — scope and intensity scale with the customer's cloud maturity level.

  • IaC governance framework, blessed module catalogue, and drift detection
  • Pipeline observability for operational impact (not application-level pipeline management)
  • Release coordination and post-deployment validation for infrastructure and platform changes
  • Active sparring-partner engagement with development teams on platform architecture and tooling
Shared responsibility. Atea's DevOps scope covers the platform layer. Application code ownership, deployment decisions, and release-approval authority stay with the customer at every maturity level. Maturity is assessed, not negotiated — it cannot be purchased.

03 — Governance architecture

The two-perimeter scope model

Every billing, SLA, and contractual obligation flows from a single automated boundary: a subscription-level tag.

Tenant Governance Perimeter

TGP — whole tenant, always

Covers every subscription in the Azure tenant via management-group hierarchy. Governance controls inherit downward. Non-negotiable, cannot be partially applied. For out-of-scope subscriptions: visibility-only — policy compliance and posture reporting, no active management.

Managed Operational Scope

MOS — the SLA-backed estate

Defined by subscription-level ops-scope: in tags applied at onboarding. Incident response, change execution, and all SLA obligations apply only within MOS. The Operational Fee is calculated against in-scope consumption only. A TGP-only engagement without at least one in-scope subscription is not available.

| Tag | Meaning & consequence |
|---|---|
| ops-scope: in | Within MOS. Full managed operations, SLA commitments, and TGP governance bundled into the Operational Fee. No separate governance charge. |
| ops-scope: out | Excluded from MOS. Out-of-Scope Governance Fee of 5% applies to that subscription's consumption. SLA obligations released; customer accepts full operational responsibility. Lighthouse delegations and operational runbooks are not extended. |
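
Because the tag is the boundary for SLA, billing, and delegated access, it is worth checking the subscription inventory against it at onboarding. The following is an added example, not Atea's tooling: it audits a constructed inventory for untagged or mis-tagged subscriptions, Lighthouse delegations that reach outside MOS, in-scope subscriptions without a delegation, and a tenant with no in-scope subscription. The `Subscription` fields and finding names are assumptions made for illustration.

```python
# Added example: audits a constructed subscription inventory against the
# ops-scope rules described on this page. Field names are assumptions.
from dataclasses import dataclass, field

TAG_NAME = "ops-scope"          # tag name as written on the page
VALID_VALUES = {"in", "out"}    # the two values the page defines


@dataclass
class Subscription:
    name: str
    tags: dict = field(default_factory=dict)
    lighthouse_delegated: bool = False   # hypothetical inventory field


def scope_of(sub):
    """Return 'in', 'out', or None when the tag is missing or malformed."""
    # Azure tag names are case-insensitive, tag values are case-sensitive,
    # so 'Ops-Scope' matches but a value of 'In' does not count as 'in'.
    for key, value in sub.tags.items():
        if key.lower() == TAG_NAME:
            return value if value in VALID_VALUES else None
    return None


def audit_scope(subs):
    """Return sorted (subscription, finding) pairs for boundary violations."""
    findings = []
    for sub in subs:
        scope = scope_of(sub)
        if scope is None:
            findings.append((sub.name, "UNCLASSIFIED"))
        elif scope == "out" and sub.lighthouse_delegated:
            findings.append((sub.name, "DELEGATION_OUTSIDE_MOS"))
        elif scope == "in" and not sub.lighthouse_delegated:
            findings.append((sub.name, "MOS_WITHOUT_DELEGATION"))
    # The page states an engagement needs at least one in-scope subscription.
    if not any(scope_of(s) == "in" for s in subs):
        findings.append(("<tenant>", "NO_IN_SCOPE_SUBSCRIPTION"))
    return sorted(findings)


# Constructed sample inventory (not real customer data).
SAMPLE = [
    Subscription("prod-core", {"ops-scope": "in"}, True),
    Subscription("prod-data", {"Ops-Scope": "in"}, False),
    Subscription("dev-sandbox", {"ops-scope": "out"}, True),
    Subscription("legacy-lab", {"ops-scope": "In"}, False),
    Subscription("shadow-it", {"owner": "unknown"}, False),
    Subscription("test-out", {"ops-scope": "out"}, False),
]

if __name__ == "__main__":
    for name, finding in audit_scope(SAMPLE):
        print(f"{finding:26} {name}")
```
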

04 — Consumption-based pricing

Commercial model

Two components for cloud-only customers, three for hybrid. Fee scales with the environment so effort and revenue move together.

| Component | Applied to | Indicative rate |
|---|---|---|
| Operational Fee — Azure | In-scope subscriptions (MOS) — TGP governance bundled | 18–25% |
| Out-of-Scope Governance Fee | Out-of-scope subscriptions only | 5% flat |
| Operational Fee — Arc (hybrid) | Arc-enabled nodes within MOS, by node type | NOK 800–4,200/node/mo |

Arc node fee structure

| Node type | Rate | Indicative NOK/mo | Key overhead |
|---|---|---|---|
| Arc-enabled server (Windows / Linux) | 1.0× | 800–1,200 | Baseline; ESU lifecycle where applicable |
| Arc-enabled SQL Server | 2.0× | 1,600–2,400 | SQL monitoring, Defender for SQL, ESU compliance |
| Arc-enabled Kubernetes cluster | 3.5× | 2,800–4,200 | Escalate to Cloud Sales Specialist + PM before quoting |
| Arc-projected VMware / SCVMM VM | 1.2× | 960–1,440 | Per projected VM; minimum 5 per resource bridge |

Standalone minimum: NOK 200,000/mo in-scope, or 10 Arc nodes for hybrid-only. No minimums inside a sourcing deal. Rates indicative pending internal cost model.

Defending the percentage model

The framing: "This is the same principle as assets under management. We are managing your cloud estate — the fee reflects the scale of what we are responsible for." Larger environments have more resources, higher alert volume, a greater compliance surface, and a larger blast radius on incidents. A fixed fee either overcharges small customers or underresources Atea on large ones. Do not offer a fee cap or flat conversion — both break the model.

05 — Access & tooling

Technical foundation

A least-privilege, fully audited access stack. The same tooling for cloud-native and Arc-projected resources.

Azure Lighthouse

Cross-tenant resource management from Atea's operational tenant — no guest accounts, no standing access. Delegations scoped strictly to MOS subscriptions.

GDAP

Granular Delegated Admin Privileges for Entra ID management, scoped to directory roles required for operations only. Does not extend to M365 unless explicitly agreed.

PIM / JIT

Privileged Identity Management enforces just-in-time, time-bounded, justified, and fully audited access elevation. No standing privileged access held by engineers.

Break Glass

Emergency access account secured by two FIDO devices in two separate secured locations. Established during onboarding. Ownership and recovery process confirmed before contract signature.

Azure Arc

Projects on-prem servers, SQL, Kubernetes, and VMware/SCVMM VMs into Azure as first-class resources, operated within MOS via the same ops-scope tag.

ServiceNow & Cloud Reports

ServiceNow is the ITSM platform for incident, change, and request management. Atea Cloud Reports provides the customer-facing reporting surface.

Licensing gates capability depth

Entra ID P1/P2 is required for full Conditional Access and PIM; Defender workload plans gate SecOps posture depth. Where prerequisites are absent, deliverable scope is limited proportionally. Document all gaps at onboarding — gaps are classified, not used to refuse the engagement.

06 — How the engagement runs

Operating model

ITIL-aligned delivery. One cross-capability governance forum. The same team from discovery to steady state.

From contract signature to steady state

  1. Discovery. Structured assessment of the full tenant — architecture, subscriptions, management groups, identity, and operational requirements. Conducted by the same engineers who will run steady state.
  2. Gap classification. Each identified gap is resolved before go-live, scheduled as a CSI backlog item, or formally accepted as a known risk in writing. Atea will not refuse to operate an environment solely on the basis of gaps.
  3. Onboarding. Governance baseline, Lighthouse + GDAP, Defender for Cloud, Cost Management, Update Manager, backup, ITSM integration, DevOps maturity assessment. Method: Day-0 Operations or Operational Handover Project.
  4. Steady-state operations. The same engineers operate the environment under SLA. ITIL incident, change, and request processes; Standard Change Register as the execution authority for pre-approved changes.
  5. Monthly Operational Review. Within the first ten business days of each month. One cross-capability forum: operations, security posture, cost, and platform state. Structured around exceptions, decisions, and forward planning.

Cloud maturity — DevOps engagement scales with it

LEVEL 1
Traditional IT

VM workloads, limited IaC, manual deployment. DevOps is largely advisory; maturity assessment sets a credible target state.

LEVEL 2
Cloud-Enabled

Mixed VM/PaaS, some Terraform/Bicep. Active IaC governance, drift detection, module compliance review.

LEVEL 3
Cloud-Native

Containers, serverless, CI/CD as primary deployment path. Blessed-module management, release coordination, sparring partner engagement.

LEVEL 4
DevOps / SRE

SLOs/SLIs, GitOps, policy-as-code. Full platform-team engagement; Atea as integrated technical peer.

Maturity is assessed, not negotiated. A Traditional IT customer cannot purchase SRE-level engagement.

07 — Go-to-market

Selling MPC

Anchor positioning on one integrated service, set the security boundary before showing the capability list, and qualify hard against the disqualifiers.

Positioning framings

From managed Azure operations to an end-to-end cloud operating model.

From optional, fragmented capabilities to one integrated four-capability platform.

From partial control to full tenant governance with defined operational responsibility (TGP & MOS).

From a blurred security boundary to a clear SecOps baseline, with SOC+ as the detection & response layer.

Prerequisites to confirm in the sales phase

| Prerequisite | Why it matters & how to handle |
|---|---|
| CSP agreement with Atea | Required for Atea to escalate Azure platform issues to Microsoft. EA is supported but degrades support quality — propose CSP transition as part of the deal. |
| Break Glass — 2 FIDO devices | Two devices in two separate secured locations. Confirm who holds the devices, safe locations, and recovery process before contract signature. |
| Azure Lighthouse + GDAP | The access model, not an option. Established at onboarding; the customer must agree to grant it. |
| Microsoft licensing | Entra ID P1/P2 for Conditional Access and PIM; Defender plans per workload for full SecOps depth. Document gaps at onboarding. |
| Extended Atea security services | Required for 24×7 response to Critical/High security incidents. Without it, out-of-hours response cannot be guaranteed — confirm or establish before go-live. |
| Hybrid connectivity | ExpressRoute/VPN and Arc-agent connectivity for hybrid customers. Connectivity and its cost are the customer's responsibility. |

Scope exclusions — the no-go list

If it's not in the Master Service Description, it's not delivered

MPC does not include: application development, DBA beyond platform, a SOC or detection & response, structured cost-optimisation programmes, or Annual Service Reviews. Anything beyond standard scope must be documented as a deviation and approved by the Service Governance Team.

Sales-to-onboarding checklist

  • In-scope Azure spend confirmed against threshold (or sourcing context documented)
  • Hybrid: Arc node count and node-type mix confirmed; resource-bridge topology documented
  • Governance acceptance, access model, and supported platforms verified
  • Tenant inventory, subscription map, and identity model captured
  • MOS classification: every subscription tagged in/out with rationale
  • Maturity level assessed; DevOps scope reflects the outcome
  • All prerequisites confirmed: CSP, Break Glass, GDAP, Lighthouse, licensing, security contact
  • Value-adding services reviewed: SOC+, Cloud Economics, Managed Database, Managed Backup, Managed Network, IRT, CloudTrack
  • Three-component pricing calculated in Pricing Tool/SPDI; margin reviewed
  • Onboarding method chosen; estimate requested via OneHub
  • Full contract pack attached: MSD, four Capability Descriptions, SLA, Pricing Model, Identity Policy, Data Protection Annex
  • OneHub order submitted with signed contract and complete customer contacts

09 — Service levels

SLA reference

Service SLAs measured at 90% attainment. Applies across all four capabilities.

| Priority | Description | Response | Resolution | Schedule |
|---|---|---|---|---|
| P1 | Critical — service down, business impact immediate | 30 min | 4 h | N5 + A7 (24×7) |
| P2 | High — major function impaired, workaround limited | 1 h | 8 h | N5 + A7 (24×7) |
| P3 | Medium — degraded function, workaround available | 4 h | 24 h | N5 |
| P4 | Low — minor, no immediate operational impact | 1 day | 40 h | N5 |
| P5 | Minimal — informational, no impact | 1 day | Best effort | N5 |

A7 (around-the-clock) coverage on P1/P2 depends on the Extended Atea security services arrangement. Customer-identified P1/P2 incidents must be raised through the service portal for SLAs to trigger.

Worked example — cloud-only

In-scope: 250,000 × 20% = 50,000
Out-of-scope: 100,000 × 5% = 5,000
Total: NOK 55,000/mo

Worked example — hybrid

+ 30 servers + 8 SQL + 20 VMs
Arc fee: 70,000
Total: NOK 125,000/mo

Standalone minimums

NOK 200,000/mo in-scope consumption, or 10 Arc nodes (hybrid). No minimums apply within a sourcing agreement.

10 — Terminology

Glossary

The exact terms used across the document suite. Precision matters in contract and delivery conversations.

TGP — Tenant Governance Perimeter
Governance controls applied across the entire Azure tenant via management-group hierarchy; visibility-only for out-of-scope subscriptions. Non-negotiable.
MOS — Managed Operational Scope
The SLA-backed subscriptions Atea actively operates, defined by the ops-scope: in tag. SLA, incident response, and the Operational Fee are all scoped to MOS.
ops-scope: in / out
The subscription- and Arc-resource-level tag that determines active management, SLA coverage, and which fee component applies.
CSPM
Cloud Security Posture Management — the Defender for Cloud foundation of the SecOps capability.
SOC+
The separate Atea service delivering threat detection, SIEM analytics, alert triage, automated containment, and incident response. Outside core MPC.
GDAP
Granular Delegated Admin Privileges — scoped Entra ID management access used as Atea's directory access model.
PIM / JIT
Privileged Identity Management with just-in-time elevation — time-bounded, justified, and fully audited. No standing privileged access.
Azure Lighthouse
Cross-tenant resource management from Atea's operational tenant — no guest accounts or standing access in the customer's directory.
Azure Arc
Projects on-prem and multi-cloud resources into Azure as first-class Azure resources for management within MOS.
ESU
Extended Security Updates — the customer's commercial obligation. Atea delivers compliance reporting and patch deployment; does not procure ESU licences.
CSI
Continual Service Improvement — the structured backlog of environment gaps scheduled for resolution post-onboarding.
Non-separability
The design constraint that all four capabilities are always delivered together. Individual capabilities cannot be selected, excluded, or priced separately.
Leverage break
The structural effect at the NOK 200,000 in-scope threshold — above it, ~30% reduction in marginal effort makes percentage-based pricing commercially defensible at scale.