Learn how to configure Azure Lighthouse

Azure Lighthouse is an incredibly powerful tool that allows for seamless multi-tenant management of Azure resources in different subscriptions, eliminating the need to constantly switch tenants or juggle multiple sets of credentials. However, information about Azure Lighthouse seems scarce. Let’s dive right in to learn how to configure Azure Lighthouse.

What is Azure Lighthouse?

With Azure Lighthouse, you can manage subscriptions and resource groups in different tenants while maintaining scalability, automation, and governance. As a service provider, you can deliver managed services in customers’ tenants while the customer is still in control of who has access to their tenant.

It works great in combination with other services such as Azure Policy, Microsoft Sentinel, Azure Arc, and more. It allows for deployment and management at scale across multiple Azure tenants.

Pricing

Azure Lighthouse is a management feature that enables service providers to oversee Azure resources for multiple tenants without additional fees. Although there are no direct costs for using Azure Lighthouse, the Azure resources managed through it incur charges based on consumption within the customer’s subscription.

[Figure: Azure Lighthouse overview]

Prerequisites

In this tutorial we are going to simulate a few things:

  • Create some Azure AD groups for role-based access.
  • Prepare an Azure tenant to deploy and configure Azure Lighthouse.
  • The deployment of Azure Lighthouse from a customer perspective, using an ARM template.

That’s why you should have:

  • Tenants & subscriptions: Two Azure tenants and one subscription in each tenant.
  • Azure PowerShell: Install the latest version of the Azure PowerShell module.
  • Permissions: At least Group Administrator for Azure AD Groups and Owner on the Azure subscription you wish to configure Azure Lighthouse for.

Configure Azure Lighthouse in the management tenant

When you act as a service provider and want to manage subscriptions in a customer’s tenant, a few things need to be prepared first:

  • Create Azure AD groups to assign the appropriate RBAC roles for the subscription in the customer’s tenant.
  • Add corresponding users to the Azure AD groups created above.
  • Extract certain identifiers from the tenant (Tenant ID, Group IDs, and Contributor role ID).

Create Azure AD groups

  1. Open a new PowerShell console and import the Az module.
  2. Next, run Connect-AzAccount and enter the credentials for your management tenant.
  3. While logged in, execute the script below to create new Azure AD groups and add one test user to the Contributor group. Please make sure to change the variables according to your requirements.

These groups will function as access groups for the subscription in the customer’s tenant. They will correspond with the RBAC roles Contributor, Reader, and Security Reader. So, if you add a user to the Contributor group, they will get contributor rights in that subscription.

PowerShell
# The friendly name of the customer
$customerName = 'Contoso'
# User in the management tenant who is added to the Contributor group
$userPrincipalName = 'user@contoso.onmicrosoft.com'

# Create Azure AD groups (-Description must be followed by a value)
New-AzADGroup -DisplayName "Lighthouse - $customerName - Contributor" -MailNickname "azlh-$customerName-contributor" -Description "Lighthouse Contributor for $customerName"
New-AzADGroup -DisplayName "Lighthouse - $customerName - Reader" -MailNickname "azlh-$customerName-reader" -Description "Lighthouse Reader for $customerName"
New-AzADGroup -DisplayName "Lighthouse - $customerName - Security Reader" -MailNickname "azlh-$customerName-securityreader" -Description "Lighthouse Security Reader for $customerName"

# Add user to the Azure AD group with the Contributor role
Add-AzADGroupMember -TargetGroupDisplayName "Lighthouse - $customerName - Contributor" -MemberUserPrincipalName $userPrincipalName

There are now three groups, each designated for one type of rights:

  • Reader
  • Contributor
  • Security Reader

The group with Reader access has permanent rights and will also be used as the approval group for the Contributor and Security Reader roles. Users in this group can approve eligible users when they ask for Contributor rights. Eligible simply means that these users can get temporary access for a few hours after a user in the approval group has approved the request.

Note: Depending on your preference, you can also create the Azure AD groups from the portal.

Generate ARM template

Most of the time I prefer PowerShell methods to generate or deploy new configuration. But since Microsoft made it very easy for us to generate a new ARM template for Azure Lighthouse, we will stick with this option.

  1. Log in to the Microsoft Azure portal and search for My customers.
  2. In the overview, select Create ARM Template.
  3. Provide the Name and an optional Description.
  4. Depending on the service you offer, set the scope to Subscription or Resource Group. For example, you might only have to manage resources in a delegated Resource Group in the customer’s tenant. For now, we set the scope to Subscription.
  5. In the next step we choose who needs access, what role they get within the customer subscription, and whether the access type is eligible or permanent. Click on Add authorization.
  6. First, add the Reader role for the Azure AD group Lighthouse - Contoso - Reader and select Permanent as the access type.
  7. Second, add the Contributor role for the Azure AD group Lighthouse - Contoso - Contributor and select Eligible as the access type.
  8. Set the Activation maximum duration to 8 hours and select Azure for Multifactor authentication. Lastly, enable Require approval to activate.
  9. Almost done, I promise. Scroll down, click on Add approvers and select Lighthouse - Contoso - Reader as the group. When finished, click on Add.
  10. As the last step, click on View template to view the configuration. Save the template in a text editor of your liking; we need it later.
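As an added example (not code from the article), the template the wizard produces for the settings above can also be generated in PowerShell from the management tenant; this covers the identifier lookup (tenant ID, group IDs, role IDs) listed under the preparation steps as well. The function name Get-LighthousePrincipal, the variables $customerName and $outFile, the offer name and the apiVersion are assumptions; the group names follow the article’s convention.

```powershell
# Run in the MANAGEMENT tenant after Connect-AzAccount. $customerName and $outFile are assumed.
$customerName = 'Contoso'
$outFile      = 'C:\tmp\template.json'
$managedByTenantId = (Get-AzContext).Tenant.Id   # the customer delegates TO this tenant
# Resolve an access group into a principal object; stop if it is missing, because a wrong
# principalId delegates the role to nobody or to the wrong group (hypothetical helper name).
function Get-LighthousePrincipal([string]$Role) {
    $name  = "Lighthouse - $customerName - $Role"
    $group = Get-AzADGroup -DisplayName $name
    if (-not $group) { throw "Azure AD group '$name' not found" }
    return @{ principalId = $group.Id; principalIdDisplayName = $name }
}
$reader      = Get-LighthousePrincipal 'Reader'
$contributor = Get-LighthousePrincipal 'Contributor'
# Permanent authorization: the Reader group is always active (and approves Contributor requests).
$permanent = $reader + @{ roleDefinitionId = (Get-AzRoleDefinition -Name 'Reader').Id }
# Eligible authorization: Contributor is activated through PIM, max 8 hours, MFA and approval required.
$eligible  = $contributor + @{
    roleDefinitionId       = (Get-AzRoleDefinition -Name 'Contributor').Id   # built-in role GUID, same in every tenant
    justInTimeAccessPolicy = @{
        multiFactorAuthProvider   = 'Azure'
        maximumActivationDuration = 'PT8H'
        managedByTenantApprovers  = @($reader)
    }
}
$defRef   = "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('regName'))]"
$template = [ordered]@{
    '$schema'      = 'https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    variables      = @{ regName = "[guid('Lighthouse - $customerName')]" }
    resources      = @(
        [ordered]@{
            type       = 'Microsoft.ManagedServices/registrationDefinitions'
            apiVersion = '2022-10-01'   # assumed GA API version; compare with the wizard's output
            name       = "[variables('regName')]"
            properties = [ordered]@{
                registrationDefinitionName = "Lighthouse - $customerName"
                managedByTenantId          = $managedByTenantId
                authorizations             = @($permanent)
                eligibleAuthorizations     = @($eligible)
            }
        },
        [ordered]@{
            type       = 'Microsoft.ManagedServices/registrationAssignments'
            apiVersion = '2022-10-01'
            name       = "[variables('regName')]"
            dependsOn  = @($defRef); properties = @{ registrationDefinitionId = $defRef }
        }
    )
}
# The default -Depth of 2 would flatten the nested policy objects into strings.
$template | ConvertTo-Json -Depth 10 | Set-Content -Path $outFile -Encoding utf8
```

Diff the written file against the wizard’s View template output before deploying it; the principal IDs and the eligible policy should match exactly.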

Configure Azure Lighthouse in the customer tenant

To deploy our generated ARM template, we connect to the customer’s Azure AD tenant through PowerShell.

  1. Open a new PowerShell console and import the Az module.
  2. Next, run Connect-AzAccount and enter the credentials from your customer tenant.

Note: When there is more than one Azure subscription present in the customer tenant, please make sure that you first select the subscription you want to delegate by using Set-AzContext.

  3. While logged in, execute the script below to deploy the ARM template. Please make sure to verify the variables used in the script: pick the deployment location and the path to the template.json file that you saved in the previous section.
PowerShell
# Deployment location and the template saved from the portal
$location = 'westeurope'
$templateFile = 'C:\tmp\template.json'
# Subscription-level deployment in the currently selected (customer) subscription
New-AzDeployment -Name Lighthouse -Location $location -TemplateFile $templateFile -Verbose

Verify deployment in the management tenant

While Azure Lighthouse is deploying, you can check its progress in the Azure portal. Browse to Home and, in the search bar, search for My customers. Click on Activity log and look for the Register operation. The status indicates whether the deployment was successful.

Add customer subscription to global subscription filter

Help! The deployment was a success, but you still don’t see any subscriptions appearing. That is expected: before the subscription becomes visible, it needs to be added to the global subscriptions filter.

  1. From the Customers pane in Azure Lighthouse, click on global subscriptions filter.
  2. Under Current + delegated directories, select the customer tenant.
  3. Also, don’t forget to select the customer subscription in the drop-down below.
  4. Navigate back to My customers and click on Customers. That looks a bit more like it should, right?

Verify access and role

Since the subscription is now accessible, you can start managing resources in this subscription simply by clicking on the object.

In the subscription overview, verify the role. If everything went well, you should see that the current role is Reader because we made that a permanent access type, remember?

Elevate users to an eligible role

Now that the customer has been added to Azure Lighthouse, the eligible roles are available to the members of the groups we specified.

Each user can elevate their access at any time by visiting the My customers page in the Azure portal, selecting a delegation, and then selecting Manage eligible roles. After that, they can follow the steps to activate the role in Azure AD Privileged Identity Management.

Conclusion

Hopefully you have learned a bit more about how to configure Azure Lighthouse. With Azure Lighthouse you can onboard subscriptions from one or more customers into your management tenant. It’s free, easy to configure, and there are possibilities to automate the onboarding of new subscriptions.

It only gets better when combined with other Azure services such as Azure Arc and Microsoft Sentinel, where you define baselines and deploy them to many different customers in one go.

So, are you working for a Managed Services Provider and are you done with generic management accounts while working in your customers’ tenants? Give this a go, and I am happy to answer your questions.


2 thoughts on “Learn how to configure Azure Lighthouse”

  1. Hi Bjorn,

    Thanks for this article. But I think I spotted a small mistake in the script. I believe the descriptions are missing from it. I did the following and that worked successfully.

    # Create Azure AD groups
    New-AzADGroup -DisplayName "Lighthouse - $customerName - Contributor" -MailNickname "azlh-$customerName-contributor" -Description 'LightHouse Contributor'
    New-AzADGroup -DisplayName "Lighthouse - $customerName - Reader" -MailNickname "azlh-$customerName-reader" -Description 'LightHouse Reader'
    New-AzADGroup -DisplayName "Lighthouse - $customerName - Security Reader" -MailNickname "azlh-$customerName-securityreader" -Description 'LightHouse Security Reader'

    And I think I am doing something wrong. Hopefully you can/will help me with it. I get an error when running it.

    New-AzDeployment : 07:13:42 – Error: Code=; Message=’this.Client.SubscriptionId’ cannot be null.
    At line:1 char:1
    + New-AzDeployment -Name Lighthouse -Location $location -TemplateFile $ …

    Or is it correct that -SubscriptionId has to be added to the command?

    I look forward to hearing from you.

    Thanks in advance and have a nice weekend

    Raymond

    1. Hi Raymond,

      You’ve already come a long way, I see! If all is well, that parameter (-SubscriptionId) should not be needed. What are your permissions on the Azure subscription in the ‘customer tenant’? Does the account you are using actually have access to it? Via this link I see that this error occurs when no Azure subscription was selected at login or the subscription is not accessible.

      With Get-AzSubscription you can retrieve the Azure subscriptions in the ‘customer tenant’ and then use the ID of the subscription you want to add to Azure Lighthouse with Select-AzSubscription {subscription id}.

      So, provided you have the right permissions and the correct Azure subscription selected, it should work. I’m curious, and if it still doesn’t work, let me know. Then we’ll look further!
