Azure Lighthouse is an incredibly powerful tool that allows for seamless multi-tenant management of Azure resources in different subscriptions, eliminating the need to constantly switch tenants or juggle multiple sets of credentials. However, information about Azure Lighthouse seems scarce.
Feeling inspired by this lack of information, I took it upon myself to write a blog post, compiling all the latest and greatest insights and tips on Azure Lighthouse. Whether you’re a seasoned pro or just getting started, this post will provide you with everything you need to unlock the full potential of Azure Lighthouse. So, without further ado, join me on this exciting journey and discover the wonders of Azure Lighthouse!
What is Azure Lighthouse?
With Azure Lighthouse, you can manage subscriptions and resource groups in different tenants while maintaining scalability, automation, and governance. As a service provider, you can deliver managed services in customers’ tenants while the customer is still in control of who has access to their tenant.
On a higher level, it works great in combination with Azure services such as Azure Policy, Microsoft Sentinel, Azure Arc, and more. It allows for deploying configuration and policies at scale to different customer subscriptions without any hassle.
What do you need to know before you can start?
In this tutorial we will refer to your tenant as the management tenant. The tenant of the customer will be referred to as the customer tenant. Furthermore:
- There are no additional costs for Azure Lighthouse to manage Azure resources. That’s great!
- Azure Lighthouse works across multiple regions, allowing you to manage resources without restrictions.
- You need to have at least one subscription in your management tenant and one in your customer tenant.
- The deployment of Azure Lighthouse in the customer tenant is done with an ARM template. This template uses parameters (identifiers) that come from your management tenant. During this tutorial, you will learn how to generate this ARM template.
- For this tutorial, we are using the Az PowerShell module. Please install the module before proceeding. Scripts will be provided in this blog post where needed.
- Ensure that you have appropriate Azure AD roles, such as Global Administrator or User Administrator, to create Azure AD groups and assign members to these groups.
Configure Azure Lighthouse in the management tenant
When you are acting as a service provider and you want to manage subscriptions in the customer's tenant, you need to prepare a few things first:
- Create Azure AD groups to assign the appropriate RBAC roles for the subscription in the customer’s tenant.
- Add corresponding users to the Azure AD groups created above.
- Extract certain identifiers from the tenant (Tenant ID, Group IDs, and Contributor role ID).
Create Azure AD groups
- Open a new PowerShell console and import the Az module.
- Next, run Connect-AzAccount and enter the credentials for your management tenant.
- While logged in, execute the script below to create new Azure AD groups and add one test user to the Contributor group. Please make sure to change the variables according to your requirements.
These groups will function as access groups for the subscription in the customer’s tenant. They will correspond with the RBAC roles Contributor, Reader, and Security Reader. So, if you add a user to the Contributor group, they will get contributor rights in that subscription.
```powershell
# The friendly name of the customer
$customerName = 'Contoso'
# Test user that gets Contributor rights
$userPrincipalName = 'firstname.lastname@example.org'

# Create Azure AD groups (Az.Resources module)
New-AzADGroup -DisplayName "Lighthouse - $customerName - Contributor" -MailNickname "azlh-$customerName-contributor" -Description "Azure Lighthouse Contributor access for $customerName"
New-AzADGroup -DisplayName "Lighthouse - $customerName - Reader" -MailNickname "azlh-$customerName-reader" -Description "Azure Lighthouse Reader access for $customerName"
New-AzADGroup -DisplayName "Lighthouse - $customerName - Security Reader" -MailNickname "azlh-$customerName-securityreader" -Description "Azure Lighthouse Security Reader access for $customerName"

# Add the user to the Azure AD group that maps to the Contributor role
Add-AzADGroupMember -TargetGroupDisplayName "Lighthouse - $customerName - Contributor" -MemberUserPrincipalName $userPrincipalName
```
There are now three groups, each designated for one type of rights:
- Contributor
- Reader
- Security Reader
The group with Reader access has permanent rights and will also be used as an approval group for the Contributor and Security Reader roles. Users in this group can approve eligible users when they ask for Contributor rights. Eligible simply means that these users can get temporary access for a few hours after it has been approved by a member of the approver group.
Note: Depending on your preference, you can also create the Azure AD groups from the portal.
Generate ARM template
Most of the time I prefer PowerShell methods to generate or deploy new configuration. But since Microsoft made it very easy for us to generate a new ARM template for Azure Lighthouse, we will stick with this option.
- Log in to the Microsoft Azure portal and search for My customers.
- In the overview, select Create ARM Template.
- Provide the Name and optional Description.
- Depending on the service you offer, you set the scope to Subscription or Resource Group. For example, you might only have to manage resources in a delegated Resource Group in the customer's tenant. For now, we set the scope to Subscription.
- In the next step we choose who needs access, what role they get within the customer subscription, and whether the access type is eligible or permanent. Click on Add authorization.
- Firstly, we add the Reader role for the Azure AD group Lighthouse – Contoso – Reader and select Permanent as the access type.
- Secondly, we add the Contributor role for the Azure AD group Lighthouse – Contoso – Contributor and select Eligible as the access type.
- Set the Activation maximum duration to 8 hours and select Azure for Multifactor authentication. Lastly, enable Require approval to activate.
- Almost done, I promise. Scroll down, click on Add approvers and select Lighthouse – Contoso – Reader as group. When finished, click on Add.
- As last step, click on View template to view the configuration. Save the template in a text editor of your liking, we need it later.
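For readers who, like the author, prefer PowerShell over the portal, the following added example (not from the original post) builds the same registration definition the portal steps above produce: a permanent Reader authorization for the Reader group and an eligible Contributor authorization with an 8-hour maximum, Azure MFA and approval by the Reader group. Run it in the management tenant after the groups exist. The offer name, description, output path and the `apiVersion` are assumptions; the role IDs are resolved with Get-AzRoleDefinition rather than hard-coded, and the group object IDs and tenant ID are the identifiers the post refers to.

```powershell
# Added example: generate the Azure Lighthouse ARM template with PowerShell
# (run in the MANAGEMENT tenant; assumes the groups from the earlier script exist).
$customerName     = 'Contoso'
$offerName        = "Managed services for $customerName"        # assumed offer name
$offerDescription = 'Reader permanent; Contributor eligible (8h, MFA, approval)'
$outFile          = 'C:\tmp\template.json'                       # assumed output path

# 1. Identifiers from the management tenant: tenant ID, group object IDs, role IDs
$tenantId     = (Get-AzContext).Tenant.Id
$readerGroup  = Get-AzADGroup -DisplayName "Lighthouse - $customerName - Reader"
$contribGroup = Get-AzADGroup -DisplayName "Lighthouse - $customerName - Contributor"
$readerRoleId  = (Get-AzRoleDefinition -Name 'Reader').Id
$contribRoleId = (Get-AzRoleDefinition -Name 'Contributor').Id
if (-not $readerGroup -or -not $contribGroup) { throw 'Lighthouse groups not found; create them first.' }

# 2. Permanent authorization: the Reader group gets Reader
$authorizations = @(
    @{ principalId = $readerGroup.Id; principalIdDisplayName = $readerGroup.DisplayName; roleDefinitionId = $readerRoleId }
)

# 3. Eligible authorization: the Contributor group can activate Contributor for max 8 hours,
#    with Azure MFA, after approval by a member of the Reader group
$eligibleAuthorizations = @(
    @{
        principalId            = $contribGroup.Id
        principalIdDisplayName = $contribGroup.DisplayName
        roleDefinitionId       = $contribRoleId
        justInTimeAccessPolicy = @{
            multiFactorAuthProvider   = 'Azure'
            maximumActivationDuration = 'PT8H'
            managedByTenantApprovers  = @(
                @{ principalId = $readerGroup.Id; principalIdDisplayName = $readerGroup.DisplayName }
            )
        }
    }
)

# 4. Subscription-scope template: a registration definition plus the assignment that applies it
$template = [ordered]@{
    '$schema'      = 'https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    variables      = @{
        mspRegistrationName = "[guid('$offerName')]"
        mspAssignmentName   = "[guid('$offerName')]"
    }
    resources = @(
        @{
            type       = 'Microsoft.ManagedServices/registrationDefinitions'
            apiVersion = '2022-10-01'   # assumed; check the current API version for your environment
            name       = "[variables('mspRegistrationName')]"
            properties = @{
                registrationDefinitionName = $offerName
                description                = $offerDescription
                managedByTenantId          = $tenantId
                authorizations             = $authorizations
                eligibleAuthorizations     = $eligibleAuthorizations
            }
        }
        @{
            type       = 'Microsoft.ManagedServices/registrationAssignments'
            apiVersion = '2022-10-01'
            name       = "[variables('mspAssignmentName')]"
            dependsOn  = @("[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]")
            properties = @{
                registrationDefinitionId = "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
            }
        }
    )
}

# -Depth is needed: the default depth of 2 silently flattens the nested authorizations
$template | ConvertTo-Json -Depth 10 | Set-Content -Path $outFile -Encoding utf8
Write-Host "Template written to $outFile for tenant $tenantId"
```

The resulting template.json is deployed in the customer tenant exactly like the portal-generated one in the next section. Resolving the role IDs at generation time, and pulling the group IDs from the directory, avoids the copy-paste mistakes that otherwise grant the wrong principal or the wrong role in a customer's subscription.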
Configure Azure Lighthouse in the customer tenant
To deploy our generated ARM template, we connect to the Azure AD tenant of the customer through PowerShell.
- Open a new PowerShell console and import the Az module.
- Next, run Connect-AzAccount and enter the credentials from your customer tenant.
Note: When there is more than one Azure subscription present in the customer tenant, please make sure that you first select the subscription you want to delegate by using Set-AzContext.
- While logged in, execute the script below to deploy the ARM template. Please make sure to verify the variables used in the script. Pick the deployment location and the path to the template.json file that you saved in the previous section.
```powershell
# Deployment location and the template saved in the previous section
$location = 'westeurope'
$templateFile = 'C:\tmp\template.json'
# Subscription-level deployment; the current context must be the subscription to delegate
New-AzDeployment -Name Lighthouse -Location $location -TemplateFile $templateFile -Verbose
```
Verify deployment in the management tenant
While Azure Lighthouse is deploying you can check its progress in the Azure portal. Browse to Home and, in the search bar, search for My customers. Click on Activity log and look for the Register operation. The status should indicate whether the deployment was successful or not.
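The portal check above is done from the management tenant. The same delegation can, and from a security standpoint should, be verified from the customer side too, because it is the customer's record of which external tenant holds which roles in their subscription. The following added example (not from the original post) uses the Az.ManagedServices module while connected to the customer tenant with the context set to the delegated subscription. The property names assume Az.ManagedServices 3.x, and the management tenant ID is a placeholder.

```powershell
# Added example: audit Azure Lighthouse delegations from the CUSTOMER tenant.
# Requires the Az.ManagedServices module; property names assume Az.ManagedServices 3.x.
$expectedManagingTenant = '00000000-0000-0000-0000-000000000000'   # placeholder: your management tenant ID

function Get-RoleName([string] $roleDefinitionId) {
    # Translate a role definition GUID back to its display name for readable output
    $def = Get-AzRoleDefinition -Id $roleDefinitionId -ErrorAction SilentlyContinue
    if ($def) { $def.Name } else { $roleDefinitionId }
}

# One registration definition per onboarded offer; each names the managing tenant
foreach ($def in Get-AzManagedServicesDefinition) {
    $status = if ($def.ManagedByTenantId -eq $expectedManagingTenant) { 'expected' } else { 'UNEXPECTED - investigate' }
    Write-Host ("{0}: managed by tenant {1} ({2})" -f $def.RegistrationDefinitionName, $def.ManagedByTenantId, $status)

    # Permanent authorizations: principal in the managing tenant -> role in this subscription
    foreach ($a in $def.Authorization) {
        Write-Host ("  permanent : {0} -> {1}" -f $a.PrincipalIdDisplayName, (Get-RoleName $a.RoleDefinitionId))
    }
    # Eligible (just-in-time) authorizations and the policy that guards activation
    foreach ($e in $def.EligibleAuthorization) {
        Write-Host ("  eligible  : {0} -> {1}, max {2}, MFA provider {3}" -f $e.PrincipalIdDisplayName,
            (Get-RoleName $e.RoleDefinitionId),
            $e.JustInTimeAccessPolicyMaximumActivationDuration,
            $e.JustInTimeAccessPolicyMultiFactorAuthProvider)
    }
}

# The assignment is what actually applies a definition to this subscription;
# a delegation is only live once its ProvisioningState is Succeeded
Get-AzManagedServicesAssignment | Select-Object Name, RegistrationDefinitionId, ProvisioningState
```

Running this periodically in the customer tenant gives a plain list of who can reach the subscription from outside, and an eligible Contributor entry whose MFA provider is not Azure or whose maximum duration is longer than agreed stands out immediately.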
Add customer subscription to global subscription filter
Help! The deployment was a success, but you are still not seeing any subscriptions appearing. That is correct. Before we can actually see the subscription, it needs to be added to the global subscriptions filter.
- From the Customers pane in Azure Lighthouse, click on global subscriptions filter.
- Under Current + delegated directories, select the customer tenant.
- Also, don’t forget to select the customer subscription in the drop down below.
- Navigate back to My Customers and click on Customers. That looks a bit more like it should, right?
Verify access and role
Since the subscription is now accessible, you can start managing resources in this subscription simply by clicking on it.
In the subscription overview, verify the role. If everything went well, you should see that the current role is Reader because we made that a permanent access type, remember?
Elevate users to an eligible role
When the customer was added to Azure Lighthouse, any eligible roles will be available to the members of the groups we specified.
Each user can elevate their access at any time by visiting the My customers page in the Azure portal, selecting a delegation, and then selecting Manage eligible roles. After that, they can follow the steps to activate the role in Azure AD Privileged Identity Management.
Hopefully you have learned a bit more about how you would configure Azure Lighthouse. With Azure Lighthouse you can onboard subscriptions from one or more customers into your management tenant. It's free, easy to configure, and there are possibilities to automate the onboarding of new subscriptions.
It gets even better in combination with other Azure services such as Azure Arc and Azure Sentinel, where you define baselines and deploy them to many different customers in one go.
So, are you working for a Managed Services Provider and are you done with generic management accounts while working in your customers' tenants? Give this a go, and I am happy to answer your questions.