This week I was surprised that I could not find that much information on how you would configure Azure Lighthouse. Azure Lighthouse enables multi-tenant management of Azure resources in different subscriptions without the need to switch tenants or log in with different credentials.
Therefore I decided to write a post of my own with findings and useful information. Read along to discover the latest and greatest about Azure Lighthouse!
What is Azure Lighthouse?
With Azure Lighthouse you can manage subscriptions and resource groups in other tenants while maintaining scalability, automation and governance. As a service provider, you deliver managed services inside your customers' tenants, while each customer stays in control of who has access to their tenant and which roles they get.
At a higher level, it works well in combination with Azure services such as Azure Policy, Microsoft Sentinel, Azure Arc and more: you can deploy configuration and policies at scale to many customer subscriptions from a single management tenant.
What do you need to know before you can start
In this tutorial we refer to your own tenant as the management tenant and to the tenant of the customer as the customer tenant. Furthermore:
- There are no additional costs for Azure Lighthouse to manage Azure resources. Nice!
- Azure Lighthouse works across Azure regions. Delegated resources can be managed regardless of the region they are deployed in.
- You need at least one subscription in your management tenant and one in the customer tenant.
- Azure Lighthouse is deployed in the customer tenant with an ARM template. That template contains identifiers (tenant ID, group object IDs and role definition IDs) that come from your management tenant. During this tutorial you will learn how to generate this ARM template.
- For this tutorial we are using the Az PowerShell module. Install the module before continuing. Scripts are provided in this blog post where needed.
- An Azure AD role in the management tenant that lets you create Azure AD groups and assign members to them. User Administrator is sufficient for this; Global Administrator also works, but is far more than this task needs.
Configure Azure Lighthouse in the management tenant
When you act as a service provider and want to manage subscriptions in the customer tenant, a few things need to be prepared in the management tenant first:
- Create Azure AD groups that will be mapped to the RBAC roles in the customer subscription.
- Add the appropriate users to those Azure AD groups.
- Extract the identifiers the template needs from the management tenant (tenant ID, group object IDs and the role definition IDs, such as the one for Contributor).
Create Azure AD groups
- Open a new PowerShell console and import the Az module.
- Next, run Connect-AzAccount and enter the credentials from your management tenant.
- While logged in, execute the script below to create new Azure AD groups and add one test user to the Contributor group. Change the variables to your needs.
These groups function as access groups for the subscription in the customer tenant. They correspond to the Azure RBAC roles Contributor, Reader and Security Reader: a user added to the Contributor group receives Contributor rights in that subscription.

```powershell
# The friendly name of the customer. It is also used in the mail nickname, which may not
# contain spaces, so keep it to a single word or derive the nickname differently.
$customerName      = 'Contoso'
$userPrincipalName = 'firstname.lastname@example.org'

# Create the three Azure AD security groups that will be mapped to RBAC roles
# in the customer subscription.
New-AzADGroup -DisplayName "Lighthouse - $customerName - Contributor" `
    -MailNickname "azlh-$customerName-contributor" `
    -Description "Azure Lighthouse: eligible Contributor on $customerName"
New-AzADGroup -DisplayName "Lighthouse - $customerName - Reader" `
    -MailNickname "azlh-$customerName-reader" `
    -Description "Azure Lighthouse: permanent Reader and approver group for $customerName"
New-AzADGroup -DisplayName "Lighthouse - $customerName - Security Reader" `
    -MailNickname "azlh-$customerName-securityreader" `
    -Description "Azure Lighthouse: Security Reader on $customerName"

# Add one test user to the group that maps to the Contributor role
Add-AzADGroupMember -TargetGroupDisplayName "Lighthouse - $customerName - Contributor" `
    -MemberUserPrincipalName $userPrincipalName
```
There are now three groups, each designated for one type of rights:
- Contributor
- Reader
- Security Reader
The group with Reader access has permanent rights and also serves as the approval group for the Contributor role (and for the Security Reader role, if you make that one eligible as well). Members of the Reader group approve activation requests from users who are eligible for Contributor. Eligible means that these users hold no standing permission: they have to activate the role first, with multi-factor authentication and, if required, approval, and then receive it for a limited time, up to the maximum activation duration you configure.
Note: Depending on your preference, you can also create the Azure AD groups from the portal.
Generate ARM template
Most of the time I prefer PowerShell methods to generate or deploy new configuration. But since Microsoft made it very easy for us to generate a new ARM template for Azure Lighthouse, we will stick with this option.
- Log in to the Microsoft Azure portal and search for My customers.
- In the overview, select Create ARM Template.
- Provide the Name and optional Description.
- Depending on the service you offer, set the scope to Subscription or Resource Group. For example, you might only need to manage resources in one delegated resource group in the customer's tenant. For now, we set the scope to Subscription.
- In the next step we choose who gets access, which role they get within the customer subscription and whether the authorization is permanent or eligible. Click on Add authorization.
- First, add the Reader role for the Azure AD group Lighthouse – Contoso – Reader and select Permanent as access type.
- Second, add the Contributor role for the Azure AD group Lighthouse – Contoso – Contributor and select Eligible as access type.
- Set the Activation maximum duration to 8 hours and select Azure for Multifactor authentication. Lastly, enable Require approval to activate.
- Almost done, I promise. Scroll down, click on Add approvers and select Lighthouse – Contoso – Reader as the approver group. When finished, click on Add.
- As the last step, click on View template to view the configuration. Save the template in a text editor of your liking; we need it later.
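If you would rather produce the identifiers with PowerShell than read them off the portal, the following added example (not from the original post) resolves the group object IDs, the tenant ID and the built-in role definition IDs in the management tenant and writes them to a parameters file. The parameter names (mspOfferName, mspOfferDescription, managedByTenantId, authorizations, eligibleAuthorizations) follow Microsoft's published Lighthouse sample templates; compare them with the template you saved from the portal and rename them if that template uses different names. The output path, the offer name and the extra delete role for the Reader group are assumptions made for this example.

```powershell
# Added example: build the Lighthouse authorizations from the MANAGEMENT tenant.
# Run after Connect-AzAccount against the management tenant. Group names match the
# groups created earlier; $outFile and the offer name are placeholders.

$customerName       = 'Contoso'
$outFile            = "C:\tmp\lighthouse-$customerName.parameters.json"
$managementTenantId = (Get-AzContext).Tenant.Id

function Get-GroupId([string]$DisplayName) {
    # Fail hard on 0 or 2+ matches: a wrong object ID silently delegates access to the wrong group.
    $groups = @(Get-AzADGroup -DisplayName $DisplayName)
    if ($groups.Count -ne 1) { throw "Expected exactly one group named '$DisplayName', found $($groups.Count)" }
    return $groups[0].Id
}
function Get-RoleId([string]$RoleName) {
    # Built-in role definition IDs are identical in every tenant; resolving by name avoids GUID typos.
    (Get-AzRoleDefinition -Name $RoleName).Id
}

$contributorGroup = "Lighthouse - $customerName - Contributor"
$readerGroup      = "Lighthouse - $customerName - Reader"
$secReaderGroup   = "Lighthouse - $customerName - Security Reader"
$readerGroupId    = Get-GroupId $readerGroup

# Permanent (standing) access: read-only roles only. The 'Managed Services Registration
# assignment Delete Role' lets the provider remove the delegation later without customer action
# (assumption for this example; leave it out if you do not want that).
$authorizations = @(
    @{ principalId = $readerGroupId;              principalIdDisplayName = $readerGroup;    roleDefinitionId = Get-RoleId 'Reader' }
    @{ principalId = $readerGroupId;              principalIdDisplayName = $readerGroup;    roleDefinitionId = Get-RoleId 'Managed Services Registration assignment Delete Role' }
    @{ principalId = Get-GroupId $secReaderGroup; principalIdDisplayName = $secReaderGroup; roleDefinitionId = Get-RoleId 'Security Reader' }
)

# Eligible (just-in-time) access: Contributor must be activated with Azure MFA, approved by
# the Reader group, and expires after at most 8 hours (ISO 8601 duration PT8H).
$eligibleAuthorizations = @(
    @{
        principalId            = Get-GroupId $contributorGroup
        principalIdDisplayName = $contributorGroup
        roleDefinitionId       = Get-RoleId 'Contributor'
        justInTimeAccessPolicy = @{
            multiFactorAuthProvider   = 'Azure'
            maximumActivationDuration = 'PT8H'
            managedByTenantApprovers  = @(
                @{ principalId = $readerGroupId; principalIdDisplayName = $readerGroup }
            )
        }
    }
)

$parameters = [ordered]@{
    '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#'
    contentVersion = '1.0.0.0'
    parameters     = [ordered]@{
        mspOfferName           = @{ value = "Managed services for $customerName" }   # placeholder offer name
        mspOfferDescription    = @{ value = 'Azure Lighthouse delegation' }
        managedByTenantId      = @{ value = $managementTenantId }
        authorizations         = @{ value = $authorizations }
        eligibleAuthorizations = @{ value = $eligibleAuthorizations }
    }
}
$parameters | ConvertTo-Json -Depth 10 | Set-Content -Path $outFile -Encoding utf8
Write-Host "Parameters written to $outFile for management tenant $managementTenantId"
```

Hand the template and this parameters file to the customer together with your tenant ID, sent through a separate channel, so the customer can check that managedByTenantId really is your tenant before deploying.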
Configure Azure Lighthouse in the customer tenant
To deploy the generated ARM template, we connect to the customer's Azure AD tenant through PowerShell.
- Open a new PowerShell console and import the Az module.
- Next, run Connect-AzAccount and enter the credentials for the customer tenant. Use a (non-guest) account from that tenant that holds a role with the Microsoft.Authorization/roleAssignments/write permission, such as Owner, on the subscription you are delegating.
Note: When there is more than one Azure subscription in the customer tenant, make sure you first select the subscription you want to delegate with Set-AzContext; New-AzDeployment targets the subscription in the current context.
- While logged in, execute the script below to deploy the ARM template. Verify the variables used in the script: pick the deployment location and the path to the template.json file you saved in the previous section.

```powershell
# Deploy the Lighthouse template at subscription scope in the customer tenant.
# New-AzDeployment targets the subscription in the current context; check it with Get-AzContext.
$location     = 'westeurope'            # region where the deployment metadata is stored
$templateFile = 'C:\tmp\template.json'  # the template saved from the portal

New-AzDeployment -Name Lighthouse -Location $location -TemplateFile $templateFile -Verbose
```
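Deploying a Lighthouse template grants another tenant access to the subscription, so the customer side should review what the template grants before running it. The following added example (not from the original post) does that review and then validates and deploys the template. It assumes the authorizations are either in a parameters file (parameters.<name>.value) or in the template's parameter defaultValue; if your template inlines them elsewhere, the review finds nothing and fails closed, which is the intended behaviour. The file paths, the expected provider tenant ID and the allow-list of roles are placeholders. Get-AzManagedServicesDefinition comes with the Az.ManagedServices module, part of Az.

```powershell
# Added example: review, validate and deploy a Lighthouse template in the CUSTOMER tenant.
# Run after Connect-AzAccount / Set-AzContext against the subscription being delegated.

$expectedProviderTenantId = '00000000-0000-0000-0000-000000000000'  # provider tenant ID, received out of band
$templateFile  = 'C:\tmp\template.json'
$parameterFile = 'C:\tmp\lighthouse-Contoso.parameters.json'       # set to $null if values are inline
$location      = 'westeurope'

# Built-in role definition IDs are the same in every Azure tenant.
$roleNames = @{
    'acdd72a7-3385-48ef-bd42-f606fba81ae7' = 'Reader'
    '39bc4728-0917-49c7-9d2c-d95423bc2eb4' = 'Security Reader'
    'b24988ac-6180-42a0-ab88-20f7382dd24c' = 'Contributor'
    '91c1777a-f3dc-4fae-b103-61d183457e46' = 'Managed Services Registration assignment Delete Role'
    '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' = 'Owner'
    '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' = 'User Access Administrator'
}
# Roles this customer is willing to delegate; anything else (Owner, unknown GUIDs) fails the review.
$allowedRoles = @('Reader', 'Security Reader', 'Contributor', 'Managed Services Registration assignment Delete Role')

function Get-LighthouseParameter([string]$Name) {
    # Prefer an explicit parameters file, fall back to the template's defaultValue.
    if ($parameterFile -and (Test-Path $parameterFile)) {
        $value = (Get-Content $parameterFile -Raw | ConvertFrom-Json).parameters.$Name.value
        if ($null -ne $value) { return $value }
    }
    return (Get-Content $templateFile -Raw | ConvertFrom-Json).parameters.$Name.defaultValue
}

$context = Get-AzContext
Write-Host "Reviewing delegation of subscription '$($context.Subscription.Name)' in tenant $($context.Tenant.Id)"

$findings  = @()
$managedBy = Get-LighthouseParameter 'managedByTenantId'
if ($managedBy -ne $expectedProviderTenantId) {
    $findings += "managedByTenantId '$managedBy' does not match the expected provider tenant"
}

$permanent = @(Get-LighthouseParameter 'authorizations'         | Where-Object { $_ })
$eligible  = @(Get-LighthouseParameter 'eligibleAuthorizations' | Where-Object { $_ })
if (($permanent.Count + $eligible.Count) -eq 0) { $findings += 'No authorizations found; cannot review the template' }

foreach ($auth in ($permanent + $eligible)) {
    $role = $roleNames[[string]$auth.roleDefinitionId]
    if (-not $role) { $role = "unknown role $($auth.roleDefinitionId)" }
    $kind = if ($auth.justInTimeAccessPolicy) { 'eligible' } else { 'permanent' }
    Write-Host ("{0,-9} {1,-55} -> {2}" -f $kind, $role, $auth.principalIdDisplayName)

    if ($allowedRoles -notcontains $role) {
        $findings += "$kind authorization grants '$role' to '$($auth.principalIdDisplayName)'"
    }
    # Contributor must never be standing access: require JIT with Azure MFA and at least one approver.
    if ($role -eq 'Contributor') {
        $jit = $auth.justInTimeAccessPolicy
        if (-not $jit) {
            $findings += "Contributor for '$($auth.principalIdDisplayName)' is permanent, expected eligible"
        } elseif ($jit.multiFactorAuthProvider -ne 'Azure' -or -not $jit.managedByTenantApprovers) {
            $findings += "Contributor for '$($auth.principalIdDisplayName)' lacks MFA or approvers"
        }
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    throw 'Template review failed; not deploying.'
}

# Validate first, then deploy at subscription scope. The parameters file is optional.
$paramArg = @{}
if ($parameterFile -and (Test-Path $parameterFile)) { $paramArg.TemplateParameterFile = $parameterFile }

$validation = Test-AzDeployment -Location $location -TemplateFile $templateFile @paramArg
if ($validation) { $validation | ForEach-Object { Write-Warning $_.Message }; throw 'Template validation failed.' }

New-AzDeployment -Name Lighthouse -Location $location -TemplateFile $templateFile @paramArg -Verbose

# Confirm what was registered: the definition should show the expected provider tenant and roles.
Get-AzManagedServicesDefinition | Format-List
```

The review deliberately treats an unknown role GUID the same as Owner: a customer cannot reason about a role it does not recognise, and Lighthouse does not support delegating Owner in any case.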
Verify deployment in the management tenant
While Azure Lighthouse is deploying, you can check its progress in the Azure portal. Go to Home, search for My customers in the search bar, click on Activity log and look for the Register operation. Its status indicates whether the deployment was successful or not.
Add customer subscription to global subscription filter
Help! The deployment was a success, but you still don't see any subscriptions appearing. That is expected: before the delegated subscription shows up, it needs to be added to the global subscriptions filter.
- From the Customers pane in Azure Lighthouse, click on global subscriptions filter.
- Under Current + delegated directories, select the customer tenant.
- Also, don’t forget to select the customer subscription in the drop down below.
- Navigate back to My Customers and click on Customers. That looks a bit more like it should, right?
Verify access and role
Now that the subscription is accessible, you can start managing resources in it by clicking on it.
In the subscription overview, verify the role. If everything went well, you should see that the current role is Reader because we made that a permanent access type, remember?
Elevate users to an eligible role
When the customer was added to Azure Lighthouse, any eligible roles will be available to the members of the groups we specified.
Each user can elevate their access at any time by visiting the My customers page in the Azure portal, selecting a delegation, and then selecting Manage eligible roles. After that, they can follow the steps to activate the role in Azure AD Privileged Identity Management.
Hopefully you have learned a bit more about how to configure Azure Lighthouse. With Azure Lighthouse you onboard subscriptions from one or more customers into your management tenant. It's free, easy to configure, and the onboarding of new subscriptions can be automated.
It gets even better in combination with other Azure services such as Azure Arc and Microsoft Sentinel, where you define baselines once and deploy them to many different customers in one go.
So, are you working for a Managed Services Provider and done with generic management accounts in your customers' tenants? Give this a go and I am happy to answer your questions. Comment below or check out my contact details.