Azure Lighthouse

Manage multiple tenants from one portal, be they your own or your customers'.



Service providers can now manage multiple customer accounts and tenants from a single portal at no additional cost, which is especially useful for managed services that rely on Azure's built-in tools. The beauty of this product is that IAM activities still reside with the customer, who keeps control over access to their own resources.


On a lighter note, this can also be used by enterprises that run multiple tenants of their own.


“Growing business? More cloud tenants to manage? This is for you”

Let's understand its benefits and how to use it.


Benefits


  1. Greater efficiency in managing Azure Policies, Security Center, and more across tenants.

  2. All service provider activity is tracked in the activity log, which is stored in the customer's tenant (and can be viewed by users in the managing tenant).

How do we streamline these engagements?


We can use Lighthouse in multiple ways, as listed below:


Who can use these services and any restrictions for regions?


Any Azure customer or partner can use Azure Lighthouse. It is a non-regional service, and a partner or customer can manage delegated resources that live in different regions. However, delegating subscriptions across a national cloud and the Azure public cloud, or across two separate national clouds, is not supported.


Architecture:


Delegation resources are created in the customer's tenant when that tenant is onboarded to Lighthouse. Two resources are created:


1. Registration Definition - contains the details of the Azure Lighthouse offer (the managing tenant and the roles it is granted).

2. Registration Assignment - assigns the registration definition to a specific scope (a subscription or resource group).


Azure Lighthouse creates a logical projection of resources from one tenant onto another tenant. This lets authorized service provider users sign into their own tenant with authorization to work in delegated customer subscriptions and resource groups. Users in the service provider's tenant can then perform management operations on behalf of their customers, without having to sign in to each customer tenant.


The high-level structure of the Azure Lighthouse process:


How to?



If you are an enterprise, partner, or managed service provider, you need to create an ARM template (or a GitHub repo holding one) that describes the delegation.


The sample repo is at https://github.com/Azure/Azure-Lighthouse-samples/ ; select the Deploy to Azure button shown next to the template you want to use, and the template will open in the Azure portal.


NOTE: This deployment must be done by a non-guest account in the customer's tenant that holds a role with the Microsoft.Authorization/roleAssignments/write permission, such as Owner, on the subscription being onboarded (or on the subscription that contains the resource groups being onboarded).


Once customers have been onboarded through the GitHub samples or your own ARM templates, you can manage them from the Azure Lighthouse area of the Azure portal.
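A minimal subscription-level ARM template that creates the two delegation resources described above, added here as an illustration (it is not from this post or from the Azure-Lighthouse-samples repo). The managing tenant ID and the two provider group object IDs are parameters you supply (placeholders until then); the offer name is constructed; the role GUIDs are Azure's built-in Reader and Contributor definitions, chosen so the provider gets only the access it needs.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "managedByTenantId": { "type": "string", "metadata": { "description": "Placeholder: tenant ID of the managing (service provider) tenant" } },
    "readerGroupId": { "type": "string", "metadata": { "description": "Placeholder: object ID of the provider's monitoring group in the managing tenant" } },
    "operatorGroupId": { "type": "string", "metadata": { "description": "Placeholder: object ID of the provider's operations group in the managing tenant" } }
  },
  "variables": {
    "offerName": "Example MSP managed services (constructed offer name)",
    "registrationName": "[guid(variables('offerName'))]",
    "readerRoleId": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "contributorRoleId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2019-06-01",
      "name": "[variables('registrationName')]",
      "properties": {
        "registrationDefinitionName": "[variables('offerName')]",
        "description": "Delegates this subscription to the provider tenant with least-privilege roles",
        "managedByTenantId": "[parameters('managedByTenantId')]",
        "authorizations": [
          {
            "principalId": "[parameters('readerGroupId')]",
            "principalIdDisplayName": "MSP monitoring team (read-only)",
            "roleDefinitionId": "[variables('readerRoleId')]"
          },
          {
            "principalId": "[parameters('operatorGroupId')]",
            "principalIdDisplayName": "MSP operations team (Contributor)",
            "roleDefinitionId": "[variables('contributorRoleId')]"
          }
        ]
      }
    },
    {
      "type": "Microsoft.ManagedServices/registrationAssignments",
      "apiVersion": "2019-06-01",
      "name": "[variables('registrationName')]",
      "dependsOn": [ "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationName'))]" ],
      "properties": {
        "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationName'))]"
      }
    }
  ]
}
```

Deploy it at subscription scope from the customer's tenant with an account that meets the NOTE above; the customer can revoke the delegation at any time by deleting the registration assignment, and every action the provider takes lands in the customer's activity log.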




Partners can also publish these offers to the Azure Marketplace through Partner Center and ask customers to accept them when signing up for a managed or support service.


Detailed documentation: https://docs.microsoft.com/en-us/azure/lighthouse/ (Microsoft Docs)