Azure Lighthouse for Multi-Tenant Management



Azure Lighthouse simplifies multi-tenant management. It allows you to centrally manage and monitor multiple subscriptions and tenants from a single place.

With Azure Lighthouse, you can onboard new tenants and subscriptions in minutes, not hours or days. This is a huge time-saver and reduces the administrative burden.

Azure Lighthouse also enables you to apply consistent policies and governance across all your subscriptions and tenants, ensuring compliance and security.

What is Azure Lighthouse?

Azure Lighthouse is a service that helps service providers manage their customers' Azure resources securely and efficiently. It allows you to manage your customers' resources from within your own tenant, without having to switch context and control planes.

One of the key features of Azure Lighthouse is delegated resource management, which lets you manage your customers' subscriptions and resource groups, while also giving you the ability to remove access as needed.

You can use Azure Resource Manager templates to onboard delegated customer resources and perform cross-tenant management tasks. This feature is particularly useful for automating repetitive tasks and scaling your management processes.


Azure Lighthouse also includes new Azure portal experiences, such as the My customers page and the Service providers page, which let you view and manage cross-tenant information and customer access.

There are no additional costs associated with using Azure Lighthouse to manage Azure resources. Any Azure customer or partner can use Azure Lighthouse.

Security Considerations

Azure Lighthouse is designed to help you stay in control of your Azure environment while still providing your service providers with the access they need. This is especially important when it comes to security.

You can delegate a full subscription to Azure Lighthouse or just specific resource groups within a subscription, depending on your needs. It's essential to follow the principle of least privilege when defining which users will have access to delegated resources.
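The onboarding template mentioned earlier and the least-privilege rule stated here come together in the delegation itself: the customer deploys an Azure Resource Manager template that names the managing tenant, the groups in that tenant, and the exact roles each group gets. The script below is an added example written for this article, not Microsoft's sample or the article's own code. It embeds a minimal onboarding template, grants a monitoring group only Reader plus the role needed to remove the delegation later, and makes Contributor an eligible (PIM) authorization that must be activated with MFA. All tenant, subscription and group GUIDs are placeholders; the role definition IDs are Azure's built-in ones.

```powershell
# Added example (not from the article): onboard one customer subscription to
# Azure Lighthouse with least-privilege authorizations.
# Placeholders below must be replaced with real values.
$managedByTenantId      = '00000000-0000-0000-0000-000000000000'  # managing (service provider) tenant
$customerSubscriptionId = '11111111-1111-1111-1111-111111111111'  # customer subscription to delegate
$readersGroupObjectId   = '22222222-2222-2222-2222-222222222222'  # Entra group in the managing tenant
$operatorsGroupObjectId = '33333333-3333-3333-3333-333333333333'  # Entra group in the managing tenant

# Built-in Azure RBAC role definition IDs (identical in every tenant)
$readerRole       = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'  # Reader
$contributorRole  = 'b24988ac-6180-42a0-ab88-20f7382dd24c'  # Contributor
$deleteAssignRole = '91c1777a-f3dc-4fae-b103-61d183457e46'  # Managed Services Registration assignment Delete Role

# Permanent authorizations: read-only monitoring, plus the right to remove the
# delegation itself so the provider can offboard without customer involvement.
$authorizations = @(
    @{ principalId = $readersGroupObjectId; principalIdDisplayName = 'MSP Monitoring Readers'
       roleDefinitionId = $readerRole }
    @{ principalId = $readersGroupObjectId; principalIdDisplayName = 'MSP Monitoring Readers'
       roleDefinitionId = $deleteAssignRole }
)

# Contributor is only eligible: activation is time-boxed and requires MFA in the
# managing tenant (eligible authorizations need Entra ID P2 on the managing tenant).
$eligibleAuthorizations = @(
    @{ principalId = $operatorsGroupObjectId; principalIdDisplayName = 'MSP Operators'
       roleDefinitionId = $contributorRole
       justInTimeAccessPolicy = @{ multiFactorAuthProvider = 'Azure'; maximumActivationDuration = 'PT8H' } }
)

# Minimal onboarding template: a registration definition and the assignment
# that binds it to the subscription the template is deployed to.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspOfferName":           { "type": "string" },
    "managedByTenantId":      { "type": "string" },
    "authorizations":         { "type": "array" },
    "eligibleAuthorizations": { "type": "array", "defaultValue": [] }
  },
  "variables": { "registrationName": "[guid(parameters('mspOfferName'))]" },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2022-10-01",
      "name": "[variables('registrationName')]",
      "properties": {
        "registrationDefinitionName": "[parameters('mspOfferName')]",
        "managedByTenantId": "[parameters('managedByTenantId')]",
        "authorizations": "[parameters('authorizations')]",
        "eligibleAuthorizations": "[parameters('eligibleAuthorizations')]"
      }
    },
    {
      "type": "Microsoft.ManagedServices/registrationAssignments",
      "apiVersion": "2022-10-01",
      "name": "[variables('registrationName')]",
      "dependsOn": [ "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationName'))]" ],
      "properties": {
        "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationName'))]"
      }
    }
  ]
}
'@
$templateFile = Join-Path ([System.IO.Path]::GetTempPath()) 'lighthouse-onboard.json'
Set-Content -Path $templateFile -Value $template -Encoding utf8

# The delegation is the customer's decision, so this runs in the customer tenant.
Connect-AzAccount -Subscription $customerSubscriptionId | Out-Null
New-AzSubscriptionDeployment -Name 'lighthouse-onboard' -Location 'westeurope' `
    -TemplateFile $templateFile `
    -TemplateParameterObject @{
        mspOfferName           = 'Contoso MSP - Managed Monitoring'   # constructed offer name
        managedByTenantId      = $managedByTenantId
        authorizations         = $authorizations
        eligibleAuthorizations = $eligibleAuthorizations
    }

# Review exactly what was granted before handing the customer back control.
Get-AzManagedServicesDefinition
```

To delegate only specific resource groups rather than the whole subscription, the same registration definition is deployed at subscription scope and the registrationAssignments resource is placed in each resource group instead; the authorizations block is unchanged, which is where the least-privilege review should focus.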

Users in the managing tenant should use multifactor authentication when performing management operations on managed tenant resources. This adds an extra layer of security to prevent unauthorized access.


Azure Lighthouse only provides logical links between a managing tenant and managed tenants; it doesn't physically move data or resources. This means you can still maintain control over your data while giving your service providers the access they need.

Here are some key security considerations to keep in mind:

  • Azure Lighthouse only allows access to go in one direction, from the managing tenant to the managed tenants.
  • Users and groups in the managing tenant should use multifactor authentication when performing management operations on managed tenant resources.
  • Azure Activity logs can be used to meet transparency requirements for enterprises with internal or external governance and compliance guardrails.

By following these security best practices, you can reduce the risk of unauthorized access and ensure that your Azure environment remains secure.

Resources and Support

Azure Lighthouse offers a unified experience for managing multi-cloud and hybrid environments.

You can access Azure Lighthouse through the Azure portal, where you can view and manage your resources across different clouds and on-premises environments.

Azure Lighthouse provides a single pane of glass for managing Azure services, including Azure Kubernetes Service (AKS), Azure Database for PostgreSQL, and Azure Storage.

For support, you can visit the Azure Lighthouse documentation, where you'll find detailed guides and tutorials to help you get started.

Learning Resources


MS Learn Labs provides hands-on experience through partner resources, allowing you to get familiar with Azure Lighthouse.

You can access GitHub templates demonstrating Azure Lighthouse usage with various Azure services, such as Azure Security Center and Azure Monitor.

Watch a demo on how to onboard to a service provider with Azure Lighthouse, and take a deeper look with the Azure Lighthouse for customers presentation.

The Azure Lighthouse for customers presentation is a great resource to learn more about how customers are using Azure Lighthouse to take control of their IT estates.

To get started with learning resources, learn how to view and manage service providers and view provider activity.

Azure Lighthouse offers APIs that are specific to performing Azure Lighthouse tasks, which can be found in the Reference section.

Note that for a delegated subscription, the Azure PowerShell Get-AzSubscription cmdlet shows the TenantId of the managing tenant by default.
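The Get-AzSubscription behaviour just described, and the Activity Log transparency point from the Security Considerations section, can be combined into one check run from the managing tenant: list which visible subscriptions are actually delegations, then pull the write operations that managing-tenant identities performed on each of them over the last week. This is an added example, not code from the article. It assumes Az.Accounts and Az.Monitor, that recent Az.Accounts versions expose HomeTenantId and ManagedByTenantIds on subscription objects, and that Az.Monitor presents Activity Log claims as a dictionary (handled defensively in Get-CallerTenantId); the tenant-id claim name is the standard Entra claim.

```powershell
# Added example (not from the article): enumerate delegated subscriptions and
# report cross-tenant (service provider) write operations from the Activity Log.
Connect-AzAccount | Out-Null
$managingTenantId = (Get-AzContext).Tenant.Id

function Get-CallerTenantId {
    param($EventRecord)
    # Az.Monitor wraps claims in an object whose .Content holds the dictionary
    # (assumption about the output class; the fallback handles a plain dictionary).
    $claims = $EventRecord.Claims
    if ($claims -and $claims.PSObject.Properties['Content']) { $claims = $claims.Content }
    if (-not $claims) { return $null }
    return $claims['http://schemas.microsoft.com/identity/claims/tenantid']
}

# For a delegated subscription TenantId is the managing tenant (as the article
# says); HomeTenantId reveals the real owner, ManagedByTenantIds the delegation.
$delegated = Get-AzSubscription |
    Where-Object { $_.HomeTenantId -and $_.HomeTenantId -ne $managingTenantId }

$delegated | Select-Object Name, Id, TenantId, HomeTenantId, ManagedByTenantIds | Format-Table -AutoSize

$report = foreach ($sub in $delegated) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    $events = Get-AzActivityLog -StartTime (Get-Date).AddDays(-7) -DetailedOutput

    # Keep only successful non-read operations whose caller came from the
    # managing tenant: these are the provider's changes the customer is entitled to see.
    foreach ($e in $events) {
        $callerTenant = Get-CallerTenantId -EventRecord $e
        if ($callerTenant -ne $managingTenantId) { continue }
        if ($e.Status.Value -ne 'Succeeded') { continue }
        if ($e.Authorization.Action -like '*/read') { continue }

        [pscustomobject]@{
            Subscription = $sub.Name
            When         = $e.EventTimestamp
            Caller       = $e.Caller
            Action       = $e.Authorization.Action
            Resource     = $e.ResourceId
            Correlation  = $e.CorrelationId
        }
    }
}

$report | Sort-Object When -Descending | Format-Table -AutoSize
```

The same filter, expressed as a scheduled query against the Activity Log export in a Log Analytics workspace, is what most enterprises use to meet the transparency requirement the article mentions; running it interactively as above is useful for a spot check or during an incident.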

Frequently Asked Questions

Azure Lighthouse is designed for both managed service providers (MSPs) and customers. It helps MSPs build and scale a secure managed services practice, while customers benefit from best practice security features.

Azure Lighthouse allows MSPs to manage the life cycle of delegated administrators within their own Azure AD tenant, eliminating the need for administrator accounts in each customer's tenant. This greatly simplifies management for MSPs.


The EMS E5 or Azure AD Premium P2 license is required on the managing tenant only, which applies to all users who are activating a role in the managing tenant. There are no license requirements for customers.

Azure Lighthouse capabilities apply consistently across all licensing and sales channels, so you can continue to work with CSPs and use valuable new management tools.

With Azure Lighthouse, you can automate the Partner Admin Link (PAL) process, eliminating the need for manual entry on a per-customer basis.

Traditionally, getting recognised for PAL revenue required a consultant to manually enter the MPN ID on the customer's tenant. This is no longer necessary with Azure Lighthouse and PAL.

You'll need to use one of the PEC RBAC eligible roles, such as Support Request Contributor, in your Lighthouse manifest. This is the role assigned to the Entra security group that contains the Service Principal.


Add the Service Principal to your Entra group with the Support Request Contributor role assigned. This must be a permanent and active assignment for it to work.

It's a good idea to get your admins to link their MPN ID to their accounts, so you're not solely reliant on the service principal.

Architecture and Design

To use Azure Lighthouse in an enterprise, you'll need to designate one tenant as the managing tenant for the other tenants. This is known as the tenant management architecture.

You can onboard subscriptions within other tenants, allowing the same users to perform management tasks across all tenants. For example, if you have a single tenant called Tenant A, you can onboard subscriptions within Tenant B and Tenant C.

By designating Tenant A as the managing tenant, the same users in Tenant A can perform management tasks for all tenants, including Tenant B and Tenant C. This streamlines management and reduces complexity.

Tenant Management Architecture


To manage Azure resources across multiple tenants, you'll need to designate one tenant as the managing tenant for the other tenants.

The managing tenant will include the users who perform management operations on the other tenants.

In an enterprise setting, it's common to have a single tenant that includes users who perform management tasks for other tenants.

For example, if your organization has a single tenant called Tenant A, and you acquire Tenant B and Tenant C, you can onboard subscriptions within Tenant B and Tenant C, allowing the same users in Tenant A to perform management tasks across all tenants.

This way, you can maintain separate tenants while still using the same policy definitions, backup practices, and security processes for all of them.

To onboard subscriptions, you'll need to specify users in the service provider's tenant who are assigned roles to delegated subscriptions and resource groups in the customer's tenant.


These users can then sign in to the Azure portal using their own credentials and work on resources belonging to all of the customers to which they have access.

With Azure Lighthouse, you can see all of your customers by visiting the My customers page in the Azure portal, and work on resources directly within the context of that customer's subscription.

This provides flexibility to manage resources for multiple customers without having to sign in to different accounts in different tenants.

Technical Manifest

In the technical manifest, you can iterate and update the offering by specifying the PIM authorisations, display names, and Entra object ID for the security groups you want to include.

From the plan overview page, you can amend the Azure Lighthouse technical configuration and update the service provider offer in the Azure Portal after publishing a new or existing offering.

You can specify the role and access type for the security groups, allowing for precise control over who has access to what.

Once you've made the necessary changes, you'll need to update the service provider offer in the Azure Portal.

CI/CD


CI/CD is a crucial aspect of modern software development, and Azure Lighthouse offers a robust solution for automating deployments.

You can utilise DevOps pipelines to automate and deploy from the managing tenant, making it easier to manage multiple customer subscriptions.

To get started, create a Service Principal (SPN) per customer, which will be used to authenticate deployments.

You'll also need to set up a process for SPN secret rotation and expiration, as these will need to be updated regularly.

When creating your pipelines, make sure to specify the SPN as the authenticating mechanism, using the `azureSubscription` parameter in your YAML file.

For example, you might use `azureSubscription: $(yourSpnServiceConnectionName)`, where the variable holds the name of the service connection backed by that customer's SPN.

It's also a good idea to set up Azure DevOps or GitHub environments, which will allow you to set approvers, restrictions, and track deployment history for each customer.
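The secret rotation and expiration process for the per-customer SPNs is the step most often left manual. The script below is an added example, not the article's own code or a Microsoft sample: run from the managing tenant with Az.Resources, it reports every credential on the deployment app registrations and, with -Rotate, creates a replacement secret before retiring the old one. It assumes a hypothetical naming convention (app registrations prefixed "spn-deploy-"), and pushing the new secret into the pipeline's service connection is left to your pipeline tooling.

```powershell
# Added example (not from the article): audit and rotate expiring secrets on the
# per-customer deployment service principals.
param(
    [string] $AppNamePrefix = 'spn-deploy-',  # hypothetical naming convention for deployment SPNs
    [int]    $WarnDays      = 30,             # flag credentials expiring within this many days
    [int]    $NewSecretDays = 90,             # lifetime of a replacement secret
    [switch] $Rotate                          # without this switch the script only reports
)

Connect-AzAccount | Out-Null
$now = Get-Date

function Get-CredentialState {
    param([datetime] $EndDateTime)
    $daysLeft = [int] ($EndDateTime - $now).TotalDays
    if ($daysLeft -lt 0)             { return @{ DaysLeft = $daysLeft; State = 'EXPIRED' } }
    if ($daysLeft -le $WarnDays)     { return @{ DaysLeft = $daysLeft; State = 'EXPIRING' } }
    return @{ DaysLeft = $daysLeft; State = 'ok' }
}

$apps = Get-AzADApplication | Where-Object { $_.DisplayName -like "$AppNamePrefix*" }

$report = foreach ($app in $apps) {
    # Returns the app's password and certificate credentials (EndDateTime, KeyId).
    $credentials = Get-AzADAppCredential -ObjectId $app.Id

    if (-not $credentials) {
        [pscustomobject]@{ App = $app.DisplayName; KeyId = $null; DaysLeft = $null; State = 'NO-CREDENTIAL' }
        continue
    }

    foreach ($cred in $credentials) {
        $s = Get-CredentialState -EndDateTime $cred.EndDateTime
        [pscustomobject]@{ App = $app.DisplayName; KeyId = $cred.KeyId; DaysLeft = $s.DaysLeft; State = $s.State }

        if ($Rotate -and $s.State -ne 'ok') {
            # Create the replacement first so the pipeline never has zero valid secrets,
            # hand it over, then remove the old credential.
            $new = New-AzADAppCredential -ObjectId $app.Id -EndDate $now.AddDays($NewSecretDays)
            # $new.SecretText is shown exactly once: store it in the customer's
            # service connection here (tooling-specific, left out of this example).
            Remove-AzADAppCredential -ObjectId $app.Id -KeyId $cred.KeyId
            Write-Host "Rotated credential $($cred.KeyId) on $($app.DisplayName); new KeyId $($new.KeyId)"
        }
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize
```

Running the report in a scheduled pipeline of its own, with the rotation switch gated behind an approval in the environment you set up for each customer, keeps the secret lifecycle visible in the same deployment history as the changes those secrets authorise.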

Frequently Asked Questions

What is the difference between Azure Arc and Azure Lighthouse?

Azure Lighthouse provides access to customer resources from your own tenant, while Azure Arc enables you to manage servers outside of Azure from your Azure tenant, with a key difference in onboarding requirements.

Is Azure Lighthouse free?

Azure Lighthouse itself is free, but you'll still pay for the underlying Azure services you use with it. No additional charge is applied for accessing Azure Lighthouse capabilities.

Margarita Champlin

Writer
