Azure Lighthouse for Multi-Tenant Management

Azure Lighthouse is a game-changer for multi-tenant management. It allows you to centrally manage and monitor multiple subscriptions and tenants from a single place.

With Azure Lighthouse, you can onboard new tenants and subscriptions in minutes, not hours or days. This is a huge time-saver and reduces the administrative burden.

Azure Lighthouse also enables you to apply consistent policies and governance across all your subscriptions and tenants, ensuring compliance and security.

Azure Lighthouse is a service that helps service providers manage their customers' Azure resources securely and efficiently. It allows you to manage your customers' resources from within your own tenant, without having to switch context and control planes.

One of the key features of Azure Lighthouse is delegated resource management, which lets you manage your customers' subscriptions and resource groups, while also giving you the ability to remove access as needed.

You can use Azure Resource Manager templates to onboard delegated customer resources and perform cross-tenant management tasks. This feature is particularly useful for automating repetitive tasks and scaling your management processes.

Azure Lighthouse also includes new Azure portal experiences, such as the My customers page and the Service providers page, which let you view and manage cross-tenant information and customer access.

There are no additional costs associated with using Azure Lighthouse to manage Azure resources. Any Azure customer or partner can use Azure Lighthouse.

Azure Lighthouse is designed to help you stay in control of your Azure environment while still providing your service providers with the access they need. This is especially important when it comes to security.

You can delegate a full subscription to Azure Lighthouse or just specific resource groups within a subscription, depending on your needs. It's essential to follow the principle of least privilege when defining which users will have access to delegated resources.

Users in the managing tenant should use multifactor authentication when performing management operations on managed tenant resources. This adds an extra layer of security to prevent unauthorized access.

Azure Lighthouse only provides logical links between a managing tenant and managed tenants, it doesn't physically move data or resources. This means you can still maintain control over your data while giving your service providers the access they need.

Here are some key security considerations to keep in mind:

By following these security best practices, you can reduce the risk of unauthorized access and ensure that your Azure environment remains secure.

Azure Lighthouse offers a unified experience for managing multi-cloud and hybrid environments.

You can access Azure Lighthouse through the Azure portal, where you can view and manage your resources across different clouds and on-premises environments.

Azure Lighthouse provides a single pane of glass for managing Azure services, including Azure Kubernetes Service (AKS), Azure Database for PostgreSQL, and Azure Storage.

For support, you can visit the Azure Lighthouse documentation, where you'll find detailed guides and tutorials to help you get started.

MS Learn Labs provides hands-on experience through partner resources, allowing you to get familiar with Azure Lighthouse.

You can access GitHub templates demonstrating Azure Lighthouse usage with various Azure services, such as Azure Security Center and Azure Monitor.

Watch a demo on how to onboard to a service provider with Azure Lighthouse, and take a deeper look with the Azure Lighthouse for customers presentation.

The Azure Lighthouse for customers presentation is a great resource to learn more about how customers are using Azure Lighthouse to take control of their IT estates.

To get started with learning resources, learn how to view and manage service providers and view provider activity.

Azure Lighthouse offers APIs that are specific to performing Azure Lighthouse tasks, which can be found in the Reference section.

You can also use the Azure PowerShell Get-AzSubscription cmdlet to show the TenantId for the managing tenant by default.

Azure Lighthouse is designed for both managed service providers (MSPs) and customers. It helps MSPs build and scale a secure managed services practice, while customers benefit from best practice security features.

Azure Lighthouse allows MSPs to manage the life cycle of delegated administrators within their own Azure AD tenant, eliminating the need for administrator accounts in your company's tenants. This is a game-changer for MSPs who want to streamline their management processes.

The EMS E5 or Azure AD Premium P2 license is required on the managing tenant only, which applies to all users who are activating a role in the managing tenant. There are no license requirements for customers.

Azure Lighthouse capabilities apply consistently across all licensing and sales channels, so you can continue to work with CSPs and use valuable new management tools.

With Azure Lighthouse, you can automate the Partner Admin Link (PAL) process, eliminating the need for manual entry on a per-customer basis.

Traditionally, getting recognised for PAL revenue required a consultant to manually enter the MPN ID on the customer's tenant. This is no longer necessary with Azure Lighthouse and PAL.

You'll need to use one of the PEC RBAC eligible roles, such as Support Request Contributor, in your Lighthouse manifest. This role will be used to assign the Service Principal to the Entra security group.

Add the Service Principal to your Entra group with the Support Request Contributor role assigned. This must be a permanent and active assignment for it to work.

It's a good idea to get your admins to link their MPN ID to their accounts, so you're not solely reliant on the service principal.

To use Azure Lighthouse in an enterprise, you'll need to designate one tenant as the managing tenant for the other tenants. This is known as the tenant management architecture.

You can onboard subscriptions within other tenants, allowing the same users to perform management tasks across all tenants. For example, if you have a single tenant called Tenant A, you can onboard subscriptions within Tenant B and Tenant C.

By designating Tenant A as the managing tenant, the same users in Tenant A can perform management tasks for all tenants, including Tenant B and Tenant C. This streamlines management and reduces complexity.

To manage Azure resources across multiple tenants, you'll need to designate one tenant as the managing tenant for the other tenants.

The managing tenant will include the users who perform management operations on the other tenants.

In an enterprise setting, it's common to have a single tenant that includes users who perform management tasks for other tenants.

For example, if your organization has a single tenant called Tenant A, and you acquire Tenant B and Tenant C, you can onboard subscriptions within Tenant B and Tenant C, allowing the same users in Tenant A to perform management tasks across all tenants.

This way, you can maintain separate tenants while still using the same policy definitions, backup practices, and security processes for all of them.

To onboard subscriptions, you'll need to specify users in the service provider's tenant who are assigned roles to delegated subscriptions and resource groups in the customer's tenant.

These users can then sign in to the Azure portal using their own credentials and work on resources belonging to all of the customers to which they have access.

With Azure Lighthouse, you can see all of your customers by visiting the My customers page in the Azure portal, and work on resources directly within the context of that customer's subscription.

This provides flexibility to manage resources for multiple customers without having to sign in to different accounts in different tenants.

In the technical manifest, you can iterate and update the offering by specifying the PIM authorisations, display names, and Entra object ID for the security groups you want to include.

From the plan overview page, you can amend the Azure Lighthouse technical configuration and update the service provider offer in the Azure Portal after publishing a new or existing offering.

You can specify the role and access type for the security groups, allowing for precise control over who has access to what.

Once you've made the necessary changes, you'll need to update the service provider offer in the Azure Portal.

CI/CD is a crucial aspect of modern software development, and Azure Lighthouse offers a robust solution for automating deployments.

You can utilise DevOps pipelines to automate and deploy from the managing tenant, making it easier to manage multiple customer subscriptions.

To get started, create a Service Principal (SPN) per customer, which will be used to authenticate deployments.

You'll also need to set up a process for SPN secret rotation and expiration, as these will need to be updated regularly.

When creating your pipelines, make sure to specify the SPN as the authenticating mechanism, using the `azureSubscription` parameter in your YAML file.

For example, you might use `azureSubscription: ($yourSpnServiceConnectionName)`.

It's also a good idea to set up Azure DevOps or GitHub environments, which will allow you to set approvers, restrictions, and track deployment history for each customer.