Introduction
Azure Lighthouse is Microsoft's solution for multitenant management, offering scalability, automation, and consistent governance across Azure environments. It allows managed service providers (MSPs) to oversee and maintain their customers' Azure resources directly from their own tenant, without guest accounts in the customer tenant: the customer delegates a subscription or resource group to the MSP tenant, and named principals from the MSP tenant receive Azure RBAC roles on exactly that scope. Working from this centralized control plane, service providers can manage resources using predefined policies and templates, which simplifies day-to-day management. The result is better operational efficiency and, because every delegation is explicit, scoped and visible to the customer, a model that supports security and compliance requirements while giving customers a seamless management experience.
Use Cases for Azure Lighthouse in MSP Scenarios
1. Centralized Management: MSPs can manage multiple customer environments from a single control plane, improving efficiency.
2. Role-based Access Control (RBAC): Assign fine-grained permissions to Microsoft Entra ID groups in the MSP tenant and enforce least-privilege access for different roles, such as security analysts or contributors.
3. Security and Compliance: By using Azure Lighthouse, MSPs can enforce consistent security policies across customer environments.
4. Scalability: As customers scale, MSPs can easily onboard new subscriptions or resource groups without needing to set up separate management instances for each customer.
How to Set Up Lighthouse:
Prerequisites for Setting Up Azure Lighthouse:
- Service provider (MSP) subscription: an active Azure subscription in the MSP tenant.
- Customer subscription: an active Azure subscription (or resource group) in the customer tenant to manage through Azure Lighthouse.
- Microsoft Entra ID (formerly Azure AD) groups: pre-created security groups in the MSP tenant, because authorizations are granted to principals of the managing tenant, not to principals in the customer tenant.
- Role-Based Access Control (RBAC) roles: the built-in roles to grant to each group (e.g., Contributor, Reader, Microsoft Sentinel Contributor). Azure Lighthouse only accepts built-in roles; Owner, custom roles and roles that include DataActions cannot be delegated, and User Access Administrator is supported only in a restricted form for assigning roles to managed identities.
- ARM template knowledge: the ability to create or modify Azure Resource Manager (ARM) templates for onboarding.
- Customer permissions: the customer's consent to delegate their resources to the MSP tenant, and an account in the customer tenant that is not a guest user and holds a role with Microsoft.Authorization/roleAssignments/write (such as Owner) on the subscription being delegated.
Step-by-step guide:
Create an Azure Resource Manager (ARM) Template
- In the service provider tenant, go to the Azure Lighthouse service by searching for it in the portal search bar.
- Click Manage your customers.
- On the My customers page, click Create ARM Template.
- Enter a Name and Description (these become mspOfferName and mspOfferDescription in the template). The managedByTenantId is populated from the tenant you are signed in to.
- Choose Subscription or Resource group as the customer scope you want to onboard. If you select a resource group, provide the name of that group. Here we select Subscription.
- Add authorizations with + Add authorization, providing the following details:
  - Principal type: User, Group, or Service Principal. Prefer groups, so that staffing changes are handled by group membership in the MSP tenant rather than by asking the customer to redeploy the template.
  - Use the + Select group link to choose the group.
  - Role: the built-in role for that principal (e.g., Microsoft Sentinel Contributor). Pick the least-privileged role that covers the work; Owner is not available for delegation.
  - Access type: Permanent or Eligible. If you select Eligible, configure the maximum activation duration, whether multi-factor authentication is required on activation, and whether activation needs approval. Eligible authorizations require a Microsoft Entra ID P2 license in the MSP tenant.
- After adding the authorizations, click View template.
- Review the template and download it.
- Share the downloaded JSON file with your customer for onboarding. The file contains no secrets, only the MSP tenant ID, the principal object IDs and the requested roles, which the customer should review before deploying.
Onboard the Customer Using the ARM Template
- Once the ARM template has been shared, the customer deploys it in their own tenant using an account that meets the prerequisites above.
- In the customer tenant, go to the Azure Lighthouse service by searching for it in the portal search bar.
- Click View service provider offers, then Add offer under Service provider offers, and choose Add via template.
- Upload the ARM template (the JSON file downloaded above) provided by the MSP.
- Review the offer details, in particular the managing tenant ID and the roles requested, then create the deployment. The deployment registers the Microsoft.ManagedServices resource provider in the subscription if needed, creates the registration definition and assigns it to the selected scope.
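The portal steps above produce a single ARM template. The following Az PowerShell script is an added example, not code from this page or from Microsoft, that builds the same kind of template in code so the authorizations can be reviewed and version-controlled, and then deploys it from the customer tenant. The tenant IDs, subscription ID, group object IDs, group display names and the offer name "Contoso MSP - SOC monitoring" are placeholders to replace; the role definition GUIDs are looked up by name because built-in role IDs are identical in every tenant, and the New-LighthouseAuthorization helper is this example's own, not an Az cmdlet.

```powershell
# Added example, not code from the original post. Placeholder GUIDs and names
# below must be replaced with your own. Requires the Az modules
# (Az.Accounts, Az.Resources, Az.ManagedServices): Install-Module Az -Scope CurrentUser

$mspTenantId      = "11111111-1111-1111-1111-111111111111"   # managing (MSP) tenant
$customerTenantId = "22222222-2222-2222-2222-222222222222"   # customer tenant
$customerSubId    = "33333333-3333-3333-3333-333333333333"   # subscription to delegate
# Object IDs of security groups that live in the MSP tenant, NOT in the customer tenant
$socReadersGroup  = "44444444-4444-4444-4444-444444444444"
$socAnalystsGroup = "55555555-5555-5555-5555-555555555555"
$socLeadsGroup    = "66666666-6666-6666-6666-666666666666"

# ----- MSP side: author the onboarding template -----------------------------
Connect-AzAccount -Tenant $mspTenantId | Out-Null

# Built-in role definition GUIDs are the same in every tenant, so resolving
# them here is safe. Lighthouse only accepts built-in roles; Owner, custom
# roles and roles that include DataActions are rejected at deployment time.
$readerRoleId   = (Get-AzRoleDefinition -Name "Reader").Id
$sentinelRoleId = (Get-AzRoleDefinition -Name "Microsoft Sentinel Contributor").Id
$ownerRoleId    = (Get-AzRoleDefinition -Name "Owner").Id

function New-LighthouseAuthorization {
    # Hypothetical helper: builds one entry of the authorizations array and
    # refuses Owner up front, so the mistake surfaces before the customer deploys.
    param([string]$PrincipalId, [string]$DisplayName, [string]$RoleDefinitionId)
    if ($RoleDefinitionId -eq $ownerRoleId) {
        throw "Owner cannot be delegated through Azure Lighthouse; pick a narrower built-in role"
    }
    [ordered]@{
        principalId            = $PrincipalId
        principalIdDisplayName = $DisplayName
        roleDefinitionId       = $RoleDefinitionId
    }
}

# Permanent read-only access for the monitoring team
$authorizations = @(
    New-LighthouseAuthorization -PrincipalId $socReadersGroup -DisplayName "SOC Readers" -RoleDefinitionId $readerRoleId
)

# Eligible access for analysts: nothing is granted until a member activates,
# with MFA, for at most 8 hours, and only after a SOC lead approves.
$eligible = New-LighthouseAuthorization -PrincipalId $socAnalystsGroup -DisplayName "SOC Analysts" -RoleDefinitionId $sentinelRoleId
$eligible.justInTimeAccessPolicy = [ordered]@{
    multiFactorAuthProvider   = "Azure"     # "None" would skip the MFA check on activation
    maximumActivationDuration = "PT8H"      # ISO 8601 duration; PT8H is the ceiling
    managedByTenantApprovers  = @(
        @{ principalId = $socLeadsGroup; principalIdDisplayName = "SOC Leads" }
    )
}

$template = [ordered]@{
    '$schema'      = "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"
    contentVersion = "1.0.0.0"
    parameters = [ordered]@{
        mspOfferName           = @{ type = "string"; defaultValue = "Contoso MSP - SOC monitoring" }
        mspOfferDescription    = @{ type = "string"; defaultValue = "Read-only monitoring; Sentinel access on activation" }
        managedByTenantId      = @{ type = "string"; defaultValue = $mspTenantId }
        authorizations         = @{ type = "array";  defaultValue = $authorizations }
        eligibleAuthorizations = @{ type = "array";  defaultValue = @($eligible) }
    }
    variables = @{
        mspRegistrationName = "[guid(parameters('mspOfferName'))]"
        mspAssignmentName   = "[guid(parameters('mspOfferName'))]"
    }
    resources = @(
        [ordered]@{
            type       = "Microsoft.ManagedServices/registrationDefinitions"
            apiVersion = "2022-10-01"
            name       = "[variables('mspRegistrationName')]"
            properties = [ordered]@{
                registrationDefinitionName = "[parameters('mspOfferName')]"
                description                = "[parameters('mspOfferDescription')]"
                managedByTenantId          = "[parameters('managedByTenantId')]"
                authorizations             = "[parameters('authorizations')]"
                eligibleAuthorizations     = "[parameters('eligibleAuthorizations')]"
            }
        },
        [ordered]@{
            type       = "Microsoft.ManagedServices/registrationAssignments"
            apiVersion = "2022-10-01"
            name       = "[variables('mspAssignmentName')]"
            dependsOn  = @("[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]")
            properties = @{
                registrationDefinitionId = "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
            }
        }
    )
}
$template | ConvertTo-Json -Depth 12 | Set-Content -Path .\lighthouse-onboarding.json
# Hand lighthouse-onboarding.json to the customer; it holds only the MSP tenant
# ID, group object IDs and role IDs, all of which the customer should review.

# ----- Customer side: deploy at subscription scope ---------------------------
# Run as a non-guest user of the customer tenant who holds
# Microsoft.Authorization/roleAssignments/write (e.g. Owner) on the subscription.
# The deployment registers the Microsoft.ManagedServices provider if needed.
Connect-AzAccount -Tenant $customerTenantId -Subscription $customerSubId | Out-Null
New-AzSubscriptionDeployment -Name "LighthouseOnboarding" -Location "eastus" `
    -TemplateFile .\lighthouse-onboarding.json
```

Because the permanent and eligible authorizations are ordinary template parameters, the customer can inspect or override them at deployment time; the registration assignment (the second resource) is what actually binds the offer to the subscription, and deleting it later removes every delegated role at once.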
Confirm Successful Onboarding
To verify successful onboarding, both the MSP and the customer can check the following:
In the Service Provider’s Tenant (MSP)
1. Navigate to My customers.
2. Select Customers and confirm that the delegated subscriptions are listed with the offer name provided in the ARM template.
3. Use the Activity log to track customer registrations and actions.
In the Customer’s Tenant
1. Navigate to Service provider offers.
2. Confirm that the subscription or resource group you onboarded is visible.
3. Use the Delegations pane to see which scopes are delegated, to which managing tenant and with which roles, and to remove a delegation when the engagement ends.
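The same checks can be scripted. The following Az PowerShell script is an added example, not code from this page or from Microsoft, that verifies a delegation from both tenants and pulls the registration events from the activity log. The tenant and subscription IDs are placeholders to replace; the property names (RegistrationDefinitionName, ManagedByTenantId, Authorization, EligibleAuthorization, HomeTenantId, ManagedByTenantIds) are those exposed by the current Az.ManagedServices and Az.Accounts modules.

```powershell
# Added example, not code from the original post. Placeholder IDs must be
# replaced. Requires Az.Accounts, Az.ManagedServices and Az.Monitor.
$mspTenantId      = "11111111-1111-1111-1111-111111111111"
$customerTenantId = "22222222-2222-2222-2222-222222222222"
$customerSubId    = "33333333-3333-3333-3333-333333333333"
$scope            = "/subscriptions/$customerSubId"

# ----- Customer tenant: what was delegated, to whom, with which roles -------
Connect-AzAccount -Tenant $customerTenantId -Subscription $customerSubId | Out-Null

# The subscription object lists every tenant that currently manages it
(Get-AzSubscription -SubscriptionId $customerSubId).ManagedByTenantIds

# A registration definition describes the offer; a registration assignment
# binds it to this scope. A definition without an assignment grants nothing.
foreach ($def in Get-AzManagedServicesDefinition -Scope $scope) {
    "{0}: managed by tenant {1} [{2}]" -f $def.RegistrationDefinitionName, $def.ManagedByTenantId, $def.ProvisioningState
    "permanent authorizations:"
    $def.Authorization         | Select-Object PrincipalIdDisplayName, RoleDefinitionId
    "eligible authorizations:"
    $def.EligibleAuthorization | Select-Object PrincipalIdDisplayName, RoleDefinitionId
    if ($def.ManagedByTenantId -ne $mspTenantId) {
        Write-Warning "Unexpected managing tenant $($def.ManagedByTenantId) on $scope"
    }
}
Get-AzManagedServicesAssignment -Scope $scope |
    Select-Object Name, RegistrationDefinitionId, ProvisioningState

# Offboarding is one command on the customer side: deleting the assignment
# revokes every authorization in the definition at once.
# Remove-AzManagedServicesAssignment -Scope $scope -Name <assignment name>

# ----- MSP tenant: delegated subscriptions carry a foreign home tenant ------
Connect-AzAccount -Tenant $mspTenantId | Out-Null
Get-AzSubscription | Where-Object { $_.HomeTenantId -ne $mspTenantId } |
    Select-Object Name, Id, HomeTenantId, State

# The delegated subscription's activity log records the registration itself,
# and every later MSP action there is logged with the MSP user as Caller, so
# the customer keeps a full audit trail without any extra configuration.
Set-AzContext -Subscription $customerSubId | Out-Null
Get-AzActivityLog -ResourceProvider Microsoft.ManagedServices -StartTime (Get-Date).AddDays(-30) |
    Select-Object EventTimestamp, OperationName, Caller, Status
```

The warning on an unexpected ManagedByTenantId is the check worth automating on the customer side: a delegation to a tenant you do not recognise is a standing cross-tenant foothold, and the assignment should be removed rather than investigated in place.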
Managing and Monitoring Customer Resources
Once the onboarding process is complete, you can start managing customer resources. You can:
- View onboarded resources and subscription details.
- Check activity logs for delegation changes.
- Add or modify user access as needed. Because authorizations are granted to groups, day-to-day staffing changes are made by editing group membership in the MSP tenant; changing roles, adding principals or altering eligible-access settings requires an updated template that the customer redeploys, since the MSP cannot widen its own access unilaterally.
Conclusion
Azure Lighthouse streamlines the management of customer resources for MSPs, offering a secure and efficient solution for overseeing multiple tenants. By following the steps outlined in this guide, MSPs can easily onboard customers, define permissions, and manage resources while ensuring compliance and security.