Home
%3CLINGO-SUB%20id%3D%22lingo-sub-1032864%22%20slang%3D%22en-US%22%3EManaging%20security%20with%20Azure%20Lighthouse%20and%20Azure%20Arc%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1032864%22%20slang%3D%22en-US%22%3E%3CP%3EI've%20previously%20blogged%20about%20Azure%20Lighthouse%2C%20for%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FITOps-Talk-Blog%2FManage-multiple-Azure-tenancies-with-Azure-Lighthouse%2Fba-p%2F833928%3FWT.mc_id%3Ditopstalk-blog-socuff%22%20target%3D%22_self%22%3Emanaging%20multiple%20difference%20Azure%20tenancies%3C%2FA%3E.%20This%20capability%20is%20useful%20for%20both%20Managed%20Service%20Providers%2C%20with%20support%20arrangements%20for%20multiple%20customers%2C%20and%20for%20large%20or%20complex%20Enterprise%20organizations%20(for%20example%2C%20if%20there%20are%20sub-brands%20or%20franchisees).%20Onboarding%20is%20done%20via%20deploying%20an%20Azure%20Resource%20Manager%20template%20or%20publishing%20an%20Azure%20Marketplace%20offer%20(public%20or%20private)%2C%20which%20enables%20delegated%20administration%20into%20the%20other%20tenancies.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20allows%20service%20providers%2C%20from%20the%20account%20in%20their%20own%20primary%20Azure%20tenancy%2C%20to%20have%20visibility%20of%20all%20of%20their%20customer's%20Azure%20resources%20and%20to%20be%20able%20to%20act%20on%20them%2C%20from%20the%20Azure%20Portal%2C%20CLI%20or%20APIs.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20772px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F158921iA45A705D8E928742%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22ResourceGroups-AllCustomers.jpg%22%20title%3D%22ResourceGroups-AllCustomers.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EResources%20from%20multiple%20Azure%20tenancies%2C%20visible%20via%20the%20Azure%20Portal.%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EThe%20best%20way%20to%20unlock%20the%20power%20of%20this%20tool%20is%20to%20first%20decide%20what%20you're%20going%20to%20manage%3C%2FSTRONG%3E%20-%20and%20security%20is%20always%20a%20good%20place%20to%20start.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFirst%2C%20we%20want%20to%20make%20sure%20that%20all%20of%20the%20resources%20across%20our%20customers%20are%20compliance%20to%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsecurity-center%2Fsecurity-center-policy-definitions%3FWT.mc_id%3Ditopstalk-blog-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Edefault%20set%20of%20security%20policies%3C%2FA%3E%20that%20the%20Azure%20Security%20Center%20monitors%20by%20default.%20In%20this%20picture%2C%20you%20can%20see%20that%20one%20of%20our%20customer%20subscriptions%20has%204%20non-compliant%20resources%20against%20that%20policy%20initiative%2C%20totally%2021%20policies%20that%20are%20non-compliant.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F158922iFF489F98E014166F%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22AzurePolicyCompliance-All%20customers.jpg%22%20title%3D%22AzurePolicyCompliance-All%20customers.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EFrom%20here%2C%20we%20can%20drill%20down%20into%20those%204%20resources%20and%20see%20what%20needs%20remediation%20in%20each%2C%20without%20having%20to%20switch%20logins%20into%20a%20different%20tenancy.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENext%2C%20we'll%20take%20a%20look%20at%20the%20Azure%20Security%20Center%2C%20and%20see%20not%20only%20an%20overall%20secure%20score%20but%20also%20recommended%20security%20hygiene%20measures%2C%20regulatory%20compliance%20and%20security%20alerts%2C%20aggregated%20across%20all%20of%20the%20tenancies%20we%20have%20access%20in%20to.%20For%20partners%20providing%20Security-as-a-Service%20offers%2C%20this%20provides%20you%20with%20a%20great%20task%20list%2C%20and%20large%20Enterprises%20can%20now%20get%20a%20single%20picture%20of%20their%20security%20risk%20across%20their%20multiple%20environments.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F158923i2EBD45FCEF944ABD%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22SecurityCenter-Overview.jpg%22%20title%3D%22SecurityCenter-Overview.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnd%20if%20we%20want%20a%20more%20granular%20level%20of%20detail%2C%20we%20can%20bring%20up%20the%20Secure%20Score%20details%20for%20each%20individual%20tenancy%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F158924i65981E3540B38001%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22SecureScore.jpg%22%20title%3D%22SecureScore.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EBut%20wait%2C%20there's%20more!%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWith%20the%20recently%20announced%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fazure-arc%2Fservers%2Foverview%3FWT.mc_id%3Ditopstalk-blog-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Arc%20(preview)%3C%2FA%3E%2C%20non-Azure%20Windows%20and%20Linux%20Servers%20can%20now%20be%20onboarded%20into%20Azure%20as%20connected%20machines%2C%20allowing%20you%20to%20query%20Azure%20Policies%20inside%20the%20VMs%20(guest%20configuration)%20and%20ingest%20log%20data%20into%20Log%20Analytics.%20It's%20early%20days%20for%20Azure%20Arc%2C%20with%20support%20for%20more%20services%20coming%20soon%2C%20but%20now%20those%20connected%20machines%20can%20be%20queried%20for%20their%20operating%20system-level%20security%20settings%20via%20Azure%20Policy.%26nbsp%3B%20You've%20now%20just%20unlocked%20the%20full%20breadth%20of%20your%20customer's%20server%20environment%2C%20whether%20their%20servers%20are%20in%20Azure%2C%20in%20a%20data%20center%2C%20on%20premises%20or%20even%20in%20someone%20else's%20Cloud!%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3EAs%20the%20capabilities%20of%20both%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Flighthouse%2Fconcepts%2Fcross-tenant-management-experience%3FWT.mc_id%3Ditopstalk-blog-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Lighthouse%3C%2FA%3E%20and%20Azure%20Arc%20grow%2C%20this%20tool%20will%20become%20even%20more%20powerful%20as%20a%20centralized%20management%20capability%20for%20partners%20and%20large%20Enterprises.%20And%20remember%2C%20if%20the%20Azure%20Portal%20isn't%20your%20thing%2C%20you%20can%20automate%20those%20tasks%20through%20the%20CLI%20or%20APIs%20at%20scale%20now%2C%20across%20multiple%20tenancies.%26nbsp%3BI%20just%20wish%20I%20could%20share%20what's%20on%20the%20roadmap%20next!%20%26nbsp%3B%20%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3EFor%20more%20information%20on%20Azure%20Lighthouse%2C%20including%20onboarding%20options%2C%20visit%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Flighthouse%2F%3FWT.mc_id%3Ditopstalk-blog-socuff%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fazure%2Flighthouse%2F%3FWT.mc_id%3Ditopstalk-blog-socuff%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1032864%22%20slang%3D%22en-US%22%3E%3CP%3ELearn%20how%20to%20manage%20the%20security%20footprint%20of%20your%20customer's%20environments%20from%20one%20place%2C%20regardless%20of%20where%20their%20servers%20are.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1032864%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Arc%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Lighthouse%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESonia%20Cuff%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

I've previously blogged about Azure Lighthouse, for managing multiple difference Azure tenancies. This capability is useful for both Managed Service Providers, with support arrangements for multiple customers, and for large or complex Enterprise organizations (for example, if there are sub-brands or franchisees). Onboarding is done via deploying an Azure Resource Manager template or publishing an Azure Marketplace offer (public or private), which enables delegated administration into the other tenancies.

 

This allows service providers, from the account in their own primary Azure tenancy, to have visibility of all of their customer's Azure resources and to be able to act on them, from the Azure Portal, CLI or APIs.  

 

ResourceGroups-AllCustomers.jpg

Resources from multiple Azure tenancies, visible via the Azure Portal. 

 

The best way to unlock the power of this tool is to first decide what you're going to manage - and security is always a good place to start. 

 

First, we want to make sure that all of the resources across our customers are compliance to the default set of security policies that the Azure Security Center monitors by default. In this picture, you can see that one of our customer subscriptions has 4 non-compliant resources against that policy initiative, totally 21 policies that are non-compliant.

AzurePolicyCompliance-All customers.jpg

From here, we can drill down into those 4 resources and see what needs remediation in each, without having to switch logins into a different tenancy.

 

Next, we'll take a look at the Azure Security Center, and see not only an overall secure score but also recommended security hygiene measures, regulatory compliance and security alerts, aggregated across all of the tenancies we have access in to. For partners providing Security-as-a-Service offers, this provides you with a great task list, and large Enterprises can now get a single picture of their security risk across their multiple environments.

SecurityCenter-Overview.jpg

 

And if we want a more granular level of detail, we can bring up the Secure Score details for each individual tenancy:

SecureScore.jpg

 

But wait, there's more!

 

With the recently announced Azure Arc (preview), non-Azure Windows and Linux Servers can now be onboarded into Azure as connected machines, allowing you to query Azure Policies inside the VMs (guest configuration) and ingest log data into Log Analytics. It's early days for Azure Arc, with support for more services coming soon, but now those connected machines can be queried for their operating system-level security settings via Azure Policy.  You've now just unlocked the full breadth of your customer's server environment, whether their servers are in Azure, in a data center, on premises or even in someone else's Cloud! 

 

As the capabilities of both Azure Lighthouse and Azure Arc grow, this tool will become even more powerful as a centralized management capability for partners and large Enterprises. And remember, if the Azure Portal isn't your thing, you can automate those tasks through the CLI or APIs at scale now, across multiple tenancies. I just wish I could share what's on the roadmap next!     

 

For more information on Azure Lighthouse, including onboarding options, visit: https://docs.microsoft.com/azure/lighthouse/?WT.mc_id=itopstalk-blog-socuff