Azure Lighthouse can enable cross and Multi-tenant management, allow for higher automation, scalability, and enhanced governance across resources and tenants.
Service Provider: the one to manage delegated resources.
Customer: the delegated resources (subscription and/or resources group) can be accessed and managed through service provider’s Azure Active Directory tenant.
To onboard the Customer, at first we need to gather Server Provider’s Tenant ID and Principal ID.
Gather Server Provider’s Tenant ID and Principal ID
In Azure portal, search for “Azure Active Directory”, you can find the Tenant ID in Overview.
It also can get Tenant ID through Azure Powershell or Azure CLI in local Poweshell (need to login first) or Cloud shell in Azure Portal.
For example, in Azure Poweshell use command “Select-AzSubscription <subscriptionId>”
This principal Id should be the User or Security AAD group who needs to manage customer’s resources.
In Azure portal you can search for “Azure AD roles “ or Click “Role and administrator” in the first image (marked 3). Then click find the role you want to onboard Azure Lighthouse.
Select “Profile”, you can find the Object ID there. It’s the principal ID need to keep.
Define roles and permission
As a service provider, you may want to perform multiple tasks for a single customer, requiring different access for different scopes. You can define as many authorizations as you need in order to assign the appropriate role-based access control (RBAC) built-in roles to users in your tenant.
Note: This deployment must be done by a non-guest account in the customer's tenant who has the Owner built-in role for the subscription being onboarded (or which contains the resource groups that are being onboarded).
If the subscription was created through the Cloud Solution Provider (CSP) program, any user who has the Admin Agent role in your service provider tenant can perform the deployment.
Click one for the Azure button, it directly goes to the Azure portal custom deployment page.
Then select “Edit parameter”.
Put TenantID, PrincipalID and Role definitions found before. And click “Save”.
The deployment may take several minutes to complete.
After the deployment succeeds, it may take about 15 mins to allow us see it from portal.
In Customer Azure Portal, search for “Service Provider” and click “Service provider offers”.
In Service Provider portal, search for “My customers”, select “Customer”.
As I applied for “Contributor” role, you can find it in directory and subscription in Service Provider side.
What can we do in Azure Lighthouse delegation?
After on board Lighthouse successfully. you can use Server Provider account to manage Customer resources without switch tenant.
If Service Provider has Contributor role, it can update, delete and create resources in Customer’s subscription.
Below image shows Storage account can be created in Customer Resource group from Server provider.
To conclude, Azure Lighthouse provide benefits for managing Customers' Azure resources securely, without having to switch context and control planes.