Azure Lighthouse: Cross Tenant Management

MVP

Azure Lighthouse makes MSP/service provider’s life easier in terms of customer/tenants management and onboarding.

PC: Nikhil Sharma

Azure Lighthouse has changed things in many ways and here we are discussing one of them. As a service provider, earlier, to access the customer’s resources in the process of giving support our engineers must be in customer’s tenants as a guest user for all the customer. From the engineer’s point of view, they need to switch the directory/tenants in order to work with a different customer. Now, we don’t need to be a guest user in each customer tenants and we don’t need to switch directory/tenants in order to work with multiple customers. Once we login into the portal, we can see all the customers under ‘My Customer‘ and we can access their resources from there. As shown in below image ‘janakpur’ is the customer and once we click on the janakpur, we can navigate to the subscription and will get access to the resources as per the permission assigned.

On top of this, it is highly automated and has many ARM template to make the onboarding process easier.

In this post, we are going to demonstrate how to defines roles and permission of support engineers into all the customer’s tenants.

Preresequites

You must have at least two tenants to perform this task, one will be treated as an MSP and another as a customer. The customer’s tenant must have an active Azure subscription.

Scenario

Azure user Group Nepal (AUGN) is a service provider and has multi-levels of support team named ‘ Tier 1 Engineer’, ‘Tier 2 Engineer’, and ‘Tier 3 Engineer’. As a service provider, we want Tier 1 engineer should have Read permission, Tier 2 and Tier 3 engineer should have Contributor permission in all customer’s tenants. To achieve this, we are going to create three groups to assign permission instead of assigning to each individual user. We create the groups as below in the service provider tenants.

Group Name Member of the Group
Tier 1 All the tier 1 engineers
Tier 2 All the tier 2 engineers
Tier 3 All the tier 3 engineers

Prepare MSP Tenants

There is ARM template available on Github by Microsoft. We need to modify the parameters file as per our tenants. Download below both files and modify the parameters file.

File Name Description
delegatedResourceManagement.json Template JSON
delegatedResourceManagement.parameters.json Parameters JSON

Before modifying the file we need to gather certain information from the service provider tenants.

  • mspName: Name of the MSP/service provider. In this case, Azure User Group Nepal.
  • mspOfferDecription: The service we offer to the customer. Here, AUGN Fully Managed Service.
  • managedByTenantid: Tenant ID of the MSP (Azure Active Directory->Properties->Directory ID)
  • principalId: Object Id of the group/user (Get-AzADGroup -DisplayName ‘<yourGroupName>’).id . Here, object ID of Tier1, Tier2, and Tier3.
  • principleIdDisplayName: the display name of the group/user in the customer’s tenant.
  • roleDefinitionID: predefined GUID of the role, like Reader, Contributor, and Owner. We can find it from here. PowerShell command to get it (Get-AzRoleDefinition -Name ‘<roleName>’).id
{
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "mspName": {
            "value": "Azure User Group Nepal"
        },
        "mspOfferDescription": {
            "value": "AUGN Fully Managed Service"
        },
        "managedByTenantId": {
            "value": "09fsdsdb677-425a-4d83-aa73-7455477bc7"
        },
        "authorizations": {
            "value": [
                {
                    "principalId": "5ae35555-7c67-4adb-876e-67657hf9ad4c6",
                    "principalIdDisplayName": "Tier 1 Support",
                    "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"
                },
                {
                    "principalId": "f29f1555-af6d-4555-b32c-6803a943d7d3",
                    "principalIdDisplayName": "Tier 2 Support",
                    "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"                    
                },

                {
                    "principalId": "fe514555-cf72-4agd42-8e55-dbf93d775cdf",
                    "principalIdDisplayName": "Tier 3 Support",
                    "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"                    
                }
                
            ]
        }
    }
}

We are ready with the service provider’s tenant, now we need to work on customer’s tenant.

Deploying the Template in Customer’s Tenant

The customer’s tenant must have registered to the  Microsoft.ManagedServices before onboarding. To register, log in to the Azure portal, Click on the subscription->Navigate to the Resource providers->Search for  Microsoft.ManagedServices->Click on Register.

It will take a moment to get registered. After the registration, it should look like as below.

The ARM template we created earlier need to deploy at subscription level in each customer tenant. Login into customer’s tenant using PowerShell. The user must be non-guest in customer’s tenants. We have to repeat this step for each customer.

Login-AzAccount
Get-AzSubscription
$context = Get-AzSubscription -SubscriptionId xxxxxxx-axxx-xxx4-xxx-xxxxx
Set-AzContext $context
New-azdeployment -Name "AUGN" -Location westeurope -TemplateFile .\delegatedResourceManagement.json -TemplateParameterFile .\delegatedResourceManagement.parameters.json

On MSP Portal

  1. Click All Services and search for My Customers, and click on it. In the new window click on My Customers.

We can see above the Customer (janakpur) is under the customer section and see below under the Delegations, we see the appropriate right has assigned.

We can more dig down and see IAM, resource group, resources, etc. We can access the resources of janakpur (customer) without switching the directory.

On Customer Portal

  1. Click All Services and search for Service Provider, and click on it. In the new window click on Service Provider.

Here, we can see, Azure User Group Nepal is a service provider for janakpur. As a customer, we can see what are the permission service provider has in the tenants as below.

If any new engineer joins the service provider team and once he/she will be in the right group, he/she will automatically get access to the customer’s tenants. We don’t need to invite them manually. And once he/she will leave the service provider and removed from the group, automatically permission will withdraw and we don’t need to delete guest user from the customer’s tenant.

6 Replies
I have a ton of questions about this service. Where would the best place to be to post them?
Hi Lynn, you can post here.

@sakaldeep yadav 

 

I published Azure shared dashboard into my customer tenant resource group using Azure Lighthouse.  However i do not understand how to implement RBAC to access/limit users from accessing this dashboard at a customer tenant.

 

Appreciate any advice.

 

Thanks.

@sakaldeep yadav 

I had a look at the community pages, but can't find a section specific to Lighthouse, so pardon me for posting here. If there is a dedicated space, I would appreciate a link.

 

I have an issue pulling in customer log information with Log Analytics.

 

I have a group that gets assigned Contributor rights to the customer environment at subscription level. I am able to browse all resources, and I  have verified that I can create resources. However, when I access the Log Analytics workspace(s), I am unable to run any queries (or query any VM performance data through Azure Monitor), and it's as if it just hangs there trying to retrieve the log data. Attached is a snip of what I see.

Logging in to the customer tenant directly with Owner permissions I am able to successfully query the logs and view VM performance data.

Please advise if there are any specific considerations in terms of permissions. I assumed Contributor access would have sufficed.

Thanks

Sebastiaan

@sakaldeep yadav 

 

nice short explanation, i have another question , have searched around several blogs and so on the internet. im working on a case, where i want to use PIM for the groups that i have created for the delegated access with azure lighthouse. Any experience with that? Is it even possible? or should i post this on azure active directory

I could not find any on this except some suggestion on the user voice. 

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/38627143-customer-tenant... 

 

@Deleted Keep an eye out.  It was announced at Insight and is in Private Preview.