Azure Lighthouse PIM Enabled Delegations
Published Nov 28 2022 10:30 AM 11.6K Views

We are excited to announce General Availability of PIM Enabled Azure Lighthouse Delegations. This has been a top ask from customers since the product launch in 2019, and we're thrilled to deliver this powerful capability to our customers! With the addition of PIM eligible authorizations, customers and service providers have another tool for granting more granular access to customer resources.


With Azure Lighthouse, service providers can deliver managed services using comprehensive and robust tooling built into the Azure platform. Customers maintain control over who has access to their tenant, which resources they can access, and what actions can be taken. Enterprise organizations managing resources across multiple tenants can also use Azure Lighthouse to streamline management tasks. Cross-tenant management experiences let you work more efficiently with Azure services such as Azure Policy, Microsoft Sentinel, Azure Arc, and many more. Users can see what changes were made and by whom in the activity log, which is stored in the customer's tenant and can be viewed by users in the managing tenant.


The addition of PIM enabled delegations takes Azure Lighthouse's granular access to the next level by assigning service providers the exact level of access needed, per resource, for the exact amount of time needed to complete a task. Customers can create eligible authorizations that use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to let users in the managing tenant temporarily elevate their role. This lets customers grant additional permissions on a just-in-time basis, so that managing tenant users hold those permissions only for a set duration. Customers also gain added security by enforcing Azure Multi-Factor Authentication before a provider's access is elevated. All activity is auditable, logged, and available for viewing within the managing tenant.


Azure Lighthouse support for Azure AD PIM was designed around one of the founding principles of the Zero Trust security model, the principle of least privilege, which grants the minimum access required through a just-enough and just-in-time (JIT) access model. JIT adds a time-bound dimension to a permanent Azure RBAC role: the role must be activated before use and expires after a limited period of time. Like the permanent Azure RBAC roles that Azure Lighthouse supports today, these eligible roles do not have an expiration date and are viewable within the Azure Lighthouse blade alongside the other role assignments. Eligible roles cannot be used without the presence of at least one permanent role, and they can be activated in 30-minute increments up to the allowed maximum activation duration.


Configuring ARM templates with Azure AD PIM works the same as before with Azure Lighthouse, but with the addition of an eligible authorizations parameter. This allows your customers to configure your just-in-time access policy: the maximum activation duration, the MFA provider (Azure), and the approvers for eligible roles.


Create eligible authorizations

Creating eligible roles is a simple process that is described in our docs and can be done through the Azure portal as well as through the Partner Center experience.
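The checks below tie together the rules stated in this post: an eligible authorization carries a just-in-time access policy (maximum activation duration, MFA provider, approvers), activation happens in 30-minute increments up to the maximum, and eligible roles are unusable without at least one permanent role. This is an added example, not Microsoft's code or a Lighthouse template from the docs. It assumes the registration definition property names `authorizations`, `eligibleAuthorizations`, `justInTimeAccessPolicy`, `multiFactorAuthProvider`, `maximumActivationDuration` and `managedByTenantApprovers`; the tenant and principal IDs are constructed placeholders, and the 8-hour ceiling on activation duration is an assumption the post itself does not state.

```python
"""Sanity checks for an Azure Lighthouse delegation that uses PIM-eligible authorizations.

Added example, not Microsoft's code. Property names follow the Lighthouse registration
definition parameters; all tenant/principal IDs are constructed placeholders.
"""
import re
from typing import Optional

# Built-in Azure role definition GUIDs for Reader and Contributor.
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"

# Assumption: activation may be configured for at most 8 hours; the post only
# states that activation happens in 30-minute increments up to the maximum.
MAX_ACTIVATION_MINUTES = 8 * 60

ENGINEERS_GROUP = "11111111-1111-1111-1111-111111111111"  # placeholder object ID
LEADS_GROUP = "22222222-2222-2222-2222-222222222222"      # placeholder object ID

# Constructed delegation the way a customer would parameterize it: a permanent
# Reader role plus a Contributor role that is only eligible and needs PIM activation.
SAMPLE_DELEGATION = {
    "managedByTenantId": "00000000-0000-0000-0000-000000000000",  # placeholder
    "authorizations": [
        {"principalId": ENGINEERS_GROUP, "principalIdDisplayName": "MSP Engineers",
         "roleDefinitionId": READER},
    ],
    "eligibleAuthorizations": [
        {"principalId": ENGINEERS_GROUP, "principalIdDisplayName": "MSP Engineers",
         "roleDefinitionId": CONTRIBUTOR,
         "justInTimeAccessPolicy": {
             "multiFactorAuthProvider": "Azure",          # MFA enforced before elevation
             "maximumActivationDuration": "PT2H",         # ISO 8601, 30-minute multiple
             "managedByTenantApprovers": [
                 {"principalId": LEADS_GROUP, "principalIdDisplayName": "MSP Leads"},
             ],
         }},
    ],
}

# Constructed weak variant: no permanent role, MFA switched off, an odd duration
# and nobody to approve the activation request.
WEAK_DELEGATION = {
    "managedByTenantId": "00000000-0000-0000-0000-000000000000",  # placeholder
    "authorizations": [],
    "eligibleAuthorizations": [
        {"principalId": ENGINEERS_GROUP, "principalIdDisplayName": "MSP Engineers",
         "roleDefinitionId": CONTRIBUTOR,
         "justInTimeAccessPolicy": {
             "multiFactorAuthProvider": "None",
             "maximumActivationDuration": "PT45M",
             "managedByTenantApprovers": [],
         }},
    ],
}

_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def iso_minutes(duration: str) -> Optional[int]:
    """Convert an ISO 8601 duration such as PT2H or PT1H30M to whole minutes."""
    m = _DURATION.match(duration or "")
    if not m or not any(m.groups()):
        return None
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return hours * 60 + minutes


def check_delegation(delegation: dict, max_minutes: int = MAX_ACTIVATION_MINUTES) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not delegation.get("authorizations"):
        findings.append("no permanent authorization: eligible roles need at least one permanent role")
    for i, auth in enumerate(delegation.get("eligibleAuthorizations", [])):
        label = f"eligibleAuthorizations[{i}] ({auth.get('roleDefinitionId', '?')})"
        policy = auth.get("justInTimeAccessPolicy") or {}
        minutes = iso_minutes(policy.get("maximumActivationDuration", ""))
        if minutes is None:
            findings.append(f"{label}: maximumActivationDuration is not a PT..H..M duration")
        else:
            if minutes < 30 or minutes % 30 != 0:
                findings.append(f"{label}: {minutes} min is not a 30-minute increment")
            if minutes > max_minutes:
                findings.append(f"{label}: {minutes} min exceeds the {max_minutes} min ceiling")
        if policy.get("multiFactorAuthProvider") != "Azure":
            findings.append(f"{label}: multiFactorAuthProvider is not 'Azure'; MFA not enforced")
        if not policy.get("managedByTenantApprovers"):
            findings.append(f"{label}: no managedByTenantApprovers; activation needs no approval")
    return findings


if __name__ == "__main__":
    for name, d in (("sample", SAMPLE_DELEGATION), ("weak", WEAK_DELEGATION)):
        print(name, "->", check_delegation(d) or "OK")
```

Run the file directly to see the hardened sample pass and the weak variant produce one finding per missing control; `check_delegation` can be pointed at the `parameters` object of any registration definition template before it is deployed.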


Activate eligible roles on a just-in-time basis

Once the ARM template is deployed, which creates the registration definition and the registration assignment on the scope the template was deployed to, the permanent and eligible roles appear within the Azure Lighthouse > My Customers > Delegations blade. A user who holds an eligible role navigates to the Azure AD PIM blade to activate it.


Enforce approval-based workflows

When a user tries to activate an eligible role, Azure AD PIM enforces its approval-based workflow. All designated approvers are notified by email when a role activation request comes in and have 24 hours to approve the request. Once the request is completed, the requestor is also notified that they now hold the eligible role.


View audit logs

All Azure AD PIM activity automatically appears in the Azure AD PIM audit logs within the Azure AD PIM blade.


Get started:

Note that users in the managing tenant who want to use PIM must have the Azure AD Premium P2 or EMS E5 license. Our hope is that this capability will enable you to provide your customers with a greater degree of confidence and allow you to protect their environments with the latest security best practices.



Last update: Nov 29 2022 09:26 AM