
How to Manage multiple Azure tenancies with Azure Lighthouse?

  • May 14, 2020
  • 7 min read
IT Production Manager. Nicolas is primarily focused on Microsoft technologies, he is a Microsoft MVP in Cloud and Datacenter Management.


Managed Services Provider

If you work for a Managed Services Provider (MSP), you used to have to switch between multiple browser sessions, one per customer tenant, in order to manage all the Azure resources of your customers. Microsoft addressed this problem by releasing Azure Lighthouse. Azure Lighthouse lets you see and manage Azure resources from different tenants in a single console, which saves time. The customer keeps control: the delegation is a set of role assignments granted to principals in your tenant, and your customers can see the delegated permissions in real time from their own portal and revoke them at any time.

How does Azure Lighthouse work?

Microsoft published an Azure Resource Manager (ARM) template that onboards a customer subscription to Azure Lighthouse. Before deploying it, you have to collect some information:
1. Your tenant ID, also called Directory ID, shown under Azure Active Directory on the Properties blade. This is the MSP tenant, the one that will receive the delegated access.
2. The principal ID (object ID) and the display name of the Azure AD groups in your tenant that will receive the delegated access:

– A “Contributors” group that you must create in your Azure AD

– A “Readers” group that you must create in your Azure AD

Delegating to groups rather than to individual users means you can later add or remove engineers in your own tenant without redeploying anything on the customer side. To get these IDs, query the groups with Get-AzADGroup from PowerShell, or read the Object ID from each group's overview page in the Azure portal.

3. The role definition IDs: decide which built-in roles match your access needs. For instance, I selected the Reader and Contributor roles.

You can also look up these IDs in the built-in roles documentation: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Note that the Owner role can’t be delegated, as explained in the documentation: “All built-in roles are currently supported with Azure delegated resource management except for Owner”. Delegate the least privileged role that covers the work: Reader for monitoring and support, Contributor only for the group that actually has to change resources.

4. Azure Resource Manager template: download the template and parameters JSON files from https://github.com/Azure/Azure-Lighthouse-samples


5. Edit the parameters file and replace the placeholder values with the information collected above (your tenant ID, the group object IDs and display names, the role definition IDs, and an offer name that your customer will see):

We can now deploy the ARM template. The deployment must be done by an account that has the built-in Owner role on the subscription being onboarded: what the registration actually needs is the Microsoft.Authorization/roleAssignments/write permission, which Owner includes and Contributor does not. So log in to the customer subscription using the Connect-AzAccount cmdlet and then run New-AzDeployment (a subscription-level deployment) with the template and parameters files:
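The whole procedure above, steps 1 to 5 plus the deployment, as one PowerShell script. This is an added example, not the command shown in the article's screenshots. It assumes the two groups already exist in the MSP tenant, that the sample template was saved locally as delegatedResourceManagement.json (the file name from the Azure-Lighthouse-samples repository), that the Az.Accounts, Az.Resources and Az.ManagedServices modules are installed, and that the tenant and subscription IDs at the top are replaced with your own. It resolves role IDs by name instead of pasting GUIDs, refuses to build a delegation that contains Owner, and finishes by listing what was actually delegated from the customer's side.

```powershell
# Added example (not from the original article): onboard a customer subscription to
# Azure Lighthouse from PowerShell with the Az module.
# Assumptions: groups exist in the MSP tenant; template downloaded locally; IDs below are yours.
$mspTenantId            = '00000000-0000-0000-0000-000000000000'   # MSP tenant (Directory ID), assumed
$customerTenantId       = '22222222-2222-2222-2222-222222222222'   # customer tenant, assumed
$customerSubscriptionId = '11111111-1111-1111-1111-111111111111'   # customer subscription, assumed
$templateFile           = '.\delegatedResourceManagement.json'     # assumed local copy of the sample template

# Step 1 and 2: in the MSP tenant, resolve the object IDs of the groups that receive access.
Connect-AzAccount -TenantId $mspTenantId | Out-Null
$groups = @{}
foreach ($name in 'Contributors', 'Readers') {
    $g = @(Get-AzADGroup -DisplayName $name)
    if ($g.Count -ne 1) { throw "Expected exactly one group named '$name' in the MSP tenant, found $($g.Count)." }
    $groups[$name] = $g[0]
}

# Step 3: in the customer tenant, sign in with an account holding Owner on the subscription.
Connect-AzAccount -TenantId $customerTenantId -Subscription $customerSubscriptionId | Out-Null

# Resolve built-in role definition IDs by name and refuse Owner, which Lighthouse cannot delegate.
$roleId = @{}
foreach ($name in 'Reader', 'Contributor') {
    $roleId[$name] = (Get-AzRoleDefinition -Name $name).Id
}
$ownerId = (Get-AzRoleDefinition -Name 'Owner').Id
if ($roleId.Values -contains $ownerId) { throw 'Owner cannot be delegated through Azure Lighthouse.' }

# Step 4 and 5: the same values you would put in the parameters file, as a hashtable.
# Each authorization pairs one MSP principal with one role; keep Contributor to the group that needs it.
$parameters = @{
    mspOfferName        = 'Contoso MSP managed services'            # assumed; shown to the customer
    mspOfferDescription = 'Delegated management of Azure resources'  # assumed
    managedByTenantId   = $mspTenantId
    authorizations      = @(
        @{ principalId            = $groups['Contributors'].Id
           principalIdDisplayName = $groups['Contributors'].DisplayName
           roleDefinitionId       = $roleId['Contributor'] },
        @{ principalId            = $groups['Readers'].Id
           principalIdDisplayName = $groups['Readers'].DisplayName
           roleDefinitionId       = $roleId['Reader'] }
    )
}

# Deployment: the registration is created at subscription scope, hence New-AzDeployment and -Location.
$deployment = New-AzDeployment -Name "lighthouse-$(Get-Date -Format yyyyMMddHHmm)" `
    -Location 'westeurope' `
    -TemplateFile $templateFile `
    -TemplateParameterObject $parameters
if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment ended in state '$($deployment.ProvisioningState)'."
}

# Check, from the customer side, exactly which principals got which roles.
# Property names (Authorization, RegistrationDefinitionName, ...) are those of Az.ManagedServices 3.x (assumed).
foreach ($def in Get-AzManagedServicesDefinition) {
    foreach ($auth in $def.Authorization) {
        [pscustomobject]@{
            Offer            = $def.RegistrationDefinitionName
            ManagedByTenant  = $def.ManagedByTenantId
            Principal        = $auth.PrincipalIdDisplayName
            RoleDefinitionId = $auth.RoleDefinitionId
        }
    }
}
```

The final loop is also a useful one-off audit on any subscription you inherit: it shows every service provider tenant that has been granted access and the role each of its principals holds, which is not visible from the normal Access control (IAM) blade.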

The deployment is done. You can check in the customer's Azure portal that the deployment completed successfully.

In the customer tenant, search for “Service providers” in the portal search bar:

You can confirm that your tenant has been added as a service provider.


If you click on the delegation, you can see both Azure AD groups that you assigned in this deployment, together with the role each one received.

Now switch to your own Azure tenant and search for “My customers”:

In the Customers blade, you can see your customer with some basic information.

Click on the customer to open a new blade listing the customer's Azure resources. Depending on the role assigned to the group your account belongs to, you will be able to manage or only read these resources from your own Azure tenant.

You can manage all the services from this console, such as Azure Backup, Azure Automation, compute, networking, …

Conclusion

Thanks to Azure Lighthouse, we can easily see and manage our customers' Azure resources from a single console. You will save a lot of time! Keep the delegated roles to the minimum each group needs, and remember that the customer can review and remove the delegation at any time from the Service providers blade.
