If you work for a Managed Services Provider (MSP), you have to switch between multiple browsers or browser profiles to manage the Azure resources of all your customers. Microsoft addressed this problem by releasing Azure Lighthouse. Azure Lighthouse lets you see and manage Azure resources from different tenants in a single console, which saves you time. On top of that, your customers can see in real time, from their own portal, exactly which permissions they have delegated to you.
How does Azure Lighthouse work?
Microsoft published an Azure Resource Manager template that onboards a customer subscription to Azure Lighthouse, i.e. delegates it to your tenant. First, you have to collect some information:
1. Your tenant ID (also called Directory ID), shown under Azure Active Directory on the Properties blade. This is the MSP tenant, the one that will manage the customer resources.
2. The principal ID (object ID) and the display name of the following groups, which you must create in your own Azure AD (the MSP tenant):
– A "Contributors" group
– A "Readers" group
To get this information, run the following command for each group:

```powershell
PS > (Get-AzADGroup -DisplayName '<GroupName>').Id
xxxxxxx-xxxxx-xxxxx-xxxxxxxx
```
3. The role definitions: decide which built-in roles your access needs require. For instance, I selected the Reader and Contributor roles.

```powershell
PS > (Get-AzRoleDefinition -Name 'Reader').Id
acdd72a7-3385-48ef-bd42-f606fba81ae7
PS > (Get-AzRoleDefinition -Name 'Contributor').Id
b24988ac-6180-42a0-ab88-20f7382dd24c
```
You can also look up these IDs in the built-in roles documentation: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Note that the Owner role can't be delegated, as explained in the documentation: "All built-in roles are currently supported with Azure delegated resource management except for Owner". Whatever you put in the authorizations is granted to every member of that group across the whole delegated scope, so pick the least privileged roles that cover the work you will actually do.
4. Azure Resource Manager template: download the template and its parameters file (JSON) from https://github.com/Azure/Azure-Lighthouse-samples
5. Edit the parameters file and replace the placeholders with the collected information:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspOfferName": {
      "value": "<Friendly_Name>"
    },
    "mspOfferDescription": {
      "value": "<Description>"
    },
    "managedByTenantId": {
      "value": "<Tenant_ID>"
    },
    "authorizations": {
      "value": [
        {
          "principalId": "<Principal_ID_Reader>",
          "principalIdDisplayName": "<Group_name_Reader>",
          "roleDefinitionId": "<Role_ID_Reader>"
        },
        {
          "principalId": "<Principal_ID_Contributor>",
          "principalIdDisplayName": "<Group_name_Contributor>",
          "roleDefinitionId": "<Role_ID_Contributor>"
        }
      ]
    }
  }
}
```
We can now deploy the ARM template. The deployment must be done by an account in the customer's tenant that has the built-in Owner role on the subscription being onboarded. So log in to the customer subscription with the Connect-AzAccount cmdlet and then run the following command (the -Location parameter is required for a subscription-level deployment; it only determines where the deployment metadata is stored):

```powershell
New-AzDeployment -Name <friendly_name> `
    -Location <location> `
    -TemplateFile <filepath_template> `
    -TemplateParameterFile <filepath_parameters> `
    -Verbose
```
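The whole procedure above, scripted end to end with Az PowerShell, as an added example that is not part of the original post or of the Azure-Lighthouse-samples repository. The group names, offer name and description, file names, the westeurope location and the placeholder tenant and subscription IDs are assumptions; the Az.Accounts, Az.Resources and Az.ManagedServices modules are required. Two checks are added that the manual steps skip: group display names are not unique in Azure AD, so a name collision would silently delegate to the wrong group, and the deployment fails early if the signed-in customer account is not an Owner of the subscription.

```powershell
# Added example, not from the original post. Phase 1 runs in the MSP tenant,
# phase 2 in the customer tenant; names, paths and IDs below are assumptions.

# ---- Phase 1: signed in to the MSP (service provider) tenant ----
Connect-AzAccount -Tenant '<MSP_Tenant_ID>' | Out-Null
$mspTenantId = (Get-AzContext).Tenant.Id          # becomes managedByTenantId

# Display names are not unique: refuse to continue unless exactly one group matches.
function Get-SingleGroup([string]$Name) {
    $groups = @(Get-AzADGroup -DisplayName $Name)
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$Name', found $($groups.Count)"
    }
    return $groups[0]
}
$readerGroup      = Get-SingleGroup 'Lighthouse-Readers'        # assumed group name
$contributorGroup = Get-SingleGroup 'Lighthouse-Contributors'   # assumed group name

# Built-in role definition IDs are identical in every tenant; Owner cannot be delegated.
$readerRoleId      = (Get-AzRoleDefinition -Name 'Reader').Id
$contributorRoleId = (Get-AzRoleDefinition -Name 'Contributor').Id

$parameters = [ordered]@{
    '$schema'      = 'https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json#'
    contentVersion = '1.0.0.0'
    parameters     = [ordered]@{
        mspOfferName        = @{ value = 'Contoso Managed Services' }       # assumed
        mspOfferDescription = @{ value = 'Reader and Contributor delegation' }
        managedByTenantId   = @{ value = $mspTenantId }
        authorizations      = @{ value = @(
            [ordered]@{
                principalId            = $readerGroup.Id
                principalIdDisplayName = $readerGroup.DisplayName
                roleDefinitionId       = $readerRoleId
            }
            [ordered]@{
                principalId            = $contributorGroup.Id
                principalIdDisplayName = $contributorGroup.DisplayName
                roleDefinitionId       = $contributorRoleId
            }
        ) }
    }
}
$parametersFile = '.\delegatedResourceManagement.parameters.json'   # assumed path
$parameters | ConvertTo-Json -Depth 10 | Set-Content -Path $parametersFile -Encoding UTF8

# ---- Phase 2: signed in to the CUSTOMER tenant as a subscription Owner ----
Connect-AzAccount -Tenant '<Customer_Tenant_ID>' -Subscription '<Customer_Subscription_ID>' | Out-Null
$subscriptionId = (Get-AzContext).Subscription.Id
$signInName     = (Get-AzContext).Account.Id

# Fail early if the (user) account is not Owner, directly or via a group, on this subscription.
# For a service principal, query by -ObjectId instead of -SignInName.
$ownerAssignment = Get-AzRoleAssignment -SignInName $signInName -ExpandPrincipalGroups `
    -Scope "/subscriptions/$subscriptionId" -RoleDefinitionName 'Owner'
if (-not $ownerAssignment) {
    throw "$signInName has no Owner assignment on /subscriptions/$subscriptionId"
}

# Subscription-level deployment; -Location only says where the deployment metadata lives.
$deployment = New-AzDeployment -Name 'lighthouse-onboarding' -Location 'westeurope' `
    -TemplateFile '.\delegatedResourceManagement.json' `
    -TemplateParameterFile $parametersFile -Verbose
if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment finished in state '$($deployment.ProvisioningState)'"
}

# Customer-side verification: the registration definition (the offer) and the
# registration assignment (the delegation itself) now exist on the subscription.
Get-AzManagedServicesDefinition | Format-List
Get-AzManagedServicesAssignment | Format-List
```

The Owner check is a convenience, not an authorization decision: Azure Resource Manager enforces the requirement itself and will reject the deployment from an account that lacks it. The two Get-AzManagedServices* calls are what the "Service Providers" blade in the customer portal reads; the property names they return differ between versions of Az.ManagedServices, which is why the example lists them with Format-List instead of selecting specific properties.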
Once the command returns with a ProvisioningState of Succeeded, the deployment is done. You can check in the customer's Azure portal that the delegation is in place.
In the customer tenant, search for "Service providers" in the portal search bar:
You can confirm that your tenant has been added as a service provider.
If you click on the delegation, you can see both Azure AD groups, and the roles, that you assigned in this deployment.
Now switch to your own Azure tenant and search for "My customers":
In the customers blade, you can see your customer with some basic information.
Click on the customer to open a new blade. This blade displays the customer's Azure resources. Depending on the role assigned to the group your account belongs to, you will be able to manage or only read the resources from your Azure tenant.
You can manage all the services from this console, such as Azure Backup, Azure Automation, Azure Compute, Azure Network, …
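The same check from the command line, as an added example that is not part of the original post: in the MSP tenant, delegated subscriptions are listed by Get-AzSubscription next to the MSP's own subscriptions, and their home tenant is what distinguishes them. This assumes a recent Az.Accounts module (one whose subscription objects expose HomeTenantId), the Az.ManagedServices and Az.Resources modules, and that the signed-in user is a member of one of the delegated groups; the MSP tenant ID placeholder is an assumption.

```powershell
# Added example, not from the original post: enumerate delegated customer
# subscriptions from the MSP tenant and verify what was delegated on each.
Connect-AzAccount -Tenant '<MSP_Tenant_ID>' | Out-Null
$mspTenantId = (Get-AzContext).Tenant.Id

# Delegated subscriptions appear in the MSP context, but their home tenant is the customer's.
$delegated = Get-AzSubscription | Where-Object { $_.HomeTenantId -ne $mspTenantId }
$delegated | Select-Object Name, Id, HomeTenantId, State | Format-Table -AutoSize

foreach ($sub in $delegated) {
    Set-AzContext -Subscription $sub.Id | Out-Null
    Write-Host "== $($sub.Name) (home tenant $($sub.HomeTenantId)) =="

    # The registration assignment shows which MSP principals hold which roles here.
    Get-AzManagedServicesAssignment | Format-List

    # A read-only inventory that works with the Reader delegation alone; no write
    # operation is attempted, so this is safe to run from the Readers group.
    Get-AzResource | Group-Object ResourceType | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
}
```

Running this from an account that is only in the Readers group is a cheap way to confirm that the Reader delegation is scoped as intended: the listing succeeds, and any write cmdlet (for example a New-AzResourceGroup) is refused by Azure RBAC.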
Conclusion
Thanks to Azure Lighthouse, we can easily see and manage our customers' Azure resources from a single console. You will save a lot of time!