Azure Lighthouse: Multi-Tenant Management
Azure Lighthouse lets a service provider manage resources in customers' Azure tenants at scale from its own tenant. The customer grants access to a subscription or resource group through Azure RBAC (a registration definition plus a registration assignment); no guest accounts are created in the customer tenant, and the provider sees every delegated scope in one portal.
How Lighthouse Works
Service Provider Tenant Customer Tenants
┌─────────────────────┐ ┌─────────────┐
│ │ ───▶ │ Customer A │
│ Management Portal │ ───▶ │ Customer B │
│ │ ───▶ │ Customer C │
└─────────────────────┘ └─────────────┘
Delegated Access
Create Lighthouse Offer
The customer deploys a single template that contains the registration definition (which provider principals get which roles) and the registration assignment (the scope the definition applies to). Without the assignment resource nothing is delegated. Role IDs are built-in role definition GUIDs: acdd72a7-3385-48ef-bd42-f606fba81ae7 is Reader, b24988ac-6180-42a0-ab88-20f7382dd24c is Contributor.
// managedServiceOffer.json (subscription-scope template: definition plus assignment)
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspOfferName": {
      "type": "string",
      "defaultValue": "Managed Services"
    },
    "mspOfferDescription": {
      "type": "string",
      "defaultValue": "24/7 infrastructure management"
    }
  },
  "variables": {
    "managedByTenantId": "service-provider-tenant-id",
    "mspRegistrationName": "[guid(parameters('mspOfferName'))]",
    "authorizations": [
      {
        "principalId": "provider-security-group-object-id",
        "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
        "principalIdDisplayName": "Tier 1 Support (Reader)"
      },
      {
        "principalId": "provider-security-group-object-id",
        "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
        "principalIdDisplayName": "Tier 2 Engineers (Contributor)"
      }
    ]
  },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2020-02-01-preview",
      "name": "[variables('mspRegistrationName')]",
      "properties": {
        "registrationDefinitionName": "[parameters('mspOfferName')]",
        "description": "[parameters('mspOfferDescription')]",
        "managedByTenantId": "[variables('managedByTenantId')]",
        "authorizations": "[variables('authorizations')]"
      }
    },
    {
      "type": "Microsoft.ManagedServices/registrationAssignments",
      "apiVersion": "2020-02-01-preview",
      "name": "[variables('mspRegistrationName')]",
      "dependsOn": [
        "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
      ],
      "properties": {
        "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
      }
    }
  ]
}
Deploy to Customer
# The customer deploys the template in their own tenant. The signed-in account must be
# a non-guest user of the customer tenant with a role that includes
# Microsoft.Authorization/roleAssignments/write on the subscription (for example Owner).
az deployment sub create \
  --location eastus \
  --template-file managedServiceOffer.json \
  --subscription customer-subscription-id
View Delegated Resources
# From the service provider tenant. The ManagedServices cmdlets operate in the
# context of a delegated subscription, so select one first.
Set-AzContext -Subscription customer-subscription-id
Get-AzManagedServicesDefinition     # offers registered in this subscription
Get-AzManagedServicesAssignment     # scopes those offers are assigned to
# List every delegated subscription: its home tenant is the customer's, while
# the tenant you reached it through (TenantId) is your own.
Get-AzSubscription | Where-Object { $_.HomeTenantId -ne $_.TenantId }
Cross-Tenant Operations
# Query and act across every delegated customer subscription from the provider tenant.
# Built-in policy "Require a tag on resources" (definition ID 871b6d14-10aa-478d-b590-94f262ecfa99).
$policy = Get-AzPolicyDefinition -Id '/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99'
$customers = Get-AzSubscription | Where-Object { $_.HomeTenantId -ne $_.TenantId }
foreach ($customer in $customers) {
    Set-AzContext -Subscription $customer.Id | Out-Null
    # Inventory VMs, tagging each row with the customer subscription it came from
    Get-AzVM | Select-Object Name, ResourceGroupName, @{ N = 'Customer'; E = { $customer.Name } }
    # Assign the policy at subscription scope. Contributor is not enough for this:
    # the delegated role needs Microsoft.Authorization/policyAssignments/write
    # (for example Resource Policy Contributor).
    New-AzPolicyAssignment -Name 'require-tag' -PolicyDefinition $policy `
        -PolicyParameterObject @{ tagName = 'CostCenter' } `
        -Scope "/subscriptions/$($customer.Id)"
}
Azure Resource Graph
// Run from the provider tenant: Resource Graph includes delegated subscriptions
// automatically, so filter on subscriptions whose tenantId is not your own.
resources
| where subscriptionId in~ (
resourcecontainers
| where type == 'microsoft.resources/subscriptions'
| where tenantId != 'your-tenant-id'
| project subscriptionId
)
| summarize count() by type
Monitoring Across Tenants
# Option A (shown here): one workspace in the provider tenant that customer
# subscriptions send diagnostic settings to. Simple, but it moves customer log
# data into the provider's tenant.
# Option B (what the Lighthouse guidance recommends): keep each workspace in the
# customer's subscription so the customer owns the data, and run cross-workspace
# queries from the provider tenant; the delegation already permits that.
az monitor log-analytics workspace create \
  --name multi-tenant-logs \
  --resource-group provider-rg
Security Best Practices
- Delegate to Microsoft Entra ID security groups in the provider tenant, not individual users; membership changes then need no redeployment in the customer tenant
- Apply least-privilege built-in roles (Reader for monitoring tiers, Contributor only where changes are made); Owner and custom roles cannot be delegated through Lighthouse
- Use Privileged Identity Management (eligibleAuthorizations) for elevated roles instead of standing access
- Enforce MFA for provider users (Conditional Access in the provider tenant, plus multiFactorAuthProvider on eligible roles)
- Audit cross-tenant operations: provider actions land in the customer's Activity Log under the provider user's identity, and the provider should alert on them as well
Customer Controls
Customers can:
- View delegated access (Service providers blade in the portal, or PowerShell)
- Remove provider access at any time, without involving the provider
- See every provider action in the subscription's Activity Log
# Customer: view delegated access (run in the customer tenant)
Get-AzManagedServicesAssignment
# Customer: remove the delegation. The assignment name is the GUID from the template;
# older Az.ManagedServices versions take -Id instead of -Name.
Remove-AzManagedServicesAssignment -Name assignment-guid -Scope "/subscriptions/customer-subscription-id"
Eligible Authorizations (PIM)
Eligible authorizations sit in the same registrationDefinition properties next to authorizations. The group gets no standing access; a member activates the role through Privileged Identity Management for at most maximumActivationDuration (PT30M to PT8H), with MFA enforced when multiFactorAuthProvider is "Azure", and an optional managedByTenantApprovers list can require approval first. The provider tenant needs a Microsoft Entra ID P2 license for this. delegatedRoleDefinitionIds does not belong on a Contributor entry: it is only valid when roleDefinitionId is User Access Administrator, where it limits which roles the provider may assign inside the customer's scope.
"eligibleAuthorizations": [
  {
    "principalId": "provider-security-group-object-id",
    "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "principalIdDisplayName": "Elevated Access Group (eligible Contributor)",
    "justInTimeAccessPolicy": {
      "multiFactorAuthProvider": "Azure",
      "maximumActivationDuration": "PT8H"
    }
  }
]
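The checks from Security Best Practices applied to the onboarding template, as an added example that is not Microsoft tooling or this page's own code: it reads the template JSON a customer is asked to deploy, resolves bare [variables()] and [parameters()] references, and reports grants that violate least privilege (placeholder principal IDs, Owner, standing Contributor, misplaced delegatedRoleDefinitionIds, eligible roles without MFA or with an over-long activation window). The role GUIDs are the well-known built-in IDs; the two sample templates and their group object IDs are constructed for the example.

```python
"""Audit the authorizations in an Azure Lighthouse onboarding template (added example,
not Microsoft tooling). Sample templates at the bottom are constructed for this example."""
import re

# Well-known built-in role definition IDs (identical in every Azure tenant).
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
USER_ACCESS_ADMIN = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
ROLE_NAMES = {READER: "Reader", CONTRIBUTOR: "Contributor", OWNER: "Owner",
              USER_ACCESS_ADMIN: "User Access Administrator"}
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
ARM_REF = re.compile(r"^\[(variables|parameters)\('([^']+)'\)\]$")
MAX_ACTIVATION_HOURS = 8  # Lighthouse accepts PT30M..PT8H for maximumActivationDuration


def resolve(value, template):
    """Follow a bare [variables('x')] or [parameters('x')] reference; anything else passes through."""
    m = ARM_REF.match(value) if isinstance(value, str) else None
    if not m:
        return value
    kind, name = m.groups()
    if kind == "variables":
        return resolve(template.get("variables", {}).get(name), template)
    return resolve(template.get("parameters", {}).get(name, {}).get("defaultValue"), template)


def activation_hours(duration):
    """PT8H -> 8.0, PT30M -> 0.5; None when the value is not a plain hours/minutes duration."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", duration or "")
    if not m or not any(m.groups()):
        return None
    hours, minutes = (int(x) if x else 0 for x in m.groups())
    return hours + minutes / 60


def audit_template(template):
    """Return a list of findings; an empty list means the delegation passes every check."""
    findings = []
    defs = [r for r in template.get("resources", [])
            if r.get("type") == "Microsoft.ManagedServices/registrationDefinitions"]
    if len(defs) != 1:
        return [f"expected one registrationDefinitions resource, found {len(defs)}"]
    props = defs[0].get("properties", {})
    for kind, key in (("permanent", "authorizations"), ("eligible", "eligibleAuthorizations")):
        entries = resolve(props.get(key, []), template)
        if not isinstance(entries, list):
            findings.append(f"{key}: could not resolve {props.get(key)!r} to a list")
            continue
        for auth in entries:
            label = auth.get("principalIdDisplayName", "<unnamed>")
            principal = resolve(auth.get("principalId"), template)
            role = str(resolve(auth.get("roleDefinitionId"), template)).lower()
            delegated = auth.get("delegatedRoleDefinitionIds", [])
            if not (isinstance(principal, str) and GUID.match(principal)):
                findings.append(f"{label}: principalId {principal!r} is not a GUID (placeholder left in template)")
            if role not in ROLE_NAMES:
                findings.append(f"{label}: roleDefinitionId {role!r} is not in this script's built-in role table; verify it by hand")
            if role == OWNER:
                findings.append(f"{label}: Owner cannot be delegated through Lighthouse")
            if role == USER_ACCESS_ADMIN and not delegated:
                findings.append(f"{label}: User Access Administrator needs delegatedRoleDefinitionIds to bound what the provider may assign")
            if role != USER_ACCESS_ADMIN and delegated:
                findings.append(f"{label}: delegatedRoleDefinitionIds is only meaningful with User Access Administrator")
            if kind == "permanent" and role == CONTRIBUTOR:
                findings.append(f"{label}: standing Contributor; move it to eligibleAuthorizations (PIM)")
            if kind == "eligible":
                jit = auth.get("justInTimeAccessPolicy", {})
                if jit.get("multiFactorAuthProvider") != "Azure":
                    findings.append(f"{label}: eligible role activates without MFA")
                hours = activation_hours(jit.get("maximumActivationDuration"))
                if hours is None or hours > MAX_ACTIVATION_HOURS:
                    findings.append(f"{label}: maximumActivationDuration must be PT30M..PT8H, got {jit.get('maximumActivationDuration')!r}")
    return findings


def make_template(authorizations, eligible):
    """Constructed sample with the shape of the onboarding template above (not a real deployment)."""
    return {
        "variables": {"authorizations": authorizations, "eligibleAuthorizations": eligible},
        "resources": [{
            "type": "Microsoft.ManagedServices/registrationDefinitions",
            "properties": {"authorizations": "[variables('authorizations')]",
                           "eligibleAuthorizations": "[variables('eligibleAuthorizations')]"},
        }],
    }


# Placeholders left in, standing Contributor, delegatedRoleDefinitionIds misused, MFA off.
BAD_TEMPLATE = make_template(
    [{"principalId": "group-or-user-id", "roleDefinitionId": READER, "principalIdDisplayName": "Tier 1 Support"},
     {"principalId": "group-or-user-id", "roleDefinitionId": CONTRIBUTOR, "principalIdDisplayName": "Tier 2 Engineers"}],
    [{"principalId": "group-id", "roleDefinitionId": CONTRIBUTOR, "principalIdDisplayName": "Elevated Access Group",
      "delegatedRoleDefinitionIds": [CONTRIBUTOR],
      "justInTimeAccessPolicy": {"multiFactorAuthProvider": "None", "maximumActivationDuration": "PT8H"}}])

# Constructed group object IDs; Reader is standing, Contributor is PIM-eligible with MFA.
GOOD_TEMPLATE = make_template(
    [{"principalId": "1b6f7f3a-0d2e-4c7b-9a51-3e8c5d2f1a90", "roleDefinitionId": READER, "principalIdDisplayName": "Tier 1 Support"}],
    [{"principalId": "7c0d4e12-9b3f-4a6e-8d21-5f4a3b2c1d00", "roleDefinitionId": CONTRIBUTOR, "principalIdDisplayName": "Tier 2 Engineers",
      "justInTimeAccessPolicy": {"multiFactorAuthProvider": "Azure", "maximumActivationDuration": "PT4H"}}])
```

Run `audit_template(json.load(open("managedServiceOffer.json")))` in the customer's review pipeline before the `az deployment sub create` step; a non-empty result is a reason not to deploy. The resolver only follows bare references on purpose: a template that builds authorizations with `concat()` or `union()` will surface as "could not resolve ... to a list", which is itself worth a human look.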
Azure Lighthouse: scale your managed services business.