Azure Lighthouse is a tool in Azure that allows Managed Service Providers (MSPs) and enterprises to manage and control resources in multiple Azure environments (tenants) with a high level of security and visibility. Azure Lighthouse is particularly useful for organizations that manage multiple clients’ environments, as it enables centralized management across tenants without the need to log in and out of separate accounts.
This beginner’s guide provides an in-depth understanding of Azure Lighthouse, including its concepts, setup, configuration, management, and monitoring, with examples of its usage.
1. Overview of Azure Lighthouse
What is Azure Lighthouse?
Azure Lighthouse is a multi-tenant management solution that allows you to manage Azure resources across different tenants from a single portal. It enables a secure, centralized approach to managing resources for multiple customers or environments without switching between Azure subscriptions or accounts.
Key Benefits of Azure Lighthouse
- Centralized Management: Access and manage resources across multiple tenants from a single interface.
- Enhanced Security: Controls access using Role-Based Access Control (RBAC) and prevents direct resource access.
- Scalability: Ideal for Managed Service Providers (MSPs) who need to manage multiple customer tenants.
- Delegated Resource Management: Provides management access without transferring ownership.
- Streamlined Operations: Simplifies monitoring, security, and automation across tenants.
Use Cases
- Managed Service Providers (MSPs) who manage multiple client environments.
- Enterprises with multiple Azure tenants needing centralized control.
- Organizations offering support and consultancy services for Azure environments.
2. Key Concepts and Features in Azure Lighthouse
Azure Lighthouse enables delegated resource management using the following main concepts:
- Delegated Resource Management: Allows one Azure tenant (service provider) to manage resources in another Azure tenant (customer) without taking ownership.
- Azure Resource Manager (ARM) Templates: Enables deployment of Azure Lighthouse with predefined configurations.
- Azure RBAC and Identity Management: Uses roles to control access, ensuring only authorized users can manage resources.
- Cross-Tenant Management Experiences: Enables consistent visibility and control across different tenants.
3. Step-by-Step Guide to Setting Up Azure Lighthouse
Prerequisites
- Service Provider Tenant: The tenant of the organization or person managing resources.
- Customer Tenant: The tenant containing the resources to be managed.
- Permissions: Admin-level permissions in both the Service Provider and Customer tenants.
Step 1: Set Up Roles and Permissions in the Service Provider Tenant
- Define Roles and Permissions:
  - Determine the level of access needed. For instance, if you’re managing virtual machines, assign the Virtual Machine Contributor role.
  - Use built-in roles, or define custom roles if the built-in roles don’t fit your requirements.
- Organize Teams in Azure AD:
  - Group service provider team members based on roles.
  - This organization helps with assigning and managing roles in the future.
Step 2: Define the Delegation in an ARM Template
An Azure Resource Manager (ARM) template defines the delegation settings, specifying which roles, permissions, and resources will be managed by the service provider.
- Create an ARM Template:
  - Go to the Azure Lighthouse ARM Template documentation for sample templates.
  - Include details like:
    - Principal ID: The Object ID of the user, group, or service principal in the service provider’s Azure AD that will receive access.
    - Role Definition ID: Specify the RBAC role to delegate (e.g., Reader, Contributor).
    - Scope: Define the scope of the management (e.g., specific resources or entire subscriptions).
- Parameters for ARM Template:
  - mspOfferName: A name for the delegated service offering.
  - mspOfferDescription: A description of the service provided.
  - authorizations: Contains the user and roles information, defining who gets access and their permissions.
- Example ARM Template:
Here’s an example template for delegating a role such as Reader or Contributor. The role is passed in through the roleDefinitionId parameter (add a second entry under authorizations to delegate both), and the registrationAssignments resource is what actually activates the delegation in the customer tenant:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "registrationDefinitionName": { "type": "string" },
    "mspOfferDescription": { "type": "string" },
    "serviceProviderTenantId": { "type": "string" },
    "principalId": { "type": "string" },
    "roleDefinitionId": { "type": "string" }
  },
  "variables": { "registrationName": "[guid(parameters('registrationDefinitionName'))]" },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2019-09-01",
      "name": "[variables('registrationName')]",
      "properties": {
        "registrationDefinitionName": "[parameters('registrationDefinitionName')]",
        "description": "[parameters('mspOfferDescription')]",
        "managedByTenantId": "[parameters('serviceProviderTenantId')]",
        "authorizations": [
          {
            "principalId": "[parameters('principalId')]",
            "roleDefinitionId": "[parameters('roleDefinitionId')]"
          }
        ]
      }
    },
    {
      "type": "Microsoft.ManagedServices/registrationAssignments",
      "apiVersion": "2019-09-01",
      "name": "[variables('registrationName')]",
      "dependsOn": [ "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('registrationName'))]" ],
      "properties": {
        "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('registrationName'))]"
      }
    }
  ]
}
```
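Before a template like the one above is sent to a customer, it is worth checking what it actually grants. The following Python checker is an added example written for this guide (it is not part of the original post and not a Microsoft tool): it resolves the template’s `[parameters('…')]` references against a parameter set, collects the authorizations from every registrationDefinitions resource, and reviews them for least privilege. The role GUIDs are Azure’s published built-in role definition IDs; the rule that Owner cannot be delegated, and that User Access Administrator is accepted only together with `delegatedRoleDefinitionIds`, follows Azure Lighthouse’s documented constraints. The sample template, the tenant and principal GUIDs, and the function names are constructed for the example.

```python
import re
import uuid

# Azure built-in role definition IDs (identical in every tenant).
BUILTIN_ROLES = {
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "9980e02c-c2be-4d73-94e8-173b1dc7cf3c": "Virtual Machine Contributor",
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}
# Lighthouse rejects Owner outright; User Access Administrator is accepted only
# when the authorization also lists delegatedRoleDefinitionIds.
FORBIDDEN_ROLES = {"8e3af657-a8ff-443c-a75c-2fe8c4bcb635"}
RESTRICTED_ROLES = {"18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"}

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value, params):
    """Replace "[parameters('name')]" expressions with supplied values, recursively."""
    if isinstance(value, str):
        match = PARAM_REF.match(value)
        if match:
            name = match.group(1)
            if name not in params:
                raise KeyError(f"parameter '{name}' has no value")
            return params[name]
        return value
    if isinstance(value, list):
        return [resolve(v, params) for v in value]
    if isinstance(value, dict):
        return {k: resolve(v, params) for k, v in value.items()}
    return value


def is_guid(value):
    """True if value parses as a GUID (object IDs and role definition IDs are GUIDs)."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def delegated_authorizations(template, params):
    """Collect the resolved authorizations from every registrationDefinitions resource."""
    auths = []
    for res in template.get("resources", []):
        if res.get("type") == "Microsoft.ManagedServices/registrationDefinitions":
            auths.extend(resolve(res["properties"].get("authorizations", []), params))
    return auths


def check_authorizations(auths):
    """Least-privilege review; returns (severity, message) tuples, empty when clean."""
    findings = []
    for i, auth in enumerate(auths):
        pid = auth.get("principalId")
        rid = auth.get("roleDefinitionId")
        role = BUILTIN_ROLES.get(rid, "unknown role")
        if not is_guid(pid):
            findings.append(("error", f"authorizations[{i}]: principalId {pid!r} is not an object ID"))
        if rid in FORBIDDEN_ROLES:
            findings.append(("error", f"authorizations[{i}]: {role} cannot be delegated through Lighthouse"))
        elif rid in RESTRICTED_ROLES and not auth.get("delegatedRoleDefinitionIds"):
            findings.append(("error", f"authorizations[{i}]: {role} needs delegatedRoleDefinitionIds"))
        elif rid not in BUILTIN_ROLES:
            findings.append(("warn", f"authorizations[{i}]: role {rid} is not a known built-in role, review it"))
        if not auth.get("principalIdDisplayName"):
            findings.append(("info", f"authorizations[{i}]: no principalIdDisplayName, the customer will see only a GUID"))
    return findings


# Constructed sample (not a real deployment): the guide's parameterized
# authorization plus a hard-coded second entry that a reviewer should reject.
SAMPLE_TEMPLATE = {
    "resources": [{
        "type": "Microsoft.ManagedServices/registrationDefinitions",
        "properties": {
            "managedByTenantId": "[parameters('serviceProviderTenantId')]",
            "authorizations": [
                {"principalId": "[parameters('principalId')]",
                 "principalIdDisplayName": "Monitoring team",
                 "roleDefinitionId": "[parameters('roleDefinitionId')]"},
                {"principalId": "[parameters('principalId')]",
                 "roleDefinitionId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"},
            ],
        },
    }]
}
SAMPLE_PARAMS = {  # constructed GUIDs
    "serviceProviderTenantId": "11111111-1111-1111-1111-111111111111",
    "principalId": "22222222-2222-2222-2222-222222222222",
    "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
}

if __name__ == "__main__":
    auths = delegated_authorizations(SAMPLE_TEMPLATE, SAMPLE_PARAMS)
    for severity, message in check_authorizations(auths):
        print(f"[{severity}] {message}")
```

On the constructed sample the first authorization (Reader, with a display name) passes cleanly, while the second produces an error for Owner and an informational note about the missing display name. The same functions work on a template loaded with `json.load` and a parameters file, which makes the check easy to run in the pipeline that produces the template for each customer.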
Step 3: Deploy the ARM Template in the Customer’s Environment
- Send the ARM Template to the customer or, if you have permissions, deploy it yourself.
- Deploy the Template:
  - In the Customer’s Azure Portal, go to Deploy a custom template.
  - Upload the ARM template file, configure parameters, and deploy.
- Validate the Deployment:
  - After deployment, check the Azure Lighthouse section in the customer tenant.
  - The delegated roles should appear, and the service provider should be able to see and manage assigned resources.
Step 4: Assign Users and Groups to Delegated Roles in the Service Provider Tenant
- In the Service Provider’s Azure Portal, go to Azure Lighthouse.
- Under My Customers, select the customer you onboarded.
- Assign Users and Groups:
  - Choose specific users or groups from the Service Provider’s Azure AD and assign them to the roles defined in the ARM template.
Example: Assigning Service Provider Users to Roles
If you deployed a delegated role for monitoring virtual machines, assign the Reader role to your monitoring team within your tenant. This enables them to access metrics and logs on the customer’s virtual machines.
4. Managing Azure Lighthouse
Once set up, you can manage customer environments efficiently through Azure Lighthouse.
Accessing Customer Resources
- In the Azure Portal, go to Azure Lighthouse.
- Under My Customers, select a customer’s subscription or resource group.
- Access Customer Resources:
  - From here, navigate to specific resources (e.g., Virtual Machines, Databases) and perform management tasks like monitoring, starting, or stopping VMs if your permissions allow.
Updating Delegated Access
To update delegated access (e.g., to add more resources or change permissions):
- Modify the ARM template with the updated configuration.
- Re-deploy the ARM template to the customer’s environment.
5. Monitoring Azure Lighthouse Activities
Monitoring is essential to ensure that your access and actions within Azure Lighthouse are effective and compliant.
- Azure Monitor:
  - Use Azure Monitor to track actions across customer environments.
  - Configure alerts for specific activities (e.g., changes in resource status or security alerts).
- Azure Activity Logs:
  - Review activity logs within each customer’s tenant to audit changes and access.
  - Activity logs provide visibility into actions performed by the service provider’s users.
- Security Center:
  - Enable Azure Security Center on customer resources for a security overview.
  - Security Center will show recommendations and alerts for vulnerabilities in customer environments.
- Cost Management:
  - Use Azure Cost Management to monitor costs associated with managing customer environments.
  - Set up budgets and cost alerts to track expenses and notify you or your customer of budgetary thresholds.
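The activity-log review described above can be scripted. The Python below is an added example for this guide (not from the original post and not a Microsoft tool): it takes exported Activity Log records, keeps the ones performed by users who authenticated from the service provider tenant, summarizes them per caller and operation class, and flags the entries an auditor should look at first (deletes, failed operations, and role-assignment changes). Field names follow the Azure Monitor activity log schema (`eventTimestamp`, `caller`, `operationName`, `status`, `resourceId`, `claims`); using the `tenantid` claim to tell provider users from the customer’s own users is an assumption of this example, and all records, tenant IDs and addresses are constructed.

```python
from collections import Counter

# Claim in Activity Log entries that carries the caller's home tenant
# (assumed here to distinguish service provider users acting via Lighthouse).
TENANT_CLAIM = "http://schemas.microsoft.com/identity/claims/tenantid"

# Operations that change who holds access and deserve review whoever ran them.
HIGH_RISK_OPS = {
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.ManagedServices/registrationAssignments/write",
}

SERVICE_PROVIDER_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed
CUSTOMER_TENANT = "33333333-3333-3333-3333-333333333333"          # constructed
SUB = "/subscriptions/44444444-4444-4444-4444-444444444444/resourceGroups/rg-web"


def entry(ts, caller, tenant, op, status, resource):
    """Build one constructed Activity Log record in the Azure Monitor schema."""
    return {"eventTimestamp": ts, "caller": caller, "operationName": op,
            "status": status, "resourceId": f"{SUB}/providers/{resource}",
            "claims": {TENANT_CLAIM: tenant}}


SAMPLE_LOG = [  # constructed records, not a real export
    entry("2024-05-01T09:12:00Z", "ops@msp.example", SERVICE_PROVIDER_TENANT,
          "Microsoft.Compute/virtualMachines/start/action", "Succeeded",
          "Microsoft.Compute/virtualMachines/vm-web-01"),
    entry("2024-05-01T09:15:00Z", "mon@msp.example", SERVICE_PROVIDER_TENANT,
          "Microsoft.Insights/alertRules/write", "Succeeded",
          "Microsoft.Insights/alertRules/cpu-high"),
    entry("2024-05-01T10:02:00Z", "admin@customer.example", CUSTOMER_TENANT,
          "Microsoft.Compute/virtualMachines/write", "Succeeded",
          "Microsoft.Compute/virtualMachines/vm-web-02"),
    entry("2024-05-01T23:40:00Z", "ops@msp.example", SERVICE_PROVIDER_TENANT,
          "Microsoft.Storage/storageAccounts/delete", "Succeeded",
          "Microsoft.Storage/storageAccounts/stwebbackup"),
    entry("2024-05-02T08:05:00Z", "ops@msp.example", SERVICE_PROVIDER_TENANT,
          "Microsoft.Authorization/roleAssignments/write", "Failed",
          "Microsoft.Authorization/roleAssignments/55555555-5555-5555-5555-555555555555"),
]


def provider_events(log, provider_tenant):
    """Keep only entries whose caller authenticated from the service provider tenant."""
    return [e for e in log if e.get("claims", {}).get(TENANT_CLAIM) == provider_tenant]


def op_class(operation_name):
    """Map an ARM operation name to read / write / delete / action by its last segment."""
    verb = operation_name.rsplit("/", 1)[-1]
    return verb if verb in ("read", "write", "delete", "action") else "other"


def summarize(events):
    """Count operations per (caller, class); the basis of a periodic access review."""
    return Counter((e["caller"], op_class(e["operationName"])) for e in events)


def review_findings(events):
    """Entries worth escalating: deletes, failed operations, and privilege changes."""
    flagged = []
    for e in events:
        reasons = []
        if op_class(e["operationName"]) == "delete":
            reasons.append("delete")
        if e.get("status") != "Succeeded":
            reasons.append("status " + str(e.get("status")))
        if e["operationName"] in HIGH_RISK_OPS:
            reasons.append("privilege change")
        if reasons:
            flagged.append((e["eventTimestamp"], e["caller"], e["operationName"], reasons))
    return flagged


if __name__ == "__main__":
    ev = provider_events(SAMPLE_LOG, SERVICE_PROVIDER_TENANT)
    for (caller, kind), n in sorted(summarize(ev).items()):
        print(f"{caller:25} {kind:7} {n}")
    for ts, caller, op, reasons in review_findings(ev):
        print(f"FLAG {ts} {caller} {op}: {', '.join(reasons)}")
```

Run against the constructed log, the customer’s own administrator is excluded, the four provider actions are tallied per caller, and two entries are flagged: the storage account deletion and the failed attempt to write a role assignment. The per-caller counts are the figures to compare against the roles each team was delegated in the ARM template; a monitoring team that only holds Reader should never appear with write or delete counts.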
6. Usage Example: Setting Up Azure Lighthouse for a Managed Web Application
Scenario
You are managing a web application environment for a customer, with resources including VMs, storage, and a database. Your team needs Contributor access for day-to-day management and Reader access for monitoring.
Steps
- Define an ARM Template:
  - In the ARM template, specify Contributor access to your operations team and Reader access for the monitoring team.
- Deploy the Template in the customer’s environment.
- Assign Roles:
  - In the Service Provider’s Azure portal, assign your operations team to the Contributor role and the monitoring team to the Reader role.
- Access the Customer’s Environment:
  - In Azure Lighthouse, select the customer and view the resources within their tenant.
  - Use the permissions assigned to monitor, manage, and troubleshoot the web application resources.
7. Best Practices for Using Azure Lighthouse
- Least Privilege Principle: Always assign the minimum permissions necessary to perform the required tasks.
- Periodic Audits: Regularly review roles, permissions, and access logs to maintain a secure and compliant environment.
- Automate Onboarding: Use ARM templates or Terraform scripts to streamline customer onboarding to Azure Lighthouse.
- Monitor Cost: Keep track of costs associated with managing customer resources to ensure efficient usage.
Azure Lighthouse provides a robust solution for managing multiple Azure environments securely and efficiently. By following these steps, you can set up, configure, and manage customer resources with centralized visibility and control. This solution not only enhances security and scalability but also simplifies resource management for managed service providers and enterprises managing complex Azure environments.
