Azure Lighthouse: what is it? It’s a new offering fresh off the Microsoft product line, aimed at enabling partners to manage their customer life cycle at scale. It provides a single control plane to manage Azure resources, with improved levels of automation, scale and governance. It’s designed to help partners onboard customers more quickly, essentially allowing them to deliver more services to their customers.
How does it work?
Azure delegated resource management lets service providers from one Azure AD tenant perform management operations across different Azure AD tenants belonging to their customers. Essentially, it allows providers to perform management tasks on behalf of their customers without the need to log into each individual tenant. This is great news: anyone who has worked with the CSP model knows how painful the authentication and management process was. The CSP program uses the AOBO (Admin On Behalf Of) model, which doesn’t allow you to create distinct groups for different customers, or different roles for groups or users. Using delegated resource management means you can reduce the number of users who have the Admin Agent role, which gives your customer greater security by limiting the level of access that you, as a partner, have to their subscription.
When onboarding a customer, you need to specify your RBAC permission requirements (groups, service principals, etc.) and either deploy a JSON ARM template to the customer’s subscription or promote your offering through the Azure Marketplace. Once the customer has been successfully onboarded, you can sign in to your partner tenant and perform tasks on behalf of the customer.
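As a customer-side check before deploying a provider's onboarding template, the following added example (not Microsoft's or the author's code) lists who the template grants access to and with which role. It assumes the `authorizations` array is written inline in the `Microsoft.ManagedServices/registrationDefinitions` resource; the sample template, its placeholder IDs and the "broad role" review policy are constructed for illustration.

```python
import json

# Well-known Azure built-in role definition IDs (the same GUIDs in every tenant).
BUILTIN_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
}
BROAD = {"Owner", "Contributor", "User Access Administrator"}  # assumed review policy

# Constructed sample template; tenant and principal IDs are placeholders.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [{
        "type": "Microsoft.ManagedServices/registrationDefinitions",
        "properties": {
            "registrationDefinitionName": "Example managed services offer",
            "managedByTenantId": "00000000-0000-0000-0000-000000000001",
            "authorizations": [
                {"principalId": "00000000-0000-0000-0000-0000000000a1",
                 "principalIdDisplayName": "Tier 1 support",
                 "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"},
                {"principalId": "00000000-0000-0000-0000-0000000000a2",
                 "principalIdDisplayName": "Platform engineers",
                 "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"},
            ],
        },
    }]
})

def review_delegation(template_text):
    """Return one finding per authorization in each registration definition."""
    findings = []
    for res in json.loads(template_text).get("resources", []):
        if res.get("type", "").lower() != "microsoft.managedservices/registrationdefinitions":
            continue
        props = res.get("properties", {})
        for auth in props.get("authorizations", []):
            role_id = auth.get("roleDefinitionId", "").lower()
            role = BUILTIN_ROLES.get(role_id, "unrecognised role " + role_id)
            findings.append({
                "managedByTenantId": props.get("managedByTenantId"),
                "principal": auth.get("principalIdDisplayName") or auth.get("principalId"),
                "role": role,
                # Flag broad roles and anything we cannot map to a known built-in role.
                "needs_review": role in BROAD or role not in BUILTIN_ROLES.values(),
            })
    return findings

if __name__ == "__main__":
    for finding in review_delegation(SAMPLE_TEMPLATE):
        print(finding)
```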
What are the costs?
At present, Azure Lighthouse is available at no additional charge. I’m not sure if Microsoft are likely to change this approach, as they’re marketing it as an offering which is specifically designed to help partners, so I can’t imagine they will change the pricing model anytime soon. In terms of support, Azure Lighthouse doesn’t offer a financially backed SLA. The availability of Azure Lighthouse relies upon the Azure Resource Manager (ARM) as the interface to manage the service, meaning that if an ARM resource provider is down, Azure Lighthouse will go down too (understandably).
Want to learn more about the Azure Lighthouse service? Get started with the Microsoft online docs: https://azure.microsoft.com/en-gb/blog/introducing-azure-lighthouse/