Azure Lighthouse – Step by step guidance – Onboard customer to Lighthouse using sample template

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

This blog explains how a Service Provider can onboard a Customer to Azure Lighthouse using the sample templates in the Azure Portal.

Prerequisites:

Before we start, please read the documentation on what Azure Lighthouse is.

Azure Lighthouse enables cross-tenant and multi-tenant management, allowing for higher automation, scalability, and enhanced governance across resources and tenants.

Concepts:

Service Provider: the tenant that manages the delegated resources.

Customer: the tenant whose delegated resources (subscriptions and/or resource groups) are accessed and managed through the service provider’s Azure Active Directory tenant.

To onboard the Customer, we first need to gather the Service Provider’s Tenant ID and Principal ID.

Gather Service Provider’s Tenant ID and Principal ID

  1. Tenant ID:

In the Azure portal, search for “Azure Active Directory”; you can find the Tenant ID in Overview.

You can also get the Tenant ID through Azure PowerShell or Azure CLI, either in a local PowerShell session (sign in first) or in Cloud Shell in the Azure Portal.

[Screenshot: lighthotenant_new.png]

For example, in Azure PowerShell use the command “Select-AzSubscription <subscriptionId>”.

[Screenshot: lighthosepwoershell.png]

  2. Principal ID:

This Principal ID is the object ID of the user or Azure AD security group that needs to manage the customer’s resources.

In the Azure portal you can search for “Azure AD roles” or click “Roles and administrators” in the first image (marked 3). Then find the role you want to onboard to Azure Lighthouse and click it.

[Screenshot: lighthouseroles.PNG]

Select “Profile”; you can find the Object ID there. This is the Principal ID to keep.

[Screenshot: lighthoseobject.png]

Define roles and permissions

As a service provider, you may want to perform multiple tasks for a single customer, requiring different access for different scopes. You can define as many authorizations as you need in order to assign the appropriate role-based access control (RBAC) built-in roles to users in your tenant.

You can get all the role definition IDs from the list of role-based access control (RBAC) built-in roles:

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

If you know which role to assign, you can also use Azure PowerShell or Azure CLI to get the role definition ID.

For example, use the command “(Get-AzRoleDefinition -Name '<roleName>').Id” in Azure PowerShell. The example below shows the role definition ID for “Contributor”.

[Screenshot: Contributor2.PNG]

Note: Some roles are not supported for Azure Lighthouse (such as the Owner role); please check the details here: https://docs.microsoft.com/en-us/azure/lighthouse/concepts/tenants-users-roles#role-support-for-azure-lighthouse
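The two preparation steps above (gathering the Tenant ID and Principal ID, then resolving role names to role definition IDs) can be done in one Azure PowerShell session and written straight into a parameters file for the sample template. The script below is an added example, not code from the original post or from the Azure Lighthouse samples. It assumes the Az.Accounts and Az.Resources modules are installed, that the parameter names (mspOfferName, mspOfferDescription, managedByTenantId, authorizations) match the sample template’s parameter file, and it uses constructed placeholder values for the tenant, group and offer name.

```powershell
# Added example (not from the original post): gather the IDs the sample template needs
# and write a parameters file for the Azure Lighthouse sample deployment.
# Assumptions: Az.Accounts and Az.Resources are installed; the parameter names follow the
# sample template's parameter file. Replace the placeholder values with your own.

$providerTenantId = '<service-provider-tenant-id>'   # placeholder
$groupDisplayName = 'Lighthouse-Contributors'         # constructed: security group in the provider tenant
$roleNames        = @('Contributor', 'Reader')        # constructed: one authorization per role, least privilege

# Sign in to the service provider tenant and read the Tenant ID from the context
Connect-AzAccount -TenantId $providerTenantId | Out-Null
$tenantId = (Get-AzContext).Tenant.Id

# Principal ID = object ID of the group (use Get-AzADUser -UserPrincipalName for a single user)
$group = Get-AzADGroup -DisplayName $groupDisplayName
if (-not $group) { throw "Group '$groupDisplayName' not found in tenant $tenantId" }
$principalId = $group.Id

# Resolve each role name to its role definition GUID and reject roles Lighthouse does not accept
$authorizations = foreach ($roleName in $roleNames) {
    $role = Get-AzRoleDefinition -Name $roleName
    if (-not $role) { throw "Role '$roleName' not found" }
    if ($role.Name -eq 'Owner') {
        throw "Owner is not supported for Azure Lighthouse delegation; pick a narrower built-in role"
    }
    if ($role.DataActions.Count -gt 0) {
        Write-Warning "Role '$roleName' carries DataActions, which Lighthouse does not support; skipping it"
        continue
    }
    @{
        principalId            = $principalId
        roleDefinitionId       = $role.Id          # GUID only, not the full /providers/... path
        principalIdDisplayName = $groupDisplayName
    }
}
if (-not $authorizations) { throw 'No usable authorizations were produced' }

# Parameter file in the shape the sample template expects (assumed parameter names)
$parameters = [ordered]@{
    '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#'
    contentVersion = '1.0.0.0'
    parameters     = [ordered]@{
        mspOfferName        = @{ value = 'Contoso Managed Services' }                     # constructed
        mspOfferDescription = @{ value = 'Delegated management of the customer subscription' }
        managedByTenantId   = @{ value = $tenantId }
        authorizations      = @{ value = @($authorizations) }
    }
}

$parameters | ConvertTo-Json -Depth 10 | Set-Content -Path .\subscription.parameters.json
Write-Host "Tenant ID:    $tenantId"
Write-Host "Principal ID: $principalId"
Write-Host 'Parameters written to subscription.parameters.json'
```

The printed Tenant ID, Principal ID and the role definition GUIDs are the values you paste into “Edit parameters” in the portal step below; the same file can also be passed to New-AzSubscriptionDeployment with -TemplateParameterFile if you prefer to deploy from PowerShell. Keeping one authorization per role, and refusing Owner up front, keeps the delegation reviewable on the customer side.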

 

Onboard Customer delegation

After this preparation work, let’s start onboarding the Customer delegation.

You can select the template you want to deploy for a subscription or a resource group from the Azure Lighthouse samples.

Note: This deployment must be done by a non-guest account in the customer's tenant who has the Owner built-in role for the subscription being onboarded (or which contains the resource groups that are being onboarded).

If the subscription was created through the Cloud Solution Provider (CSP) program, any user who has the Admin Agent role in your service provider tenant can perform the deployment.

Click one of the Deploy to Azure buttons; it goes directly to the Azure portal custom deployment page.

[Screenshot: lighthousedeploy.png]

Then select “Edit parameters”.

[Screenshot: editprameter.png]

Enter the Tenant ID, Principal ID and role definition IDs found earlier, then click “Save”.

[Screenshot: lgithousepricle.png]

The deployment may take several minutes to complete.

After the deployment succeeds, it may take about 15 minutes before the delegation is visible in the portal.

In the Customer’s Azure Portal, search for “Service providers” and click “Service provider offers”.

[Screenshot: lighthouesserverporvider.png]

In the Service Provider’s portal, search for “My customers” and select “Customers”.

[Screenshot: lighthouecustomer.png]

As I applied for the “Contributor” role, you can find it under the directory and subscription on the Service Provider side.

[Screenshot: lighthoudirect.png]
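The same verification can be scripted from both tenants, which is useful because the portal lags the deployment by up to about 15 minutes and because the customer should review exactly what was delegated. The script below is an added example, not code from the original post; it assumes the Az.Accounts, Az.Resources and Az.ManagedServices modules are installed, that the property names used (ProvisioningState, RegistrationDefinitionName, ManagedByTenantId, Authorization, HomeTenantId) are those of current Az module versions, and it uses placeholder tenant and subscription IDs.

```powershell
# Added example (not from the original post): verify the Lighthouse delegation from both sides.
# Assumptions: Az.Accounts, Az.Resources and Az.ManagedServices are installed; property names
# match current Az module versions. Replace the placeholder IDs with your own.

$customerTenantId = '<customer-tenant-id>'          # placeholder
$providerTenantId = '<service-provider-tenant-id>'  # placeholder
$subscriptionId   = '<customer-subscription-id>'    # placeholder
$scope            = "/subscriptions/$subscriptionId"

# --- Customer side: confirm the registration assignment exists and is provisioned ---
Connect-AzAccount -TenantId $customerTenantId -Subscription $subscriptionId | Out-Null

# The delegation can take up to ~15 minutes to show up, so poll once a minute instead of checking once
$assignment = $null
for ($attempt = 1; $attempt -le 15 -and -not $assignment; $attempt++) {
    $assignment = Get-AzManagedServicesAssignment -Scope $scope |
        Where-Object { $_.ProvisioningState -eq 'Succeeded' } |
        Select-Object -First 1
    if (-not $assignment) { Start-Sleep -Seconds 60 }
}
if (-not $assignment) { throw "No provisioned registration assignment found at $scope" }

# Review what was delegated: which tenant, which principals, which roles
foreach ($definition in Get-AzManagedServicesDefinition -Scope $scope) {
    Write-Host "Offer:      $($definition.RegistrationDefinitionName)"
    Write-Host "Managed by: $($definition.ManagedByTenantId)"
    if ($definition.ManagedByTenantId -ne $providerTenantId) {
        Write-Warning "Delegation to an unexpected tenant: $($definition.ManagedByTenantId)"
    }
    foreach ($auth in $definition.Authorization) {
        $role = Get-AzRoleDefinition -Id $auth.RoleDefinitionId
        Write-Host ('  {0,-30} {1}' -f $auth.PrincipalIdDisplayName, $role.Name)
    }
}

# --- Service provider side: the delegated subscription is visible without switching tenants ---
Connect-AzAccount -TenantId $providerTenantId | Out-Null
$delegated = Get-AzSubscription | Where-Object { $_.HomeTenantId -eq $customerTenantId }
if (-not $delegated) { throw "Delegated subscription not visible yet from tenant $providerTenantId" }

foreach ($sub in $delegated) {
    Write-Host "Delegated subscription: $($sub.Name) ($($sub.Id)), home tenant $($sub.HomeTenantId)"
    Set-AzContext -Subscription $sub.Id | Out-Null
    # A read-only check that the delegated role works: list the customer's resource groups
    Get-AzResourceGroup | Select-Object ResourceGroupName, Location | Format-Table -AutoSize
}
```

The customer-side loop is the part worth keeping in a runbook: the warning on an unexpected ManagedByTenantId and the per-authorization listing give the customer a record of who was granted which role, which is the check that matters when the delegation is later reviewed or removed.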

What can we do in Azure Lighthouse delegation?

After onboarding to Lighthouse successfully, you can use a Service Provider account to manage Customer resources without switching tenants.

If the Service Provider has the Contributor role, it can update, delete and create resources in the Customer’s subscription.

The image below shows a storage account being created in the Customer’s resource group from the Service Provider.

[Screenshot: lighthousestoragepng.png]

To conclude, Azure Lighthouse provides benefits for managing Customers’ Azure resources securely, without having to switch context and control planes.

Reference: https://docs.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer
