Yesterday, Microsoft released Azure Lighthouse, aka “Delegated Resource Management”, which is a way to provide delegated access to customers' Azure resources, whether individual services, resource groups or even whole subscriptions.
The official blog announcements can be found here –> https://azure.microsoft.com/nb-no/blog/introducing-azure-lighthouse/
So how does it work? Essentially you have a master subscription where your Azure AD users and groups are placed. These users and groups can then be given delegated access to each customer tenant, either to a subscription or to resources/resource groups.
Access can also be given to multiple subscriptions, regardless of EA/CSP/Pay-as-you-go model. So how is this different from having Azure AD B2B accounts? With Azure B2B you are given guest access to another directory, which means that if you need to make changes to a customer tenant you have to authenticate to that directory in order to gain permissions. In the portal that means you need to switch context to get access to that customer's portal. With delegated access you can control customer resources from within a single portal.
Great, so what kind of resources does this work on?
As of now it works for:
- Azure Automation
- Azure Backup
- Azure Kubernetes Service
- Azure Monitor
- Azure Policy
- Azure Resource Graph
- Azure Security Center
- Azure Service Health
- Azure Site Recovery
- Azure Virtual Machines
- Azure Virtual Network
This means that you can interact with and use these services across customer tenants from the master tenant. Azure Web Apps, for instance, is not supported yet, but it will still show up as a visible resource in the portal view, so visibility should apply to all types of Azure resources.
NOTE: There are some limitations when it comes to giving delegated access to customer subscriptions. The following roles cannot be delegated: Owner, User Access Administrator, or any built-in role with DataActions permissions. Custom roles and classic subscription administrator roles are also not supported. This means that you should still have a “break-the-glass” owner account within the customer environment besides the delegated access, unless your requirements are limited to what the delegable roles cover.
How do we set it up?
There are two options: either use a Marketplace offering, or have someone with Owner access in the customer subscription do an ARM deployment of a template containing the delegated access.
The ARM Template example can be found here –> https://github.com/Azure/Azure-Lighthouse-samples/tree/master/Azure-Delegated-Resource-Management/templates/delegated-resource-management
Basically you just need to customize the parameter file and do a deployment in the customer tenant.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspName": { "value": "Change value" },
    "mspOfferDescription": { "value": "Change value" },
    "managedByTenantId": { "value": "xxxxx-xxxxx-xxxx-xxxxx-xxxx" },
    "authorizations": {
      "value": [
        {
          "principalId": "xxxxx-xxxxx-xxxx-xxxxx-xxxx",
          "principalIdDisplayName": "Tier 1 Support",
          "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
        }
      ]
    }
  }
}
```
- managedByTenantId: the Azure AD tenant ID of the master (service provider) account
- principalId: the Azure AD user ID or group ID in the master tenant that gets delegated access
- roleDefinitionId: the built-in role definition to grant; b24988ac-6180-42a0-ab88-20f7382dd24c is the Contributor role
Then, once you have specified the groups and users you want to delegate access to, deploy this within the customer tenant. When it is deployed, you can see the customer environment from within the portal if you look in the global subscription filter.
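Because the deployment has to be run by an Owner in the customer tenant, it pays to catch a bad parameter file before handing it over. The following lint is an added example, not code from the post or from the Azure-Lighthouse-samples repository: it flags the “Change value” and non-GUID placeholders from the file above and rejects the Owner and User Access Administrator roles the NOTE says cannot be delegated. It assumes the well-known built-in role definition GUIDs and does not detect the other non-delegable cases (custom roles, roles with DataActions), which need a role-definition lookup.

```python
import json
import re

# Well-known Azure built-in role definition IDs (identical in every tenant).
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
USER_ACCESS_ADMINISTRATOR = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
# Roles Lighthouse refuses to delegate (the ones named in the post).
NOT_DELEGABLE = {OWNER: "Owner", USER_ACCESS_ADMINISTRATOR: "User Access Administrator"}

GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def lint_parameters(doc):
    """Return a list of problems with a delegated-resource-management parameter file.
    An empty list means no placeholder is left and every role is delegable."""
    params = json.loads(doc)["parameters"]
    problems = []
    for name in ("mspName", "mspOfferDescription"):
        if params[name]["value"] in ("", "Change value"):
            problems.append("%s still has the placeholder value" % name)
    if not GUID.match(params["managedByTenantId"]["value"]):
        problems.append("managedByTenantId is not a GUID")
    auths = params["authorizations"]["value"]
    if not auths:
        problems.append("authorizations is empty")
    for auth in auths:
        who = auth.get("principalIdDisplayName", "<unnamed>")
        if not GUID.match(auth.get("principalId", "")):
            problems.append("%s: principalId is not a GUID" % who)
        role = auth.get("roleDefinitionId", "").lower()
        if role in NOT_DELEGABLE:
            problems.append("%s: %s cannot be delegated" % (who, NOT_DELEGABLE[role]))
        elif not GUID.match(role):
            problems.append("%s: roleDefinitionId is not a role GUID" % who)
    return problems


# Constructed sample file: one valid Contributor grant, one attempt to delegate Owner.
SAMPLE = json.dumps({"parameters": {
    "mspName": {"value": "Contoso Managed Services"},
    "mspOfferDescription": {"value": "Tier 1 support"},
    "managedByTenantId": {"value": "11111111-2222-3333-4444-555555555555"},
    "authorizations": {"value": [
        {"principalId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
         "principalIdDisplayName": "Tier 1 Support", "roleDefinitionId": CONTRIBUTOR},
        {"principalId": "aaaaaaaa-bbbb-cccc-dddd-ffffffffffff",
         "principalIdDisplayName": "Admins", "roleDefinitionId": OWNER}]}}})

if __name__ == "__main__":
    print("\n".join(lint_parameters(SAMPLE)) or "ready to deploy")
```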
So when viewing resources in the Azure portal you can see all resources from all different subscriptions.
You can also view this under the “My Customers” pane in the Azure Portal, and the customer can view the service provider under the “My Service Provider” menu in the portal. This is a big step in the right direction for providing full support and management of customers' services and environments. It should however be noted that if you are also working with the customer on Intune / Azure AD / Office 365 / EMS, you still need Azure AD B2B accounts or customer-specific accounts, since Lighthouse is only aimed at the Azure Resource Manager level, i.e. Azure-specific services.
Nice Post!
I’ve set this up for our customers. I am able to browse the customer resources from the “my customers” blade. However, is it also possible to view the virtual machines the customer is running by accessing the “virtual machines” blade directly?
Thnx!
Yes, you just have to change the filter view in the virtual machine blade
Thanks for your reply. But that’s not working. I checked all filters, but they are not showing. I don’t even see the subscriptions. When I check Security Center, I can see the subscriptions, just not from the virtual machine blade..
Any idea?