Azure Lighthouse Introduction
Azure Lighthouse is a powerful tool that enables enhanced cross-tenant capabilities. It is targeted at Managed Service Providers (MSPs) who need to support multiple Azure customers. There is also no reason why it cannot be leveraged by internal IT departments that need to administer multiple Azure subscriptions across different tenants.
This article shares a high level overview of Azure Lighthouse, some of the reasons why it might be a good fit for your organisation, and the current limitations to consider.
Azure Lighthouse Architecture
Below is an Azure Lighthouse architecture diagram:
Key Components
- Managed By Tenant: Lighthouse access is granted through what’s known as an offer, issued by the managed-by tenant. The managed-by tenant is the one requesting access to the customer tenant and is referred to as the service provider.
- Lighthouse Offer: The offer can either be shared with the customer as a .json template, or it can be published via Azure Marketplace (which is known as a public offer). The customer then accepts the offer.
- Azure AD Security Groups: In the Lighthouse offer, the service provider associates Azure AD security groups from its own tenant with Azure roles in the customer’s subscriptions.
Positives
Azure Lighthouse ultimately improves the support and administration experience. Below is a list of positives for the product:
- Azure RBAC Delegated Roles – When you need to administer sprawling Azure subscriptions across various tenants, it can soon become difficult to manage access efficiently. A common method to deal with this issue is to take advantage of the profile feature in browsers such as Microsoft Edge and Google Chrome. This does, however, introduce an administration overhead, as profiles need to be constantly switched and managed. Azure Lighthouse can be used to onboard multiple Azure subscriptions, and all tenants can then be accessed using a single Azure AD identity, without switching browser profiles and Azure AD identities.
- Azure Deployments – MSPs can deploy resources to customer subscriptions via the service provider tenant.
- Azure Policy – Azure Lighthouse can be used as a centralized tool to deploy policy assignments across multiple Azure AD tenants.
- Cost – Azure Lighthouse is offered at no additional cost.
- Azure Privileged Identity Management (PIM) – PIM has recently been incorporated into Azure Lighthouse. An Azure AD Premium P2 licence needs to be held by the service provider’s tenant. PIM roles (known as eligible authorizations in Lighthouse) can be defined, which allows service providers to accommodate customer security processes and elevate roles only when necessary.
- Monitoring – Log Analytics can be configured in customer environments. Service providers are then able to use log queries to view data and alerts from multiple tenants.
Drawbacks
While Azure Lighthouse does solve many challenges faced by service providers, there are still a number of drawbacks as outlined below:
- Visibility of permissions – Once a service provider onboards Azure subscriptions to Lighthouse, customers cannot view and verify which roles have been assigned using the Access Control (IAM) blade. The assigned roles simply do not appear. This can be misleading on first inspection; however, it is by design, and all role assignments can be identified using the Service providers section of the Azure portal.
- PIM approvers – If PIM is configured, the PIM approvers can also be defined during the onboarding process. The approvers can only be selected from the service provider’s Azure AD. This seems counterproductive and goes against security principles: approvers should ideally be located in the customer’s Azure AD.
- Azure AD & Management Groups – Azure Lighthouse does not allow you to assign Azure AD roles or make changes to management groups. This can be problematic when it comes to wider support and visibility, e.g., amending Azure Policy assignments and assigning policies at management group level.
- Accidental changes – While Azure Lighthouse tackles the issue of profile switching, the chances of deploying workloads and making changes in the wrong subscription are slightly higher as a result. If the correct filters are not used, it is, in theory, quite simple to modify resources in an undesired subscription.
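Because the delegated roles do not show up in the customer’s IAM blade, the best moment for a customer to understand what it is granting is before accepting the offer, by reading the authorizations and eligibleAuthorizations blocks of the offer template that the Key Components section describes. The script below is an added example, not code from the article or from Microsoft: it takes the parameter values a service provider would ship with an offer, flattens permanent and eligible (PIM) delegations into one list, and records the points raised in the drawbacks above (standing write access, eligible roles with no approver or no MFA, and the fact that any approvers live in the managed-by tenant). The field names follow the Lighthouse onboarding template schema as understood here; the tenant and group GUIDs are constructed placeholders, and only the well-known Reader and Contributor built-in role IDs are resolved to names.

```python
"""Customer-side review of an Azure Lighthouse offer before acceptance.

Added example, not part of the original article. The sample offer is
constructed; tenant and principal GUIDs are placeholders. The role IDs are
the well-known Azure built-in IDs for Reader and Contributor.
"""
import json

# Well-known Azure built-in role definition IDs (the same in every subscription).
BUILTIN_ROLES = {
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
}
# Roles whose holders can change resources; a permanent grant of these deserves a look.
WRITE_ROLES = {"Contributor"}

# Constructed sample: the parameter values shipped with a Lighthouse offer.
SAMPLE_OFFER = json.dumps({
    "mspOfferName": "Example MSP - Managed Operations",
    "managedByTenantId": "00000000-0000-0000-0000-00000000aaaa",   # placeholder
    "authorizations": [
        {"principalId": "11111111-1111-1111-1111-111111111111",
         "principalIdDisplayName": "MSP Tier1 Readers",
         "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"},
        {"principalId": "22222222-2222-2222-2222-222222222222",
         "principalIdDisplayName": "MSP Automation",
         "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"},
    ],
    "eligibleAuthorizations": [
        {"principalId": "33333333-3333-3333-3333-333333333333",
         "principalIdDisplayName": "MSP Tier2 Engineers",
         "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
         "justInTimeAccessPolicy": {
             "multiFactorAuthProvider": "Azure",
             "maximumActivationDuration": "PT8H",
             "managedByTenantApprovers": [
                 {"principalId": "44444444-4444-4444-4444-444444444444",
                  "principalIdDisplayName": "MSP Approvers"}]}},
        {"principalId": "55555555-5555-5555-5555-555555555555",
         "principalIdDisplayName": "MSP Emergency",
         "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
         "justInTimeAccessPolicy": {
             "multiFactorAuthProvider": "None",
             "maximumActivationDuration": "PT8H",
             "managedByTenantApprovers": []}},
    ],
})


def role_name(role_definition_id):
    """Map a role definition GUID to a name, or mark it for manual lookup."""
    return BUILTIN_ROLES.get(role_definition_id.lower(),
                             "UNKNOWN (" + role_definition_id + ")")


def delegations(offer_text):
    """Flatten permanent and eligible (PIM) authorizations into one reviewable list."""
    offer = json.loads(offer_text)
    rows = []
    for auth in offer.get("authorizations", []):
        rows.append({"principal": auth["principalIdDisplayName"],
                     "role": role_name(auth["roleDefinitionId"]),
                     "kind": "permanent", "mfa": None, "approvers": []})
    for auth in offer.get("eligibleAuthorizations", []):
        policy = auth.get("justInTimeAccessPolicy", {})
        rows.append({"principal": auth["principalIdDisplayName"],
                     "role": role_name(auth["roleDefinitionId"]),
                     "kind": "eligible",
                     "mfa": policy.get("multiFactorAuthProvider"),
                     "approvers": [a["principalIdDisplayName"]
                                   for a in policy.get("managedByTenantApprovers", [])]})
    return rows


def findings(offer_text):
    """Return the review notes a customer would want before accepting the offer."""
    notes = []
    for row in delegations(offer_text):
        who = row["principal"] + " (" + row["role"] + ")"
        if row["role"].startswith("UNKNOWN"):
            notes.append("look up custom/unknown role for " + who)
        if row["kind"] == "permanent" and row["role"] in WRITE_ROLES:
            notes.append("standing write access for " + who + "; consider making it eligible")
        if row["kind"] == "eligible":
            if not row["approvers"]:
                notes.append("no approver: " + who + " can self-activate")
            else:
                # Approvers are managed-by tenant principals, so the customer never
                # takes part in the approval; record who they are.
                notes.append("activation of " + who + " approved by managed-by tenant group(s): "
                             + ", ".join(row["approvers"]))
            if row["mfa"] != "Azure":
                notes.append("MFA not enforced on activation for " + who)
    return notes


if __name__ == "__main__":
    for row in delegations(SAMPLE_OFFER):
        print(row)
    for note in findings(SAMPLE_OFFER):
        print("-", note)
```

Run against the sample, the review lists four delegations and four notes: the permanent Contributor grant to the automation group, the managed-by tenant approver group for the Tier 2 engineers, and the self-activating, MFA-free emergency role. Roles the script cannot name are surfaced as UNKNOWN so they get looked up rather than silently accepted.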
Conclusion
Azure Lighthouse empowers MSPs by providing centralized management, monitoring, administration, deployment, and governance capabilities. It enables MSPs to provide a high-quality service to customers. As highlighted, Azure Lighthouse can also be easily adopted by organisations that administer more than one tenant. In this scenario, Lighthouse can simplify and reduce administration overheads for IT departments. There are no hard and fast rules limiting its use to MSPs.
If Microsoft are able to address the PIM approvers mechanism and management group access in the future, then Azure Lighthouse can be a flawless option. Depending on requirements, the positives illustrated above can easily outweigh the drawbacks. The product is continually being improved, and keeping an eye on the official Microsoft Learn documentation is a good way to stay up to date on feature releases.