{"id":21557,"date":"2019-07-12T10:23:28","date_gmt":"2019-07-12T09:23:28","guid":{"rendered":"https:\/\/aidanfinn.com\/?p=21557"},"modified":"2019-07-13T07:53:22","modified_gmt":"2019-07-13T06:53:22","slug":"azure-lighthouse-enabling-centralized-management-of-many-azure-tenants","status":"publish","type":"post","link":"https:\/\/aidanfinn.com\/?p=21557","title":{"rendered":"Azure Lighthouse\u2013Enabling Centralized Management of Many Azure Tenants"},"content":{"rendered":"<div class=\"post\">\n<div class=\"body\">\n<div id=\"2134b0cc-a90f-4002-824d-e66252346b18\" class=\"postBody\" contenteditable=\"true\">\n<p>In this post, I will discuss a new feature to Azure called Lighthouse. With this service, you can delegate permissions to \u201ccustomer\u201d Azure deployments across many Azure tenants to staff in a central organization such as corporate IT or a managed service provider (Microsoft partner).<\/p>\n<p><em>The wonderful picture of the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Hook_Lighthouse\">Hook Head Lighthouse<\/a> from my home county of Wexford (Ireland) is by <a href=\"https:\/\/www.flickr.com\/photos\/michalo\/\" target=\"_blank\" rel=\"noopener noreferrer\">Ana &amp; Michal<\/a>. 
The building dates back to just after the Norman invasion of Ireland and is the second oldest operating lighthouse in the world.<\/em><\/p>\n<p>Here are some useful web links:<\/p>\n<ul>\n<li>Erin Chapple, Corporate Vice President, Microsoft Azure Compute: <a href=\"https:\/\/azure.microsoft.com\/en-us\/blog\/introducing-azure-lighthouse\/\" target=\"_blank\" rel=\"noopener noreferrer\">Introducing Azure Lighthouse<\/a><\/li>\n<li>Mark Russinovich, Chief Technology Officer, Microsoft Azure: <a href=\"https:\/\/azure.microsoft.com\/en-us\/blog\/how-azure-lighthouse-enables-management-at-scale-for-service-providers\/\" target=\"_blank\" rel=\"noopener noreferrer\">How Azure Lighthouse enables management at scale for service providers<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/fr-fr\/azure\/lighthouse\/\" target=\"_blank\" rel=\"noopener noreferrer\">Documentation<\/a><\/li>\n<\/ul>\n<p>In short, what you get with Lighthouse is a way to see\/manage, within the scope of the permissions of your assigned role, deployments across many tenants. This solves a major problem with Azure. Microsoft is a partner-driven engine. Without partners, Microsoft is nothing. There\u2019s a myth that Microsoft offers managed services in the cloud: that\u2019s a fiction created by those that don\u2019t know much about the actual delivery of Microsoft services. Partners deliver, manage, and provide the primary forms of support for Microsoft services for Microsoft\u2019s customers. However, Azure had a major problem \u2013 each customer is a tenant and until last night, there was no good way to bring those customers under the umbrella of a single management system. You had hacks such as guest user access which didn\u2019t unify management \u2013 native management tools were restricted to the boundaries of the single customer tenant. 
And third-party tools \u2013 sorry but they\u2019ll not keep up with the pace of Azure.<\/p>\n<p>Last night, Microsoft made Lighthouse available to everyone (not just partners, as the headlines will suggest!). With a little up-front work, you can quickly and easily grant\/request access to deployments or subscriptions in other tenants (internal or external customers) and have easy\/quick\/secure single-sign-on access from your own tenant. What does that look like? You sign in once, with your work account, ideally using MFA (a requirement now for CSP partners). And then you can see everything \u2013 every tenant, every subscription, every resource group that you have been granted access to. You can use Activity Log, Log Analytics Workspace, Security Center, Azure Monitor across every single resource that you can see.<\/p>\n<p>The mechanics of this are pretty flexible. An \u201coffer\u201d can be made in one of two ways to a customer:<\/p>\n<ul>\n<li><strong><a href=\"https:\/\/docs.microsoft.com\/fr-fr\/azure\/lighthouse\/how-to\/onboard-customer\" target=\"_blank\" rel=\"noopener noreferrer\">JSON<\/a><\/strong>: You describe your organization and who will have what access. The JSON is deployed in the customer subscription and access is granted after a few moments\u00a0\u2013 it took a couple of minutes for my first run to work.<\/li>\n<li><strong><a href=\"https:\/\/docs.microsoft.com\/fr-fr\/azure\/lighthouse\/how-to\/publish-managed-services-offers\" target=\"_blank\" rel=\"noopener noreferrer\">Azure Marketplace<\/a><\/strong>: You can advertise an offer in the Azure Marketplace. Note that a Marketplace offer can be private.<\/li>\n<\/ul>\n<p>An offer is made up of a description of:<\/p>\n<ul>\n<li>The service you are offering: the name, your tenant (service provider)<\/li>\n<li>The authorizations: who or what will have access, and what roles (from your tenant) can be used. 
Owner is explicitly blocked by Microsoft.<\/li>\n<\/ul>\n<p>Here\u2019s a simple example of a JSON deployment where a group from the service provider-tenant will be granted Contributor Access to the customer subscription.<\/p>\n<p>I need to gather a bit of information:<\/p>\n<ul>\n<li>mspName: The name of the managed services provider. Note that this is a label.<\/li>\n<li>mspOfferDescription: The name of the service being offered.<\/li>\n<li>managedByTenantId: The Directory ID of the managed services provider (Azure Portal &gt; Azure Active Directory &gt; Properties &gt; Directory ID)<\/li>\n<li>Authorizations:\u00a0A description of each entity (user\/group\/service principal) from the MSP tenant being granted access to the customer deployment\n<ul>\n<li>principalId: The ID of the user, group, or service principal. Remember\u00a0\u2013 groups are best!<\/li>\n<li>principalIdDisplayName: A label for the current principal\u00a0\u2013 what you want to describe this principal as for your customer to see<\/li>\n<li>roleDefinitionId: The GUID of the role that will grant permissions to the principal, e.g. Contributor. PowerShell &gt; (Get-AzRoleDefinition -Name &#8216;&lt;roleName&gt;&#8217;).id<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Armed with that information you can populate the fields in a <a href=\"https:\/\/github.com\/Azure\/Azure-Lighthouse-samples\/blob\/master\/Azure-Delegated-Resource-Management\/templates\/delegated-resource-management\/delegatedResourceManagement.parameters.json\" target=\"_blank\" rel=\"noopener noreferrer\">JSON parameters file<\/a> for delegating access to a subscription. 
Here\u2019s a simple\u00a0example:<\/p>\n<pre class=\"lang:default decode:true\">{\r\n    \"$schema\": \"https:\/\/schema.management.azure.com\/schemas\/2018-05-01\/subscriptionDeploymentParameters.json#\",\r\n    \"contentVersion\": \"1.0.0.0\",\r\n    \"parameters\": {\r\n        \"mspName\": {\r\n            \"value\": \"Cloud Mechanix\"\r\n        },\r\n        \"mspOfferDescription\": {\r\n            \"value\": \"An amazing service\"\r\n        },\r\n        \"managedByTenantId\": {\r\n            \"value\": \"12345678-1234-1234-abcd-efghijklmnop\"\r\n        },\r\n        \"authorizations\": {\r\n            \"value\": [\r\n                {\r\n                    \"principalId\": \"abcdefgh-ijkl-mnop-1234-56789012345\",\r\n                    \"principalIdDisplayName\": \"Tier 1+ Support By Cloud Mechanix\",\r\n                    \"roleDefinitionId\": \"1a2b3c4d-1234-a1b2-c3d4-asdfghjkjlqwert\"\r\n                }               \r\n            ]\r\n        }\r\n    }\r\n}<\/pre>\n<p>And then you can deploy the above with the <a href=\"https:\/\/github.com\/Azure\/Azure-Lighthouse-samples\/blob\/master\/Azure-Delegated-Resource-Management\/templates\/delegated-resource-management\/delegatedResourceManagement.json\" target=\"_blank\" rel=\"noopener noreferrer\">JSON file for delegating access to a subscription<\/a>:<\/p>\n<ol>\n<li>Sign into the customer tenant using PowerShell<\/li>\n<li>Run the following:<\/li>\n<\/ol>\n<pre class=\"lang:default decode:true\">New-azdeployment -Name \"CloudMechanixDelegation\" -Location westeurope -TemplateFile .\\delegatedResourceManagement.json -TemplateParameterFile .\\delegatedResourceManagement.parameters.json<\/pre>\n<p>Give it a few minutes and things will be in place:<\/p>\n<ul>\n<li>The service provider will appear in Service Providers in the Azure Portal for the customer.<\/li>\n<li>The customer will appear in My Customers in the Azure Portal for the service provider.<\/li>\n<li>Anyone from the subscriber\u2019s 
tenant in the scope of the authorization (e.g. a member of a listed group) will have access to the customer\u2019s subscription described by the role (roleDefinitionId)<\/li>\n<li>Any delegated admins from the service provider can see, operate, and manage the customers\u2019 resources in the Azure Portal, Azure tools, CLI\/PowerShell, etc., as if they were in the same tenant as the service provider.<\/li>\n<\/ul>\n<p>Once deployed, things appear to be pretty seamless\u00a0\u2013 but it is early days and I am sure that we will see weirdness over time.<\/p>\n<p>The customer can fire the service provider by deleting the delegation from Service Providers. I have not found a way for the service provider to fire the customer yet.<\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>In this post, I will discuss a new feature to Azure called Lighthouse. With this service, you can delegate permissions to \u201ccustomer\u201d Azure deployments across many Azure tenants to staff in a central organization such as corporate IT or a managed service provider (Microsoft partner). 
The wonderful picture of the Hook Head Lighthouse from my &hellip; <a href=\"https:\/\/aidanfinn.com\/?p=21557\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Azure Lighthouse\u2013Enabling Centralized Management of Many Azure Tenants&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":21558,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[5],"tags":[170,362,367,366,363,365,272,364],"class_list":["post-21557","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","tag-azure","tag-azure-lighthouse","tag-delegated-resource-management","tag-delegation","tag-lighthouse","tag-managed-service-prover","tag-rbac","tag-service-provider"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/aidanfinn.com\/wp-content\/uploads\/2019\/07\/HookHeadLighthouse.jpg","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/21557","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=21557"}],"version-history":[{"count":5,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/21557\/revisions"}],"predecessor-version":[{"id":21565,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/21557\/revisions\/21565"
}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/media\/21558"}],"wp:attachment":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=21557"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=21557"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=21557"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}