Recently one of Microsoft's strategic partner I work with was looking for a solution to deploy and manage their solution for 1000's of their customers (all in different tenancy). Azure Lighthouse, seemed like a match made in heaven - a single plane of glass to view and manage Azure across all their customers!.
Here is a great video that explains how it works:
Okay, so I like what I am seeing how do I get started. You don't have to be a partner to take advantage of this technology. You can start managing your customer's subscription by asking them to run a simple ARM script that will essentially provide you a deligated access.
Few simple things to set up as a Partner
- It's a good idea to create an Azure Active Directory group and add users that will be responsible to manage customer subscriptions e.g. "Customer Admins" see steps here
- Then capture Object ID of Group you created
- Finally, capture your AD Tenant ID see here
We will fill this on the template below:
- ManagedByTenantId - <replace with your Tenant ID>
- Principle ID and Principle of Display Name of the Group - <replace with Group ID you create above and group name>
- RoleDefinitionId - you can specify the ID of one of the built-in roles - I am using Contributor, you can use any other built-in role that you seem fit. ( here is a command to get Id Get-AzRoleDefinition -Name 'Contributor').id)
For your Customer
You can get a delegation at Subscription Level or at a specific resource group level the template below requests Subscription level delegation.
Finally, run the ARM Template above on customer subscription.
Once it runs successfully
- As a partner, you can navigate to the lighthouse withing Azure Portal -> Click on Manage your Customer Button -> Customers Tab (or click here)
- As a Customer, you can navigate to Azure Lighthouse within Azure Portal -> Click on Manage Service Provider Offers -> View deligations (or click here). You have full control as a customer and can remove delegation at any time, also any changes partner makes to your Azure resources is all tracked in activity logs.
There is lot more Lighthouse offers than just deligated access, see details here https://docs.microsoft.com/en-us/azure/lighthouse/overview