Azure Lighthouse is a newly announced service from Microsoft Azure. It makes life easier for MSPs and other service providers when it comes to managing and onboarding customer tenants.
Azure Lighthouse changes things in many ways, and here we discuss one of them. Previously, for a service provider to access a customer’s resources in order to give support, each engineer’s identity had to exist in the customer’s tenant as a guest user. Even with the engineer’s identity present in every customer tenant, they still had to switch directories/tenants to work with a different customer. Now we no longer need a guest account in each customer tenant, and we no longer need to switch directories/tenants to work with multiple customers. Once we log in to the portal, all customers appear under ‘My Customers’ and we can access their resources from there. In the image below, ‘janakpur’ is the customer; clicking on the customer lets us navigate to the subscription and access its resources according to the permissions assigned.
On top of this, the process is highly automated, and Microsoft provides several ARM templates that make onboarding easier.
In this post, we demonstrate how to define the roles and permissions of support engineers across all customer tenants.
You must have at least two tenants to perform this task, one will be treated as an MSP and another as a customer. The customer’s tenant must have an active Azure subscription.
Azure User Group Nepal (AUGN) is a service provider with a multi-level support team: ‘Tier 1 Engineer’, ‘Tier 2 Engineer’, and ‘Tier 3 Engineer’. As the service provider, we want Tier 1 engineers to have Reader permission, and Tier 2 and Tier 3 engineers to have Contributor permission, in every customer tenant. To achieve this, we create three groups and assign permissions to the groups rather than to each individual user. The groups are created in the service provider’s tenant as below.
Members of each group:
All the Tier 1 engineers
All the Tier 2 engineers
All the Tier 3 engineers
Prepare MSP Tenants
Microsoft provides an ARM template on GitHub. We need to modify the parameters file to match our tenant. Download both files below and edit the parameters file.
The service provider’s tenant is now ready; next we need to work on the customer’s tenant.
Deploying the Template in Customer’s Tenant
The customer’s tenant must have the Microsoft.ManagedServices resource provider registered before onboarding. To register it, log in to the Azure portal, click on the subscription, navigate to Resource providers, search for Microsoft.ManagedServices, and click Register.
Registration takes a moment. Once it completes, it should look like the image below.
The ARM template we prepared earlier needs to be deployed at subscription level in each customer tenant. Log in to the customer’s tenant using PowerShell. The user performing the deployment must be a member (non-guest) user in the customer’s tenant. This step has to be repeated for each customer.
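The parameters file and the subscription-level deployment described above, as an added example that is not from the original post. It assumes the `delegatedResourceManagement.json` sample template from Microsoft’s Azure Lighthouse samples is in the current folder and uses its parameter names (`mspOfferName`, `managedByTenantId`, `authorizations`); the tenant, subscription and group object IDs are placeholders to replace.

```powershell
# Added example: onboard one customer subscription to the AUGN delegation.
# Assumption: delegatedResourceManagement.json (Microsoft sample template) is in the current folder.
$MspTenantId          = '00000000-0000-0000-0000-000000000000'   # placeholder: AUGN (service provider) tenant ID
$CustomerSubscription = '11111111-1111-1111-1111-111111111111'   # placeholder: customer (janakpur) subscription ID

# Built-in Azure role definition IDs; these are the same in every tenant.
$ReaderRole      = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
$ContributorRole = 'b24988ac-6180-42a0-ab88-20f7382dd24c'

# Object IDs of the three groups created in the MSP tenant (placeholders).
# Tier 1 gets Reader only, so first-line support cannot change customer resources.
$Authorizations = @(
    @{ principalId = '22222222-2222-2222-2222-222222222222'; principalIdDisplayName = 'Tier 1 Engineer'; roleDefinitionId = $ReaderRole }
    @{ principalId = '33333333-3333-3333-3333-333333333333'; principalIdDisplayName = 'Tier 2 Engineer'; roleDefinitionId = $ContributorRole }
    @{ principalId = '44444444-4444-4444-4444-444444444444'; principalIdDisplayName = 'Tier 3 Engineer'; roleDefinitionId = $ContributorRole }
)

# Write the parameters file in the standard ARM deploymentParameters format.
$ParametersFile = '.\delegatedResourceManagement.parameters.json'
@{
    '$schema'      = 'https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#'
    contentVersion = '1.0.0.0'
    parameters     = @{
        mspOfferName        = @{ value = 'Azure User Group Nepal managed services' }
        mspOfferDescription = @{ value = 'Tiered support by AUGN engineers' }
        managedByTenantId   = @{ value = $MspTenantId }
        authorizations      = @{ value = $Authorizations }
    }
} | ConvertTo-Json -Depth 6 | Set-Content -Path $ParametersFile

# 1. Sign in to the customer tenant with a member (non-guest) account and select the subscription.
Connect-AzAccount -Subscription $CustomerSubscription

# 2. Register Microsoft.ManagedServices and wait until the provider reports Registered.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.ManagedServices' | Out-Null
do {
    Start-Sleep -Seconds 10
    $state = (Get-AzResourceProvider -ProviderNamespace 'Microsoft.ManagedServices').RegistrationState | Select-Object -First 1
} until ($state -eq 'Registered')

# 3. Deploy the template at subscription scope (New-AzDeployment targets the subscription, not a resource group).
New-AzDeployment -Name 'augn-lighthouse-onboarding' -Location 'southeastasia' `
    -TemplateFile '.\delegatedResourceManagement.json' `
    -TemplateParameterFile $ParametersFile

# 4. Verify from the customer side which tenant and roles are now delegated.
Get-AzManagedServicesDefinition | Format-List
Get-AzManagedServicesAssignment | Format-List
```

Repeat the script once per customer subscription; the group object IDs and role IDs stay the same, only the customer subscription changes.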
Click All Services and search for My Customers, and click on it. In the new window click on My Customers.
Above, we can see the customer (janakpur) listed under the Customers section, and below, under Delegations, we can see that the appropriate rights have been assigned.
We can dig down further into IAM, resource groups, resources, and so on. We can access the resources of janakpur (the customer) without switching directories.
On Customer Portal
Click All Services and search for Service Provider, and click on it. In the new window click on Service Provider.
Here we can see that Azure User Group Nepal is a service provider for janakpur. As the customer, we can see exactly which permissions the service provider has in the tenant, as shown below.
If a new engineer joins the service provider team, they automatically get access to the customers’ tenants as soon as they are placed in the right group; we don’t need to invite them manually. And when an engineer leaves the service provider and is removed from the group, their permissions are withdrawn automatically, with no guest user to delete from the customer’s tenant.