What is Azure Lighthouse?

Azure Lighthouse enables multi-tenant management with greater scalability, more automation, and stronger governance of the resources involved.

Service providers can use Azure Lighthouse to deliver managed services built on the broad capabilities of the Azure platform.

Customers keep complete control over who has access to their tenant, which resources those people can reach, and what actions they can take. Enterprise IT organizations that manage resources across multiple tenants of their own can also benefit from this service.

Benefits

Azure Lighthouse makes it easier for service providers to build and deliver managed services. Its main advantages are:

  • Management at scale: Customer engagement and life-cycle operations for managing customer resources become simpler and more scalable. Delegated resources, including machines hosted outside Azure, can be worked on with existing APIs, management tools, and workflows, regardless of the regions in which they are located.
  • Greater visibility and control for customers: Customers have complete control over the scopes they delegate and the permissions they grant. They can audit the service provider's actions and, if necessary, remove access entirely.
  • Comprehensive and unified platform tooling: Azure Lighthouse works with existing tools and APIs, and this flexibility supports a range of service provider scenarios, including Enterprise Agreement (EA), Cloud Solution Provider (CSP), and pay-as-you-go licensing models.

Capabilities

Azure Lighthouse includes several capabilities that support engagement and management:

  • Azure delegated resource management: Customer subscriptions and resource groups can be delegated to specified users and roles in the managing tenant, with the ability to remove that access whenever needed.
  • New Azure portal experiences: Customers can view and manage their service providers' access on the Service providers page in the Azure portal.
  • Azure Resource Manager templates: Customers can be onboarded, and cross-tenant management tasks performed, by deploying ARM templates.
  • Managed Service offers in Azure Marketplace: Customers can subscribe to private or public offers and are automatically onboarded to Azure Lighthouse.

Tip

Microsoft 365 Lighthouse, a related offering, helps service providers onboard, monitor, and manage their Microsoft 365 customers at scale. Microsoft 365 Lighthouse is currently available in preview.

Pricing and availability

There is no additional charge for managing Azure resources through Azure Lighthouse. Azure Lighthouse is available to all Azure customers and partners.

Cross-region and cloud considerations

Azure Lighthouse is a non-regional service: resources delegated to us can be managed no matter which Azure regions they are located in. Delegation does not cross cloud boundaries, however; a national cloud and the Azure public cloud, or two separate national clouds, cannot delegate resources to each other.

Azure Lighthouse Support

If we need assistance, we can open a support request in the Azure portal. Select Technical as the issue type, choose a subscription, and then select Lighthouse (under Monitoring & Management) as the service.

Azure Lighthouse architecture

With Azure Lighthouse, service providers can streamline customer engagement and onboarding while managing delegated resources at scale.

Authorized users, groups, and service principals from the service provider's tenant can work directly in the context of a customer subscription without having an account in the customer's Azure Active Directory (Azure AD) tenant or being a co-owner of it. The mechanism that enables this access is called Azure delegated resource management.

Delegation resources created in the customer tenant

When a customer's subscription or resource group is onboarded to Azure Lighthouse, two resources are created in the customer tenant: a registration definition and a registration assignment. The registration definition describes the offer, namely the managing tenant ID and the authorizations (pairs of a principal in the managing tenant and a built-in Azure role) being granted. Both resources can be accessed through APIs and management tools, or worked with directly in the Azure portal.

Registration assignment

Each registration assignment must reference a valid registration definition at the subscription level; the assignment ties the service provider's authorizations to the delegated scope, and that is what grants access.

Azure Resource Manager grants the service provider's access based on the information held in these two resources; there is no separate role assignment to inspect in the customer tenant.

The activity log, which is stored in the customer's tenant, records actions taken by users from the service provider's tenant. This lets the customer see who made changes and when.
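A customer-side audit of that activity log, as an added example that is not part of the original page or Microsoft's own tooling. It assumes events in the Azure activity log JSON shape (as returned by `az monitor activity-log list`) and that each event's `claims` carry the caller's tenant under the standard tenantid claim key; the tenant IDs, callers and events below are constructed placeholders. It picks out every action taken from a tenant other than the customer's own, flags callers from tenants that are not a known service provider, and marks changes to RBAC or to the delegation itself as sensitive.

```python
"""Find actions taken in a customer subscription by principals from other
tenants.  Added example; tenant IDs and events are constructed."""

# Standard Azure AD claim key found in activity-log events (assumption:
# it is present for cross-tenant callers as it is for native ones).
TENANT_CLAIM = "http://schemas.microsoft.com/identity/claims/tenantid"

CUSTOMER_TENANT = "22222222-2222-2222-2222-222222222222"   # placeholder
PROVIDER_TENANT = "11111111-1111-1111-1111-111111111111"   # placeholder
UNKNOWN_TENANT = "99999999-9999-9999-9999-999999999999"    # placeholder

# Operations that change who can do what; a practitioner wants these
# surfaced even when the caller is an expected provider.
SENSITIVE_PREFIXES = ("Microsoft.Authorization/", "Microsoft.ManagedServices/")

VM = "/subscriptions/bbbb/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01"

SAMPLE_EVENTS = [  # constructed, in the activity-log JSON shape
    {"eventTimestamp": "2023-05-01T09:12:00Z", "caller": "admin@contoso.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "status": {"value": "Succeeded"}, "resourceId": VM,
     "claims": {TENANT_CLAIM: CUSTOMER_TENANT}},
    {"eventTimestamp": "2023-05-01T10:03:00Z", "caller": "ops@msp.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/restart/action"},
     "status": {"value": "Succeeded"}, "resourceId": VM,
     "claims": {TENANT_CLAIM: PROVIDER_TENANT}},
    {"eventTimestamp": "2023-05-01T10:05:00Z", "caller": "ops@msp.example",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "status": {"value": "Succeeded"},
     "resourceId": "/subscriptions/bbbb/providers/Microsoft.Authorization/roleAssignments/abcd",
     "claims": {TENANT_CLAIM: PROVIDER_TENANT}},
    {"eventTimestamp": "2023-05-02T02:41:00Z", "caller": "someone@elsewhere.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/delete"},
     "status": {"value": "Failed"}, "resourceId": VM,
     "claims": {TENANT_CLAIM: UNKNOWN_TENANT}},
]


def provider_activity(events, customer_tenant, known_provider_tenants):
    """Return one finding per event whose caller came from a foreign tenant."""
    findings = []
    for e in events:
        tenant = e.get("claims", {}).get(TENANT_CLAIM)
        if tenant is None or tenant == customer_tenant:
            continue  # own admins are out of scope for this check
        op = e["operationName"]["value"]
        findings.append({
            "when": e["eventTimestamp"],
            "caller": e["caller"],
            "tenant": tenant,
            "operation": op,
            "resource": e["resourceId"],
            "status": e["status"]["value"],
            "known_provider": tenant in known_provider_tenants,
            "sensitive": op.startswith(SENSITIVE_PREFIXES),
        })
    return findings


if __name__ == "__main__":
    for f in provider_activity(SAMPLE_EVENTS, CUSTOMER_TENANT, {PROVIDER_TENANT}):
        tag = ("" if f["known_provider"] else "UNKNOWN TENANT ") + ("SENSITIVE " if f["sensitive"] else "")
        print(f"{f['when']} {tag}{f['caller']} {f['operation']} ({f['status']})")
```

Feeding the output of `az monitor activity-log list --subscription <id> --output json` into `provider_activity` instead of the sample list gives the same report for a real subscription; an entry with `known_provider` false means someone outside both the customer and its expected providers acted on the scope and deserves a look at the registration assignments.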

How Azure Lighthouse works

At a high level, Azure Lighthouse works as follows:

  1. Identify the roles and permissions that our groups, service principals, or users need in order to manage the customer's Azure resources.
  2. Specify that access and onboard the customer to Azure Lighthouse, either by publishing a Managed Service offer to Azure Marketplace or by deploying an ARM template.
  3. Once the customer has been onboarded, authorized users sign in to our managing tenant and perform tasks within the customer scope (subscription or resource group) according to the permissions we defined. The customer can review all actions taken and remove access at any time.
  4. While most customers will have only one service provider managing specific resources, a customer can create multiple delegations for the same subscription or resource group, giving more than one service provider access.
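The onboarding steps above, worked through as an added example that is not part of the original page or Microsoft's own samples. The script builds the subscription-level ARM template that creates the registration definition and registration assignment in the customer tenant (the same two resource types, API version and `resourceId` wiring that Microsoft's published onboarding template uses), and checks the authorizations before emitting it: the Owner role is not accepted by Azure Lighthouse, and the Managed Services Registration assignment Delete Role is included so the provider can offboard itself later. The tenant and principal IDs are constructed placeholders; the role definition IDs are the real built-in ones, which are identical in every tenant.

```python
"""Build and sanity-check an ARM template that onboards one customer
subscription to Azure Lighthouse.  Added example; IDs other than the
built-in role definition IDs are constructed placeholders."""
import json
import uuid

# Built-in Azure role definition IDs (same GUIDs in every tenant).
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
# Managed Services Registration assignment Delete Role: lets the provider
# remove its own registration assignment (offboard) later.
MSP_ASSIGNMENT_DELETE = "91c1777a-f3dc-4fae-b103-61d183457e46"

DISALLOWED_ROLES = {OWNER}  # Azure Lighthouse rejects Owner in authorizations
API_VERSION = "2019-09-01"


def validate_authorizations(authorizations):
    """Return a list of problems; an empty list means the set is acceptable."""
    problems = []
    if not authorizations:
        return ["at least one authorization is required"]
    for auth in authorizations:
        for key in ("principalId", "roleDefinitionId", "principalIdDisplayName"):
            if key not in auth:
                problems.append(f"authorization missing {key}")
        if auth.get("roleDefinitionId", "").lower() in DISALLOWED_ROLES:
            problems.append("Owner cannot be delegated through Azure Lighthouse")
    if not any(a.get("roleDefinitionId", "").lower() == MSP_ASSIGNMENT_DELETE
               for a in authorizations):
        problems.append("include the Managed Services Registration assignment "
                        "Delete Role so the provider can offboard itself")
    return problems


def build_onboarding_template(offer_name, description, managed_by_tenant_id, authorizations):
    """Return the subscription-scope ARM template as a dict (raises on bad input)."""
    problems = validate_authorizations(authorizations)
    if problems:
        raise ValueError("; ".join(problems))
    # Deterministic name derived from the offer name, like guid() in ARM.
    name = str(uuid.uuid5(uuid.NAMESPACE_URL, offer_name))
    definition_ref = ("[resourceId('Microsoft.ManagedServices/registrationDefinitions/', "
                      f"'{name}')]")
    return {
        "$schema": "https://schema.management.azure.com/schemas/2018-05-01/"
                   "subscriptionDeploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [
            {   # describes the offer: managing tenant + authorizations
                "type": "Microsoft.ManagedServices/registrationDefinitions",
                "apiVersion": API_VERSION,
                "name": name,
                "properties": {
                    "registrationDefinitionName": offer_name,
                    "description": description,
                    "managedByTenantId": managed_by_tenant_id,
                    "authorizations": authorizations,
                },
            },
            {   # binds the definition to the deployment scope (the subscription)
                "type": "Microsoft.ManagedServices/registrationAssignments",
                "apiVersion": API_VERSION,
                "name": name,
                "dependsOn": [definition_ref],
                "properties": {"registrationDefinitionId": definition_ref},
            },
        ],
    }


# Constructed placeholders for a provider tenant and two of its Azure AD groups.
MANAGING_TENANT = "11111111-1111-1111-1111-111111111111"
EXAMPLE_AUTHORIZATIONS = [
    {"principalId": "aaaaaaaa-0000-0000-0000-000000000001",
     "principalIdDisplayName": "MSP Monitoring Readers", "roleDefinitionId": READER},
    {"principalId": "aaaaaaaa-0000-0000-0000-000000000002",
     "principalIdDisplayName": "MSP Offboarding", "roleDefinitionId": MSP_ASSIGNMENT_DELETE},
]

if __name__ == "__main__":
    template = build_onboarding_template(
        "Contoso Monitoring Service", "Read-only monitoring of delegated subscriptions",
        MANAGING_TENANT, EXAMPLE_AUTHORIZATIONS)
    print(json.dumps(template, indent=2))
```

Writing the printed JSON to a file and running `az deployment sub create --location <region> --template-file <file>` while signed in to the customer tenant performs the onboarding; the reader-only authorization set here is deliberately narrow, and a Contributor-level delegation should be scoped to a resource group rather than the whole subscription where possible.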

Cross-tenant management experiences

Using Azure delegated resource management, a wide range of tasks and services can be performed across managed tenants.

Azure Lighthouse can also be used within an enterprise that has several Azure AD tenants of its own, to simplify cross-tenant management.

Understanding tenants and delegation

Each Azure AD tenant is distinct from every other Azure AD tenant and has its own tenant ID (a GUID).

Users in the service provider's tenant sign in to the Azure portal with their own credentials. From there they can manage resources for every customer to whom they have been granted access, either from the portal's My customers page, or by working directly within the context of that customer's subscription, whether in the portal or through APIs.

Azure Lighthouse therefore gives us more flexibility when managing resources for multiple customers: authorized users access those resources by signing in to the service provider's tenant, without having to sign in to separate accounts in each customer tenant.

APIs and management tool support

Management tasks on delegated resources can be performed directly in the portal or through APIs and management tools such as Azure CLI and Azure PowerShell. Any existing API can be used, as long as the functionality is supported for cross-tenant management and the user has the appropriate permissions on the delegated resources.

By default, the Azure PowerShell Get-AzSubscription cmdlet shows the TenantId of the managing tenant; its HomeTenantId and ManagedByTenantIds attributes tell us whether a subscription belongs to a managed (customer) tenant or to our own managing tenant.

Azure CLI commands such as az account list expose the same information through the homeTenantId and managedByTenants attributes.

There are also APIs specific to Azure Lighthouse tasks, such as managing registration definitions and assignments.
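Reading those attributes in practice, as an added example that is not part of the original page or of Azure CLI itself. The function takes the JSON that `az account list --output json` prints and, relative to a given tenant ID, classifies each subscription as one the tenant owns (`homeTenantId` matches) or one delegated to it through Azure Lighthouse (the tenant appears in `managedByTenants`), and lists any other tenants that also hold a delegation on it. The sample output and all IDs are constructed placeholders; the field names follow the Azure CLI output format.

```python
"""Classify the subscriptions visible to a signed-in tenant as own or
delegated, from `az account list` JSON.  Added example; sample data and
tenant IDs are constructed placeholders."""
import json

MANAGING_TENANT = "11111111-1111-1111-1111-111111111111"   # our tenant (placeholder)
CONTOSO_TENANT = "22222222-2222-2222-2222-222222222222"    # customer (placeholder)
FABRIKAM_TENANT = "33333333-3333-3333-3333-333333333333"   # customer (placeholder)
OTHER_MSP_TENANT = "44444444-4444-4444-4444-444444444444"  # another provider (placeholder)

# Constructed sample of `az account list --output json` as seen when signed
# in to MANAGING_TENANT.  For a delegated subscription, tenantId is the
# tenant we signed in to and homeTenantId is the customer's tenant.
SAMPLE_AZ_ACCOUNT_LIST = json.dumps([
    {"id": "aaaa0000-0000-0000-0000-000000000001", "name": "MSP Internal",
     "tenantId": MANAGING_TENANT, "homeTenantId": MANAGING_TENANT,
     "managedByTenants": [], "state": "Enabled"},
    {"id": "bbbb0000-0000-0000-0000-000000000002", "name": "Contoso Prod",
     "tenantId": MANAGING_TENANT, "homeTenantId": CONTOSO_TENANT,
     "managedByTenants": [{"tenantId": MANAGING_TENANT}], "state": "Enabled"},
    {"id": "cccc0000-0000-0000-0000-000000000003", "name": "Fabrikam Dev",
     "tenantId": MANAGING_TENANT, "homeTenantId": FABRIKAM_TENANT,
     "managedByTenants": [{"tenantId": MANAGING_TENANT}, {"tenantId": OTHER_MSP_TENANT}],
     "state": "Enabled"},
])


def classify_subscriptions(az_account_list_json, our_tenant):
    """Map subscription ID -> {name, kind, homeTenantId, otherManagers}."""
    result = {}
    for sub in json.loads(az_account_list_json):
        home = sub.get("homeTenantId") or sub["tenantId"]
        managers = {m["tenantId"] for m in sub.get("managedByTenants", [])}
        if home == our_tenant:
            kind = "own"            # lives in our tenant
        elif our_tenant in managers:
            kind = "delegated"      # reachable only via Azure Lighthouse
        else:
            kind = "unexpected"     # visible but neither ours nor delegated to us
        result[sub["id"]] = {
            "name": sub["name"],
            "kind": kind,
            "homeTenantId": home,
            # other tenants that also hold a delegation on this subscription
            "otherManagers": sorted(managers - {our_tenant}),
        }
    return result


def delegated_subscription_ids(az_account_list_json, our_tenant):
    """Just the IDs we reach through Azure Lighthouse, for scripting loops."""
    classified = classify_subscriptions(az_account_list_json, our_tenant)
    return sorted(i for i, s in classified.items() if s["kind"] == "delegated")


if __name__ == "__main__":
    for sid, info in classify_subscriptions(SAMPLE_AZ_ACCOUNT_LIST, MANAGING_TENANT).items():
        extra = f" (also managed by {', '.join(info['otherManagers'])})" if info["otherManagers"] else ""
        print(f"{sid}  {info['kind']:10} {info['name']}{extra}")
```

Run against real output (`az account list --output json | python3 this_script.py` after swapping the sample for `sys.stdin.read()`), the same function tells a customer which provider tenants hold delegations on each of its subscriptions, since `managedByTenants` is populated on the customer side as well.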

Enhanced services and scenarios

Most tasks and services can be performed on delegated resources across managed tenants. The following are some of the most common scenarios in which cross-tenant management is especially useful.

Azure Arc:

  • Manage hybrid servers at scale with Azure Arc-enabled servers.
  • Manage Windows Server or Linux machines outside Azure that are connected to delegated subscriptions and resource groups.
  • Manage connected machines using Azure constructs such as Azure Policy and tagging.
  • Ensure that the same set of policies is applied across customers' hybrid environments.

Azure Backup:

  • Use Backup Explorer to help monitor customer backups; at present it supports Azure VM data only.
  • Use Backup Reports across delegated subscriptions to track historical trends, analyze backup storage consumption, and audit backups and restores.

Azure Cost Management + Billing:

  • From the managing tenant, CSP partners can view, manage, and analyze pre-tax consumption costs (not including purchases) for customers under the Azure plan. The cost is based on retail rates and on the partner's Azure role-based access control (Azure RBAC) access to the customer's subscription.

Azure Kubernetes Service (AKS):

Manage hosted Kubernetes environments, and deploy and manage containerized applications, within customer tenants.