Azure Lighthouse is a service that enables multitenant management with scalability, a high degree of automation and enhanced governance. It makes it possible to manage tenants in a provider/customer relationship without having to log in to the customer tenant every time you want to modify it.
One of the best parts of Azure Lighthouse is that the service is free to use: you will not be charged for it!

How does Azure Lighthouse work?

Azure Lighthouse connects one provider tenant to multiple customer tenants. Each connection can be scoped to fit the principle of least privilege by granting rights only over specific subscriptions or resource groups.
For Azure Lighthouse to work, all you need is:
– Users, groups or service principals in the provider tenant
– RBAC roles to apply in the customer tenant
And that’s all! These two elements are combined in a template created in the provider tenant and then deployed in the customer tenant.

Prerequisites

Before setting up Azure Lighthouse we need to verify that we have:
– Two Azure tenants (one will be the provider, the other one the customer)
– Admin rights in the provider tenant
– A valid subscription in the customer tenant, with Owner rights on it

In my example the provider tenant has black banners in the Azure menu and the customer tenant has blue banners.

Provider tenant configuration

Let’s start with the provider setup.

First, go to Microsoft Entra ID and create a new group. We will use this group to assign users to our Lighthouse solution, so that only its members, and not all of your users, get permissions over your customer tenant.

Once the group is created, we can navigate to the relevant part of Azure Lighthouse. In the search bar, look for “Customers” and select the following:

We then want to create a template that grants us rights over the customer tenants we will link later.

In the template, fill in the form with a name that suits you, then click on “Add Authorization”.

In the “Add Authorization” window we set the permissions we will have over our customer tenants. For this example I’ll use the Contributor role. Do not forget to select “Group” as the principal type and then select the group we created earlier.

We select “Permanent” access here; the “Eligible” access type requires Azure Lighthouse to be configured with Entra ID Privileged Identity Management, which is only available with an Entra ID P2 license.

Once your template is ready, click on “View template”.

Then download it with the corresponding button.

With this last step, the provider configuration is done.
The JSON template we just created can be reused as many times as we want, as long as we want the same access to the customer resources.
We can now jump to the customer tenant and configure it as well.
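The downloaded file is an ARM template containing a registration definition (the provider tenant ID plus the authorizations from the “Add Authorization” window) and a registration assignment that binds it to the customer subscription. As an added example that is not the template generated in the post, the Python below builds such a template in that shape and runs a small least-privilege review over it before it is uploaded in the customer tenant, covering both the permanent authorizations used above and the PIM-backed eligible ones. The tenant ID, group ID and offer name are constructed placeholders; the role definition IDs are the documented Azure built-in role IDs.

```python
import json

# Azure built-in role definition IDs; these are the same in every tenant.
CONTRIBUTOR_ROLE = "b24988ac-6180-42a0-ab88-20f7382dd24c"
READER_ROLE = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
OWNER_ROLE = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
USER_ACCESS_ADMIN_ROLE = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"

# Constructed placeholders (hypothetical, not real IDs) standing in for the
# provider tenant and the Entra ID group created in the provider configuration.
PROVIDER_TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"
LIGHTHOUSE_GROUP_ID = "00000000-0000-0000-0000-00000000bbbb"

REGDEF_TYPE = "Microsoft.ManagedServices/registrationDefinitions"
ASSIGN_TYPE = "Microsoft.ManagedServices/registrationAssignments"

# Roles that should not be delegated permanently under the least-privilege
# advice of the post; the review below flags them.
HIGH_PRIVILEGE = {OWNER_ROLE: "Owner", USER_ACCESS_ADMIN_ROLE: "User Access Administrator"}


def authorization(principal_id, display_name, role_definition_id):
    """One entry of the authorizations array, as produced by "Add Authorization"."""
    return {
        "principalId": principal_id,
        "principalIdDisplayName": display_name,
        "roleDefinitionId": role_definition_id,
    }


def build_lighthouse_template(offer_name, provider_tenant_id, authorizations,
                              eligible_authorizations=()):
    """Return a subscription-level ARM template that onboards a customer subscription.

    `authorizations` are permanent; `eligible_authorizations` are the PIM-backed
    ones that need an Entra ID P2 license in the provider tenant.
    """
    definition = {
        "registrationDefinitionName": offer_name,
        "description": f"Delegated management for {offer_name}",
        "managedByTenantId": provider_tenant_id,
        "authorizations": list(authorizations),
    }
    if eligible_authorizations:
        definition["eligibleAuthorizations"] = list(eligible_authorizations)
    definition_ref = f"[resourceId('{REGDEF_TYPE}', variables('mspRegistrationName'))]"
    return {
        "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "variables": {
            "mspRegistrationName": f"[guid('{offer_name}')]",
            "mspAssignmentName": f"[guid('{offer_name}')]",
        },
        "resources": [
            {
                "type": REGDEF_TYPE,
                "apiVersion": "2022-10-01",
                "name": "[variables('mspRegistrationName')]",
                "properties": definition,
            },
            {
                "type": ASSIGN_TYPE,
                "apiVersion": "2022-10-01",
                "name": "[variables('mspAssignmentName')]",
                "dependsOn": [definition_ref],
                "properties": {"registrationDefinitionId": definition_ref},
            },
        ],
    }


def review_template(template):
    """Return review findings for a template before it is uploaded in the customer tenant.

    Flags permanent high-privilege roles and eligible (PIM) roles whose
    just-in-time policy lets them be activated without MFA.
    """
    findings = []
    for res in template["resources"]:
        if res["type"] != REGDEF_TYPE:
            continue
        props = res["properties"]
        for auth in props.get("authorizations", []):
            role = auth["roleDefinitionId"]
            if role in HIGH_PRIVILEGE:
                findings.append(f"permanent {HIGH_PRIVILEGE[role]} for {auth['principalIdDisplayName']}")
        for auth in props.get("eligibleAuthorizations", []):
            policy = auth.get("justInTimeAccessPolicy", {})
            if policy.get("multiFactorAuthProvider", "None") == "None":
                findings.append(f"eligible role for {auth['principalIdDisplayName']} activates without MFA")
    return findings


def render(template):
    """Serialise the template to the JSON the customer tenant's "Add via template" expects."""
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    # Same setup as the post: the provider group gets permanent Contributor.
    tpl = build_lighthouse_template(
        "Contoso managed services",  # hypothetical offer name
        PROVIDER_TENANT_ID,
        [authorization(LIGHTHOUSE_GROUP_ID, "Lighthouse operators", CONTRIBUTOR_ROLE)],
    )
    print(render(tpl))
    print("findings:", review_template(tpl))
```

The review is deliberately strict about User Access Administrator because, as the post notes later, a Contributor delegation cannot manage access on the customer subscription, and keeping it that way is usually what the customer wants.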

Customer tenant configuration

Before jumping into the Azure Lighthouse configuration, we must check that the subscription has the required resource provider registered.

In your subscription details, go to “Resource providers” and search for “ManagedServices”.

If the provider is not registered, register it and then continue with the configuration.

Search for “Lighthouse” to access the service.

In the Lighthouse page, click on “View service provider offers”.

Then select “Service provider offers” and “Add via template”.

Upload the template we created earlier.

Select the subscription you want to link with the provider tenant, then click on “Review + create”.

And then click on “Create”.

Wait for the deployment to finish; it should take no more than a few minutes.

We are done with the customer configuration. Now it is time to check the link between the two tenants.

Configuration control

In the customer tenant, go back to the Lighthouse panel, click again on “View service provider offers” and look for the delegations. You should see the details of the newly created delegation.

Now in the provider tenant, under “Customers” you should also see the new link between the two tenants.

Still in the provider tenant, under the subscriptions you should now see the customer subscription details.

As we are only Contributor and not Owner of the customer subscription, we cannot manage user rights on it. We can check this by clicking on the customer subscription in the same panel and navigating to “Access control”.

This concludes our Azure Lighthouse setup.