WHAT IS AZURE LIGHTHOUSE?
Azure Lighthouse is a free Azure service that lets a service provider access and manage resources in its customers' Azure environments from the provider's own tenant. B2B collaboration is no longer needed for this, so there are no guest accounts to create, secure and clean up in each customer tenant.
Managing customer environments becomes easier with this service. A service provider can manage different customer resources (whole subscriptions or individual resource groups) from one place. Access is granted through Azure role-based access control (the same Access control (IAM) model used inside a single tenant): the customer delegates a scope to the provider tenant and assigns built-in roles to the provider's users or groups.
Azure Lighthouse has to be configured on both sides: in the service provider tenant and in the customer tenant.
HOW TO SET UP AZURE LIGHTHOUSE – SERVICE PROVIDER TENANT
First we need the Tenant ID of the service provider tenant, because it is a parameter of the deployment script (it becomes managedByTenantId).
Secondly we create a security group and add the members who will be allowed to manage customer resources. We need to save the Object ID of that security group; delegating to a group rather than to individual users means membership can later be changed on the provider side without redeploying anything in the customer tenant.
In Azure there are different built-in roles with different permissions, and we need to choose which roles the group members will be assigned. We need to save the role definition IDs of those roles. In our case we use Contributor and Managed Services Registration assignment Delete Role. Built-in role definition IDs are the same in every Azure tenant, so the IDs captured in the provider tenant are valid in the customer tenant as well.
The role definition ID can be read in the portal under Access control (IAM) > Roles > JSON view of the role, or with Get-AzRoleDefinition -Name '<role name>'. The built-in IDs are b24988ac-6180-42a0-ab88-20f7382dd24c for Contributor and 91c1777a-f3dc-4fae-b103-61d183457e46 for Managed Services Registration assignment Delete Role.
Contributor – can create, change and delete resources in the delegated scope, but cannot assign roles to others.
Managed Services Registration assignment Delete Role – lets the service provider remove its own delegation (the registration assignment) from the customer tenant. Include it so the provider can off-board a customer itself; without it only the customer can remove the delegation.
Preparing JSON parameter script
The quickest way is to use the Azure/Azure-Lighthouse-samples repository on GitHub, which already contains templates for the different deployment packages.
There are many options. In our case we will manage the entire customer subscription, but an organization can choose a narrower option such as a single resource group.
On the service provider side we prepare the parameters file with the mandatory parameters. In the steps above we already collected everything that is required: the provider tenant ID, the group Object ID and the role definition IDs.
After this the parameters file is sent to the customer.
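The provider-side steps above as one script. This is an added example in Az PowerShell, not code from the original post or from the Azure-Lighthouse-samples repository. It assumes the Az.Accounts and Az.Resources modules are installed, that you are signed in to the provider tenant, and that the group name, offer name and output file name are placeholders you replace. The parameter names (mspOfferName, mspOfferDescription, managedByTenantId, authorizations) are those of the subscription-level template in Azure/Azure-Lighthouse-samples.

```powershell
# Added example (not from the original post): build the Azure Lighthouse
# parameters file on the SERVICE PROVIDER side.
# Assumptions: Az.Accounts + Az.Resources installed, signed in to the provider
# tenant; $groupName, $offerName and $outFile are placeholders.

$groupName = 'Lighthouse-Customer-Admins'                       # assumed group name
$offerName = 'Contoso Managed Services'                         # assumed offer name
$outFile   = '.\delegatedResourceManagement.parameters.json'    # assumed file name

# 1. Tenant ID of the provider tenant: becomes the managedByTenantId parameter.
$tenantId = (Get-AzContext).Tenant.Id

# 2. Security group that receives the delegated permissions. Delegating to a
#    group means membership changes never require a redeployment at the customer.
$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) {
    $group = New-AzADGroup -DisplayName $groupName `
        -MailNickname ($groupName -replace '[^a-zA-Z0-9]', '')
}
# Older Az.Resources versions expose the object ID as .ObjectId instead of .Id.
$groupId = if ($group.Id) { $group.Id } else { $group.ObjectId }
# Add-AzADGroupMember -TargetGroupObjectId $groupId -MemberUserPrincipalName 'admin@provider.example'  # assumed UPN

# 3. Built-in role definitions. Their IDs are identical in every tenant, so the
#    GUIDs looked up here are valid in the customer tenant too.
$roles = @(
    'Contributor',
    'Managed Services Registration assignment Delete Role'
) | ForEach-Object { Get-AzRoleDefinition -Name $_ }

# Guard: Lighthouse only accepts built-in roles, and Owner cannot be delegated.
foreach ($r in $roles) {
    if (-not $r) { throw 'A role definition was not found; check the role names' }
    if ($r.IsCustom) { throw "Custom role '$($r.Name)' is not supported by Azure Lighthouse" }
    if ($r.Name -eq 'Owner') { throw 'Owner cannot be delegated through Azure Lighthouse' }
}

# 4. Parameters document for the subscription-level template.
$parameters = [ordered]@{
    '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#'
    contentVersion = '1.0.0.0'
    parameters     = [ordered]@{
        mspOfferName        = @{ value = $offerName }
        mspOfferDescription = @{ value = 'Delegated management of the customer subscription' }
        managedByTenantId   = @{ value = $tenantId }
        authorizations      = @{
            value = @(
                foreach ($r in $roles) {
                    [ordered]@{
                        principalId            = $groupId
                        principalIdDisplayName = $group.DisplayName
                        roleDefinitionId       = $r.Id
                    }
                }
            )
        }
    }
}

$parameters | ConvertTo-Json -Depth 10 | Set-Content -Path $outFile -Encoding utf8
Write-Host "Wrote $outFile. Send it to the customer together with the template."
```

The guard step is the check worth keeping even if the rest is done by hand: a parameters file that names a custom role or Owner is rejected at deployment time in the customer tenant, and it is cheaper to catch that before the file is sent.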
HOW TO SET UP AZURE LIGHTHOUSE – CUSTOMER TENANT
The customer opens the Azure/Azure-Lighthouse-samples repository on GitHub and chooses Deploy to Azure for the matching template.
This redirects to the Azure portal custom deployment page, where the customer uploads the parameters file received from the service provider.
Load the file.
The parameters in the GUI are pre-filled from the JSON parameters file. The customer only has to choose the subscription for which access is granted, and should review the provider tenant ID, the principal and the roles before continuing.
Click Create; the deployment is validated automatically for errors.
If everything is correct, a notification about the successful deployment appears.
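The same customer-side onboarding done from PowerShell instead of the portal, followed by the checks a customer should run afterwards. This is an added example, not code from the original post. It assumes you are signed in to the customer tenant with the Az.Resources, Az.ManagedServices and Az.Monitor modules installed; the subscription ID, template and parameters file names are placeholders.

```powershell
# Added example (not from the original post): the CUSTOMER deploys the
# parameters file received from the provider and verifies the delegation.
# Assumptions: signed in to the customer tenant; Az.Resources, Az.ManagedServices
# and Az.Monitor installed; the values below are placeholders.

$subscriptionId = '00000000-0000-0000-0000-000000000000'           # assumed customer subscription
$templateFile   = '.\delegatedResourceManagement.json'             # subscription-level template from Azure/Azure-Lighthouse-samples
$paramFile      = '.\delegatedResourceManagement.parameters.json'  # file received from the provider

Set-AzContext -Subscription $subscriptionId | Out-Null

# Review before deploying: which tenant gets access, for which principal, with which roles.
$p = (Get-Content $paramFile -Raw | ConvertFrom-Json).parameters
"Provider tenant: $($p.managedByTenantId.value)"
$p.authorizations.value | ForEach-Object {
    $role = Get-AzRoleDefinition -Id $_.roleDefinitionId
    "  $($_.principalIdDisplayName) ($($_.principalId)) -> $($role.Name)"
}

# Deploy at subscription scope. This is what the portal's custom deployment does.
New-AzSubscriptionDeployment -Name 'LighthouseOnboarding' -Location 'westeurope' `
    -TemplateFile $templateFile -TemplateParameterFile $paramFile -Verbose

# Verify: the registration definition is the provider's offer, the assignment is the delegation.
Get-AzManagedServicesDefinition
Get-AzManagedServicesAssignment

# Afterwards, everything the provider does in this subscription is recorded in
# the customer's Activity Log under the provider user's identity.
Get-AzLog -StartTime (Get-Date).AddDays(-1) |
    Select-Object EventTimestamp, Caller, OperationName
```

Removing the delegation later is the reverse: the customer deletes the registration assignment, or the provider does it itself if the Managed Services Registration assignment Delete Role was included in the authorizations.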
CUSTOMER EXPERIENCE
The customer can review the active service provider offers and the delegations (which subscriptions or resource groups are delegated, to which tenant, with which roles) in the Azure portal under Service providers.
SERVICE PROVIDER EXPERIENCE
On the service provider side, delegated subscriptions and resource groups appear in the Azure portal under Azure Lighthouse > My customers, and members of the security group can work with them from the portal, CLI or PowerShell alongside the provider's own resources.
GOOD TO KNOW
- There are two ways to deliver the JSON parameters file to a customer:
  - Manually (we send the file to the customer). Whenever parameters change, an updated file has to be sent and redeployed by the customer, which can be frustrating.
  - Through a Managed Service offer in Azure Marketplace. The big advantage is that the service provider can update the offer and the change is available immediately; the customer only needs to deploy the offer from Azure Marketplace.
- The Activity Log is supported: every action the service provider performs in the delegated scope is recorded in the customer's subscription, so the customer can audit what was done.
- Custom roles and Owner cannot be delegated; Contributor is the most privileged role that can be used. User Access Administrator is supported only for the limited purpose of assigning roles to managed identities in the customer tenant.
- It is completely free.