Azure Lighthouse: Not just for MSPs?


I had an interesting talk with a customer the other week about Azure management and the predicament they had found themselves in. Having acquired several businesses, they are now stuck administrating a whole bunch of different Azure tenants, each with their own subscriptions.

This problem is amplified when they want to use Privileged Access Management (PIM) in Azure, which requires an expensive Microsoft Entra ID P2 licence for each user. Imagine a team of IT admins, each requiring duplicate accounts and an associated P2 licence (one in each tenant, per admin). Surely there is a better way?

Now, we could migrate all these Azure subscriptions into a single tenant. However, that takes significant time and resource: great if you are a consultant, but not so great if you are a customer looking for a relatively quick fix. This is where Azure Lighthouse comes in. It is typically what MSPs use to manage their own Azure customers' subscriptions outside of the Partner portal, BUT it is not limited to service providers (unlike M365 Lighthouse): any organisation can deploy Azure Lighthouse and leverage its multi-tenant capabilities. You can read more about those capabilities here: https://learn.microsoft.com/en-us/azure/lighthouse/overview

What is really exciting about Lighthouse is that it allows you to see all of your Azure subscriptions, across all of your tenants, as if the subscriptions existed in a single 'service provider' (or simply management) tenant. Microsoft refer to this as a logical projection of resources from one tenant to another. That means you can use a single admin account to manage them, and the best part: P2 licences are only needed in the management tenant, per user, regardless of how many subscriptions from different tenants that user can access via PIM.

The graphic below helps to explain this: Tenant A is the 'service provider' or management tenant, and Tenants B and C are what Lighthouse refers to as 'customer' tenants. In an enterprise scenario, the 'customer' tenants can simply be other acquired businesses rather than the typical service provider / customer model.

Lighthouse allows for granular delegation of resources, so if you have a more complex scenario and don't want to delegate permissions for an entire subscription, you can delegate just a specific resource group for management.

Tenants are 'onboarded' into Lighthouse. In a typical MSP scenario this might be done through an offer in the Azure Marketplace; for enterprises, you can onboard tenants using an ARM template containing all the required information. In this template you define the following:

  • Management tenant ID
  • Permanent role authorisations (such as Reader)
  • Eligible Role authorisations (Such as Contributor)

Microsoft have a set of sample templates for deployments depending on your scenario: https://github.com/Azure/Azure-Lighthouse-samples/tree/master

Azure Lighthouse is also completely free, so there is no reason not to leverage it for this kind of scenario. However, it goes without saying that security is a big concern here. Previously, if an admin account was compromised in one tenant, it would only affect resources in that tenant; now, if an admin account is compromised in the management tenant, the attacker has access to ALL tenancies onboarded into Azure Lighthouse for management. For this reason, I think it would be safest to always utilise PIM in Azure Lighthouse, even with approvers, along with the obvious MFA and Conditional Access for said admin accounts.
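To make the onboarding template and the PIM recommendation concrete, here is an added example of a subscription-scope ARM template of the kind described above. It is not from the original post or from the Microsoft samples repository; every GUID in the parameter defaults is a placeholder you would replace with the real management tenant ID and the object IDs of groups that exist in that management tenant. The Reader and Contributor role definition IDs are the Azure built-in ones. The permanent Reader authorisation, the eligible Contributor authorisation with an approver group, and the MFA requirement on activation correspond to the three bullet points and the closing security advice.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "managedByTenantId": {
      "type": "string",
      "defaultValue": "00000000-0000-0000-0000-000000000000",
      "metadata": { "description": "PLACEHOLDER: Entra tenant ID of the management tenant (Tenant A)." }
    },
    "adminGroupId": {
      "type": "string",
      "defaultValue": "11111111-1111-1111-1111-111111111111",
      "metadata": { "description": "PLACEHOLDER: object ID of the IT admins group in the management tenant." }
    },
    "approverGroupId": {
      "type": "string",
      "defaultValue": "22222222-2222-2222-2222-222222222222",
      "metadata": { "description": "PLACEHOLDER: object ID of the group (in the management tenant) that approves Contributor activation." }
    }
  },
  "variables": {
    "readerRoleId": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "contributorRoleId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "registrationDefinitionName": "[guid(parameters('managedByTenantId'), 'acquired-business-delegation')]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2022-10-01",
      "name": "[variables('registrationDefinitionName')]",
      "properties": {
        "registrationDefinitionName": "Acquired business delegation",
        "description": "Projects this subscription into the management tenant. Standing access is read-only; write access is eligible only.",
        "managedByTenantId": "[parameters('managedByTenantId')]",
        "authorizations": [
          {
            "principalId": "[parameters('adminGroupId')]",
            "principalIdDisplayName": "Platform admins (permanent Reader)",
            "roleDefinitionId": "[variables('readerRoleId')]"
          }
        ],
        "eligibleAuthorizations": [
          {
            "principalId": "[parameters('adminGroupId')]",
            "principalIdDisplayName": "Platform admins (eligible Contributor)",
            "roleDefinitionId": "[variables('contributorRoleId')]",
            "justInTimeAccessPolicy": {
              "multiFactorAuthProvider": "Azure",
              "maximumActivationDuration": "PT8H",
              "managedByTenantApprovers": [
                {
                  "principalId": "[parameters('approverGroupId')]",
                  "principalIdDisplayName": "Delegation approvers"
                }
              ]
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.ManagedServices/registrationAssignments",
      "apiVersion": "2022-10-01",
      "name": "[guid(variables('registrationDefinitionName'), subscription().subscriptionId)]",
      "dependsOn": [
        "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationDefinitionName'))]"
      ],
      "properties": {
        "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationDefinitionName'))]"
      }
    }
  ]
}
```

The template is deployed at subscription scope inside the customer tenant (for example with `az deployment sub create --location <region> --template-file template.json`) by an account that holds Owner on that subscription, because creating the registration assignment writes role assignments. Nothing from the customer tenant is granted to named users: the principals are groups in the management tenant, so joiners and leavers are handled by group membership there, and the Contributor role never exists as standing access, only as a time-boxed, MFA-gated activation that a second group has to approve.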