Azure Citadel
  • Blogs
  • ARM
  • Azure Arc
    • Overview
    • Azure Arc-enabled Servers
      • Prereqs
      • Scenario
      • Hack Overview
      • Azure Landing Zone
      • Arc Pilot resource group
      • Azure Monitoring Agent
      • Additional policy assignments
      • Access your on prem VMs
      • Create onboarding scripts
      • Onboarding using scripts
      • Inventory
      • Monitoring
      • SSH
      • Windows Admin Center
      • Governance
      • Custom Script Extension
      • Key Vault Extension
      • Managed Identity
    • Azure Arc-enabled Kubernetes
      • Prereqs
      • Background
      • Deploy Cluster
      • Connect to Arc
      • Enable GitOps
      • Deploy Application
      • Enable Azure AD
      • Enforce Policy
      • Enable Monitoring
      • Enable Azure Defender
      • Enable Data Services
      • Enable Application Delivery
    • Useful Links
  • Azure CLI
    • Install
    • Get started
    • JMESPATH queries
    • Integrate with Bash
  • Azure Landing Zones
    • Prereqs
    • Day 1
      • Azure Baristas
      • Day 1 Challenge
    • Day 2
      • Example
      • Day 2 Challenge
    • Day 3
      • Day 3 Challenge
    • Useful Links
  • Azure Lighthouse
    • Minimal Lighthouse definition
    • Using service principals
    • Privileged Identity Management
  • Azure Policy
    • Azure Policy Basics
      • Policy Basics in the Azure Portal
      • Creating Policy via the CLI
      • Deploy If Not Exists
      • Management Groups and Initiatives
    • Creating Custom Policies
      • Customer scenario
      • Policy Aliases
      • Determine the logic
      • Create the custom policy
      • Define, assign and test
  • Azure Stack HCI
    • Overview
    • Useful Links
    • Updates from Microsoft Ignite 2022
  • Marketplace
    • Introduction
      • Terminology
      • Offer Types
    • Partner Center
    • Offer Type
    • Publish a VM Offer HOL
      • Getting Started
      • Create VM Image
      • Test VM Image
      • VM Offer with SIG
      • VM Offer with SAS
      • Publish Offer
    • Other VM Resources
    • Publish a Solution Template HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Publish a Managed App HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Managed Apps with AKS HOL
    • Other Managed App Resources
    • SaaS Offer HOLs
    • SaaS Offer Video Series
      • Video 1 - SaaS Offer Overview
      • Video 2 - Purchasing a SaaS Offer
      • Video 3 - Purchasing a Private SaaS Plan
      • Video 4 - Publishing a SaaS Offer
      • Video 5 - Publishing a Private SaaS Plan
      • Video 6 - SaaS Offer Technical Overview
      • Video 7 - Azure AD Application Registrations
      • Video 8 - Using the SaaS Offer REST Fulfillment API
      • Video 9 - The SaaS Client Library for .NET
      • Video 10 - Building a Simple SaaS Landing Page in .NET
      • Video 11 - Building a Simple SaaS Publisher Portal in .NET
      • Video 12 - SaaS Webhook Overview
      • Video 13 - Implementing a Simple SaaS Webhook in .NET
      • Video 14 - Securing a Simple SaaS Webhook in .NET
      • Video 15 - SaaS Metered Billing Overview
      • Video 16 - The SaaS Metered Billing API with REST
  • Microsoft Fabric
    • Theory
    • Prereqs
    • Fabric Capacity
    • Set up a Remote State
    • Create a repo from a GitHub template
    • Configure an app reg for development
    • Initial Terraform workflow
    • Expanding your config
    • Configure a workload identity
    • GitHub Actions for Microsoft Fabric
    • GitLab pipeline for Microsoft Fabric
  • Packer & Ansible
    • Packer
    • Ansible
    • Dynamic Inventories
    • Playbooks & Roles
    • Custom Roles
    • Shared Image Gallery
  • Partner Admin Link
    • Understanding PAL
    • User IDs & PAL
    • Service Principals & PAL
    • CI/CD Pipelines & PAL
    • Azure Lighthouse & PAL
    • PAL FAQ
  • REST API
    • REST API theory
    • Using az rest
  • Setup
  • Terraform
    • Fundamentals
      • Initialise
      • Format
      • Validate
      • Plan
      • Apply
      • Adding resources
      • Locals and outputs
      • Managing state
      • Importing resources
      • Destroy
    • Working Environments for Terraform
      • Cloud Shell
      • macOS
      • Windows with PowerShell
      • Windows with Ubuntu in WSL2
    • Using AzAPI
      • Using the REST API
      • azapi_resource
      • Removing azapi_resource
      • azapi_update_resource
      • Data sources and outputs
      • Removing azapi_update_resource
  • Virtual Machines
    • Azure Bastion with native tools & AAD
    • Managed Identities
  • About
  • Archive
  1. Home
  2. Azure Lighthouse

Azure Lighthouse

Azure Lighthouse can be very useful, but also comes with some limitations that you should be aware of. Here are some useful

Introduction

This some example Azure Lighthouse templates that you can use as a reference point for your own configuration. The examples all use the Support Request Contributor role which is eligible for partner earned credit and therefore for PAL recognition. See the Azure Lighthouse & Partner Admin Link section for more info.

What is Azure Lighthouse?

Azure Lighthouse enables service providers and enterprises to manage resources across multiple tenants securely and at scale, using delegated resource management.

Benefits

  • Centralised management across multiple customers or tenants without context switching
  • Support Privileged Identity Management for least privilege access
  • Managed service provider side Azure Policy can be used across multiple customer tenants via management groups
  • Very useful in certain scenarios e.g. centralised Security Operations Centres (SOCs)
  • Cleanly separate from normal Identity & Access Management
  • The customer can alway view the authorisations, the activity logs, and revoke and delegations or services

Limitations

  • Only supports standard Azure resources, i.e. those within the subscription hierarchy
  • Restricted Azure Policy compliancy reporting
    • only shows customer side policies assigned at subscription scope
    • any policies assigned at management group level on the customer tenant are not visible via Azure Lighthouse
  • No support for RBAC role definitions with dataActions
  • Limited support (by design) for highly privileged role (i.e. no Owner, limited User Access Administrator)

Recommendations

  • Use Privileged Identity Management

    Include an Azure built-in role that is eligible for partner earned credit as one of the permanent roles, e.g. Support Request Contributor

  • Use Entra security groups and service principals in the authorisations

    Avoid using individual user principals in the service offer’s authorisations.

    Updating a local security group for joiners and leavers is far easier than updating the service provider offer definition and version and then asking the customer to accept the change.

  • Create Partner Admin Links for all of the user and service principals in the home tenant.

    Perform this as a one off task and then all security principals will automatically recognise the partner’s influence in the customer accounts using those Azure Lighthouse service provider offers.

Resources

  • Azure Lighthouse documentation
  • Azure Lighthouse best practice for roles
  • Azure Lighthouse role support and limitations
  • Azure Lighthouse limitations for the cross tenant management experience

Templates

Below are a set of template that will help you to get started with Azure Lighthouse.

Minimal Lighthouse definition

An example Lighthouse definition with a minimal set of managed service roles that are also valid for ACR recognition via PAL.

Using service principals

Add a service principal to the authorizations. Learn how to configure Partner Admin Link for service principals.

Privileged Identity Management

An example Lighthouse definition with a mix of permanent and PIM eligible roles. Maintain ACR recognition whilst meeting least privilege requirements. Enable just in time access to elevated permissions with approvals.