Azure Lighthouse & PAL

Combining Partner Admin Link with Azure Lighthouse reduces some of the administrative overhead. How does it differ from more traditional PAL configurations?

Table of Contents

  • In brief
  • Partner Admin Link with Azure Lighthouse
  • Managed Service offers published to the Marketplace
  • References
  • Next

In brief

There are two main options for customers to allow partners access to provide managed services on their Azure resources.

  1. Creating traditional RBAC role assignments in the customer tenant

    Historically, managed service providers have accessed customer environments one at a time, using identities that reside in the customer tenant. The managed service consultants need to switch to each customer directory in turn and create the Partner Admin Link while in that customer context.

  2. Delegating access with an Azure Lighthouse service provider offer

    Azure Lighthouse is a service designed to provide a true multi-tenant management experience. Azure Lighthouse projects customer resources into the managed service provider’s tenancy when the customer creates a delegation based on an Azure Lighthouse service provider offer. The delegations are made against the subscription and resource group scopes only.

    The permissions granted are defined in the Azure Lighthouse service provider offer’s list of authorisations, which specifies the security principals (including groups) and RBAC roles. Privileged Identity Management is supported (and recommended) so that standing access is least privilege and approval processes can be followed when elevating to roles with greater access.

    In effect, Azure Lighthouse reverses the direction of travel. Instead of the MSP operator going to the customer’s tenant to access their resources, the customer’s delegation brings those resources to the MSP operator. When a managed service operator uses the Azure Portal with Azure Lighthouse, they log in to their home tenant and get a multi-tenanted view of all of the delegated resources. The subscription filter in the portal’s settings allows the operator to filter on both tenant and subscription.

    From the customer’s perspective, they have full visibility of the service provider offers, the permissions specified in the authorisations, and the scope points that have been delegated. Their Identity and Access Management (Azure IAM) no longer includes a large number of security principals from partners, which would otherwise complicate RBAC administration and access reviews. Any control plane access beyond read is logged in the Activity Log, as are PIM elevations. The customer can always revoke access, either by removing individual delegations or by deleting whole service provider offers.

    There are also a number of limitations with Azure Lighthouse. See the Azure Lighthouse section on this site for more information and example service provider offer templates.

Partner Admin Link with Azure Lighthouse

The objectIds in the authorisations list belong to the provider’s tenancy, so PAL linking is done in the home tenant rather than in a customer tenant. As a result the Partner Admin Link only needs to be created once for each security principal. Any new customers using the same service provider offer are then linked automatically.

Recommendations:

  • The authorisations in the service provider offer templates should ideally use only objectIds for Entra security groups and service principals.
  • Create Partner Admin Links for all of the user principals that belong to the security groups included in the authorisations
  • Create Partner Admin Links for any service principals used in the authorisations
  • Create the Partner Admin Links in the service provider’s home tenant, not in the customer tenants
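The recommendations above, together with the delegation model described under In brief, as an added worked example (not code from Azure Citadel or Microsoft): it takes a registration definition in the shape of the real authorizations and eligibleAuthorizations properties, resolves each principal against a constructed stand-in for the provider’s home-tenant directory, and plans which identities need a Partner Admin Link and which authorisations deviate from the recommendations. All GUIDs, display names and group memberships are constructed placeholders.

```python
# Added dry-run (not from the Azure Citadel page or Microsoft): plans the Partner Admin
# Links for a Lighthouse offer's authorisations. All GUIDs and names are constructed placeholders.
GROUP_READERS = "aaaaaaaa-0000-0000-0000-000000000001"  # Entra security group
SP_AUTOMATION = "bbbbbbbb-0000-0000-0000-000000000002"  # service principal
USER_DIRECT = "cccccccc-0000-0000-0000-000000000003"    # a user objectId (not recommended)
GROUP_OPS = "dddddddd-0000-0000-0000-000000000004"      # group granted via PIM
READER, CONTRIBUTOR = "<reader-role-guid>", "<contributor-role-guid>"  # roleDefinitionId placeholders

# Same shape as the 'properties' of a Microsoft.ManagedServices/registrationDefinitions
# resource: standing 'authorizations' plus PIM 'eligibleAuthorizations'.
DEFINITION = {
    "registrationDefinitionName": "Contoso MSP - Ops (constructed)",
    "managedByTenantId": "11111111-1111-1111-1111-111111111111",
    "authorizations": [
        {"principalId": GROUP_READERS, "principalIdDisplayName": "MSP Readers", "roleDefinitionId": READER},
        {"principalId": SP_AUTOMATION, "principalIdDisplayName": "MSP Automation", "roleDefinitionId": CONTRIBUTOR},
        {"principalId": USER_DIRECT, "principalIdDisplayName": "Alice (direct)", "roleDefinitionId": READER},
    ],
    "eligibleAuthorizations": [
        {"principalId": GROUP_OPS, "principalIdDisplayName": "MSP Operators", "roleDefinitionId": CONTRIBUTOR,
         "justInTimeAccessPolicy": {"multiFactorAuthProvider": "Azure", "maximumActivationDuration": "PT8H"}},
    ],
}

# Constructed stand-in for Entra ID lookups in the provider's home tenant (in practice
# resolved with the Azure CLI or Microsoft Graph): objectId -> (principal type, group members).
DIRECTORY = {
    GROUP_READERS: ("Group", ["user-1", "user-2"]),
    SP_AUTOMATION: ("ServicePrincipal", []),
    USER_DIRECT: ("User", []),
    GROUP_OPS: ("Group", ["user-2", "user-3"]),
}

def plan_pal_links(definition, directory):
    """Return (links, warnings): objectIds needing a Partner Admin Link in the home tenant,
    plus authorisations that deviate from the recommendations."""
    links, warnings = set(), []
    # PIM-eligible principals still need linking: the link is per identity, not per activation.
    auths = definition.get("authorizations", []) + definition.get("eligibleAuthorizations", [])
    for auth in auths:
        pid, name = auth["principalId"], auth.get("principalIdDisplayName", auth["principalId"])
        ptype, members = directory.get(pid, ("Unknown", []))
        if ptype == "Group":
            links.update(members)  # each member user links once, covering every customer delegation
        elif ptype == "ServicePrincipal":
            links.add(pid)         # the service principal is linked under its own identity
        elif ptype == "User":
            links.add(pid)
            warnings.append(f"{name}: direct user objectId in authorisations; prefer a security group")
        else:
            warnings.append(f"{name}: objectId not found in the home tenant; check the offer template")
    return sorted(links), warnings
```

In practice the DIRECTORY lookup is replaced by Entra queries in the home tenant (for example `az ad group member list` and `az ad sp show`), and each identity in the returned list then signs in to the home tenant and links itself with `az managementpartner create --partner-id <MPN ID>`.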

Managed Service offers published to the Marketplace

If the Managed Service offers are published to the Azure Marketplace then the customer influence is recognised via the Marketplace mechanism rather than through Partner Admin Link.

See the dedicated Azure Lighthouse area for more information.

References

  • Azure Lighthouse best practice
  • Azure Lighthouse role limitations
  • Roles eligible for partner earned credit (PEC)
  • Linking service principals for PEC
  • Partner Admin Link FAQ

Next

In the next section we will look at a minimal Lighthouse definition, walk through the creation of the definition and assignment resources via the portal, and then show how to PAL link the security principals.

Source: https://www.azurecitadel.com/pal/lighthouse/
Published: 10 Oct 2025