We are delighted to have a guest blog from Microsoft MVP Martin Ehrnst! Read on for Martin's expert advice on how best to use Azure Lighthouse. Afterwards, head over here to see how you can get a true single pane of glass for all your Azure tenants using SquaredUp's new Lighthouse features.
Azure Lighthouse provides a unified management experience across all your customers' (and your own internal) Azure resources. Depending on your background, you might not know why this is such a big deal.
But picture this: a service provider monitoring hundreds of virtual machines across multiple customers while protecting its intellectual property (IP), and running automation across all of those customers without switching context or logging into tenant after tenant.
I could write a whole article about what type of challenges this service solves. But I’m not going to bother you with that here. Instead, I want to highlight Azure Lighthouse's key functionality, how you can get started, what to avoid, and what to consider before jumping in.
When should I use Azure Lighthouse?
I would like to address this question early. Azure Lighthouse is not for everyone, but it is useful in many situations.
The first scenario that comes to mind (and I apologize for that) is probably the Managed Service Provider one. The service was indeed created for MSPs, but if you think about it, many enterprise organizations function similarly, with core infrastructure and workplace separated. Global companies might also have multiple tenants from acquisitions, and so on.
Individual consultants can also benefit from Azure Lighthouse. Today many live with (god forbid) user accounts in customer tenants, or with Azure AD B2B guest invitations. With Lighthouse, consultants can implement solutions from their own tenant, at the scope set by the customer.
Azure delegated resource management
Azure delegated resource management is the key piece of Azure Lighthouse. It is implemented by a resource provider, Microsoft.ManagedServices, sitting on top of Azure Resource Manager (ARM).
This resource provider allows the “projection” of customer (or internal) subscriptions and resource groups into the managing tenant: the resources stay in the customer's tenant, while users and groups in the managing tenant are granted the roles the customer has authorized.
How do I enable delegation?
Since Azure Lighthouse is built on top of Azure Resource Manager, delegating access is as easy as deploying resources. However, if you want to offer managed services to a customer, or use Azure Lighthouse for internal purposes, there are a few things you should pay attention to.
- Do you use your existing tenant or do you create a separate one dedicated for management purposes?
- What roles do you need to perform management to a customer, and can it be the same scope for everyone?
- Do you need to deploy resources or Azure policies?
- How should your customer onboard your management? Do you use Azure Marketplace or do you provide an ARM template?
- Do you offer services at a subscription level, resource group, or both?
The first two are, in my opinion, the most important, as changing a delegation is not as easy as the initial onboarding. The deployment has to be run by a user in the customer's tenant with Owner access at the subscription level, so chances are you need to involve a few other people if you want to change your default authorizations down the road.
After you have put some thought into the above, you are ready to onboard your first customer. In the ARM template parameter file, set mspOfferName and mspOfferDescription.
These fields, along with your directory name, are visible to your customer.
The parameter file also needs to know which tenant is the managing tenant (managedByTenantId) and which authorizations are required: for each entry, the object ID of a user, group or service principal in your tenant and the ID of the built-in role it should get.
Even though you can specify individual users in the authorizations, using groups will make your life a whole lot easier: adding or removing an engineer then only means changing group membership in your own tenant, instead of asking the customer to redeploy the delegation.
The screenshot above is what your customer sees in their “Service providers” blade. I have highlighted four properties that are critical to get right.
- Offer name, defined in your template/parameter file.
- Service provider, this is your managing tenant directory name.
- Offer description, defined in your template/parameter file.
- Role assignments, defined in the parameter file.
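To make the onboarding steps above concrete, here is an added example (written for this article, not the author's own template) that generates the subscription-level ARM template and parameter file and sanity-checks the authorizations before you hand them to a customer. The template follows the structure of Microsoft's Azure-Lighthouse-samples subscription template (a Microsoft.ManagedServices/registrationDefinitions resource plus the registrationAssignments resource that activates it). All tenant, group and offer values are made up; the role definition GUIDs are Azure's built-in ones.

```python
"""Generate and sanity-check an Azure Lighthouse onboarding deployment.

Example code added for this article, not the author's own template. Tenant,
group and offer values are made up; the role GUIDs are Azure built-in roles.
"""
import json
import uuid

# Built-in role definition IDs (identical in every Azure tenant).
ROLES = {
    "Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "Virtual Machine Contributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
    "Monitoring Contributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
    # Lets the managing tenant remove its own delegation later.
    "Managed Services Registration assignment Delete Role": "91c1777a-f3dc-4fae-b103-61d183457e46",
}
# Lighthouse does not accept Owner in an authorization; the customer keeps Owner.
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"

TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "mspOfferName": {"type": "string"},
        "mspOfferDescription": {"type": "string"},
        "managedByTenantId": {"type": "string"},
        "authorizations": {"type": "array"},
    },
    "variables": {
        # Deterministic names: redeploying the same offer updates rather than duplicates.
        "mspRegistrationName": "[guid(parameters('mspOfferName'))]",
        "mspAssignmentName": "[guid(parameters('mspOfferName'))]",
    },
    "resources": [
        {
            "type": "Microsoft.ManagedServices/registrationDefinitions",
            "apiVersion": "2019-06-01",
            "name": "[variables('mspRegistrationName')]",
            "properties": {
                "registrationDefinitionName": "[parameters('mspOfferName')]",
                "description": "[parameters('mspOfferDescription')]",
                "managedByTenantId": "[parameters('managedByTenantId')]",
                "authorizations": "[parameters('authorizations')]",
            },
        },
        {
            "type": "Microsoft.ManagedServices/registrationAssignments",
            "apiVersion": "2019-06-01",
            "name": "[variables('mspAssignmentName')]",
            "dependsOn": ["[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"],
            "properties": {
                "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
            },
        },
    ],
}


def authorization(principal_id, display_name, role_name):
    """One authorizations[] entry: a principal (ideally a group) in the managing tenant plus a built-in role."""
    return {"principalId": principal_id, "principalIdDisplayName": display_name, "roleDefinitionId": ROLES[role_name]}


def build_parameters(offer_name, description, managing_tenant_id, authorizations):
    """The parameter file the customer deploys together with TEMPLATE."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "mspOfferName": {"value": offer_name},
            "mspOfferDescription": {"value": description},
            "managedByTenantId": {"value": managing_tenant_id},
            "authorizations": {"value": authorizations},
        },
    }


def _is_guid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def validate(parameters):
    """Return the problems the customer's deployment would hit; an empty list means ready to ship."""
    p = parameters["parameters"]
    problems = []
    if not p["mspOfferName"]["value"].strip():
        problems.append("mspOfferName is empty; the customer sees it as the offer name")
    if not _is_guid(p["managedByTenantId"]["value"]):
        problems.append("managedByTenantId must be the managing tenant's GUID")
    for a in p["authorizations"]["value"]:
        label = a.get("principalIdDisplayName") or a.get("principalId")
        if not _is_guid(a.get("principalId")):
            problems.append(f"{label}: principalId must be an object ID (GUID), not a UPN")
        if a.get("roleDefinitionId") == OWNER_ROLE_ID:
            problems.append(f"{label}: Owner cannot be delegated through Lighthouse")
        elif a.get("roleDefinitionId") not in ROLES.values():
            problems.append(f"{label}: roleDefinitionId is not in this script's list of built-in roles")
    return problems


if __name__ == "__main__":
    params = build_parameters(
        "Contoso managed monitoring",  # made-up offer name, shown to the customer
        "24/7 monitoring of delegated subscriptions",
        "11111111-1111-1111-1111-111111111111",  # made-up managing tenant ID
        [
            authorization("22222222-2222-2222-2222-222222222222", "Lighthouse-Readers (group)", "Reader"),
            authorization("33333333-3333-3333-3333-333333333333", "Lighthouse-Operators (group)", "Monitoring Contributor"),
            authorization("33333333-3333-3333-3333-333333333333", "Lighthouse-Operators (group)",
                          "Managed Services Registration assignment Delete Role"),
        ],
    )
    print(validate(params) or "parameter file OK")
    with open("subscription.json", "w") as f:
        json.dump(TEMPLATE, f, indent=2)
    with open("subscription.parameters.json", "w") as f:
        json.dump(params, f, indent=2)
    # The customer (Owner on the subscription) then deploys both files, e.g.:
    #   az deployment sub create --location westeurope --template-file subscription.json --parameters subscription.parameters.json
```

The validation is deliberately stricter than the deployment itself: ARM would reject an Owner authorization or a UPN in principalId only at deploy time, in the customer's tenant, which is exactly the moment you do not want to be iterating.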
Managing resources with Azure Lighthouse
Once your customer has delegated their resources to you, you can manage them almost as if they were your own, without data leaving your customer's tenant.
Browsing subscriptions from the managing tenant is a familiar process, but if you look closely, you can see that the subscription belongs to a different tenant and that I have delegated access to it. Customer information could be improved, but I have found that extensively using the built-in filter in the portal helps when working with a single customer.
Azure CLI and Azure PowerShell
This is the beauty of it all. When the service was first released, I was told it was developed by the portal team, and I immediately assumed it would be a portal-only experience. Luckily, I was wrong: PowerShell, Azure CLI, and the Azure Management REST APIs work just as you would expect.
Below I am listing all subscriptions using Azure CLI. As in the portal, you can identify which subscriptions are internal and which belong to a delegated tenant.
From here, it is up to you to manage your customers' resources the way you always have. But remember to check and set your filter and scope, as this directly affects what data is returned.
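As an added example (not from the original post), here is how to tell the three kinds of subscription apart in the JSON that `az account list --output json` prints when you are signed in to the managing tenant: your own subscriptions carry your tenantId; a subscription projected through Lighthouse keeps the customer's tenantId and lists your tenant under managedByTenants; and a subscription that shows a foreign tenantId without your tenant in managedByTenants is the leftover guest (B2B) access the article recommends getting rid of. The records below are constructed sample data with made-up IDs.

```python
"""Sort `az account list --output json` output into internal, Lighthouse-delegated and guest-access
subscriptions. Example code added for this article; the sample records are constructed."""
import json
from collections import defaultdict

# Assumed IDs, made up for the example.
MANAGING_TENANT = "11111111-1111-1111-1111-111111111111"
CUSTOMER_A = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
CUSTOMER_B = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
CUSTOMER_C = "cccccccc-cccc-cccc-cccc-cccccccccccc"

# Constructed sample of what `az account list --output json` returns (fields trimmed to the relevant ones).
SAMPLE_AZ_ACCOUNT_LIST = json.dumps([
    {"id": "00000000-0000-0000-0000-000000000001", "name": "MSP-Internal-Tooling", "state": "Enabled",
     "tenantId": MANAGING_TENANT, "homeTenantId": MANAGING_TENANT, "managedByTenants": []},
    {"id": "00000000-0000-0000-0000-000000000002", "name": "Contoso-Prod", "state": "Enabled",
     "tenantId": CUSTOMER_A, "homeTenantId": CUSTOMER_A, "managedByTenants": [{"tenantId": MANAGING_TENANT}]},
    {"id": "00000000-0000-0000-0000-000000000003", "name": "Contoso-Dev", "state": "Enabled",
     "tenantId": CUSTOMER_A, "homeTenantId": CUSTOMER_A, "managedByTenants": [{"tenantId": MANAGING_TENANT}]},
    {"id": "00000000-0000-0000-0000-000000000004", "name": "Fabrikam-Prod", "state": "Enabled",
     "tenantId": CUSTOMER_B, "homeTenantId": CUSTOMER_B, "managedByTenants": [{"tenantId": MANAGING_TENANT}]},
    # A subscription we still reach as a B2B guest user, not through Lighthouse.
    {"id": "00000000-0000-0000-0000-000000000005", "name": "Legacy-Guest-Access", "state": "Enabled",
     "tenantId": CUSTOMER_C, "homeTenantId": CUSTOMER_C, "managedByTenants": []},
])


def parse_az_output(text):
    """Parse the JSON printed by `az account list --output json`."""
    return json.loads(text)


def classify(accounts, managing_tenant):
    """Group subscription IDs into internal, delegated (per customer tenant) and guest access."""
    result = {"internal": [], "delegated": defaultdict(list), "guest": []}
    for sub in accounts:
        managed_by = {t["tenantId"] for t in sub.get("managedByTenants", [])}
        if sub["tenantId"] == managing_tenant:
            result["internal"].append(sub["id"])
        elif managing_tenant in managed_by:
            # Projected through Azure Lighthouse: lives in the customer's tenant, managed by ours.
            result["delegated"][sub["tenantId"]].append(sub["id"])
        else:
            # Visible only because our account exists in that tenant as a guest.
            result["guest"].append(sub["id"])
    result["delegated"] = dict(result["delegated"])
    return result


def subscriptions_for_customer(accounts, managing_tenant, customer_tenant):
    """The scope to pass to `az ... --subscription` when working on one customer only."""
    return classify(accounts, managing_tenant)["delegated"].get(customer_tenant, [])


if __name__ == "__main__":
    accounts = parse_az_output(SAMPLE_AZ_ACCOUNT_LIST)
    summary = classify(accounts, MANAGING_TENANT)
    print("internal:", summary["internal"])
    for tenant, subs in summary["delegated"].items():
        print(f"delegated by {tenant}:", subs)
    print("guest access (consider replacing with Lighthouse):", summary["guest"])
```

In practice you would pipe the real command output into `parse_az_output` and loop over `subscriptions_for_customer(...)`, setting `--subscription` explicitly for each call, so a query never silently runs against another customer's scope.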
Creating services for Azure Lighthouse
Whether you are using Azure Lighthouse to support an internal multi-tenant scenario or to create services as a managed service provider, the needs are often quite similar. Below I have listed a few ideas.
- Cost management – cost in Azure is difficult. Can you provide extra services here?
- Azure monitoring – using log analytics and Azure monitor to create a monitoring service
- Governance – provide consultancy on governance models. Develop policies, etc
- Security services – Managed Azure Sentinel, 24/7 security operations
Azure Lighthouse has improved a lot since it was launched. But the product does have a few limitations.
Azure Lighthouse works through the Azure Resource Manager API (https://management.azure.com), i.e. the control plane. Most Azure resources are fully managed through this API, but a few commonly used resource types also have a data plane with its own endpoint and authorization, which is “outside” of ARM.
This includes storage accounts and Azure Key Vault. You can deploy and configure them through Lighthouse, but operations that go to the service's own data-plane endpoint are not projected, so you will not be able to manage all aspects of the service.
Depending on which services you plan to deliver, internally or to customers, you might also run into the split between ARM and Azure AD. Azure AD is not part of the Azure Lighthouse management scope, but some Azure services can be configured to use Azure AD.
For example, if a customer wants to use Azure AD accounts for their SQL databases, you will not be able to configure this through Lighthouse, nor can you log in to that database with your own account, because the identities involved have to live in the customer's directory, not yours.
Azure Lighthouse is a fantastic service. It enables MSPs to manage at scale without relying heavily on internally developed management tooling, and lets them focus instead on creating services for their Azure customers on top of Azure's own management service (ARM).
Some limitations do apply, and some of them might be fundamental for your business. But looking at how the service has developed since its launch, I suspect a lot of this will be ironed out at some point.
Where to learn more
Most aspects of Azure Lighthouse are very well documented. The team also recently released two learning modules:
- Use Azure Lighthouse with your managed service business
- Use Azure Lighthouse to govern, monitor, and secure customer resources
For community resources, I recommend you check:
Wesley Haakman's blog. He works for a Dutch service provider and has some great examples.
My own Azure Lighthouse video from the Azure Advent Calendar, and Alan Kinane's contribution to Azure Back to School.
Now that you've learnt all about what Azure Lighthouse can do, come see how you can get a true single pane of glass for all your Azure tenants using SquaredUp's new Lighthouse features!