Last year, Microsoft came out with Azure Lighthouse, a service that allows a customer to delegate rights to another party to manage their resources. This service is aimed at service providers, but large companies with multiple Azure AD tenants can benefit from this too.
How Azure Delegated Resource Management Works
Previously, when managing multiple Azure Active Directory (AD) tenants, you would invite the accounts of your Azure AD into the customer’s Azure AD. For a few tenants, this is doable. However, it is a bit of a challenge with hundreds of tenants, multiplied by the number of accounts in the managing tenant.
Next, you have to make sure every account in every tenant's subscriptions has the correct rights. Obviously you will need some additional scripting magic to keep this all in sync, but for customers where you don't have access to their Azure AD, this becomes a manual process. Very tedious indeed!
Once that is all done, managing each subscription requires switching to the context of that subscription, which is basically logging in again. Done managing customer A? Great, now switch to the next one, and so on.
Azure Delegated Resource Management is one of the key components of Azure Lighthouse. According to Microsoft, “With Azure delegated resource management, service providers can simplify customer engagement and onboarding experiences, while managing delegated resources at scale with agility and precision.” 1
Effectively Manage Access for Customers’ Azure Resources
The advantage of Azure Lighthouse is that we only need to do an initial onboarding of the customer, which gives groups in the managing Azure AD tenant the rights to manage the customer's Azure subscription. Any users in, say, a readers group in our own Azure AD tenant will be able to view the customer's subscription, and users in a contributors group will get the rights to actually deploy and manage resources. All the resources will be available from our own Azure Portal as well, so no more subscription switching, and managing the user accounts that access customer subscriptions now happens from a single place. Happy days!