What is Azure Lighthouse?
Azure Lighthouse enables multi-tenant management with increased scalability, automation, and resource governance.
Service providers can use Azure Lighthouse to deliver managed services that leverage the Azure platform's broad and robust capabilities.
With this service, customers retain full control over who has access to which resources, what their tenants have access to, and what actions those users can take. Enterprise IT organizations that manage resources across multiple tenants can also benefit from it.
Azure Lighthouse makes it easier for service providers to build and deliver managed services. The following are some of the advantages:
Azure Lighthouse has a number of features that help with engagement and management:
Microsoft 365 Lighthouse, a comparable offering, helps service providers onboard, monitor, and manage their Microsoft 365 users at scale. Microsoft 365 Lighthouse is currently available in preview.
Pricing and availability
There are no additional fees for managing Azure resources with Azure Lighthouse. Azure Lighthouse is available to any Azure customer or partner.
Cross-region and cloud considerations
Azure Lighthouse is not tied to a specific region: the resources delegated to us can be located in different regions.
Azure Lighthouse Support
If we need assistance, we can open a support ticket: select Technical as the issue type, choose a subscription, then select Lighthouse (under Monitoring & Management).
Azure Lighthouse architecture
Service providers can use Azure Lighthouse to streamline customer engagement and onboarding while managing delegated resources at scale with agility and precision.
Azure delegated resource management is the mechanism that enables this: authorized users, groups, and service principals can work directly in the context of a customer subscription without having an account in the customer's Azure Active Directory (Azure AD) tenant or being a co-owner of the customer's tenant.
Delegation resources created in the customer tenant
When the customer's resource group is onboarded into Azure Lighthouse, two resources are created in the customer tenant: the registration definition and the registration assignment. They can be accessed via APIs and management tools, or worked with directly in the Azure portal.
Each registration assignment must refer to a valid subscription-level registration definition, which ties the service provider's authorizations to the delegated scope and therefore grants access.
In certain cases, Resource Manager grants access based on the information defined by these resources.
Activity by users in the service provider's tenant is recorded in the activity log, which is stored in the customer's tenant. This lets the customer see who made changes and when they were made.
How Azure Lighthouse works
At a high level, Azure Lighthouse works as follows:
Cross-tenant management experiences
Using Azure delegated resource management, a wide range of tasks and services can be performed across managed tenants.
Azure Lighthouse can also be used within an enterprise that has several Azure AD tenants of its own, to simplify cross-tenant management.
Understanding tenants and delegation
Each Azure AD tenant has its own tenant ID (a GUID) and is distinct from every other Azure AD tenant.
These users can then sign in to the Azure portal with their own credentials and manage resources for every customer to whom they have been granted access, either from the Azure portal's My customers page, by working directly within the context of that customer's subscription, or via APIs.
Azure Lighthouse gives us more flexibility when managing resources for multiple customers: authorized users access those resources by signing in to the service provider's tenant, without having to sign in to separate accounts in different tenants.
APIs and management tool support
We can perform management tasks on delegated resources directly in the portal or via APIs and management tools such as Azure CLI and Azure PowerShell. When working with delegated resources, any existing API can be used as long as the capability is supported for cross-tenant management and the user has the necessary permissions.
By default, the Azure PowerShell Get-AzSubscription cmdlet displays the TenantId of the managing tenant.
Azure CLI commands such as az account list also expose the homeTenantId and managedByTenants attributes.
There are also APIs dedicated to Azure Lighthouse tasks.
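As an added example (not part of the original article or of Microsoft's tooling), the script below parses the JSON that `az account list -o json` returns and uses the homeTenantId and managedByTenants attributes mentioned above to answer two questions a practitioner will ask: from the service-provider side, which subscriptions are delegated to our tenant, and from the customer side, which foreign tenants hold delegated access to each subscription. The sample output and all tenant and subscription IDs are constructed placeholders.

```python
import json

# Constructed sample of `az account list -o json` output as seen from the
# managing (service provider) tenant. All IDs are placeholders, not real GUIDs.
MANAGING_TENANT = "msp-tenant-0000"

SAMPLE_ACCOUNT_LIST = json.dumps([
    {"id": "sub-0001", "name": "MSP-Internal", "state": "Enabled",
     "homeTenantId": MANAGING_TENANT, "managedByTenants": []},
    {"id": "sub-0002", "name": "Contoso-Prod", "state": "Enabled",
     "homeTenantId": "contoso-tenant-1111",
     "managedByTenants": [{"tenantId": MANAGING_TENANT}]},
    {"id": "sub-0003", "name": "Fabrikam-Dev", "state": "Enabled",
     "homeTenantId": "fabrikam-tenant-2222",
     "managedByTenants": [{"tenantId": MANAGING_TENANT},
                          {"tenantId": "other-msp-3333"}]},
])


def delegated_subscriptions(account_list_json, managing_tenant):
    """Provider-side view: subscriptions delegated to managing_tenant via
    Azure Lighthouse, i.e. home tenant differs from ours and our tenant
    appears in managedByTenants. Returns (name, homeTenantId) pairs."""
    result = []
    for sub in json.loads(account_list_json):
        managers = {m["tenantId"] for m in sub.get("managedByTenants", [])}
        if sub["homeTenantId"] != managing_tenant and managing_tenant in managers:
            result.append((sub["name"], sub["homeTenantId"]))
    return result


def external_managers(account_list_json):
    """Customer-side view: for each subscription, every tenant other than the
    home tenant that holds delegated access. Anything listed here should be
    an expected, currently contracted service provider."""
    report = {}
    for sub in json.loads(account_list_json):
        foreign = sorted(m["tenantId"] for m in sub.get("managedByTenants", [])
                         if m["tenantId"] != sub["homeTenantId"])
        if foreign:
            report[sub["name"]] = foreign
    return report


if __name__ == "__main__":
    for name, home in delegated_subscriptions(SAMPLE_ACCOUNT_LIST, MANAGING_TENANT):
        print(f"delegated to us: {name} (home tenant {home})")
    for name, tenants in external_managers(SAMPLE_ACCOUNT_LIST).items():
        print(f"{name} is managed by: {', '.join(tenants)}")
```

To run it against a live tenant, replace SAMPLE_ACCOUNT_LIST with the text of `az account list -o json`; the two functions need nothing else.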
Enhanced services and scenarios
Most actions and services can be performed across managed tenants using delegated resources. The following are some of the most common scenarios in which cross-tenant management is especially beneficial.
Azure Arc:
Currently, the Backup Explorer option is only available for Azure VM data.
Cost Management + Billing:
Azure Kubernetes Service (AKS):
Manage hosted Kubernetes environments, and deploy and manage containerized applications within customer tenants.