Azure Lighthouse is a service designed by Microsoft that provides advanced automation on Azure Cloud Services. It assures you to manage Azure estates of several customers and protects your IP management.
We will dig much deeper into Azure Lighthouse in this article, and the following are the pointers we will cover:
- What is Azure Lighthouse?
- Benefits of Azure Lighthouse
- Capabilities in Azure Lighthouse
- Azure Delegated Resource Management
- Cross-Tenant Management Experiences
- What are Tenants?
- Managed Service Offers
- Enterprise Scenarios
- Comparison of Azure Lighthouse and Azure Managed Applications
You can also become a certified professional in Microsoft Azure and other cloud services like Amazon Web Services (AWS) and Google Cloud Platform (GCP) by enrolling in our cloud computing online course. It offers a post-graduate program in cloud computing.
Without any further delay, let’s begin with the Azure Lighthouse tutorial.
What is Azure Lighthouse?
Azure Lighthouse allows you to enable cross-tenant management and multi-tenant management, which helps for higher automation, scalability, and enhanced governance throughout the resources and tenants.
In simple terms, Azure Lighthouse is a control panel, which incorporates portals, IT service management tools, and monitoring tools that enable service providers to monitor and manage deployments across tenants.
Using Azure Lighthouse, service providers can deliver secure managed services with the help of extensive and robust management tools, which are built into the Azure platform. The customers or clients could control who can access their tenants, resources, and actions to undertake. Azure Lighthouse also benefits enterprise IT organizations that manage resources across numerous tenants with access control for customers.
Let’s see some scenarios where this could be helpful:
- Service Providers: A scenario where the customer pays the bill and wants control of the resources, but the customer pays a third party to manage and support the resources.
- Application Providers: Some companies provide applications in Azure and come up with a management part, where they can package these services on the marketplace and allow clients to deploy them in their subscription. Later, they retain management of a few or all the resources.
- Multi-Tenant: Several Azure clients have multiple tenants throughout their organization for numerous tasks. Azure Lighthouse helps to manage the resources of these tenants in one place without having to switch tenants.
Benefits of Azure Lighthouse
Service providers can build and deliver managed services efficiently using Azure Lighthouse. Let’s discuss some benefits of using this service:
- Scalable Management: It enhances customer engagement and life cycle management and operations, making it easier and more scalable to manage customer resources. You can use existing APIs, management tools, and workflows with assigned resources, including machines hosted outside of Azure, despite these resources’ locations.
- Greater Visibility and Control of Azure Environment for Customers: Customers have definite control over the scopes they assign for management and permissions. They can inspect service provider actions with complete transparency and manage and remove access altogether without compromising security.
- Comprehensive and Unified Platform Tooling: Azure Lighthouse provides an extensive and unified platform tooling experience, addressing vital service provider scenarios, such as multiple licensing modes like EA (Enterprise Agreement), CSP (Cloud Service Provider Program), and pay-as-you-go. It helps to track your impact on customers engagements by linking your partner ID.
- Risk Reduction with Just-In-Time Access: It provides time-based role activation and approval-based role activation using PIM (Privileged Identity Management), which is a service by Azure AD (Azure Active Directory). PIM helps reduce risk by allocating service providers the exact amount of access required per resource and time needed to complete the task.
Capabilities in Azure Lighthouse
Using Azure Lighthouse, there are numerous ways to streamline engagement and management:
- Azure Delegated Resource Management: You can securely manage the Azure resources of your customers within your own tenant without the need to switch context and control planes. Customer subscriptions and resource groups can be allocated to specific users and roles in tenant management, gaining the ability to remove access when necessary.
- New Azure Portal Experiences: You can view cross-tenant management information inside the “My Customers” page in the Azure portal. The Azure portal has a “Service Providers” page that allows customers to view and manage their service provider access.
- Azure Resource Manager (ARM) Templates: You can utilize ARM templates to onboard allocated customer resources and perform cross-tenant management tasks.
- Managed Service offers in Azure Marketplace: You can provide services to customers by public or private offers and onboard them to Azure Lighthouse automatically.
Now, let’s move forward and learn few concepts involved in Azure Lighthouse.
Azure Delegated Resource Management
Azure Delegated Resource Management is an essential component of Azure Lighthouse, which allows logical projection of resources from one tenant to another. It enables service providers to ease customer engagement and onboarding experiences during the management of delegated resources at scale with agility and precision.
Using Azure Delegated Resource Management, authorized users can work plainly in the context of a customer subscription without having a customer’s tenant account or being a co-owner of the customer’s tenant.
Cross-Tenant Management Experiences
The Cross-Tenant Management Experiences enable you to work more efficiently with Azure management services, such as Azure Policy, Azure Security Center, etc. All service provider activities are tracked in the activity log and stored in the customer’s tenant, which can be viewed and monitored by users in the managing tenant. Users in both the managing and the managed tenant could quickly identify the user associated with any adjustments.
What are Tenants?
Each Azure AD tenant is a representation of an organization. Tenants are dedicated and trusted instances of Azure AD, which an organization receives when creating a relationship or agreement with Microsoft by signing up for Azure, Microsoft 365, or other Microsoft services. There is no relationship between each tenant, and they are distinct and separate entities. Each tenant has its own tenant ID.
Managed Service Offers
Managed Service Offers smoothen and simplify the process of enlisting or onboarding customers to Azure Lighthouse. It provides customers with resource management services through Azure Lighthouse. When a customer buys an offer in Azure Marketplace, they can determine which subscriptions or resource groups must be enlisted.
Later, users in the organization can work on these resource groups within your managing tenants with the help of Azure Delegated Resource Management, as per the access you defined when the offer is created.
Enterprise Scenarios
Azure Lighthouse plays a vital role in enterprise scenarios. Let’s discuss some situations associated with Azure Lighthouse and Enterprise.
- Single and Multiple Tenants: The management is quite simple with a single Azure AD tenant in any organization. Some organizations need multiple tenants for management operations. Azure Lighthouse can help in centralizing and streamlining management operations.
- Tenant Management Architecture: Azure Lighthouse helps specify which tenant will involve users in performing management operations on other tenants.
- Security and Access Considerations: With Azure Lighthouse, organizations can determine which users can have authorized access to delegated resources. This ensures that users only have the permissions required for performing the necessary tasks, subsequently reducing the chance of accidental errors.
Comparison of Azure Lighthouse and Azure Managed Applications
Using Azure Lighthouse, service providers can deliver secure managed services and perform numerous management tasks directly on a customer’s subscription or a resource group.
Using Azure Managed Applications, service providers or ISVs (Independent Software Vendors) can provide cloud solutions, which becomes easier and simpler for customers to deploy and use in their own subscriptions.
Let’s compare these two approaches using a table:
| Consideration | Azure Lighthouse | Azure Managed Applications |
| Typical User | Service providers or enterprises manage multiple tenants | ISVs (Independent Software Vendors) |
| Scope of cross-tenant access | Subscription or resource groups | Resource groups (scoped to a single application) |
| Purchase options in Azure Marketplace | No (Managed Service offers can be published to Azure Marketplace, but customers are charged and billed separately) | Yes |
| IP Protection | Yes (IP can remain in the tenant of a service provider) | Yes (By design, the resource group is secured to customers) |
| Deny Assignments | No | Yes |
With this, we have come to an end with the Azure Lighthouse blog. I hope you are satisfied with my article on Azure Lighthouse. If you have any questions or concerns, feel free to provide us with your feedback in the comments section below, and we will revert to you.
