Ivelin Andreev presented on managing Azure resources at scale using Azure Lighthouse. Azure Lighthouse allows a managed service provider (MSP) to manage customer Azure subscriptions across tenants through delegated access. There are two options for an MSP to use Lighthouse - through the Azure Marketplace or by deploying an ARM template. The presentation demonstrated the delegation process and limitations of Lighthouse. Key benefits of Lighthouse include centralized monitoring and management of customer subscriptions without requiring direct access.
7. #GlobalAzure
Upkip - a Real-Life Use Case
Manufacturing SME digitalization IIoT platform
• Successful business model = Scalable business model
• 1 Customer = 1 Azure Subscription
Pros
• Complete control over access to own data
• Fair distribution of cost
• Customer has sense of ownership
Cons
• Environment update, installation, setup
• Monitoring and problem resolution
8. #GlobalAzure
The Cloud Dilemma
Def: Use the latest and greatest at low cost while keeping control.
Customer challenges vs. Provider / ISV challenges
• Use state of the art technology
• x100 resources in multiple subscriptions
• Admin consent, no automation
• Develop scalable business
• Solve individual problems
9. #GlobalAzure
External User to Manage Resources
• Subscriptions belong to AAD tenant
• User identity belongs to AAD tenant
• Option 1:
• Add a new user
• Unmanageable at scale
• Option 2:
• External user invitation (B2B)
• Users switch the context
• Option 3:
• (this is what the session topic is)
10. #GlobalAzure
Delegated Resource Concept
“I am placing you in charge
of the entire land of Egypt.”
Pharaoh to Joseph (1700 BC)
“I am placing you in charge
of my entire Azure subscription”
Customer to Provider (3700y later)
Def: A logical projection of resource
from one tenant to another
11. #GlobalAzure
The Managed Service Provider (MSP)
Def: A company that remotely manages a customer's IT infrastructure and/or systems.
• Management pains
• Manage resource at scale (i.e. 50 tenants)
• Focus on application not resources
• Context switching
• Different security policies/MFA
• No central management place to monitor
• No aggregated view
• What if the administrator quit…?!
• Recreate 50+ B2B users.
12. #GlobalAzure
MSP can Benefit from Lighthouse if…
• Backup and Recovery
• Policy Management
• Monitoring and Security management
• Azure Infrastructure (VMs, Storage, Services)
• Automation
• Run under the corporate account
• Act on customer protecting IPR
• Provider of managed apps
• Cross-tenant management in Azure services
• Azure Monitor, Security Center, Sentinel
14. #GlobalAzure
What is Azure Lighthouse?
• Foundation is Azure delegated resources
• Customer resources appear as own resources
• Permissions – granted as in delegated access
Benefits:
• Full tracking of management activities
• Authorized users work directly in the customer context
• No customer account necessary
• No account switching
15. #GlobalAzure
The Lighthouse Way
• Opt1: Azure Marketplace Managed Service Offer
• Available to multiple customers
• Opt2: Manual ARM Template Deployment
• Customer runs the deployment script in their own subscription
Azure Marketplace vs. AppSource
• Target: Azure solutions for IT Professionals & Dev (Marketplace) / Line of Business Decision-Makers (AppSource)
• Extends: Azure (Marketplace) / Azure, Dynamics 365, Office 365, PowerBI (AppSource)
• Types of Solutions: Infrastructure Solutions and Professional Services (Marketplace) / Line of business and consultancy services (AppSource)
• Publishing Options: Contact Me, Consulting Services, Trial, VM, Solution Templates, Managed Apps (Marketplace) / Contact Me, Consulting Services Offer, or Trial (AppSource)
17. #GlobalAzure
Option 1: Provider Side
1. Be a Microsoft Partner (Gold or Silver)
• Commercial marketplace program member
2. Publish offer in MS Partner Center
• Managed Service Offer (*NOT AZ Managed Application)
• https://docs.microsoft.com/en-us/azure/lighthouse/concepts/managed-applications
3. Select MSP plan
• Title, Description
• Billing Model – License or Azure Consumption %
• Public or Private(specific Sub IDs) offer
• Authorizations – list permissions necessary
4. Publish
• Takes few days to appear in marketplace
18. #GlobalAzure
Option 1: Customer Side
1. Marketplace
• Browse and add offer
• Provide contact details
• Review requested permissions
2. Accept terms
• Declaration of trusted relationship
• Acknowledge MS has no responsibility
3. Select resources for delegation
• Subscription
• Resource Group(s)
• No individual resources support
19. #GlobalAzure
Option 2: Manual Template
• Triggered from
• URL
• Portal “Deploy custom template”
• Deployment definition
• Not bound to Marketplace offer
• Data is similar to MSP offer
• Resource types
• registrationDefinitions
• registrationAssignments
• Can reference any tenant (by ID)
• Permissions granting
21. #GlobalAzure
How does Delegation Work?
• Process Overview
1. User access definition
2. Onboard customer (Opt.1 or Opt.2)
3. Customer can review provider actions
• Two resources created behind the scenes
• registrationDefinitions
• Created when purchasing MSP offer
• Name, description, TenantID, Authorizations
• registrationAssignments
• Created when delegating subscription or RG
• References registrationDefinitions resource
• Free, Free, Free
• Free usage
• Free implementation
• Free onboarding customers
22. #GlobalAzure
Access Rights
• Customer
• Subscription Owner required to delegate
• Provider
• Adding
• registrationDefinitions - groups or principals mapped to roles
• e.g. provider needs “Reader” role to view “My Customers”
• Removing
• !!!No action to accept customer request!!!
• For MSP to remove a customer, they need to remove the resources from the customer subscription
• Ask permissions for role “Managed Services Registration Assignment Delete” (91c1777a-f3dc-4fae-b103-61d183457e46)
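A subscription-level ARM template that creates the two resources described above (registrationDefinitions and registrationAssignments) and wires the access rights from this slide, as an added example; it is not from the session or from the Azure-Lighthouse-samples repository. It assumes the MSP tenant ID and the provider group's object ID are supplied as parameters (placeholders), grants the group the built-in Reader role (needed to see the customer under “My Customers”) plus the Managed Services Registration Assignment Delete role so the MSP can later remove the delegation, and uses the guid() template function for resource names.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspOfferName": { "type": "string", "defaultValue": "Example MSP offer (constructed name)" },
    "managedByTenantId": { "type": "string", "metadata": { "description": "PLACEHOLDER: provider (MSP) AAD tenant ID" } },
    "mspGroupPrincipalId": { "type": "string", "metadata": { "description": "PLACEHOLDER: object ID of an AAD group in the provider tenant" } }
  },
  "variables": {
    "registrationName": "[guid(parameters('mspOfferName'))]",
    "readerRoleId": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "registrationAssignmentDeleteRoleId": "91c1777a-f3dc-4fae-b103-61d183457e46"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2019-06-01",
      "name": "[variables('registrationName')]",
      "properties": {
        "registrationDefinitionName": "[parameters('mspOfferName')]",
        "description": "Delegated access for monitoring and support (constructed)",
        "managedByTenantId": "[parameters('managedByTenantId')]",
        "authorizations": [
          {
            "principalId": "[parameters('mspGroupPrincipalId')]",
            "principalIdDisplayName": "MSP operators",
            "roleDefinitionId": "[variables('readerRoleId')]"
          },
          {
            "principalId": "[parameters('mspGroupPrincipalId')]",
            "principalIdDisplayName": "MSP operators",
            "roleDefinitionId": "[variables('registrationAssignmentDeleteRoleId')]"
          }
        ]
      }
    },
    {
      "type": "Microsoft.ManagedServices/registrationAssignments",
      "apiVersion": "2019-06-01",
      "name": "[guid(parameters('mspOfferName'), parameters('managedByTenantId'))]",
      "dependsOn": [ "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationName'))]" ],
      "properties": {
        "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationName'))]"
      }
    }
  ]
}
```

The customer deploys this at subscription scope as an Owner; the roleDefinitionId values are the bare GUIDs of built-in roles, since delegation does not accept custom roles.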
23. #GlobalAzure
Limitations
• Roles
• Delegation works with built-in RBAC roles
• No classic administrator or custom roles
• No “Owner” role assignment
• User Access Administrator only with a predefined set of roles
• Operation actions
• Only Control Plane (manage through ARM)
• No Data Plane actions (manage via endpoints)
• Subscription resource locks
• Prevent user actions (e.g. delete) but not MSP actions
• AZ Blueprint locks are preserved
24. #GlobalAzure
It is all About Management
• Browse subscriptions from “My Customers”
• View subscriptions with delegated access
• Management
• PowerShell, CLI, AZ Management REST API
Note: Set appropriate subscription filter and scope
25. #GlobalAzure
Takeaways & Credits
• Stanislav Zhelyazkov (Cloud and Datacenter Management MVP)
• For supporting my enthusiasm on the topic ☺
• Publish to AZ Marketplace overview
https://docs.microsoft.com/en-us/azure/marketplace/overview
https://docs.microsoft.com/en-us/azure/marketplace/create-account
https://docs.microsoft.com/en-us/azure/marketplace/plan-managed-service-offer
https://docs.microsoft.com/en-us/azure/marketplace/publisher-guide-by-offer-type
• Lighthouse samples and templates
https://github.com/Azure/Azure-Lighthouse-samples
• Delegated resource management template
https://github.com/Azure/Azure-Lighthouse-samples/tree/master/templates/marketplace-delegated-resource-management
https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-azure-button
• Azure Lighthouse jumpstart
https://squaredup.com/blog/azure-lighthouse-jumpstart/
• Azure Lighthouse and Azure Monitor
• https://www.youtube.com/watch?v=LOveBk7Bbi4