Azure Lighthouse - Management at scale - Considerations and use cases

Besides Azure Lighthouse being an amazing technology that builds on top of Azure Resource Manager. How and when do you use it? Some considerations and thoughts. If you're in the business of managing multiple subscriptions across tenants, pay attention :)

It’s only been a few weeks since Microsoft launched Azure Lighthouse but it has already grabbed everyone's interest. Over the past few months I was privileged to test drive Azure Lighthouse and provide feedback and share my experience at Microsoft Inspire. This was by far one of the smoothest and well guided previews I’ve ever done.

So... Azure Lighthouse is it only something you can use as a Managed Service Provider? No. If you’re managing subscriptions across tenants then Lighthouse is for you. But apart from the technology, how does it help your business?

Table of Contents
Introduction to Lighthouse
The Business Challenges
The Solution through Azure Lighthouse - The Technology
Scenarios and Business Models
Business Opportunities
Considerations - Think before you go full scale

Introduction Lighthouse

It's unlikely but you might have missed the launch of Azure Lighthouse. So what does it do? Azure Lighthouse brings you the capabilities of managing multiple subscriptions across multiple tenants (or as we call it cross-tenant management), improves security, provides transparency for anyone on boarded and brings you the possibility of publishing your managed services offer to the Azure Marketplace. To some it might sound like a small feature but Azure Lighthouse has a huge impact and will help you solve some challenges you might face today, whether you’re a Managed Service Provider, a large Enterprise or a Software Vendor that manages multiple customer environments.

The business challenges

Most of the challenges that companies are facing right now are in the field of governance and I’m not talking about the frameworks, processes and documents that come with that (do check out the Cloud Adoption Framework on governance: (https://docs.microsoft.com/en-us/azure/architecture/cloud-adoption/governance/index). Governing environments from a technical perspective can be quite the task and requires some preparation. You’ve got your framework(s) in place and now you need the technology to go with that.

Access Control - Right level of access and transparency
For long this has been a challenge for Cloud Service Providers and Enterprises alike. If you’re a CSP and you deliver Managed Services, chances are that you manage a multitude of tenants and subscriptions. Accessing those subscriptions to manage requires either a role assignment on the target (customer) subscription or access through the Microsoft Partner Center. When using Partner Center, being able to do something useful as an employee then often required using the Administer on Behalf Of technology (AOBO) by assigning them the  the Admin Agent role. And, this is a role you don’t always want to assign to your employees. The Admin Agent role provides them with the same privileges as the global admin for the customer. You probably want to limit the amount of people who are assigned that level of access. And assigning is just one, what about changes or when someone needs their access revoked? Or what if just one of your customers doesn't want that level on access being provided to your employees? The Admin Agent role is not tenant or subscription specific, it works across Partner Center. Yes, there are workarounds to break that "link" with the customer but that results in different challenges if you have to manage that customer environment as well.

In terms of compliance you will have a hard time explaining to the customer who has access to what (and when). I’ve seen many conversations where the partner had to answer that question with “Every support engineer” or “All employees with a technical role”.

Single pane of glass
Even though I think this term is greatly overused it does describe what we’re trying to achieve. One interface, one portal and one point of access to manage multiple tenants. Keep in mind that a single pane of glass is not the end goal for all your employees. It’s simply not possible or maintainable to keep up with an ever-changing platform such as Microsoft Azure. But providing the necessary functionalities for 80% of your users is a good way to start. I would even say that if you’re at 80%, you’re doing well. But in most cases, we’re using different portals to achieve our goals. The more we can focus on using this single portal the more efficient your users will be. If you’re managing customers or just your own tenants at scale, changing identity or logging in through partner center works but it’s not ideal.

Standardization & Automation
If you want to scale your business, you need to standardize and automate. When it comes to automation on Azure you already have a variety of options, but they all require a per subscription and per tenant configuration (or a third party solution that will do that for you). You’re either running the automation in the target subscription or you’re providing access control through credentials / App Registrations that reside in the target tenant. Either way, you’re bound to configure something within the target subscription(s). Eventually you want to monitor resource state, service health and compliance over multiple environments and when applicable perform actions to re-mediate whatever is not according to your standard.

Up until now the solution was to build workarounds or go with what’s available by default, creating unnecessary overhead. You’re requiring your employees to do stuff manually which as some downfalls:

-          Where people do stuff manually, you risk configuration drift
-          People make mistakes
-          Will eventually have a negative financial impact

Things you usually want to avoid.

The solutions through Azure Lighthouse technology

How does the Azure Lighthouse Technology help you solve this? There are many ways you can solve this but lets highlight a few.

Security and Access Control
Azure Lighthouse is a feature that leverages two technologies: Azure Resource Manager and Azure Active Directory. We can pretty much say that Azure Lighthouse taps into the fundamentals of Azure as we know it to this day. What we’re talking about here is delegated resource management. Objects (Users, Groups or Principal IDs) originating from your own tenant are being provided access to the target subscription which residing in a different tenant. As a result, this will provide you with cross-tenant management without you having to configure your users on each subscription one by one or using that CSP Principal User to gain access to the subscription. And I cannot stress this enough: this is a big improvement for CSPs.

The Azure Portal
Then the Azure Portal. With the new and improved subscription filter (which has been available for a while now) we can select which tenants and subscription we want to add to our scope. If your user has access through Delegated Resource management then those subscriptions and tenants will show up here. Once you have filtered on the subscription applicable to you, they will become available throughout the Azure Portal in different services such as: All Resources view, VM views, Activity Log, Azure Monitor, etc. A word of caution here, if you have access to too many subscription then this might get a bit messy, so think ahead.

Personally, I like the little detail that shows what scope/tenant the resource is in when you’re actively navigating to that specific resource:

Supported Services
This does not mean that all current Azure services already support this cross-tenant management experience as it requires all resource providers to be capable of providing access through delegated resource management.

But the list is growing and the popular services for management already support this and will help you build that single pane of glass. At this time, the following services are supported:

-          Azure Automation
-          Azure Backup
-          Azure Site Recovery
-          Azure Monitor
-          Azure Service Health (now useful for MSPs!)
-          Azure Policy
-          Resource Graph
-          Security Center
-          Virtual machines
-          Networking

Microsoft Docs - Cross Tenant Management Experience

Personally, I think that one of the biggest use cases that help you with governance across multiple environments are Azure Policy, Azure Monitor and Resource Graph.

Governance
As you can tell from the list of already supported services, there’s a lot of stuff we can now manage for our customers from our own management tenant. My personal favorites here are Azure Policy and Azure Monitor as these were usually pretty single-tenant solutions but with Delegated Resource management you now have the capabilities to deploy and manage them at scale, across tenants.

For instance: with the right level of access you can now manage those Azure Policy’s across tenants and even re-mediate noncompliance without having to go to that customer tenant. From a transparency and auditing perspective, the activity log is now view-able across tenants. Both you and your customers can see what each party is doing. Complete transparency.

And if you suspect something fishy is happening, just investigate the changes to see what’s happening. These are all features you can already use without the Delegated Resource Management but it required either a direct assignment on the customer subscription/resources or a dedicated account. You can now build automation based on Delegated Resource management and implement automation from your own managing tenant.

Onboarding
On-boarding can be done in two ways: through the Azure Marketplace or through an Azure Resource Manager template. On-boarding your solution to the marketplace takes a bit of work but barely any technical skills. What you need is some good marketing material and a good story to tell your potential customers.

From a technical perspective you need to create a plan and add your managing Tenant ID (preferably the one which your employees that will perform management reside in), the Azure AD Object ID which can be a user, group or Service Principal and the Role Definition you want to apply to that Object ID (which has to be a built-in role: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles). Note that you can add multiple authorization entries per plan.

For testing, adding a single user is sufficient but for production I’d recommend to use groups as this lets you add and remove users without having to republish the plan.

Additionally, you can add multiple plans for different service levels.

Deployment through ARM Templates is probably the best fit for Enterprise organizations as your focus is not in selling managed services but on managing your own tenants and subscriptions. If you’re going the ARM Template route, just use the predefined templates as published on GitHub and modify them to your liking. As for the technical information required, this is identical to the marketplace offer but now you need to copy/paste them into the parameter file (https://github.com/Azure/Azure-Lighthouse-samples/tree/master/Azure-Delegated-Resource-Management/templates/rg-delegated-resource-management).

Scenarios / Business models

So, what exactly is the use case of Azure Lighthouse? I briefly explained some technologies that can be leveraged but would they even fit your business model? There are multiple scenario’s / business models where Azure Lighthouse will be beneficial, and it’s not just for Managed Service Provides.

ISV (Software Vendor)
If you’re a software company and you’re hosting your own solutions across customer tenants then Lighthouse will take away that burden. But you also might want to look into Managed Apps and resource projection if your business is selling solutions on the Azure Platform. But, for a lot of companies that is not the case right now. You started with Azure and then your business took off. Azure Lighthouse will help you manage at scale (but still look into managed apps please 😊).

Enterprise (multiple tenants)
As a large Enterprise it’s likely that your different business units started using Azure and they’re all running in different tenants. From a governance perspective this is an absolute nightmare. How are you going to manage your governance across your company? You have to either gather credentials, request them to create service principals for you to access to the environments or you just provide them with a template containing your managed services configuration and tell them to on-board. It sounds easy but… it really is.

Managed Service Providers
Last but, not least; the managed service provider. As a managed service provider, Azure Lighthouse is pretty much a requirement if you want to efficiently manage your customers and scale your business.

If you’re a Managed Service Provider, it’s likely that you’re also a Cloud Service Provider (CSP) and you’re now either building workarounds to manage your customers or you’re jumping from one to another using Partner Center. From a Security perspective you want transparent access control and least privilege (people can only perform the actions they need to service the customer) and the customer has full insights into what they are doing. Azure Lighthouse brings you those possibilities and it definitely makes the whole compliance discussion you have with your customers a lot easier.

Business opportunities

Managed Services offer in the Azure Marketplace
If you’re an MSP then it’s likely that you have some kind of consultancy offer listed in AppSource to attract the attention of business decision makers. But right now you have the option to list your managed services offer in the Azure Marketplace and customers can on-board right onto your MSP practice and provide you with delegated access to get started.

It barely takes any effort to get your offer listed. All you need is pre-configured groups and their ID’s in your Azure AD, your Tenant ID and some good marketing content. Using the cloud partner portal you can configure your managed services offer and get it listed within a few days (https://cloudpartner.azure.com/). Though, you do want to make sure you have that right level of access for the right users in your tenant. Make sure you read up on https://docs.microsoft.com/en-us/azure/lighthouse/concepts/recommended-security-practices before you end up with too many people being able to access too many customers. If anything, you don’t want to end up with all your users having access to all your customers that on-boarding using this self-service feature. Before you know it you’ll end up with the same situation as you did with the admin agent configuration within your CSP environment, just in a different portal. For example, you could create different configurations for different verticals or customer groups. Think ahead but do benefit from what Lighthouse has to offer from a Marketplace perspective. Good to know is that you can both publish private offers and public offers. Public offers speak for themselves but with private offers you can actually select which subscription ID’s can on-board (here’s the use case of Enterprise wanting to manage just a specific set of subscriptions).

Partner Admin Link
If you're an MSP  (especially CSPs) then it's likely that you want to have Partner Admin Link (PAL) configured on your customer subscription to track the impact you have on your customer or as Microsoft states: "Revenue generated by Azure resources via this offer will then be attributed to your organization" (https://docs.microsoft.com/en-us/azure/lighthouse/concepts/cloud-solution-provider). So definitely something you want to configure. If you're pushing your managed services through the Marketplace offering then your MPN ID is already associated with your publisher profile and you're all set. Though, you can also achieve this using the Azure Portal, Az PowerShell or Az CLI (https://docs.microsoft.com/en-us/azure/billing/billing-partner-admin-link-started) but this requires a manual intervention.

Management at scale
As mentioned, multiple times, you can now manage at scale from a single tenant. The beautiful thing here is that there’s no big bang scenario. You can simple start by on-boarding a single subscription and go from there. This will barely impact your business as the impact is kept to a minimum. What’s going to save you time and money is that you are no longer required individually manage, apply configurations and deploy resources to each subscription one by one. But there is some stuff to think about before getting started.

Considerations before you go full scale

On-boarding through the marketplace (public offers)
You’re providing people with a way to pretty much self-service on-board onto your managed service practice. But do you want to manage all of those potential customers? What if they’re solutions don’t fit your managed service practice or what if you build a massive momentum and people are throwing delegated access to you left and right?

This is where good marketplace content and different plans come in maybe you want to build different tiers with different levels of access and – very important – set different levels of expectations.

Look into automating processes once subscriptions are on-boarded. Maybe you want to on-board them into a “free” tier, review the environment and then follow up with that.

Access control
On-boarding at scale can result in a chaotic environment. Remember that whoever has access through delegated resource management can use the subscription filter to select which subscriptions they want to add to their Azure Portal scope. If you’re not careful your users will end up with a massive list of subscriptions and resources that they can manage. This can get out of hand quickly.

For enterprise use this is probably not going to be an issue. As an MSP or ISV you need to think this through. For example look into:

-          Providing different plans for different types of customers (perhaps per industry) and assign specific teams / groups the role assignments applicable for that plan
-          Build different offerings for different types of customers
-          Use private offers for each specific customer

Or just go full scale and manage the chaos. Either way, think before you scale.

Who’s paying for the resources?
As you can now run automation from a single tenant across multiple environments it means that if you’re deploying automation to customer environments right now, you can move that to a single place and centralize your automation. This also means that the resources you need to achieve that will now (probably) run in your own environment instead of the customer environments. From a pricing perspective that means that you are now being charged for the usage of those automation resources. Whether that’s fair is up to you, and most of the time these costs are minimal.

Wrap up

Azure Lighthouse provides a multitude of possibilities and new features are still being worked on. Over time delegated resource management will become a hygiene factor within the larger environments as MSPs and Enterprise mature further into the Public Cloud. Should you use Azure Lighthouse? Definitely! What does it cost? Absolutely nothing, the Azure Lighthouse technology comes for free. You still have to pay for the actually resources and usage tho.