Azure Lighthouse allows delegation of subscriptions and resource groups, but not management groups. However, you can use an Azure Policy to delegate all subscriptions within a management group to a managing tenant.
The policy uses the deployIfNotExists effect to check whether each subscription within the management group is delegated to the specified managing tenant. If a subscription isn't already delegated, the policy creates the Azure Lighthouse assignment based on the values you provide in the parameters. You then have access to all of the subscriptions in the management group, just as if you onboarded each one manually.
When using this policy, keep in mind:
- Each subscription within the management group will have the same set of authorizations. To vary the users and roles who are granted access, you must onboard subscriptions manually.
- While every subscription in the management group is onboarded, you can't take actions on the entire management group resource through Azure Lighthouse. You need to select subscriptions to work on, just as you would if they were onboarded individually.
Unless specified otherwise, a user in the customer's tenant with the appropriate permissions must perform all of these steps.
Tip
Though this article refers to service providers and customers, enterprises managing multiple tenants can use the same processes.
Register the resource provider across subscriptions
Typically, the onboarding process registers the Microsoft.ManagedServices resource provider for a subscription. When using this policy to onboard subscriptions in a management group, you must register the resource provider in advance. A Contributor or Owner user in the customer's tenant, or any user who has permissions to do the /register/action operation for the resource provider, can perform this registration. For more information, see Register resource provider.
You can use an Azure Logic App that automatically registers the resource provider across subscriptions. You can deploy this Logic App in a customer's tenant with limited permissions that allow it to register the resource provider in each subscription within a management group.
We also provide an Azure Logic App that can be deployed in the service provider's tenant. This Logic App can register the resource provider across subscriptions in multiple tenants once you grant tenant-wide admin consent to the Logic App. Granting tenant-wide admin consent requires you to sign in as a user who is authorized to consent on behalf of the organization. If you use this option to register the provider across multiple tenants, you still need to deploy the policy individually for each management group.
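As an added example (not from the article or either of the Logic Apps it mentions), the registration step as a PowerShell script run by a customer-tenant user: it walks the management group tree and registers Microsoft.ManagedServices in every subscription that isn't registered yet. The management group name is a placeholder; the script assumes the Az.Accounts and Az.Resources modules.

```powershell
# Added example: register the Microsoft.ManagedServices resource provider in every
# subscription under a management group, including subscriptions in child groups.
# The caller needs Contributor/Owner (or */register/action) on each subscription.
$managementGroupName = '<ManagementGroupName>'   # placeholder: your management group
$provider            = 'Microsoft.ManagedServices'

# Get-AzManagementGroup -Expand -Recurse returns the whole tree; collect every
# subscription id in it (subscription children have Type '/subscriptions').
function Get-MgSubscriptionIds {
    param($Node)
    foreach ($child in $Node.Children) {
        if ($child.Type -eq '/subscriptions') { $child.Name }
        elseif ($child.Children) { Get-MgSubscriptionIds -Node $child }
    }
}

$mg     = Get-AzManagementGroup -GroupName $managementGroupName -Expand -Recurse
$subIds = @(Get-MgSubscriptionIds -Node $mg)
Write-Host "Found $($subIds.Count) subscription(s) under $managementGroupName"

$results = foreach ($subId in $subIds) {
    Set-AzContext -SubscriptionId $subId | Out-Null
    # Get-AzResourceProvider returns one row per resource type; all rows carry the
    # same RegistrationState, so the first one is enough.
    $state = (Get-AzResourceProvider -ProviderNamespace $provider |
              Select-Object -First 1).RegistrationState
    if ($state -ne 'Registered') {
        # Registration is asynchronous: the state moves from Registering to Registered,
        # so the value reported here may still be Registering right after the call.
        Register-AzResourceProvider -ProviderNamespace $provider | Out-Null
        $state = (Get-AzResourceProvider -ProviderNamespace $provider |
                  Select-Object -First 1).RegistrationState
    }
    [pscustomobject]@{ SubscriptionId = $subId; RegistrationState = $state }
}

# Anything not yet Registered here will block the policy's remediation deployment
# for that subscription until registration completes.
$results | Format-Table -AutoSize
```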
Create your parameters file
To assign the policy, deploy the deployLighthouseIfNotExistManagementGroup.json file, along with a deployLighthouseIfNotExistsManagementGroup.parameters.json parameters file edited to reflect your specific tenant and assignment details. These two files contain the same information required to onboard an individual subscription.
This example shows a parameters file that delegates the subscriptions to the Relecloud Managed Services tenant. It grants access to two principalId values: one account for Tier 1 Support, and one automation account that can assign the delegatedRoleDefinitionIds to managed identities in the customer tenant.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "managedByName": {
      "value": "Relecloud Managed Services"
    },
    "managedByDescription": {
      "value": "Relecloud provides managed services to its customers"
    },
    "managedByTenantId": {
      "value": "00000000-0000-0000-0000-000000000000"
    },
    "managedByAuthorizations": {
      "value": [
        {
          "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",
          "principalIdDisplayName": "Tier 1 Support",
          "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
        },
        {
          "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",
          "principalIdDisplayName": "Automation Account - Full access",
          "roleDefinitionId": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
          "delegatedRoleDefinitionIds": [
            "b24988ac-6180-42a0-ab88-20f7382dd24c",
            "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
            "91c1777a-f3dc-4fae-b103-61d183457e46"
          ]
        }
      ]
    }
  }
}
```
Assign the policy to a management group
After you edit the policy to create your assignments, assign it at the management group level. To learn how to assign a policy and view compliance state results, see Quickstart: Create a policy assignment.
This PowerShell command deploys the policy definition under the specified management group, using the template and parameters file you created. You still need to create the policy assignment and a remediation task so that existing subscriptions are onboarded.
```powershell
New-AzManagementGroupDeployment -Name <DeploymentName> -Location <location> -ManagementGroupId <ManagementGroupName> -TemplateFile <path to file> -TemplateParameterFile <path to parameter file> -Verbose
```
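The assignment and remediation steps the command above leaves to you, as an added example (not from the article or the sample repository): it assigns the deployed definition at the management group with a system-assigned identity, grants that identity the roles the deployIfNotExists rule declares, and starts a remediation task for the subscriptions that already exist. The management group name, policy definition name, assignment name and location are placeholders; the script assumes the Az.Resources and Az.PolicyInsights modules.

```powershell
# Added example: assign the Lighthouse deployIfNotExists policy at the management group
# and remediate existing subscriptions. Placeholders must be replaced before running.
$mgName   = '<ManagementGroupName>'    # placeholder
$defName  = '<PolicyDefinitionName>'   # placeholder: name the deployment gave the definition
$location = '<location>'               # placeholder: region that hosts the assignment identity
$asgName  = 'lighthouse-onboard-mg'    # assumed assignment name
$mgScope  = "/providers/Microsoft.Management/managementGroups/$mgName"

$definition = Get-AzPolicyDefinition -Name $defName -ManagementGroupName $mgName

# deployIfNotExists needs a managed identity on the assignment; unlike the portal,
# PowerShell does not grant it any roles, so remediation would fail with authorization
# errors until the roles below are assigned. (Older Az.Resources uses -AssignIdentity.)
$assignment = New-AzPolicyAssignment -Name $asgName -Scope $mgScope `
    -PolicyDefinition $definition -Location $location -IdentityType SystemAssigned
$principalId = $assignment.Identity.PrincipalId

# Grant exactly the roles the definition's own rule asks for (roleDefinitionIds), no more.
# Older Az.Resources nests the rule under .Properties; newer versions flatten it.
$rule = if ($definition.PSObject.Properties['Properties']) {
    $definition.Properties.PolicyRule
} else {
    $definition.PolicyRule
}
foreach ($roleId in $rule.then.details.roleDefinitionIds) {
    $roleGuid = $roleId.Split('/')[-1]
    # The new identity is eventually consistent in Microsoft Entra ID; retry briefly.
    $attempt = 0
    do {
        try {
            New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId $roleGuid `
                -Scope $mgScope -ErrorAction Stop | Out-Null
            break
        } catch {
            $attempt++
            Start-Sleep -Seconds 10
        }
    } while ($attempt -lt 6)
}

# Existing subscriptions are only onboarded by a remediation task; subscriptions added
# later are handled by the policy as they arrive.
$assignmentId = "$mgScope/providers/Microsoft.Authorization/policyAssignments/$asgName"
Start-AzPolicyRemediation -Name 'lighthouse-onboard-initial' `
    -ManagementGroupName $mgName -PolicyAssignmentId $assignmentId
```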
Confirm successful onboarding
There are several ways to verify that the existing subscriptions in the management group were successfully onboarded. For more information, see Confirm successful onboarding.
If you keep the Logic App and policy active for your management group, any new subscriptions that you add to the management group are onboarded as well.
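One concrete way to verify onboarding across the whole management group, as an added example (not from the article): it resolves every subscription whose management group ancestor chain includes the group, then checks each one for a Lighthouse registration definition whose managedByTenantId matches the value in your parameters file. The management group name is a placeholder; the script assumes the Az.ResourceGraph and Az.ManagedServices modules and Reader on the subscriptions.

```powershell
# Added example: confirm that every subscription under the management group is delegated
# to the expected managing tenant. Run from the customer tenant.
$mgName           = '<ManagementGroupName>'                  # placeholder
$expectedTenantId = '00000000-0000-0000-0000-000000000000'   # managedByTenantId from your parameters file

# Resource Graph lists subscriptions by ancestor chain, so subscriptions in nested child
# groups are included, matching the recursive scope of the policy assignment.
$query = @"
resourcecontainers
| where type == 'microsoft.resources/subscriptions'
| mv-expand mg = properties.managementGroupAncestorsChain
| where mg.name =~ '$mgName'
| project subscriptionId
"@
$subIds = (Search-AzGraph -Query $query -UseTenantScope).subscriptionId

# Az.ManagedServices 3.x flattens properties onto the object; older versions nest them.
function Get-ManagedByTenantId($definition) {
    if ($definition.PSObject.Properties['ManagedByTenantId']) {
        return $definition.ManagedByTenantId
    }
    return $definition.Properties.ManagedByTenantId
}

$report = foreach ($subId in $subIds) {
    Set-AzContext -SubscriptionId $subId | Out-Null
    $tenants = @(Get-AzManagedServicesDefinition | ForEach-Object { Get-ManagedByTenantId $_ })
    [pscustomobject]@{
        SubscriptionId   = $subId
        Delegated        = ($tenants -contains $expectedTenantId)
        ManagedByTenants = (($tenants | Sort-Object -Unique) -join ',')
    }
}
$report | Format-Table -AutoSize

# Delegated = False usually means the resource provider isn't registered in that
# subscription or the remediation deployment hasn't run yet; the policy compliance
# view for the assignment shows which. Any unexpected tenant id in ManagedByTenants
# is a delegation you did not configure here and should be reviewed.
$report | Where-Object { -not $_.Delegated }
```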
Next steps
- Learn more about onboarding customers to Azure Lighthouse.
- Learn about Azure Policy.
- Learn about Azure Logic Apps.