
Azure Lighthouse and Managed Applications: A Guide for CSPs and ISVs

ALIF Consulting

The demand for managed services in the cloud is skyrocketing, presenting a golden opportunity for Independent Software Vendors (ISV) and Cloud Solution Provider (CSP) partners. As businesses increasingly move to cloud-based solutions, they seek reliable partners to handle the complexities of cloud management, security, and optimization. This is where Azure Lighthouse steps in as a game-changer. Azure Lighthouse is a powerful tool designed to enable scalable, secure, and efficient multitenant management, allowing partners to manage resources across multiple customer tenants from a single control plane. This not only streamlines operations for service providers but also provides enhanced control and visibility for their customers. This blog post will delve into how Azure Lighthouse specifically benefits ISV and CSP partners, exploring practical use cases, implementation strategies, and key takeaways to help you leverage its full potential.

Key Takeaways

  • Azure Lighthouse is a crucial tool for service providers: It enables efficient management of customer resources with strong security and control.

  • ISV partners can use Azure Lighthouse to deliver managed services, enhance their SaaS offerings, and protect their IP.

  • CSP partners can leverage Azure Lighthouse to improve security and efficiency in managing their customers’ Azure subscriptions.

  • Managed Service offers in Azure Marketplace streamline customer onboarding to Azure Lighthouse.

  • Combining Azure Lighthouse with Azure Managed Applications provides flexibility and can meet diverse customer requirements.

  • Partner ID linking allows partners to track their impact and receive partner-earned credit.

  • By embracing Azure Lighthouse, ISV and CSP partners can unlock new opportunities, enhance their service offerings, and position themselves for success in the rapidly evolving cloud landscape. It is an essential tool for any partner looking to expand their managed services and maximize efficiency.

  • Azure Lighthouse and Managed Applications can be used together, such as when a service provider uses Azure Lighthouse for managed services but restricts customer access to certain resources via a managed application.

  • Cloud Solution Providers (CSPs) can use Azure Lighthouse with Administer On Behalf Of (AOBO) to enhance security through granular permissions.

  • Managed Service offers in Azure Marketplace simplify onboarding to Azure Lighthouse, with private plans available for specific customers.

  • There are no extra costs for using Azure Lighthouse.



What is Azure Lighthouse?

Azure Lighthouse is a service that enables multitenant management, allowing service providers and enterprise organizations to manage resources across multiple customer tenants efficiently. In essence, it provides a logical projection that allows service providers to access and manage customer resources without needing to switch between different portals or contexts. This is achieved through Azure delegated resource management, where customer subscriptions or resource groups are delegated to specified users and roles in the managing tenant.


Key features of Azure Lighthouse

  • Azure delegated resource management: This feature allows service providers to manage customer resources securely from within their own tenant.

  • New Azure portal experiences: These experiences allow for cross-tenant information viewing and direct work within a delegated subscription. The "My customers" page in the Azure portal displays cross-tenant information. Customers can view and manage provider access on the "Service Providers" page.

  • Azure Resource Manager (ARM) templates: ARM templates can be used for onboarding delegated customer resources and performing cross-tenant management tasks.

  • Managed Service Offers in Azure Marketplace: Service providers can offer services to customers through private or public offers in the Azure Marketplace, which automatically onboard them to Azure Lighthouse.

Benefits of Using Azure Lighthouse

Azure Lighthouse provides several key benefits:

  • Scalable management: Customer engagement and lifecycle operations to manage customer resources become more manageable and scalable. It also extends to resources hosted outside Azure.

  • Enhanced customer control and visibility: Customers have precise control over which resources are delegated and what permissions are allowed. They can audit service provider actions and remove access completely at any time. Customers retain full access to their resources.

  • Integration with existing tools and programs: Azure Lighthouse works with existing tools, APIs, Azure managed applications, and partner programs like the Cloud Solution Provider (CSP) program. It also supports various licensing models, including EA, CSP, and pay-as-you-go, so you can integrate Azure Lighthouse into existing workflows and applications.


How does Azure Lighthouse work?

Azure Lighthouse works by creating a logical projection that enables service providers to sign in to their own tenant and access resources in the customer's tenant. The customer decides which subscriptions or resource groups to delegate to the service provider, and they retain full access to those resources. Crucially, customers can remove the service provider's access at any time, ensuring full control over their environment. This logical projection allows for efficient management without compromising security.

Azure Lighthouse for ISV Partners

ISVs can benefit greatly from Azure Lighthouse, especially those offering managed services that require access to a customer's subscription. By using Azure Lighthouse, ISVs can provide a seamless experience for their customers, making it easier to deploy and manage their solutions. One way ISVs can leverage Azure Lighthouse is by offering managed services via the Azure Marketplace. This allows them to streamline the onboarding process for new customers, making their services more scalable and accessible.


Combining Azure Lighthouse with Azure Managed Applications

Azure managed applications are another way ISVs can provide services to their customers. These applications bundle resources together and deploy them into a "managed resource group" within the customer's subscription. ISVs can manage these resources and also choose to restrict customer access to them. Azure Lighthouse and Azure managed applications can be used together to enhance service delivery.

For example, a customer may want managed services delivered by a provider via Azure Lighthouse for visibility and control of the delegated subscription. However, the service provider might need to restrict the customer's access to certain resources or prevent specific actions. In this case, the ISV can deploy a managed application that contains these restricted resources and which is deployed to a resource group that is not directly accessible by the customer.


Scenarios where both are used together: A service provider might offer managed services through Azure Lighthouse so the customer has visibility into the partner's actions but also use a managed application to deploy resources that the customer should not access directly or customize.


How to use Managed Applications for specific resources: Managed applications deploy resources into a managed resource group in the customer's subscription that can be managed by the ISV, providing a way to protect intellectual property and control access. The ISV can restrict customer access (using deny assignments) to the managed resource group or grant the customer full access.


SaaS-Based Multitenant Offerings and Azure Lighthouse

Another scenario involves ISVs hosting resources in their own subscription and using Azure Lighthouse to grant customers access to those specific resources. This approach is particularly useful for SaaS-based multitenant offerings. This allows the ISV to maintain their IP in their own tenant and use their own support plan while still allowing customers to access the necessary resources. The customer logs into their own tenant to access the ISV’s resources. The ISV retains the ability to perform actions such as logging into VMs, installing apps, and performing maintenance tasks.


Hosting resources in the ISV's tenant while granting customer access: The ISV hosts the resources in their own tenant while granting customers access and maintaining their IP and control.


Security considerations and granting minimum permissions: It's crucial to grant only the minimum necessary permissions to customers accessing the ISV’s tenant. This prevents them from making unauthorized changes to the solution or accessing other ISV resources. The ISV must obtain the object ID for a user group in the customer’s Microsoft Entra tenant, along with their tenant ID, and then build an ARM template that grants the user group the appropriate permissions.


Publishing a Managed Service Offer

ISVs can streamline onboarding by publishing a managed service offer to the Azure Marketplace. This approach allows them to specify which subscriptions and resource groups should be onboarded.


Streamlining onboarding with Managed Service offers: When a customer purchases an offer, they will specify which subscriptions or resource groups should be onboarded.


Private vs Public Plans: Offers can have public plans to reach new customers or private plans, which are limited to specified subscription IDs. Once a plan is public, it cannot be changed to private.

Azure Lighthouse for CSP Partners

CSP partners who manage customer subscriptions through the CSP program can also greatly benefit from Azure Lighthouse. CSP partners have traditionally used the Administer On Behalf Of (AOBO) functionality to access their customer's subscriptions, which allows them to support, configure, and manage these subscriptions directly. Azure Lighthouse enhances this by enabling Azure delegated resource management alongside AOBO.


Using Azure delegated resource management with Administer On Behalf Of (AOBO): Azure Lighthouse can be used in conjunction with AOBO to provide more granular control over access to customer resources.


Improved security through granular permissions: Azure Lighthouse allows CSPs to assign different groups to different customers or roles. This is a significant improvement over AOBO, where any user with the Admin Agent role has full access to all CSP customer subscriptions.


Increased efficiency and scalability across multiple customer subscriptions: With Azure Lighthouse, users can work across multiple customer subscriptions using a single login in the partner tenant.


Comparison with AOBO

AOBO provides broad access to all customer subscriptions to users with the Admin Agent role. In contrast, Azure Lighthouse enables more flexibility by allowing the creation of distinct groups with specific roles and permissions, which greatly improves security by limiting unnecessary access.


Flexibility in assigning groups to customers or roles: Azure Lighthouse provides much greater flexibility in granting access than AOBO.


Reducing the number of users with full AOBO access: By using Azure Lighthouse, the number of users with the Admin Agent role (and thus with full AOBO access) can be reduced, thereby enhancing security.


Linking Partner ID to Track Impact and Receive Partner Earned Credit (PEC)

Partners in the Microsoft AI Cloud Partner Program can link their partner ID with the credentials used to manage delegated customer resources. This allows Microsoft to recognize partners who drive Azure customer success and allows CSP partners to receive partner-earned credit (PEC) for eligible customers.

Steps for linking Partner ID with a user account: A service principal account should be created in the partner’s tenant, associated with their Partner ID, and then granted access to each customer that is onboarded with an appropriate Azure built-in role.

Onboarding CSP subscriptions to Azure Lighthouse

Onboarding a subscription created through the CSP program follows the same general steps as other subscriptions. Any user with the Admin Agent role in the customer’s tenant can perform the onboarding. Managed service offers with private plans are not supported by subscriptions established through a CSP reseller. In these situations, onboarding can be done via Azure Resource Manager templates.
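The ARM-template onboarding described here, and the least-privilege grant to a customer group described earlier under "Security considerations and granting minimum permissions", both come down to the same two Microsoft.ManagedServices resources. The following is an added example (not the page's or Microsoft's own code) that builds that template and refuses grants Azure Lighthouse does not accept or that over-grant; the tenant and group IDs are constructed placeholders, and the role GUIDs are the public Azure built-in role IDs.

```python
# Azure built-in role definition IDs (public, well-known GUIDs).
ROLE_READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
ROLE_OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
ROLE_USER_ACCESS_ADMIN = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
DEFINITION_REF = ("[resourceId('Microsoft.ManagedServices/registrationDefinitions/',"
                  " variables('mspRegistrationName'))]")


def check_authorizations(authorizations):
    """Refuse grants Lighthouse rejects (Owner) or that over-grant (an unscoped
    User Access Administrator, which must carry delegatedRoleDefinitionIds)."""
    for auth in authorizations:
        role = auth["roleDefinitionId"]
        if role == ROLE_OWNER:
            raise ValueError(f"Owner cannot be delegated to {auth['principalIdDisplayName']}")
        if role == ROLE_USER_ACCESS_ADMIN and not auth.get("delegatedRoleDefinitionIds"):
            raise ValueError("User Access Administrator needs delegatedRoleDefinitionIds")
    return True


def build_delegation_template(managing_tenant_id, offer_name, authorizations):
    """Return a subscription-scope ARM template (as a dict) that delegates the
    deployment scope to managing_tenant_id with exactly the given authorizations."""
    check_authorizations(authorizations)
    return {
        "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "variables": {"mspRegistrationName": f"[guid('{offer_name}')]"},
        "resources": [
            {   # Who may manage: the managing tenant and the roles of its principals.
                "type": "Microsoft.ManagedServices/registrationDefinitions",
                "apiVersion": "2019-09-01",
                "name": "[variables('mspRegistrationName')]",
                "properties": {"registrationDefinitionName": offer_name,
                               "managedByTenantId": managing_tenant_id,
                               "authorizations": authorizations}},
            {   # Apply the definition to the subscription being deployed to.
                "type": "Microsoft.ManagedServices/registrationAssignments",
                "apiVersion": "2019-09-01",
                "name": "[variables('mspRegistrationName')]",
                "dependsOn": [DEFINITION_REF],
                "properties": {"registrationDefinitionId": DEFINITION_REF}},
        ],
    }


# Constructed placeholder IDs (not a real tenant or group).
SAMPLE_TENANT = "11111111-1111-1111-1111-111111111111"
SAMPLE_AUTHS = [{"principalId": "22222222-2222-2222-2222-222222222222",
                 "principalIdDisplayName": "Customer Ops Group",
                 "roleDefinitionId": ROLE_READER}]
```

For the ISV-hosted scenario, the same template is deployed in the ISV's own subscription with managedByTenantId set to the customer's tenant and principalId set to the customer group's object ID; for CSP onboarding it is deployed in the customer's subscription with the partner's tenant and groups.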


Conclusion

Azure Lighthouse is a powerful and versatile tool that offers significant benefits for both ISV and CSP partners. It provides a secure and scalable way to manage customer resources, enhance service delivery, and streamline operations. By adopting Azure Lighthouse, partners can improve their efficiency, security, and customer satisfaction.
