Tenants, users, and roles in Azure Lighthouse scenarios

Before onboarding customers for Azure Lighthouse, it's important to understand how Microsoft Entra tenants, users, and roles work, and how they can be used in Azure Lighthouse scenarios.

A tenant is a dedicated and trusted instance of Microsoft Entra ID. Typically, each tenant represents a single organization. Azure Lighthouse enables logical projection of resources from one tenant to another tenant. Users in the managing tenant, such as one belonging to a service provider, can access delegated resources in a customer's tenant. Enterprises with multiple tenants can also use Azure Lighthouse to centralize their management operations.

To achieve this logical projection, you must onboard a subscription (or one or more resource groups within a subscription) in the customer tenant to Azure Lighthouse. You can complete the onboarding process either through Azure Resource Manager templates or by publishing a public or private offer to Microsoft Marketplace.

With either onboarding method, you need to define authorizations. Each authorization includes a principalId (a Microsoft Entra user, group, or service principal in the managing tenant) combined with a built-in role that defines the specific permissions granted for the delegated resources.

Note

Unless explicitly specified, references to a "user" in the Azure Lighthouse documentation can apply to a Microsoft Entra user, group, or service principal in an authorization.

Best practices for defining Azure Lighthouse users and roles

When creating your authorizations, follow these best practices:

  • Whenever possible, assign permissions to a Microsoft Entra user group or service principal, rather than to a series of individual user accounts. By using this approach, you can add or remove access for individual users through your tenant's Microsoft Entra ID without needing to update the delegation every time your individual access requirements change.
  • Follow the principle of least privilege. To reduce the chance of inadvertent errors, users should have only the permissions needed to perform their specific job. For more information, see Recommended security practices.
  • Include an authorization with the Managed Services Registration Assignment Delete Role so that you can remove access to the delegation if needed. If you don't assign this role, only a user in the customer's tenant can remove access to delegated resources.
  • Ensure that any user who needs to view the My customers page in the Azure portal has the Reader role (or another built-in role that includes Reader access).

Important

To add permissions for a Microsoft Entra group, set the Group type to Security. You select this option when you create the group.

Role support for Azure Lighthouse

When you define an authorization, you assign each user account one of the Azure built-in roles. Azure Lighthouse doesn't support custom roles or classic subscription administrator roles.

Azure Lighthouse supports all built-in roles, except for the following roles:

  • The Owner role isn't supported.

  • The User Access Administrator role is supported, but only for the limited purpose of assigning roles to a managed identity in the customer tenant. No other permissions typically granted by this role apply. If you define a user with this role, you must also specify the roles that this user can assign to managed identities.

  • Roles with DataActions permission aren't supported.

  • Roles that include any of the following actions aren't supported:

    • Microsoft.Authorization/*
    • Microsoft.Authorization/*/write
    • Microsoft.Authorization/*/delete
    • Microsoft.Authorization/roleAssignments/write
    • Microsoft.Authorization/roleAssignments/delete
    • Microsoft.Authorization/roleDefinitions/write
    • Microsoft.Authorization/roleDefinitions/delete
    • Microsoft.Authorization/classicAdministrators/write
    • Microsoft.Authorization/classicAdministrators/delete
    • Microsoft.Authorization/locks/write
    • Microsoft.Authorization/locks/delete
    • Microsoft.Authorization/denyAssignments/write
    • Microsoft.Authorization/denyAssignments/delete

Important

When assigning roles, review the actions specified for each role. Even though Azure Lighthouse doesn't support roles with DataActions permission, some actions included in a supported role might allow access to data. This access generally occurs when data is exposed through access keys, not accessed via the user's identity. For example, the Virtual Machine Contributor role includes the Microsoft.Storage/storageAccounts/listKeys/action action, which returns storage account access keys that could be used to retrieve certain customer data.

In some cases, a role that Azure Lighthouse previously supported becomes unavailable. For example, if the DataActions permission is added to a role that previously didn't have that permission, you can't use that role when onboarding new delegations. Users who are already assigned that role can still work on previously delegated resources, but they can't perform any tasks that use the DataActions permission.

As soon as Microsoft adds a new applicable built-in role to Azure, you can assign it when onboarding a customer using Azure Resource Manager templates. There might be a delay before the newly added role becomes available in Partner Center when publishing a managed service offer. Similarly, if a role becomes unavailable, you might still see it in Partner Center for a while, but you can't publish new offers that use such roles.
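To make the role rules above checkable before you onboard a delegation, here is an added example (not code from the original page or from Microsoft): it validates each authorization entry against the unsupported-role rules and flags the best-practice gap of having no Managed Services Registration Assignment Delete Role. It assumes simplified, constructed role definitions keyed by role name rather than by roleDefinitionId GUID, that a User Access Administrator entry carries its permitted roles in the template's delegatedRoleDefinitionIds property, and that a wildcard role action such as `Microsoft.Authorization/*` counts as covering the listed actions.

```python
import fnmatch
# Actions that the page lists as making a built-in role unusable in Azure Lighthouse.
UNSUPPORTED_ACTIONS = {
    "Microsoft.Authorization/*",
    "Microsoft.Authorization/*/write",
    "Microsoft.Authorization/*/delete",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleDefinitions/delete",
    "Microsoft.Authorization/classicAdministrators/write",
    "Microsoft.Authorization/classicAdministrators/delete",
    "Microsoft.Authorization/locks/write",
    "Microsoft.Authorization/locks/delete",
    "Microsoft.Authorization/denyAssignments/write",
    "Microsoft.Authorization/denyAssignments/delete",
}
DELETE_ROLE = "Managed Services Registration Assignment Delete Role"
# Constructed, simplified role definitions keyed by name (real templates use roleDefinitionId GUIDs).
SAMPLE_ROLES = {
    "Owner": {"actions": ["*"], "dataActions": []},
    "Reader": {"actions": ["*/read"], "dataActions": []},
    "User Access Administrator": {"actions": ["*/read", "Microsoft.Authorization/*"], "dataActions": []},
    DELETE_ROLE: {"actions": ["Microsoft.ManagedServices/registrationAssignments/delete"], "dataActions": []},
    "Storage Blob Data Reader": {"actions": ["Microsoft.Storage/storageAccounts/read"], "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]},
    "Virtual Machine Contributor": {"actions": ["Microsoft.Compute/virtualMachines/*", "Microsoft.Storage/storageAccounts/listKeys/action"], "dataActions": []},
}

def check_authorization(auth, roles=SAMPLE_ROLES):
    """Apply the page's role rules to one authorization entry; returns (errors, warnings)."""
    name, role = auth["roleName"], roles[auth["roleName"]]
    errors = ["Owner role isn't supported"] if name == "Owner" else []
    if role["dataActions"]:
        errors.append("roles with DataActions aren't supported")
    if name == "User Access Administrator":  # usable only to assign roles to managed identities
        if not auth.get("delegatedRoleDefinitionIds"):
            errors.append("User Access Administrator requires delegatedRoleDefinitionIds")
    else:  # exact match, or a wildcard role action covering a listed one (wildcard handling is an assumption)
        errors += [f"unsupported action {a}" for a in role["actions"]
                   if any(a == u or fnmatch.fnmatchcase(u, a) for u in UNSUPPORTED_ACTIONS)]
    # Actions that hand out access keys expose data even without DataActions (the page's caveat).
    warnings = [f"{a} exposes data via access keys" for a in role["actions"] if a.endswith("/listKeys/action")]
    return errors, warnings

def check_delegation(auths, roles=SAMPLE_ROLES):
    """Check every authorization, plus the best practice of keeping a way to remove the delegation."""
    problems = [(f'{a["principalId"]}:{a["roleName"]}',) + check_authorization(a, roles) for a in auths]
    if not any(a["roleName"] == DELETE_ROLE for a in auths):
        problems.append(("delegation", [f"no authorization with {DELETE_ROLE}"], []))
    return problems
```

Each entry in the returned list is (label, errors, warnings); an empty errors list means the authorization would be accepted under the rules above, while warnings mark key-based data exposure to review before onboarding.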

Transferring delegated subscriptions between Microsoft Entra tenants

If you transfer a subscription to another Microsoft Entra tenant account, the registration definition and registration assignment resources that the Azure Lighthouse onboarding process creates stay intact. This preservation means that the access you grant through Azure Lighthouse to managing tenants continues for that subscription (or for delegated resource groups within that subscription).

The only exception is if you transfer the subscription to a Microsoft Entra tenant to which it was previously delegated. In this case, the delegation resources for that tenant are removed and the access granted through Azure Lighthouse no longer applies, since the subscription now belongs directly to that tenant (rather than being delegated to it through Azure Lighthouse). However, if you also delegated that subscription to other managing tenants, those other managing tenants keep the same access to the subscription.

Next steps