What is Azure Lighthouse?


Whether you are a service provider looking for new tenants, an organization with multiple cost centers, or a business outsourcing your development, you should be excited about the latest features which come with Azure Lighthouse. At its core, Azure Lighthouse uses the Azure Delegated Resource Management (ADRM) service to allow trusted users to manage all Azure resources from within a single interface. I fall under the latter category: I run a technology company with my CTO based in the US, my web developers in the Czech Republic, and my mobile developers in Mexico. At one point we had 8 Azure subscriptions. It took as long to figure out the right credentials, subscription, directory, and find the resource, as it did to perform the management task. Ultimately, we went through a time-consuming consolidation project to migrate these accounts under a single subscription, but Azure Lighthouse would have solved our problems from the beginning. This is a multi-part blog series with this first post focusing on the benefits of Azure Lighthouse to Managed Service Providers (MSPs), their tenant customers, and the Azure Marketplace ecosystem. We’ll dig deeper into specifics as the series progresses.


Azure Lighthouse Benefits for Managed Service Providers (MSPs)

While Azure Lighthouse can benefit any distributed organization, its core toolset is designed to help service providers who need limited access to their clients’ resources. Through the centralized management of all resources, it is now easy for MSPs to scale their operational efficiency, standardize their services, automate operations, and increase security and compliance. This unified view of all managed resources can now be seen through either the Azure Portal GUI, or interfaced through scripting with Azure PowerShell or Azure APIs, and there is full feature parity between all these management interfaces. Basically, Azure Lighthouse adds a new management layer at the customer level, allowing MSPs to add, sort and delegate access to all Azure resources which their tenants have permitted them to view, edit, create or delete. Service providers can now spend more time on enhancing their core competencies, adding new services, and finding new clients, instead of performing repetitive tasks across multiple accounts. These new capabilities are offered through Microsoft Azure for free, although the underlying cloud resources which are consumed are still billed to the service provider or tenant.

By being able to centrally manage hundreds of tenant accounts, Azure Lighthouse offers MSPs new operational efficiencies through automation. Through either the GUI or scripts, service providers can programmatically perform tasks against thousands of resources at once, provided that they are managed by Azure Resource Manager (ARM). This includes reporting, alerting, querying, servicing, security updates or even running custom scripts to deploy a new service. Now it is easy to run a global query to discover customers’ virtual machines (VMs) which need to be patched, or determine whether any ports are vulnerable to the latest malware attack. This comprehensive view also makes it easier to detect configuration drift or determine if mistakes were made due to human error or unplanned changes. There are a variety of ARM templates offered through Microsoft (as well as GitHub) to automate your tenant management at scale, such as deploying resource groups, configuring resilient storage and enabling Azure Security Center.


The security enhancements provided by Azure Lighthouse are bilateral, helping both MSPs and tenants. Since the service provider can now use delegated access to manage their tenants’ resources, they can keep any custom scripts or templates under their own management, and do not need to run them directly in their tenants’ environment. This means that tenants cannot view any proprietary scripts from the service provider, allowing MSPs to protect their own intellectual property (IP). If an MSP admin leaves the organization, the service provider can remove access for that user, offloading the user management responsibility from their tenant. Since MSPs can offer more services with less effort, they can maximize their profits or pass on the cost savings to their customers.

Azure Lighthouse Benefits to Tenant Customers

Azure Lighthouse was not just designed to make the life of MSPs easier, but also for their customers. In addition to running my own business on Azure, I recently helped my family’s company migrate their website to Azure. After their account was created, I needed access to their subscription, but the process of granting me access was not easy for my non-technical family members and ultimately, they just gave me their password so I could give myself access. This is a significant security liability, and unfortunately, some tenants operate this way by just trusting that their MSP, and every one of their employees, have good intentions.

This is where another major benefit of Azure Lighthouse is realized for customers and tenants: easy-to-approve delegated access. It makes granting access to resources easy for tenants, as their MSPs can request access which the tenant sees in a dashboard, or the tenant can purchase a plan through the Azure Marketplace which configures the appropriate permissions. An advanced tenant can even configure which of the 70+ Azure user roles has access to each of their resources. This is one of the core security benefits: the MSP is limited to performing only specific actions against approved resources. This is different from the Azure Cloud Solution Provider (CSP) program, where tenants are required to grant full access to their MSP.
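One way a tenant could check what an offer delegates before approving it, as an added example that is not code from the original post or from Microsoft: it reads a `Microsoft.ManagedServices/registrationDefinitions` resource, the ARM form in which a Lighthouse offer lists its authorizations, and flags roles outside an approved list. The sample offer, its tenant and principal IDs, the function names and the review policy are constructed assumptions; the role GUIDs are Azure's built-in role IDs.

```python
import json

# Built-in Azure role definition IDs (the same GUIDs in every tenant).
BUILT_IN_ROLES = {
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}
BROAD_ROLES = {"Contributor", "User Access Administrator"}  # example policy (assumption)

def role_name(role_id):
    return BUILT_IN_ROLES.get(role_id.lower(), "unknown role " + role_id)

def review_offer(definition, msp_tenant_id, approved_roles):
    """Return (severity, principal, detail) findings for one delegation offer."""
    props = definition["properties"]
    findings = []
    if props["managedByTenantId"].lower() != msp_tenant_id.lower():
        findings.append(("reject", "-", "delegates to an unexpected tenant"))
    for auth in props["authorizations"]:
        who = auth.get("principalIdDisplayName", auth["principalId"])
        role = role_name(auth["roleDefinitionId"])
        if role not in approved_roles:
            findings.append(("reject", who, role + " is not an approved role"))
        elif role in BROAD_ROLES:
            findings.append(("review", who, role + " is broad; ask for a narrower role"))
        # Roles this principal may assign onward (used with User Access Administrator).
        for rid in auth.get("delegatedRoleDefinitionIds", []):
            if role_name(rid) not in approved_roles:
                findings.append(("reject", who, "can assign unapproved " + role_name(rid)))
    return findings

# Constructed sample offer: tenant and principal IDs and names are made up for illustration.
SAMPLE_OFFER = json.loads("""{
  "type": "Microsoft.ManagedServices/registrationDefinitions",
  "properties": {
    "managedByTenantId": "00000000-0000-0000-0000-000000000001",
    "authorizations": [
      {"principalId": "00000000-0000-0000-0000-0000000000a1", "principalIdDisplayName": "MSP monitoring team",
       "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"},
      {"principalId": "00000000-0000-0000-0000-0000000000a2", "principalIdDisplayName": "MSP operations team",
       "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"},
      {"principalId": "00000000-0000-0000-0000-0000000000a3", "principalIdDisplayName": "MSP automation account",
       "roleDefinitionId": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
       "delegatedRoleDefinitionIds": ["b24988ac-6180-42a0-ab88-20f7382dd24c"]}
    ]}}""")

if __name__ == "__main__":
    for finding in review_offer(SAMPLE_OFFER, "00000000-0000-0000-0000-000000000001", {"Reader", "Contributor"}):
        print(finding)
```

Passing a stricter approved set, such as only Reader, turns the Contributor grant and the onward-assignable Contributor role into rejections as well.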

Customers also have transparency into every action on each resource taken by their service provider, through logging and auditing. Each tenant is fully isolated from their peers to ensure that actions performed by the MSP on another tenant will not interfere with their systems if the change is unauthorized. The tenants still maintain full control of their budget and billing. They can provide their own licenses, get billed directly for services from the MSP, or purchase a service directly through the Azure Marketplace, provided that consumption can be metered through ARM.

Azure Lighthouse Benefits to the Azure Marketplace Ecosystem

The opportunities that the Azure Lighthouse program presents to MSPs and tenants extend to the Azure Marketplace, creating a new category of “Managed Services”. A certified service provider can quickly publish their services to all Azure users, allowing tenants to have a global selection of MSPs to work with. MSPs can make their offerings public and accessible to anyone, or private if only preapproved customers are allowed to subscribe. When a customer is interested in purchasing a plan, they can see exactly what level of access the MSP will be granted to each resource. If the tenant accepts the offer, the onboarding is streamlined and highly automated. The service provider can support any Azure licensing model, including pay-as-you-go, EA, and CSP. Within a few minutes, the MSP will be given access to the tenant’s environment to start delivering their services.


Ultimately, Azure Lighthouse provides a better management experience for everyone. Even independent software developers (ISVs) are leveraging Azure Lighthouse to upsell their software by also including deployment and support services, and we’ll be talking about that more in an upcoming segment. Azure Lighthouse easily plugs into existing programs and solutions, so now ISVs can spend more time with their customers and less time managing credentials. Stay tuned for the next post in this series to learn more!

What about you? Do you see this fixing the management pain with Azure and multiple customers? Why or why not? Let us know in the comments section below!
