Azure Lighthouse

Balamuruga prasath M 1 Reputation point
2022-03-04T06:43:11.25+00:00

We own two different tenants.

E.g., Tenant A & Tenant B

In Tenant A we are managing user accounts and mailboxes.

In Tenant B we are deploying and managing our cloud application. Currently, Tenant A users are invited as guest users in Tenant B, and those guest users are given Owner and Contributor access at the resource and subscription level for management.

We would like to integrate these two tenants to avoid switching between directories and to avoid the use of guest users.

Our requirement is to avoid adding Tenant A users as guest users in Tenant B for resource management; Tenant A users should be able to manage the resources in Tenant B directly.

Can Azure Lighthouse solve this requirement?


1 answer

  1. Andrew Blumhardt 9,491 Reputation points Microsoft Employee
    2022-03-04T07:44:32.147+00:00

    I like to compare Lighthouse to an on-premises, one-way, cross-forest trust.

    Security groups in Tenant A are granted access to RBAC roles assigned at the subscription or RG level in Tenant B. This is a one-way or parent-child relationship. The relationship is defined by a simple ARM template.

    Admins in Tenant A manage adding and removing users from the Lighthouse groups. All Tenant B admins need to do is authorize the agreement and monitor the activity. The activity logs in Tenant B will show all actions by Tenant A down to the user level.

    Tenant A manages the relationship in "My Customers" and Tenant B has "My Providers".

    This reduces the need for guest accounts. It reduces the need to switch directories. There are some admin actions that require a tenant-local account, for example activating a Sentinel connector. Also, Lighthouse is currently limited to built-in admin roles. Good for day-to-day administration and solution provider access.

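A minimal ARM template for the delegation the answer describes, written here as an added example (it is not from the page or from Microsoft's published samples): Tenant B deploys it at subscription scope, and it grants a Tenant A security group the built-in Contributor role on that subscription. The Tenant A directory ID and the group's object ID are parameters to be supplied; the offer name and display name are constructed placeholders, and the role ID is the well-known built-in Contributor role definition ID (Lighthouse does not allow delegating the Owner role, which is why Contributor is used rather than the Owner access the question mentions).

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "managedByTenantId": {
      "type": "string",
      "metadata": { "description": "Tenant A directory (tenant) ID, supplied at deployment time" }
    },
    "cloudAdminsGroupId": {
      "type": "string",
      "metadata": { "description": "Object ID of the Tenant A security group that will manage Tenant B resources" }
    }
  },
  "variables": {
    // Constructed placeholder names; ARM accepts // comments in templates.
    "offerName": "Tenant A cloud application management",
    "registrationName": "[guid(variables('offerName'))]",
    "assignmentName": "[guid(variables('offerName'))]",
    // Built-in Contributor role definition ID (same in every Azure tenant).
    "contributorRoleId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
  },
  "resources": [
    {
      // Describes the offer: who (Tenant A) may act, as which principal, in which role.
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2019-09-01",
      "name": "[variables('registrationName')]",
      "properties": {
        "registrationDefinitionName": "[variables('offerName')]",
        "description": "One-way delegation of this Tenant B subscription to Tenant A",
        "managedByTenantId": "[parameters('managedByTenantId')]",
        "authorizations": [
          {
            "principalId": "[parameters('cloudAdminsGroupId')]",
            "principalIdDisplayName": "Tenant A Cloud Admins",
            "roleDefinitionId": "[variables('contributorRoleId')]"
          }
        ]
      }
    },
    {
      // Binds the definition to the subscription the template is deployed into.
      "type": "Microsoft.ManagedServices/registrationAssignments",
      "apiVersion": "2019-09-01",
      "name": "[variables('assignmentName')]",
      "dependsOn": [ "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationName'))]" ],
      "properties": {
        "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationName'))]"
      }
    }
  ]
}
```

Membership of the Tenant A group is what Tenant A admins then add and remove, as the answer says; Tenant B's activity log still records each action under the individual Tenant A user.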