Azure Lighthouse and CAF / ESLZ

DaZzLa 61 Reputation points
2022-05-17T14:34:03.19+00:00

Hi guys,

I'm working for an MSP who is setting up customers based on the CAF / Enterprise Scale Landing Zone concept.

Therefore we are setting up some core subscriptions like a Management Sub, Connectivity Sub and so on.
The workloads and services have their own landing zone subscriptions.

We are currently leveraging Azure Lighthouse to get rid of guest invites and inefficient and insecure user management.

My plan is to set up different Lighthouse templates for the app/product teams, which are then onboarded to the specific landing zone subscriptions (least privilege).
Now it gets tricky: I want to make sure that app teams cannot modify the core subscriptions like the Connectivity sub. But at the same time they need Read access on it, e.g. to use the Azure Bastion host to jump onto VMs. I can't use the same template as for the landing zone subscription, because it contains Contributor access.

I thought about creating a special "Reader" template which contains all app/service groups from managing tenant. But that would give certain groups read access to some customers where they might not even provide their service.

Any suggestions on this? It feels like Lighthouse shows its limits in terms of CAF subscription setup.

BR


1 answer

  1. tbgangav-MSFT 10,386 Reputation points
    2022-05-27T14:07:21.613+00:00

    Hi @DaZzLa ,

    As Azure Lighthouse currently provides granular access down to the Resource Group level but not at the Resource level, I believe you should design something around a Lighthouse template with multiple Resource Group deployment delegations or authorizations. If you haven't already checked, I would recommend checking these templates, especially the Resource Group related templates, and this Azure Lighthouse video.

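The risk the question raises is that a single Lighthouse template can silently carry Contributor into a core subscription such as Connectivity. One defender-side control that fits the answer's approach (separate, narrowly scoped templates per delegation) is to lint each template's parameters file before it is published, so a template classed as "core" can only ever contain Reader. The script below is an added example written for this thread; it is not code from Microsoft, the questioner, or the Azure-Lighthouse-samples repository. The parameters file shape (`parameters.authorizations.value[]` with `principalId`, `principalIdDisplayName`, `roleDefinitionId`) matches the Lighthouse sample templates, and the three role GUIDs are the well-known built-in role definition IDs; the `ALLOWED_ROLES` policy, the template class names and all principal IDs and display names are constructed for the example.

```python
"""Lint Azure Lighthouse parameter files against a per-template role policy.

Added example for this Q&A thread, not part of any Microsoft sample.
Idea: an MSP keeps one parameters file per delegation. Files classed as
"core" (Management, Connectivity, ...) may grant only Reader; files classed
as "landing-zone" may grant Contributor. Anything else is a violation that
should block the template from being published or deployed.
"""
import json

# Well-known Azure built-in role definition IDs (fixed across all tenants).
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"

# Constructed policy for this example: strict allow-list per template class.
# Unknown or custom role IDs are rejected, so a typo cannot widen access.
ALLOWED_ROLES = {
    "core": {READER},
    "landing-zone": {READER, CONTRIBUTOR},
}


def lint_authorizations(template_class, authorizations):
    """Return a list of 'principal -> role' strings that breach the policy."""
    allowed = ALLOWED_ROLES[template_class]
    violations = []
    for auth in authorizations:
        role = auth.get("roleDefinitionId", "").lower()
        name = auth.get("principalIdDisplayName") or auth.get("principalId", "?")
        if role not in allowed:
            violations.append(f"{name} -> {role}")
    return violations


def lint_parameters_file(text, template_class):
    """Parse a Lighthouse parameters JSON document and lint its authorizations."""
    doc = json.loads(text)
    # Shape used by the Lighthouse sample parameter files.
    auths = doc["parameters"]["authorizations"]["value"]
    return lint_authorizations(template_class, auths)


# Constructed sample: a "core" parameters file where a Contributor entry
# slipped in (the mistake the question is trying to rule out).
CORE_PARAMETERS = json.dumps({
    "parameters": {
        "mspOfferName": {"value": "Example MSP - core subscriptions (read-only)"},
        "managedByTenantId": {"value": "00000000-0000-0000-0000-000000000000"},
        "authorizations": {"value": [
            {"principalId": "11111111-1111-1111-1111-111111111111",
             "principalIdDisplayName": "app-team-a",
             "roleDefinitionId": READER},
            {"principalId": "22222222-2222-2222-2222-222222222222",
             "principalIdDisplayName": "app-team-b",
             "roleDefinitionId": CONTRIBUTOR},
        ]},
    }
})


if __name__ == "__main__":
    for cls in ("core", "landing-zone"):
        problems = lint_parameters_file(CORE_PARAMETERS, cls)
        status = "FAIL" if problems else "OK"
        print(f"[{status}] as {cls}: {problems}")
```

Run it in CI against every parameters file in the Lighthouse template repository, mapping each file to its class by folder or naming convention, and fail the pipeline on any violation. The same file passes when classed as a landing zone and fails when classed as core, which is exactly the separation the question asks for.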