As a CSP, did you find an "efficient" solution for managing customer access? (Azure + M365)

JND 0 Reputation points
2024-11-12T17:10:22.38+00:00

Hello,

As a Cloud Service Provider (CSP), we are in search of a comprehensive solution that can fully support our needs in managing our customers' Azure and Microsoft 365 tenants. Our customers may utilize Azure, Microsoft 365, or both, and we need a unified approach to manage these environments effectively.

After evaluating the various solutions provided by Microsoft, we have yet to find one that fully meets our requirements across all scenarios. Here’s a summary of the limitations we’ve encountered:

·         GDAP: While GDAP provides some support, it lacks granular control over Azure object permissions and does not allow us to assign users to groups or specific object permissions due to hidden foreign accounts.

·         Lighthouse: This tool restricts permissions to the Contributor level, preventing Owner-level access and limiting our administrative flexibility.

·         Guest Account / Cross-Tenant Sync: Guest accounts cannot be used to connect to VMs, as they are shadow accounts without locally stored passwords.

·         Local Account: While local accounts cover the full scope of permissions, roles, and VM access, they require creating individual accounts for each user within each customer tenant—a highly inefficient solution for scaling. Licencing not applied as Guest accounts for using Access Package and PIM.

·         Azure AD Connect: This solution requires a local Active Directory, and add customer implementation and maintenance complexity, with high difficulty for automating the whole onboarding/account lifecycle process.

Ideally, we want a solution that enables a single, centralized account and password for each member of our technical teams (Support, Network, Development, etc.), allowing them to manage all customer Azure and Microsoft 365 environments with the least privilege required (Permission managed by Groups for being able to easily adapt the permissions in a centralized/automated way)

At present, each Microsoft solution only partially addresses these needs and comes with inherent limitations. We’re left wondering why Microsoft has not considered consolidating these tools (GDAP, Lighthouse, Guest Accounts, etc.) into a single, cohesive solution that meets CSPs’ needs holistically, enabling centralized, unified access management.

At one point, we believed we had found a workaround by using GDAP from our CSP Root Tenant for Microsoft 365 administration and adding cross-tenant synchronization to create guest accounts from the same root tenant. This approach would have allowed us to maintain a single login and password for both Azure and Microsoft 365, with least privilege access managed by groups. However, we soon discovered that GDAP does not support guest accounts from the same tenant, and creating a separate tenant for guest accounts simply reintroduces the need for multiple accounts—precisely what we want to avoid.

These improvements would helps, but it seems these points are blocking points by design :

  • Enable guest accounts to connect to VMs
  • Allow granular access control with foreign accounts, including visibility and the ability to add foreign accounts to local groups.
  • Support the use of foreign and guest accounts synchronized from the same source tenant.

It feels as though Microsoft’s various departments are developing solutions without a unified perspective on CSP identity and access requirements. It’s disappointing to see the considerable effort put into developing these tools without addressing the core need for centralized, single-account administration without limitations.

If anyone has seriously studied/found a solution for addressing all of these points :

  1. A single account and password per user administring customers
  2. The same account and password should be valid across all customers.
  3. Granular permission control (having only the option to assign full Owner access across the entire Azure tenant is not acceptable).
  4. All permissions should be assigned via groups containing the single user or guest user.
  5. No restrictions on user capabilities: users must be able to manage Microsoft 365, Azure, connect to VMs, user powershell cmdlt... and hold Owner permissions if required.
  6. Actions for customer onboarding and account life cycle (create/move/deletion) that can be automated (Powershell, Azue functions... )
  7. Ideally, usage of PIM for elevation of high privileges

please let me know.

Thanks,

JND.

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
8,124 questions
Azure Lighthouse
Azure Lighthouse
An Azure service that provides secure managed services and access control for partners and customers.
79 questions
Microsoft Partner Center
Microsoft Partner Center
A Microsoft website for partners that provides access to product support, a partner community, and other partner services.
1,034 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,496 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Raja Pothuraju 9,295 Reputation points Microsoft Vendor
    2024-11-18T15:02:46.87+00:00

    Hello @JND,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I understand that your query involves multiple service areas in Azure. Allow me to provide an explanation specific to my area of expertise.

    Guest Account / Cross-Tenant Sync: Guest accounts cannot be used to connect to VMs, as they are shadow accounts without locally stored passwords.

    This is a well-known limitation (or by design) regarding VM sign-in with Microsoft Entra Guest accounts. Microsoft Entra Guest accounts cannot connect to Azure VMs or Azure Bastion-enabled VMs using Microsoft Entra authentication.

    For further details, please refer to the official documentation:

    Authentication requirements for Azure VM sign-in

    Automating Customer Onboarding and Account Lifecycle Management

    You can simplify customer onboarding and manage account lifecycles effectively using Lifecycle Workflows in Microsoft Entra ID Governance. Additional governance capabilities include:

    • Entitlement Management
    • Access Reviews
    • Privileged Identity Management (PIM)

    Please review the following resources for detailed guidance:

    Lifecycle Workflows Deployment

    Entitlement Management Scenarios

    Privileged Identity Management Deployment Plan

    Using a single account to manage all customer tenants across Azure services may lead to limitations, such as the inability to sign in to VMs with guest accounts. These restrictions make managing multiple tenants less user-friendly.

    As you are already aware of these challenges, I would recommend requesting this on the Microsoft Feedback Portal. This is a great way to let them know how important this feature is for your organization. You can provide details with Microsoft can help push for the development of more integrated solutions in the future about how would benefit your use case and any other relevant information as Engineers constantly check there for features.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.