Marvin-1605 asked tbgangav-MSFT commented

Azure Lighthouse and CAF / ESLZ

Hi guys,

I'm working for an MSP who is setting up customers based on the CAF / Enterprise Scale Landing Zone concept.

Therefore we are setting up some core subscriptions like a Management Sub, Connectivity Sub and so on.
The workloads and services have their own landing zone subscriptions.

We are currently leveraging Azure Lighthouse to get rid of guest invites and inefficient and insecure user management.

My plan is to set up different Lighthouse templates for the app/product teams, which are then onboarded to the specific landing zone subscriptions (least privilege).
Now it gets tricky: I want to make sure that app teams cannot modify the core subscriptions like the Connectivity sub. But at the same time they need Read access on it, e.g. to use the Azure Bastion host to jump onto VMs. I can't use the same template as for the landing zone subscription, because it contains Contributor access.

I thought about creating a special "Reader" template which contains all app/service groups from managing tenant. But that would give certain groups read access to some customers where they might not even provide their service.

Any suggestions on this? It feels like Lighthouse shows its limits in terms of CAF subscription setup.


Hi @Marvin-1605,

As Azure Lighthouse currently provides granular access down to the Resource Group level but not at the Resource level, I believe you should design something around a Lighthouse template with multiple Resource Group deployment delegations or authorizations. If you haven't already checked, then I would recommend checking these templates, especially the Resource Group related templates, and this Azure Lighthouse video.

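The resource-group-scoped delegation suggested above, written out as an added example (not code from the thread or from Microsoft's Lighthouse samples): a subscription-level ARM template for the customer's Connectivity subscription that creates a Reader-only registration definition for one app team's group and assigns it solely to the resource group holding Azure Bastion. The parameter names, the `rg-hub-bastion` default, and the assumption that the Bastion host and the hub VNet share that one resource group are mine; the MSP deploys one instance per customer and app team, so a group is only ever delegated into customers it actually serves.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "managedByTenantId": { "type": "string", "metadata": { "description": "Tenant ID of the MSP (managing) tenant" } },
    "appTeamGroupId": { "type": "string", "metadata": { "description": "Object ID of this customer's app-team group in the MSP tenant (assumed parameter)" } },
    "bastionRgName": { "type": "string", "defaultValue": "rg-hub-bastion", "metadata": { "description": "Connectivity RG holding Bastion and the hub VNet (assumed name)" } }
  },
  "variables": {
    "offerName": "App team read-only access to hub Bastion",
    "readerRoleId": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "registrationName": "[guid(variables('offerName'), parameters('appTeamGroupId'))]"
  },
  "resources": [
    {
      "comments": "Definition is created at subscription scope but carries Reader only; no Contributor anywhere in this template",
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2019-06-01",
      "name": "[variables('registrationName')]",
      "properties": {
        "registrationDefinitionName": "[variables('offerName')]",
        "managedByTenantId": "[parameters('managedByTenantId')]",
        "authorizations": [
          { "principalId": "[parameters('appTeamGroupId')]", "principalIdDisplayName": "App team (MSP tenant group)", "roleDefinitionId": "[variables('readerRoleId')]" }
        ]
      }
    },
    {
      "comments": "Assignment is scoped to the Bastion RG only; the rest of the Connectivity subscription is not delegated at all",
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-06-01",
      "name": "assignBastionRg",
      "resourceGroup": "[parameters('bastionRgName')]",
      "dependsOn": [ "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationName'))]" ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.ManagedServices/registrationAssignments", "apiVersion": "2019-06-01",
              "name": "[variables('registrationName')]",
              "properties": { "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationName'))]" }
            }
          ]
        }
      }
    }
  ]
}
```

The landing-zone subscriptions keep their separate Contributor template; after deployment, check the customer's Service providers blade (or the MSP's My customers blade) to confirm the Connectivity delegation lists only the Bastion resource group and only the Reader role.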

0 Answers