Share via

Azure Lighthouse - Assigning IAM permissions to users

Shalom Washington 0 Reputation points
2024-08-20T13:31:05.6933333+00:00

Aloha, all:

My MSP team and I have been using both Azure and M365 Lighthouse for a few months now. Now we're pretty comfortable with it, we've an ongoing project to remove all our native accounts from customer environments.

Going through the benefits and drawbacks of removing them, we came to the conclusion that the key functionality we're missing is the ability to assign IAM roles to customer resources. Azure Lighthouse templates can't assign the below roles, and these roles have the ability to manage roles access

Role IDRole8e3af657-a8ff-443c-a75c-2fe8c4bcb635Owner8e3af657-a8ff-443c-a75c-2fe8c4bcb635Ownerf58310d9-a9f6-439a-9e8d-f62e7b41a168Role Based Access Control Administrator18d7d88d-d35e-4fb5-a5c3-7773c20a72d9User Access AdministratorLet's say a customer need a new LAW set up and want to give a specific Entra group "Log Analytics Contributor" for the resource. We can create the Workspace with Contributor (Highest Azure Lighthouse permission), but I don't know how we'd assign permissions to the workspace.

I then though about using M365 Lighthouse to hop into the customer's Entra ID and grant GA access to manage Subscriptions (pictured below), but the option is greyed out

Image

Has anyone else encountered this? What's does everyone else do in situations like this?

Azure Lighthouse
Azure Lighthouse
An Azure service that provides secure managed services and access control for partners and customers.
78 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Prashant Kumar 780 Reputation points Microsoft Employee
    2024-08-23T13:04:02.97+00:00

    Hi Shalom,

    The owner role can do Role Assignments, but Azure Lighthouse does not allow delegating Owner role.

    If you just want to assign roles to the managed identity of resources, you can delegate yourself User Access Admin role which will allow you to assign roles to the managed identity.

    Reference: https://learn.microsoft.com/en-us/azure/lighthouse/how-to/onboard-customer#create-your-template-manually

    ""The last authorization in the example adds a principalId with the User Access Administrator role (18d7d88d-d35e-4fb5-a5c3-7773c20a72d9). When assigning this role, you must include the delegatedRoleDefinitionIds property and one or more supported Azure built-in roles. The user created in this authorization will be able to assign these roles to managed identities in the customer tenant, which is required in order to deploy policies that can be remediated. The user is also able to create support incidents. No other permissions normally associated with the User Access Administrator role will apply to this principalId.""

  2. SadiqhAhmed-MSFT 46,036 Reputation points Microsoft Employee
    2024-08-23T20:34:59.7566667+00:00

    @Shalom Washington Greetings!

    In an MSP (Managed Service Provider) scenario using Azure Lighthouse and M365 Lighthouse, assigning specific IAM (Identity and Access Management) roles to customer resources, such as a Log Analytics workspace, can be challenging if certain roles are not assignable via Azure Lighthouse.

    Azure Lighthouse templates indeed have limitations when it comes to assigning certain roles, such as Owner, Role Based Access Control Administrator, and User Access Administrator. These roles have the ability to manage role access, which is crucial for your scenario.

    One approach to address this is to use Azure Lighthouse's delegated resource management capabilities. While Azure Lighthouse allows you to manage resources across multiple tenants, it does not currently support assigning these specific roles directly through templates. However, you can still manage permissions by using custom role definitions and assignments.

    Here are a few steps you can consider:

    1. Custom Role Definitions: Create custom roles that include the necessary permissions for managing Log Analytics Workspaces. You can then assign these custom roles to the appropriate Entra groups.
    2. Manual Role Assignment: For roles that cannot be assigned through Azure Lighthouse templates, you may need to manually assign these roles using the Azure portal or PowerShell. This can be done by navigating to the specific resource and assigning the role to the desired Entra group.
    3. Automation Scripts: Consider using automation scripts to streamline the process of assigning roles. PowerShell or Azure CLI scripts can be used to automate the role assignment process, reducing the need for manual intervention.
    4. Azure Policy: Use Azure Policy to enforce role assignments and ensure compliance across your environments. Azure Policy can help you manage and audit role assignments, ensuring that the necessary permissions are in place.

    Hope this helps!

    If the response helped, do "Accept Answer" and up-vote it

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.