Azure Lighthouse samples
The following table includes links to key Azure Resource Manager templates for Azure Lighthouse. These files and more can also be found in the Azure Lighthouse samples repository.
Onboard customers
We provide different templates to address specific onboarding scenarios. Be sure to modify the parameter file to reflect your environment. For more info about how to use these files in your deployment, see Onboard a customer to Azure Lighthouse.
Template | Description |
---|---|
subscription | Onboard a customer's subscription to Azure Lighthouse. A separate deployment must be performed for each subscription. |
rg and multi-rg | Onboard one or more of a customer's resource groups to Azure Lighthouse. Use rg.json to onboard a single resource group, or multi-rg.json to onboard multiple resource groups within a subscription. |
marketplace-delegated-resource-management | If you published a managed services offer to Azure Marketplace, you can optionally use this template to onboard resources for customers who accepted the offer. The marketplace values in the parameters file must match the values that you used when publishing your offer. |
To include eligible authorizations, select the corresponding template from the delegated-resource-management-eligible-authorizations section of our samples repo.
Typically, a separate deployment is required for each subscription being onboarded, but you can also deploy templates across multiple subscriptions.
Template | Description |
---|---|
cross-subscription-deployment | Deploy Azure Resource Manager templates across multiple subscriptions. |
Tip
While you can't onboard an entire management group in one deployment, you can deploy a policy to onboard each subscription in a management group.
Azure Policy
These samples show how to use Azure Policy with subscriptions that are onboarded to Azure Lighthouse.
Template | Description |
---|---|
policy-add-or-replace-tag | Assigns a policy that adds or removes a tag (using the modify effect) to a delegated subscription. For more info, see Deploy a policy that can be remediated within a delegated subscription. |
policy-allow-certain-managing-tenants | Assigns a policy restricting Azure Lighthouse delegations to specific managing tenants. |
policy-audit-delegation | Assigns a policy that audits for delegation assignments. |
policy-delegate-management-groups | Assigns a policy to confirm that subscriptions within a management group are delegated to a managing tenant, and if not, creates the assignment. |
policy-enforce-keyvault-monitoring | Assigns a policy that enables diagnostics on Azure Key Vault resources in a delegated subscription (using the deployIfNotExists effect). For more info, see Deploy a policy that can be remediated within a delegated subscription. |
policy-enforce-sub-monitoring | Assigns several policies to enable diagnostics on a delegated subscription, and connects all Windows & Linux VMs to the Log Analytics workspace created by the policy. For more info, see Deploy a policy that can be remediated within a delegated subscription. |
policy-initiative | Applies a policy initiative (multiple related policy definitions) to a delegated subscription. |
Azure Monitor
These samples show how to use Azure Monitor to create alerts for subscriptions that are onboarded to Azure Lighthouse.
Template | Description |
---|---|
monitor-delegation-changes | Queries the past day of activity in a managing tenant and reports on any added or removed delegations (or attempts that weren't successful). |
alert-using-actiongroup | Creates an Azure alert and connects to an existing action group. |
multiple-loganalytics-alerts | Creates multiple log alerts based on Kusto queries. |
delegation-alert-for-customer | Deploys an alert in a tenant when a user delegates a subscription to a managing tenant. |
workbook-activitylogs-by-domain | Displays Azure Activity logs across subscriptions with an option to filter them by domain name. |
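The monitor-delegation-changes and delegation-alert-for-customer samples both key off the same two Activity Log operations: `Microsoft.ManagedServices/registrationAssignments/write` (a delegation was created) and `.../registrationAssignments/delete` (a delegation was removed). The following added example, which is not code from the samples repository, shows the detection logic run over a handful of constructed Activity Log records: it ignores unrelated operations, skips the non-terminal `Started` rows that precede each outcome, keeps failed attempts as well as successes (a refused delegation is still worth an alert), de-duplicates by `correlationId`, and restricts the result to a time window. The field names (`operationName.value`, `status.value`, `caller`, `correlationId`, `eventTimestamp`, `subscriptionId`, `resourceId`) follow the Activity Log REST response; the records, subscription ID and callers are made up for the example.

```python
"""Added example (not from the Azure Lighthouse samples repo): report
delegation changes found in Azure Activity Log records, the check that
monitor-delegation-changes and delegation-alert-for-customer perform.
Sample events below are constructed; no real tenants or callers."""
from datetime import datetime, timezone

# Activity Log operation names written when a Lighthouse delegation
# (a Microsoft.ManagedServices registration assignment) is created or removed.
DELEGATION_OPS = {
    "Microsoft.ManagedServices/registrationAssignments/write": "added",
    "Microsoft.ManagedServices/registrationAssignments/delete": "removed",
}
TERMINAL_STATUSES = {"Succeeded", "Failed"}


def parse_timestamp(value):
    """Parse Activity Log timestamps such as 2024-05-02T09:00:00.1234567Z.
    The 7-digit fraction is truncated to 6 because fromisoformat() rejects
    it before Python 3.11. Returns an aware UTC datetime."""
    text = value.rstrip("Z")
    if "." in text:
        head, frac = text.split(".", 1)
        text = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def delegation_changes(events, since):
    """Return one record per delegation operation (keyed by correlationId)
    that reached Succeeded or Failed at or after `since`, oldest first.
    `since` may be an aware datetime or an ISO-8601 string."""
    if isinstance(since, str):
        since = parse_timestamp(since)
    by_correlation = {}
    for ev in events:
        op = (ev.get("operationName") or {}).get("value", "")
        if op not in DELEGATION_OPS:
            continue
        status = (ev.get("status") or {}).get("value")
        if status not in TERMINAL_STATUSES:
            continue  # 'Started'/'Accepted' rows carry no outcome yet
        when = parse_timestamp(ev["eventTimestamp"])
        if when < since:
            continue
        key = ev.get("correlationId") or ev.get("eventDataId")
        by_correlation[key] = {
            "time": when.isoformat(),
            "change": DELEGATION_OPS[op],
            "status": status,
            "caller": ev.get("caller", "<unknown>"),
            "subscription": ev.get("subscriptionId", "<unknown>"),
            "resource": ev.get("resourceId", ""),
        }
    return sorted(by_correlation.values(), key=lambda r: r["time"])


# Constructed sample events (subset of Activity Log fields); placeholder IDs.
SUB = "00000000-0000-0000-0000-000000000001"
ASSIGNMENT = (f"/subscriptions/{SUB}/providers/Microsoft.ManagedServices/"
              "registrationAssignments/aaaaaaaa-0000-0000-0000-000000000001")
WRITE_OP = "Microsoft.ManagedServices/registrationAssignments/write"
DELETE_OP = "Microsoft.ManagedServices/registrationAssignments/delete"
SAMPLE_EVENTS = [
    # Started + Succeeded pair for one delegation: must be reported once.
    {"correlationId": "c1", "eventTimestamp": "2024-05-02T09:00:00.1234567Z",
     "operationName": {"value": WRITE_OP}, "status": {"value": "Started"},
     "caller": "admin@customer.example", "subscriptionId": SUB, "resourceId": ASSIGNMENT},
    {"correlationId": "c1", "eventTimestamp": "2024-05-02T09:00:05.0000000Z",
     "operationName": {"value": WRITE_OP}, "status": {"value": "Succeeded"},
     "caller": "admin@customer.example", "subscriptionId": SUB, "resourceId": ASSIGNMENT},
    # Failed removal attempt: still reported, with its caller.
    {"correlationId": "c2", "eventTimestamp": "2024-05-02T11:30:00Z",
     "operationName": {"value": DELETE_OP}, "status": {"value": "Failed"},
     "caller": "intern@customer.example", "subscriptionId": SUB, "resourceId": ASSIGNMENT},
    # Unrelated operation: ignored.
    {"correlationId": "c3", "eventTimestamp": "2024-05-02T12:00:00Z",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "status": {"value": "Succeeded"}, "caller": "admin@customer.example",
     "subscriptionId": SUB, "resourceId": f"/subscriptions/{SUB}/resourceGroups/rg/vm1"},
    # Older than the window: ignored.
    {"correlationId": "c4", "eventTimestamp": "2024-04-20T08:00:00Z",
     "operationName": {"value": WRITE_OP}, "status": {"value": "Succeeded"},
     "caller": "admin@customer.example", "subscriptionId": SUB, "resourceId": ASSIGNMENT},
]

if __name__ == "__main__":
    for change in delegation_changes(SAMPLE_EVENTS, "2024-05-01T00:00:00Z"):
        print(f"{change['time']} delegation {change['change']} {change['status']} "
              f"by {change['caller']} on subscription {change['subscription']}")
```

In a real deployment the events would come from the Activity Log REST endpoint at tenant scope (the managing-tenant view the sample queries) or from the customer's own Activity Log, with `since` set to the previous run's timestamp; the de-duplication by `correlationId` matters because each write emits a `Started` row before its outcome.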
Additional cross-tenant scenarios
These samples illustrate various tasks that can be performed in cross-tenant management scenarios.
Template | Description |
---|---|
create-keyvault-secret | Creates a Key Vault in the customer's tenant and creates access policies. |
cross-rg-deployment | Deploys storage accounts into two different resource groups. |
deploy-azure-mgmt-services | Creates Azure management services, links them together, and deploys solutions. For an end-to-end deployment, use the rgWithAzureMgmt.json template. |
deploy-azure-security-center | Enables and configures Microsoft Defender for Cloud within the targeted Azure subscription. |
deploy-azure-sentinel | Deploys and enables Microsoft Sentinel on an existing Log Analytics workspace in a delegated subscription. |
deploy-log-analytics-vm-extensions | Deploys Log Analytics VM extensions to your Windows and Linux VMs, connecting them to the designated Log Analytics workspace. |
Next steps
- Learn about Azure Lighthouse architecture and technical concepts.
- Explore the Azure Lighthouse samples repository.