How to setup Azure Lighthouse (Manual)

Microsoft released Lighthouse last weekend, and since this is a great feature, I wanted to implement it as soon as possible, but the Microsoft docs might be a bit confusing, so I wanted to simplify the manual, so here it is! We will be using PowerShell, as this makes life so much easier, and faster.


  • Your admin tenant needs to have a valid Azure subscription
  • You need to have a native user account with the new Owner role in the tenant that you want to manage (Customer tenant)
  • Azure PowerShell module: AZ (Install-Module -Name az)

The following steps will be done on the admin tenant

Step 1: First we will need to retrieve information from your admin tenant, and the only way to get all the information you need is by using PowerShell. Alternatively you could use Azure Cloud Shell. For this manual we will use Azure PowerShell. Open an PowerShell prompt, and import the AZ module:

import-module az

Now we can connect to Azure with the following command, and login to your admin tenant.


Step 2: We will be needing the Azure Tenant ID, so first run the following command and save the output for later.


Step 3: We will need to set a group that will get rights to manage you customer subscription. In this manual we will use AdminAgents as an example (default Azure group) You can of course create your own and use that. Run the following command and save the output, we will use this later on as PrincipalId in a JSON parameters file. You might add multiple roles, just run this command for each group that you want to add.

(Get-AzADGroup -DisplayName 'AdminAgents').id

Step 4: Next step is to set the role for the subscription that we want to manage. This role will be applied to alle resources in that subscription. You can add multiple roles ass well with the group you have chosen above. Run the command below. Save the output as roleDefinitionId
NOTE: the following roles are not allowed: Owner, User Access Administrator

(Get-AzRoleDefinition -Name 'Contributor').id

The next steps will be done on the customer tenant

Step 5: Now connect with Azure PowerShell to your customers tenant.


First we will need to register a resourceprovider, first check if you have the right subscription selected. Run the following command:


If this is the subscription you want to manage, go to step 6, if not, select the right subscription first, lookup the current subscriptions in this tenant:


Now select the required subscription with the output from the previous command:

Set-AzContext -Subscription <subscriptionId>

Step 6: This is the step that might be a bit more work. First create a folder on your C drive. For example: “C:\Azure Lighthouse”

We will be downloading 2 files, a JSON file and a parameters file. And we will be editing just the parameters file. For your convience I’ve made them available as download in a simple ZIP file where I’ve left out the multiple roles from the GitHub templates. But you can also find them on GitHub. Save the files to your newly create “C:\Azure Lighthouse” folder.

Recommended download:
ZIP file with the files used in this manual: Azure Lighthouse json files

Original sources:
GitHub template file for subscription: delegatedResourceManagement.json
GitHub parameter file: delegatedResourceManagement.parameters.json

Now we will need to adjust the parameters.json file. Change the fields as state below:

mspName: Your managed service provider name, visible for the customer
mspOfferDescription: Your MSP description
managedByTenantId: Your admin tenant ID from step 2
PrincipalId: Your group id from step 3
PrincipalIdDisplayName: Your group name from step 3
RoleDefinitionId: Your role id from step 4

After you have change the parameters file it should like this:

Step 7: Now we can deploy the JSON file with the parameters file. Just run the following command (if you did choose a different folder to save your files, change that path)

New-AzDeployment -Name LightHouse -Location westeurope -TemplateFile "C:\Azure Lighthouse\rgDelegatedResourceManagement.json" -TemplateParameterFile "C:\Azure Lighthouse\rgDelegatedResourceManagement.parameters.json" -Verbose

Step 8: We can now verify if the link has been established successfully. In the Azure portal go to All services, and search for my customers. Here you can verify the connection.

Step 9: Start managing! Just select the subscription that you want to manage by going to the Directory + subscription button on the right top in the Azure portal, and select the desired subscriptions, and start managing!


Add a Comment

Your email address will not be published. Required fields are marked *