Microsoft released Azure Lighthouse last weekend. Since this is a great feature, I wanted to implement it as soon as possible, but the Microsoft docs can be a bit confusing, so I have simplified the manual; here it is! We will be using PowerShell, as this makes life much easier and faster.
- Your admin tenant needs to have a valid Azure subscription
- You need to have a native user account with the new Owner role in the tenant that you want to manage (Customer tenant)
- Azure PowerShell module: AZ (Install-Module -Name az)
The following steps will be done on the admin tenant
Step 1: First we will need to retrieve information from your admin tenant, and the only way to get all the information you need is by using PowerShell. Alternatively you could use Azure Cloud Shell. For this manual we will use Azure PowerShell. Open a PowerShell prompt and import the AZ module:
Now we can connect to Azure with the following command and log in to your admin tenant.
Step 2: We will need the Azure Tenant ID, so first run the following command and save the output for later.
Step 3: We will need to set a group that will get rights to manage your customer's subscription. In this manual we will use AdminAgents as an example (a default Azure group); you can of course create your own and use that. Run the following command and save the output; we will use this later on as PrincipalId in a JSON parameters file. You can add more than one group: just run this command for each group that you want to add.
(Get-AzADGroup -DisplayName 'AdminAgents').id
Step 4: The next step is to set the role for the subscription that we want to manage. This role will be applied to all resources in that subscription. You can add multiple roles as well for the group you have chosen above. Run the command below and save the output as roleDefinitionId.
NOTE: the following roles are not allowed: Owner, User Access Administrator
(Get-AzRoleDefinition -Name 'Contributor').id
The next steps will be done on the customer tenant
Step 5: Now connect with Azure PowerShell to your customer's tenant.
First we will need to register a resource provider, but before that, check that you have the right subscription selected. Run the following command:
If this is the subscription you want to manage, go to step 6. If not, select the right subscription first; look up the current subscriptions in this tenant with:
Now select the required subscription with the output from the previous command:
Set-AzContext -Subscription <subscriptionId>
Step 6: This is the step that might be a bit more work. First create a folder on your C drive. For example: “C:\Azure Lighthouse”
We will be downloading 2 files, a JSON template file and a parameters file, and we will be editing just the parameters file. For your convenience I have made them available as a download in a simple ZIP file, where I have left out the multiple roles from the GitHub templates. You can also find them on GitHub. Save the files to your newly created "C:\Azure Lighthouse" folder.
ZIP file with the files used in this manual: Azure Lighthouse json files
GitHub template file for subscription: delegatedResourceManagement.json
GitHub parameter file: delegatedResourceManagement.parameters.json
Now we will need to adjust the parameters.json file. Change the fields as stated below:
mspName: Your managed service provider name, visible for the customer
mspOfferDescription: Your MSP description
managedByTenantId: Your admin tenant ID from step 2
PrincipalId: Your group id from step 3
PrincipalIdDisplayName: Your group name from step 3
RoleDefinitionId: Your role id from step 4
After you have changed the parameters file it should look like this:
Step 7: Now we can deploy the JSON template with the parameters file. Just run the following command (if you chose a different folder to save your files, change that path; the file names must match the files you saved in step 6):
New-AzDeployment -Name LightHouse -Location westeurope -TemplateFile "C:\Azure Lighthouse\delegatedResourceManagement.json" -TemplateParameterFile "C:\Azure Lighthouse\delegatedResourceManagement.parameters.json" -Verbose
Step 8: We can now verify whether the link has been established successfully. In the Azure portal go to All services and search for "My customers". Here you can verify the connection.
Step 9: Start managing! Just select the subscription that you want to manage by going to the Directory + subscription button on the right top in the Azure portal, and select the desired subscriptions, and start managing!
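To tie steps 1 to 8 together, here is the whole procedure as one PowerShell script. This is an added example written for this page, not code from the original post or from the Microsoft templates. It assumes: the AZ module is installed; the parameters file for delegatedResourceManagement.json takes mspName, mspOfferDescription, managedByTenantId and an authorizations array whose entries carry principalId, principalIdDisplayName and roleDefinitionId (the fields listed in step 6); the resource provider to register in the customer subscription is Microsoft.ManagedServices (the page does not name it); and Get-AzManagedServicesAssignment from the Az.ManagedServices module is available for the verification in step 8. The tenant and subscription IDs are placeholders, and the MSP name and description are constructed sample values.

```powershell
# Added example: steps 1-8 of the manual as a single script. Not the post's own code.
# Assumptions: Az module installed; template parameter names as listed in step 6
# (authorizations array); Lighthouse resource provider = Microsoft.ManagedServices;
# Az.ManagedServices provides Get-AzManagedServicesAssignment.

$AdminTenantId    = '<admin-tenant-id>'           # placeholder, from your admin tenant
$CustomerTenantId = '<customer-tenant-id>'        # placeholder
$SubscriptionId   = '<customer-subscription-id>'  # placeholder, the subscription to manage
$GroupNames       = @('AdminAgents')              # step 3: one or more admin-tenant groups
$RoleName         = 'Contributor'                 # step 4: give the least role that does the job
$Folder           = 'C:\Azure Lighthouse'         # step 6: where both JSON files are saved

Import-Module Az                                  # step 1

# ---- Admin tenant: steps 1-4 ----
Connect-AzAccount -TenantId $AdminTenantId | Out-Null
$managedByTenantId = (Get-AzContext).Tenant.Id    # step 2: admin tenant ID

# Step 4: Lighthouse refuses these roles, so fail here before touching the customer tenant
$blockedRoles = @('Owner', 'User Access Administrator')
if ($RoleName -in $blockedRoles) {
    throw "Role '$RoleName' cannot be delegated through Azure Lighthouse."
}
$roleDefinitionId = (Get-AzRoleDefinition -Name $RoleName).Id

# Step 3: one authorization entry per group, all with the chosen role
$authorizations = foreach ($name in $GroupNames) {
    $group = Get-AzADGroup -DisplayName $name
    if (-not $group) { throw "Group '$name' was not found in the admin tenant." }
    @{
        principalId            = $group.Id
        principalIdDisplayName = $group.DisplayName
        roleDefinitionId       = $roleDefinitionId
    }
}

# Step 6: write the parameters file instead of editing it by hand
$parameters = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json#'
    contentVersion = '1.0.0.0'
    parameters     = @{
        mspName             = @{ value = 'Contoso MSP' }                    # constructed sample
        mspOfferDescription = @{ value = 'Managed services by Contoso MSP' } # constructed sample
        managedByTenantId   = @{ value = $managedByTenantId }
        authorizations      = @{ value = @($authorizations) }
    }
}
$paramPath = Join-Path $Folder 'delegatedResourceManagement.parameters.json'
$parameters | ConvertTo-Json -Depth 10 | Set-Content -Path $paramPath -Encoding UTF8

# ---- Customer tenant: steps 5-7 ----
Connect-AzAccount -TenantId $CustomerTenantId | Out-Null
Set-AzContext -Subscription $SubscriptionId | Out-Null        # step 5: pick the right subscription
Register-AzResourceProvider -ProviderNamespace 'Microsoft.ManagedServices' | Out-Null  # assumed RP name

# Step 7: subscription-scoped deployment of the template with the generated parameters
New-AzDeployment -Name LightHouse -Location westeurope `
    -TemplateFile (Join-Path $Folder 'delegatedResourceManagement.json') `
    -TemplateParameterFile $paramPath -Verbose

# Step 8, from PowerShell rather than the portal: the delegation should now be listed
Get-AzManagedServicesAssignment
```

The script refuses to continue if the chosen role is one of the two the page says Lighthouse does not allow, and it resolves every group in the admin tenant before it signs in to the customer tenant, so a typo in a group name cannot leave you with a half-built delegation. Run it once per customer subscription; for a customer with several subscriptions, repeat the Set-AzContext and New-AzDeployment part for each one.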