Azure Lighthouse is a Microsoft solution that enables managed service providers (MSPs) to manage their customers’ Azure resources from a single control plane. It provides a centralized view of all customer tenants and allows MSPs to manage them without switching between Azure AD tenants or subscriptions. This feature simplifies the management of multiple Azure tenants and subscriptions for MSPs, providing a more secure and efficient way to manage their customers’ resources. 

Azure Lighthouse offers several advantages to MSPs, including:

  • Streamlined operations: MSPs can automate routine tasks and implement best practices across all customer tenants, increasing efficiency and shortening response times.
  • Scalability: MSPs can easily onboard new customers and resources without setting up new management environments or toolsets.
  • Flexibility: Azure Lighthouse supports a wide range of Azure resources and services, giving MSPs the flexibility to manage various customer environments.
  • Enhanced security: access is granted by the customer through Azure role-based access control (RBAC) using built-in roles scoped to specific subscriptions or resource groups, so only the provider identities named in the delegation can reach customer resources, and no guest accounts or shared credentials are created in the customer tenant.

Getting the most out of Azure Lighthouse as an MSP requires understanding the service’s basic concepts and functions. This article will review Azure Lighthouse in detail, including key concepts, benefits, how to get started, and six essential best practices for MSPs. 

Summary of key Azure Lighthouse concepts

The table below summarizes the key Azure Lighthouse concepts this article will explore in more detail. 

What is Azure Lighthouse?
A service that enables MSPs to manage and govern customers’ Azure environments across tenants, subscriptions, and regions from a single control plane.

How does Azure Lighthouse help MSPs?
  • Centralized and streamlined management and governance of multiple customers’ Azure environments
  • Improved security and compliance
  • Reduced costs and complexity
  • Differentiated and value-added services for their customers

How does it work?
  • The customer delegates a subscription or resource group to the provider by deploying an onboarding template in their own tenant (or by accepting a Managed Service offer from the marketplace).
  • The delegation lists principals from the provider’s Azure AD tenant (users, groups, or service principals) together with the Azure built-in role each one holds at that scope.
  • Provider staff then manage the delegated resources from their own tenant with exactly those roles, without guest accounts or separate credentials in the customer tenant.

What are the best practices for using Azure Lighthouse?
  • Understand your customers’ requirements
  • Standardize your processes
  • Monitor and report on activity
  • Implement RBAC best practices
  • Implement security best practices
  • Continuously review and optimize

How does Azure Lighthouse help MSPs accelerate cloud automation and cost optimization?
  • Deploy and manage Azure Automation and Azure Cost Management tools in customer subscriptions and manage them centrally.
  • Create and apply policies and templates for these tools to ensure consistent deployment and configuration across customer environments.

Six key Azure Lighthouse benefits

Azure Lighthouse provides MSPs with powerful tools and capabilities to manage and govern multiple customers’ Azure environments, reducing costs, improving security and compliance, and enabling MSPs to offer differentiated and value-added services to their customers. 

Azure Lighthouse helps MSPs simplify customer engagement and onboarding experiences at scale.

Below are six key benefits MSPs can gain from using Azure Lighthouse.

Centralized management and governance

Azure Lighthouse allows MSPs to manage and govern multiple customers’ Azure environments from a single pane of glass, making it easier to monitor and troubleshoot issues, apply policies and compliance standards, and optimize resources and costs.

Cross-tenant visibility

With Azure Lighthouse, MSPs can access and manage resources across multiple tenants without switching between tenants or subscriptions. This allows them to monitor and manage resources for their customers more efficiently.

Role-based access control

Azure Lighthouse supports role-based access control (RBAC), which enables MSPs to delegate specific management tasks to different users or teams. This helps ensure that only authorized personnel can access and manage resources.

Automation and customization

Because delegated resources are addressable from the provider tenant like any other scope, Azure Resource Manager templates, PowerShell, and Azure CLI work across multiple customers or tenants without re-authenticating, making it easier to automate management tasks at scale. Azure Policy definitions and tagging can also be applied to delegated subscriptions, which enables service providers to enforce specific governance requirements across all customers or tenants.

Efficient Client onboarding 

Azure Lighthouse simplifies and accelerates the client onboarding process for MSPs by providing efficiency via standardization, centralized management, delegated access, security, and scalability. It enables MSPs to deliver high-quality services to their clients while reducing manual effort and ensuring consistent operations across multiple client environments. 

  • Efficiency and time savings: Azure Lighthouse provides a streamlined and repeatable approach to client onboarding. Because a delegation is just a template deployment, MSPs can onboard each new customer with the same tested template and parameter file rather than configuring access by hand, reducing the time and effort required to onboard new clients.
  • Standardization and consistency: Azure Lighthouse enables MSPs to establish standardized configurations, policies, and security measures for client accounts. By using templates and predefined settings, MSPs can ensure consistency across multiple client environments, reducing the risk of errors or misconfigurations that can occur in a manual process.

Value-added services

Azure Lighthouse allows MSPs to offer differentiated and value-added services to their customers, such as advanced analytics and reporting, custom dashboards, and proactive monitoring and alerts, which can help MSPs differentiate themselves from competitors and increase customer satisfaction.

“The features and support CloudBolt provides will allow my team to spend more time focusing on the delivery of quality customer outcomes.”

Phil Redmond, Cloud Services Lead at Data#3


How does Azure Lighthouse work?

Azure Lighthouse leverages Azure Active Directory (Azure AD, now Microsoft Entra ID) to manage identities and provide access control for MSPs and customer organizations. MSP staff sign in to their own Azure AD tenant and, from there, see and act on the customer subscriptions and resource groups that have been delegated to them. No guest accounts are created in the customer tenant, and the provider never has to switch directories or hold separate credentials per customer.

RBAC is a key Azure Lighthouse component. Access is expressed as Azure RBAC role assignments: the customer delegates a scope (a subscription or resource group) to the provider, and the delegation names which principals in the provider tenant (users, groups, or service principals) hold which Azure built-in roles at that scope.

Because the delegation uses the same Azure RBAC roles and scopes that customers use inside their own tenant, customers retain full ownership of their resources: they can see what has been delegated under “Service providers” in the Azure portal, review the provider’s actions in the subscription activity log, and remove the delegation at any time.

RBAC in Azure Lighthouse provides granular access control: each authorization grants one role to one principal, so a provider can be given only the roles its work requires without excessive permissions that could compromise security. Only Azure built-in roles can be delegated; custom roles are not supported, so least privilege is achieved by choosing narrowly scoped built-in roles (Reader, Monitoring Reader, Log Analytics Reader, and so on) and by delegating resource groups rather than whole subscriptions where that is enough.

At a high level, the process works as follows: 

  1. The MSP decides which of its own identities (ideally Azure AD security groups, or a service principal for automation) should manage the customer’s resources, and which built-in role each one needs.
  2. The MSP describes these authorizations in an onboarding template (an Azure Resource Manager or Bicep template containing a Microsoft.ManagedServices registration definition and registration assignment) or in a Managed Service offer published to the commercial marketplace.
  3. The customer, using an account that can create role assignments on the subscription (for example, Owner), deploys the template or accepts the offer in their own tenant. This creates the delegation; the provider cannot grant itself access.
  4. Once the delegation exists, provider staff see the customer’s subscriptions and resource groups in Azure Lighthouse under “My customers” and can manage and monitor them, with the roles they were given, from the Azure portal, Azure CLI, Azure PowerShell, or the REST APIs in their own tenant, alongside every other delegated customer.

Supported Azure Lighthouse roles and groups

All built-in roles are currently supported with Azure Lighthouse, with a few exceptions: the Owner role cannot be delegated, and neither can any built-in role that includes DataActions (data-plane permissions such as the Storage Blob Data roles). Custom roles and classic subscription administrator roles are not supported either. User Access Administrator is supported only in a limited form, for assigning a listed set of built-in roles to managed identities in the customer tenant.

Roles commonly included in a delegation:

Contributor: Create, modify, and delete resources, but cannot grant access to other users or groups.
Reader: View resources without making changes or performing actions.
User Access Administrator: Supported only together with a delegatedRoleDefinitionIds list; lets the provider assign those built-in roles to managed identities in the customer tenant (for example, for Azure Policy remediation tasks). Owner and User Access Administrator cannot appear in that list.
Security Reader: View security-related information and resource recommendations.
Security Admin: View and manage security policies and security-related resource configurations.
Log Analytics Reader: View log data and perform queries on Log Analytics workspaces.
Monitoring Reader: View monitoring data and resource alerts.
Managed Services Registration assignment Delete Role: Lets the provider remove its own delegation, so offboarding does not depend on the customer taking action.

Getting started with Azure Lighthouse

Prerequisites: the service provider needs an Azure AD tenant containing the users, groups, or service principals that will do the work, and the customer needs a subscription (or resource group) to delegate. The person deploying the delegation on the customer side must be able to create role assignments on that subscription (for example, the Owner role), and the subscription must have the Microsoft.ManagedServices resource provider registered. The provider needs no credentials in the customer tenant and the customer never hands over client IDs or secrets; access is granted entirely by the customer’s deployment.

Below are the basic steps an MSP follows to onboard a customer with Azure Lighthouse.

  1. In the provider tenant, record the tenant ID and the object IDs of the security groups (or the automation service principal) that should be authorized, and choose a built-in role for each. Prefer groups over individual users so that staff changes do not require the customer to redeploy.
  2. Create the onboarding template. Microsoft publishes Azure Resource Manager and Bicep sample templates for delegated resource management at subscription and resource group scope; fill in the offer name, description, your tenant ID, and the authorizations list. Include a principal with the Managed Services Registration assignment Delete Role so you can offboard yourself later. Alternatively, publish the same authorizations as a Managed Service offer in the commercial marketplace.
  3. Send the template and its parameter file to the customer. The customer signs in to their own tenant and deploys it at subscription scope, for example with New-AzSubscriptionDeployment in Azure PowerShell or az deployment sub create in the Azure CLI (resource group delegations use a resource-group-scoped template deployed the same way). The deployment creates a registration definition and a registration assignment in the customer subscription.
  4. Verify the delegation. In the provider tenant, the customer now appears under Azure Lighthouse > “My customers” with the delegated scopes and roles; in the customer tenant, the provider appears under Azure Lighthouse > “Service providers”, where the customer can review or remove the delegation.
  5. Manage the customer. Provider staff sign in to their own tenant and work on the delegated subscriptions through the Azure portal, CLI, PowerShell, or APIs, with exactly the roles named in the template. To change roles later, update the template and have the customer redeploy it.


Six essential Azure Lighthouse best practices for MSPs

Implementing best practices is crucial to utilizing Azure Lighthouse effectively. These practices include understanding your customers’ requirements, standardizing your processes, monitoring and reporting on activity, implementing RBAC and security best practices, and continuously reviewing and optimizing. 

Understand your customers’ requirements

Before onboarding customers to Azure Lighthouse, it’s important to understand their specific requirements, including their Azure environment, compliance needs, and security policies. This will help you tailor your Azure Lighthouse management strategy to meet their needs.

Standardize your processes

To ensure consistency and efficiency across multiple customer environments, it’s important to standardize your processes for managing Azure resources. This can include defining templates for resource deployment, using consistent naming conventions, and establishing policies for security and compliance.

Monitor and report on activity

Azure Lighthouse works with Azure’s monitoring and security services, including Azure Monitor (with Log Analytics across delegated workspaces) and Microsoft Defender for Cloud (formerly Azure Security Center). By leveraging these tools across all delegated subscriptions at once, MSPs can proactively identify and address issues before they become problems and provide regular reports to customers to ensure transparency and accountability. Actions the provider takes are also recorded in the customer’s subscription activity log, so customers can audit what was done under the delegation.

Implement RBAC best practices

To ensure secure and efficient management, follow RBAC best practices: assign the least-privileged built-in role that covers each task (custom roles cannot be delegated through Lighthouse), grant roles to groups rather than individual users, limit the scope to resource groups where that is sufficient, and review the authorizations in each delegation regularly.

Implement security best practices

These tips can help harden your Azure Lighthouse implementation:

  • Grant authorizations to Azure AD security groups in the provider tenant rather than to individual users, and protect those groups with the provider tenant’s multi-factor authentication and Conditional Access policies; the customer’s delegation is only as strong as the provider identities behind it.
  • Use eligible authorizations for privileged roles such as Contributor, so that staff must activate the role just in time through Privileged Identity Management (with MFA and a bounded activation window) instead of holding it permanently; reserve permanent authorizations for read-only roles. Eligible authorizations require Azure AD Premium P2 in the provider tenant.
  • Delegate the narrowest scope that works (a resource group rather than a subscription) and don’t assign more permissions than necessary to service provider staff or customer users.
  • Use User Access Administrator only with an explicit delegatedRoleDefinitionIds list for automation that assigns roles to managed identities, never for interactive staff.
  • Don’t store service principal secrets or other service provider credentials in plaintext or insecure locations; keep automation credentials in Azure Key Vault and rotate them.
  • Review delegations regularly on both sides: the provider’s “My customers” view and the customer’s “Service providers” view and activity log should agree on who holds which role at which scope.
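The onboarding procedure described under “Getting started” and the RBAC and hardening rules above all come down to what goes into the authorizations block of the delegation template. The following Python script is an added example, not code from the original article or from Microsoft: it lint-checks a proposed authorizations list against the Lighthouse constraints described on this page (no Owner, no DataActions roles, User Access Administrator only with delegatedRoleDefinitionIds, and a principal that can remove the delegation) and then emits the subscription-scope ARM template the customer would deploy. The role definition GUIDs are Azure’s well-known built-in role IDs; the tenant, group, and service principal IDs, the offer name, and the group names are constructed placeholders, and the eligible-authorization block assumes the provider tenant has the Azure AD Premium P2 licence that just-in-time activation needs.

```python
"""Added example: lint Azure Lighthouse authorizations, then emit the onboarding template.
Not code from the article or from Microsoft. Role GUIDs are Azure's well-known built-in
role definition IDs; every other ID and name below is a constructed placeholder."""
import json
import re

# Well-known Azure built-in role definition IDs (confirm with `az role definition list`).
ROLE_ID = {
    "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "User Access Administrator": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
    "Managed Services Registration assignment Delete Role": "91c1777a-f3dc-4fae-b103-61d183457e46",
    "Storage Blob Data Reader": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
}
ROLE_NAME = {v: k for k, v in ROLE_ID.items()}
UAA = ROLE_ID["User Access Administrator"]
DELETE_ROLE = ROLE_ID["Managed Services Registration assignment Delete Role"]
# Lighthouse cannot delegate Owner or any built-in role that carries DataActions.
# Storage Blob Data Reader stands in for the data-plane roles; extend the set as needed.
NOT_DELEGATABLE = {ROLE_ID["Owner"], ROLE_ID["Storage Blob Data Reader"]}
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def check_authorizations(auths):
    """Return a list of findings; an empty list means the authorizations pass every check."""
    findings = []
    for i, auth in enumerate(auths):
        pid = auth.get("principalId", "")
        rid = auth.get("roleDefinitionId", "")
        if not (GUID.match(pid) and GUID.match(rid)):
            findings.append(f"auth[{i}]: principalId and roleDefinitionId must be GUIDs")
            continue
        if rid in NOT_DELEGATABLE:
            findings.append(f"auth[{i}]: {ROLE_NAME[rid]} cannot be delegated through Lighthouse")
        if rid == UAA:
            delegated = set(auth.get("delegatedRoleDefinitionIds", []))
            if not delegated:
                findings.append(f"auth[{i}]: User Access Administrator needs delegatedRoleDefinitionIds")
            elif delegated & {UAA, ROLE_ID["Owner"]}:
                findings.append(f"auth[{i}]: delegatedRoleDefinitionIds may not include Owner or UAA")
    if DELETE_ROLE not in {auth.get("roleDefinitionId") for auth in auths}:
        findings.append("no principal holds the Managed Services Registration assignment Delete Role")
    return findings


def build_template(offer_name, description, managed_by_tenant_id, auths, eligible=()):
    """Subscription-scope ARM template: a registration definition plus its assignment."""
    findings = check_authorizations(auths)
    if findings:  # fail closed: never emit a template that is over-privileged or would be rejected
        raise ValueError("; ".join(findings))
    definition_ref = "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('name'))]"
    properties = {
        "registrationDefinitionName": offer_name,
        "description": description,
        "managedByTenantId": managed_by_tenant_id,
        "authorizations": list(auths),
    }
    if eligible:  # just-in-time (PIM) roles; requires Azure AD Premium P2 in the provider tenant
        properties["eligibleAuthorizations"] = list(eligible)
    return {
        "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "variables": {"name": f"[guid('{offer_name}')]"},
        "resources": [
            {"type": "Microsoft.ManagedServices/registrationDefinitions", "apiVersion": "2022-10-01",
             "name": "[variables('name')]", "properties": properties},
            {"type": "Microsoft.ManagedServices/registrationAssignments", "apiVersion": "2022-10-01",
             "name": "[variables('name')]", "dependsOn": [definition_ref],
             "properties": {"registrationDefinitionId": definition_ref}},
        ],
    }


# Constructed placeholder identities (hypothetical provider tenant, groups and SPN).
PROVIDER_TENANT = "11111111-1111-1111-1111-111111111111"
TIER1_GROUP = "22222222-2222-2222-2222-222222222222"
OFFBOARD_GROUP = "33333333-3333-3333-3333-333333333333"
AUTOMATION_SPN = "44444444-4444-4444-4444-444444444444"

GOOD_AUTHS = [
    {"principalId": TIER1_GROUP, "principalIdDisplayName": "Tier 1 operations",
     "roleDefinitionId": ROLE_ID["Reader"]},
    {"principalId": OFFBOARD_GROUP, "principalIdDisplayName": "Offboarding",
     "roleDefinitionId": DELETE_ROLE},
    {"principalId": AUTOMATION_SPN, "principalIdDisplayName": "Policy remediation",
     "roleDefinitionId": UAA, "delegatedRoleDefinitionIds": [ROLE_ID["Contributor"]]},
]
# Contributor is only eligible: activated through PIM with MFA, for at most eight hours.
ELIGIBLE_AUTHS = [
    {"principalId": TIER1_GROUP, "principalIdDisplayName": "Tier 1 operations (JIT)",
     "roleDefinitionId": ROLE_ID["Contributor"],
     "justInTimeAccessPolicy": {"multiFactorAuthProvider": "Azure",
                                "maximumActivationDuration": "PT8H"}},
]
# Deliberately bad: Owner, UAA without a delegated list, and no way to offboard.
BAD_AUTHS = [
    {"principalId": TIER1_GROUP, "roleDefinitionId": ROLE_ID["Owner"]},
    {"principalId": AUTOMATION_SPN, "roleDefinitionId": UAA},
]

if __name__ == "__main__":
    for finding in check_authorizations(BAD_AUTHS):
        print("rejected:", finding)
    template = build_template("Contoso managed operations", "Monitoring and patching",
                              PROVIDER_TENANT, GOOD_AUTHS, ELIGIBLE_AUTHS)
    print(json.dumps(template, indent=2))
```

Run as a script, it prints the findings for the deliberately bad list and then the generated template; save that JSON to a file and hand it to the customer, who deploys it in their own tenant with az deployment sub create or New-AzSubscriptionDeployment. The check fails closed, so a CI job in the provider’s template repository can gate every change to the authorizations on it before a customer is ever asked to redeploy.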

Continuously review and optimize

As customer requirements evolve and new Azure features are introduced, it’s essential to continuously review and optimize your Azure Lighthouse management strategy. This can include identifying areas for automation, evaluating new features and capabilities, and staying up-to-date with Azure best practices.



Final thoughts

MSPs can maximize the benefits of Azure Lighthouse by following these fundamental practices:

  1. Gain a thorough understanding of the customer’s environment, including their security and compliance needs. This will enable MSPs to customize their Azure Lighthouse management approach to meet specific requirements.
  2. Standardize Azure resource management processes across multiple customers to ensure consistency and efficiency.
  3. Implement RBAC and security best practices to protect customers’ environments from unauthorized access and potential threats.
  4. Utilize Azure Monitor and Microsoft Defender for Cloud (formerly Azure Security Center) to identify and address issues proactively before they escalate into problems. Regular reports should be provided to customers to maintain transparency and accountability.
  5. Review and optimize your Azure Lighthouse management strategy to ensure it aligns with changing business needs and emerging technologies.

As more organizations embrace the cloud and seek to optimize their Azure environments, Azure Lighthouse will become an increasingly important and valuable tool for MSPs. This platform provides a centralized and simplified approach for service providers to manage their customers’ Azure resources. Alongside Azure Lighthouse, platforms like CloudBolt offer additional features that can further streamline operations, reduce costs, and enhance customer experiences. With CloudBolt, MSPs can launch new FinOps services in half the time and focus scarce resources on higher-value work, making it a powerful tool for service providers of all sizes.
