Azure Lighthouse Deep Dive

Captions
Hey everyone, in this video I want to talk about Azure Lighthouse, this fantastic capability where I, as a service provider, want to be able to manage resources for my various customers in a very efficient way, both for the customer and for me as the service provider. As always, a like and subscribe is appreciated.

So if I take a step back, if I think about, well, what is life without Azure Lighthouse? What would we typically have to do if I was a service provider? I want to be able to manage resources for my customer, and I can think about, well, as a service provider I have my own Azure Active Directory, so this is the service provider side, and I may have subscriptions, but we don't care about those, and as a service provider I have all the people that are going to do work for my customers. And then on the customer side, I can think about, well, the customer has their own resources, so the customer has their own Azure AD, so that's the customer's Azure AD instance, and then the customer has their resources. So the customer has, well, they have their subscriptions, obviously they'll have multiple of these, and then inside those subscriptions they'll have the various resource groups. Well, without Lighthouse, what would have to happen is the users from the service provider, each of them, well, they would all have to get added; all of these things would be added as guests, so I'll be using the external identities feature, B2B, so then they get this little external identity object. The authentication is still happening over here, but they're going to show up as guests, and then likely, hey, I'll create some groups in the customer's Azure AD and I would have to add them into it. Then that group would be given certain roles, so hey, that group is given roles either at resource group level or subscription level, but it will be using that role-based access control. Now this is really horrible for everyone. As the customer, well, what about when new people join the service provider? Well, they have to go and do a new guest. Now I could use features like the governance capabilities, I could use service packages, so they could go and maybe join in a simpler way, but it's still ugly. And as the service provider, if I'm one of these people, well, if I'm managing 100 different customers, why I have to constantly be switching tenants, and so that's a really miserable experience for me as well. If I wanted to try and do actions across hundreds of different customers, that's a really painful thing to do. When people leave, or I have to try and terminate those various relationships, it's really not a great experience. So yes, entitlement management may help with bits of that, but it's still not a great thing.

So how are we solving this problem? And this is where we think really about Azure Lighthouse. So if now we add in the whole idea of Azure Lighthouse (and I think they missed something, so I really think you should have the lighthouse as part of that), Azure Lighthouse really changes the entire structure, both for the service provider and for the customer. Now we have really the same components in play here. So once again, as the service provider I still have my Azure Active Directory, so I can think, yep, I have my Azure AD, and once again I'm going to have all my various users that are part of my company. And then once again we have the customer, and once again the customer has their own Azure AD, and once again the customer has their own sets of resources, so we can say, hey, they have subscriptions and the various resource groups. So all those same things exist. Now in this example scenario, we'll actually say me as a service provider, just so you can see in the demos, I'm going to be onboardtoazure.com, so this is the service provider company, and the customer is going to be saviletech.net, just so you can really see the demonstrations flow through. So we have exactly the same components as we had before, but now the process is going to change. I don't want to add all these users as guests to the customer's Azure AD; I do not want to do that. Instead I'm going to use Azure Lighthouse to essentially create an offer of, hey, I as a company am going to be able to manage resources for you.

So the first step to make this a reality: well, before we had the idea of just the users. I'm actually going to create a group (just change my color so we'll actually light up the pieces that are Lighthouse), so I'm going to create a group and I'm going to put the users into that group. Now obviously over time new users may join; I can add and remove people from the group, but it's the group that I'm going to give a certain permission to on the customer side. That's really the big deal. Now the way we're going to do this is through an Azure Resource Manager template. I'm going to show you this in a second, but the whole point is I'm going to create this template, so this template is going to consist of basically this JSON file, and it's going to have an offer, so I'm offering basically my services. Now when I look at this file, there are various sets of components that actually go into this file, but for the first thing, instead of giving it to individual users, what I want to actually do here is it's going to be a group from my tenant. So I have my service provider tenant, so that's the first part: there's going to be this managed-by tenant ID as a property, so the ID of my Azure AD as the service provider is part of it. And then what I'm going to have is a principal, so the actual security principal that I'm giving this to; this is going to be the ID of the group. And then I'm going to specify particular roles, so there's going to be a particular role ID, and that's one of the standard roles defined in Azure Resource Manager. And optionally I could specify a target, like a particular subscription or resource group, but more likely the customer is going to want to pick that at the time of the actual application. Now this principal and the role, what I'm really doing with those is that's an authorization, and I can have multiple authorizations within a single file, because I may have different groups of people that are going to perform different functions for my customers, so they might need different roles. I don't want to give everyone the same highest level of role. I need to say, hey, I've got some people that just need to interact with a certain type of object, well, they only get the role, the least set of permissions, to do that role; I have another set of people in my service provider that need to do other things, so they get certain roles. So in my file, my offer, I will have multiple sets of authorizations for the various roles that different groups of people within my Azure AD tenant actually need. So I'm going to have different groups of people that need the different roles. And today it cannot be a custom role, it cannot be Owner; there are a few things that I cannot do today. Contributor really is the highest role that I can do.

Once I create this file, the whole point now is I can make it available in different ways. I could think, well, hey, we have the Azure Marketplace, so I might publish this into the Marketplace, really make it available to everyone, or, and this is more common, I can think about, well, there's some person I've been working with over on that company that I'm going to provide service management for, so that particular person I'm working with, hey, I would send them the file, so it's got all those configurations.

So before we go any further, let's have a look actually at this process. What I want to do super quickly is, there's a whole bunch of templates available. So if I go and look at the templates, what I'm doing right now is these are the sample files for Azure Lighthouse, and what I can see is, well, hey, there are examples here for deploying to a subscription, I'm importing an entire subscription to be managed by the service provider, or I just want to onboard a particular resource group, multiple resource groups, hey, I'm onboarding and using PIM (PIM is in preview right now, but they would have to elevate up before having those roles). So all these different types of templates, huge numbers available. I'm going to focus on the resource group. Now I could go and look at the template, or I could just say Deploy to Azure. If I hit Deploy to Azure, it's going to bring up that custom deployment, and notice what it's asking for is a set of parameters. Now what I've done is, to save a little bit of time, and what I would probably deliver to my customer, I would deliver to my customer the template and also I would pre-create the parameter file. So notice in the parameter file I have things like, well, a unique offer name, an offer description, I have the managed-by tenant ID, so this value, this is the service provider's Azure AD tenant ID. So if I was that service provider, so this is my onboardtoazure.com, if I was to look at my Azure Active Directory, notice my onboardtoazure tenant ID is c33 etc., etc., etc., but c33, that's an important part to remember, so that's what I'm putting in as my tenant ID. So here we can see that c33 etc., so that's the tenant ID. And then I have a number of authorizations. Now the authorizations, these are the components of the permissions. So we have a principal ID, so here we can see it's the same principal ID, so this is the principal, this is a group, remember I don't want to give it to users, I want it to be a principal ID. So what we've done here is, in the service provider tenant I have created a group, and it's my Lighthouse manage group, into which I can add and remove users, but the key point here is notice it has an object ID f3c. So when I go and look at my authorizations, it is the ID of the group, f3c, f3c. And then I'm specifying a role definition ID. Now these are standard across the regular Azure roles. If I was just going to look, notice I'm doing two, this b24 and this 91c. If I now just go and look at a regular Azure subscription, so if I look at my subscription, Access control, Roles, we have Contributor, so if I look at the Contributor role and look at the JSON, I can see the role definition b249. So that b249, well, that's the first role I'm giving it, Contributor. And then the second role is this 91c, well, 91c1 etc., etc. Well, what I'm going to do, remember, is I'm granting my group certain permissions on the tenant, but I might want to remove that relationship one day. So the other role I want to make sure I always give myself is this Managed Services Registration Assignment Delete Role, and that gives me the ability to remove myself from, essentially, the customer. So if that role, if I was to actually scroll down and go over, I've deleted all my things, but that role is the other ID; I've made it all scroll over so I can't see it properly, but that's what that role would give me. So the other ID is that Managed Services Assignment Remove role, because I want to be able to actually remove myself from managing that tenant in the future. So I want to make sure I always, at minimum, give myself the role I need, and then make sure, hey, I also give myself this role, the Managed Services Registration Assignment Delete Role. So that is the second role in this file. Now in my example I'm also specifying the resource group that I want, but obviously I don't have to do that. But I would copy-paste this, and then as the customer, in my custom deployment I could Edit parameters. Notice it's asking me for the values of all of those various things: region and the details. So rather than typing them in, I can just do Edit parameters, paste in that value, and then it's filled in all of the various details, so it's put in, hey, the group of authorizations, tenant ID, the offer, etc. I'd Review and create, it's doing a check, and then I would just say Create. So I would go through, I would hit Create. Now I've already run this in my environment, but remember my target here is this resource group, rglh delegate, so I have deployed this template to stand up Azure Lighthouse, which is going to this particular resource group. If I was to look at my deployments, I can see I ran this in the past; I can see the details of, yes, I did that managed services registration.

So what I've done now with that step, whether it was from the Marketplace or whether I just gave them the file, what we have done is deployed this to the target scope, be it a resource group, or it could have been a subscription. The net result is I have assigned, using Azure Lighthouse, that particular set of roles. Now when I did that there are no AAD changes, there are no guests added, there were no RBAC changes to the resources themselves. Remember, I gave myself permission to a particular resource group. If I go and look at that resource group as the customer (let's actually go and look at that), I can see the deployment happened; if I actually look at the access control and role assignments, it was at the resource group level and I gave it Contributor, remember; well, there are no scopes set at the resource group level, nor can I see that managed services assignment delete. It does not show up in the regular role-based access control. There were no guests added. It was completely transparent to me as that customer, but as a customer I executed it, so I have now given permission through Azure Lighthouse.

Now as a service provider I now have permission. So if I switch over now to my onboardtoazure identity, the first thing, remember the pain point in the past was, to be able to manage things for my customer, I would have to go and switch directory, I would have to go and switch over to saviletech.net. I am not having to do that. My focus is still onboardtoazure, and now what will happen is, for the subscriptions, I can now see, well, the directory that I've been delegated to, and now under the delegated I can see the subscription from that delegated Azure AD. So I have not had to switch; even though that subscription trusts a different Azure AD, it's now showing up, because of Lighthouse, under a delegated tenant as a delegated subscription. So I now have access to that subscription even though I have not switched tenants. Now think about that for a second. That now means that through my portal, if I had a hundred customers, in that filter I could select subscriptions across a hundred different customers all in one go. So in terms now of my view, when I go and look at my portal, let's think about that: I'm this user, for example (we'll draw the user as a slightly different color), so imagine I'm this particular person, a member of that group that was given that role. So now me as that particular person, if I'm sitting at my computer, whether I want to use the portal, whether I want to use PowerShell, the CLI, an ARM template, a Bicep file, anything, it doesn't matter, I am not switching tenant. I will now just be able to act on it based on the role that I was given from the Lighthouse, so I can now just do things at that scope. So that's the super powerful part. So I'm now very happy that I can do things across lots and lots of different tenants with no changes to my environment; I can now mass-manage all those different things. So that's a huge change for me. So I now have that access.

So let's continue this through. If we go back again as me on that service provider, I can now see it. I could select all of the hundreds of different subscriptions that I might have access to. Well, I can now see that resource group; it shows up for me, I see the resource group. If I had PIM, I could use PIM; the PIM would be on my side as the service provider, and I can now manage all of those different aspects to it. Now notice I only see one resource group. If I go Home for a second and if I look at all of the resource groups, I only see one, that's it, even though on the tenant side my customer has huge numbers of resource groups, so many resource groups, but I wasn't delegated access to those, so I can't see them. I can only see the resource that I was actually delegated to. (Go away, go away.) So at this point I have whatever permission that I had, so I could absolutely think about, well, I could go and create a resource in that resource group. So I could, hey, do Create, and the key point here is I can do anything that you would normally be able to do as long as it's a control plane operation. So when I think about, hey, I can do all of these things, I just need to make sure it is from an ARM perspective, control plane: create resources using ARM, all those, delete, modify, whatever permission I have I can do, but it has to be control plane, not data plane. I cannot do data plane operations today, but anything that is ARM control plane is just going to work for me.

So hey, let's go and create something. If I was to do something super simple, let's say a storage account. (There are too many offers in the Marketplace.) Hey, let's create a storage account. Remember, I'm still looking at my tenant, but notice the subscription is showing me that delegated subscription under the delegated Azure AD. I can only see the resource groups I've got permissions for, and I could say, hey, onboardstorage007, I could pick the region, and doing all the regular things. There's no difference to my experience here as that service provider. Hit Create, validation, go and create. So it's doing the deployment from my Azure AD tenant, and through the magic of Lighthouse (it's not magic, it's the Azure Resource Manager) it's letting me go and manipulate resources in my customer that was given those roles. Remember, to the group; my account was never given those permissions. I could add and remove people from that group on the service provider side and they would now just instantly get those permissions. So that succeeded; I can see the resource, it's right there. If I go back and look at the resource group in my customer (and these things might take a little while to catch up sometimes), but within there, there you go, it showed up on the customer side.

So let's think about this for a second. I don't see the user in role-based access control, I do not see the user in my Azure AD. I can see the resource group, okay, well, I can see the resource. Now if I go and look at the activity log, though, although the user from the service provider is not in my Azure AD, well, let's see the activity log: who is the event initiated by? It's the user from the other tenant. So as a customer my audit logs are still good; it's still showing me the detail of exactly what happened and exactly who did it. So even though it's only the group that was given the permission, I still get the full auditing as the customer with regard to the individual identity that actually performed the action. So I still get that, even though they're not in the RBAC, even though they're not in the Azure AD, I still get that detail. And now I think as the service provider I could write scripts or automations to now perform things across hundreds of different customers because of this. I don't have to switch tenants or mess around with that, and I can add and remove different identities through my choosing: if people come and go within my company, if I decide to use a service principal, an application, my customer doesn't have to make any changes, because it's just the group. Now if I wanted to add additional groups in the future, I'm going to have to create an updated offer and resend it for another deployment. If it was the Marketplace, actually, then I can update it, so that is a possibility through the Marketplace; that would be the one benefit of the Marketplace there. So you really do want to try and think this through in advance: what are the different types of activity I want to perform, what are the different sets of permissions for different groups of people? Create the groups, create the different authorizations in advance, and then I make that available to my customer and they can use it. So once again, as the customer, from an activity log I do get the actual person, so I actually would see, hey, this person, who's very happy, they performed... I still get all the details. Even though they're not in my Azure AD, it doesn't stop me being able to get that auditing to see exactly who specifically did what. That's important; I wouldn't want to see some generic, hey, group did something. That's very bad from a tracking perspective; if that's all the log had, it could be hundreds of different people here. So I still can name the individual people.

So how do I manage this Lighthouse? I don't see Lighthouse really as a resource in any of this. So there are two sides to how I can think about seeing the Lighthouse. As the customer, what I can do is, well, they have a service provider to me, so I can go to Service providers and I can see the delegations. So I can see I've delegated to this particular resource group, rg lighthouse delegate, this particular name, and I can see the role assignments. Now you might remember in our file we had this principal ID display name, Lighthouse Contributor; you might have wondered what that is for. Well, this is what it's for: this is what shows up as a display name. So I want to use, again, descriptive group names and what permissions maybe I'm giving them as part of those offers. So as the customer, I'm in the customer subscription right now as a customer person, john@saviletech.net, I can see, okay, I've got these delegations and I've given these roles, so Contributor and that Managed Services Registration Assignment Delete; got a great big role that would allow the managing tenant to delete this relationship if they wanted to. So as the customer I can see the details, I can see the audit logging. As the service provider over here, well, I can go to Lighthouse and I can say manage my customers, and at this point I could see my customers, so there's saviletech, and I could see the delegations I have for Savile Tech, I can see the role assignments, exactly the same way that the customer could see. So I get the same; I can see the principal ID, the group, the roles I have on them, and this is where, if I wanted to, because I have that role, I can manage this. I could, for example, go and, hey, if I don't want these anymore, I could go and remove particular customers from this. There are things around the activity log if I had that permission; no, this account doesn't have that. So I have all of these capabilities.

And if you really boil this down, if you think about what all of this really is, I mean, it's role-based access control. It's just I'm not seeing it in the portal, but what I'm doing is I'm giving groups from the service provider roles on scopes in the customer. That's it; it's really all this boils down to: groups given roles at customer scope. But what it's doing for me is, as the customer, I'm not worried about individual users; it's not clogging up my Azure AD. As a service provider, I manage the life cycle of who should have the various permissions, and I don't have to switch tenants to operate at the Azure Resource Manager control plane. So it's a phenomenal experience for me managing those multiple, multiple customers.

So I think about, well, this is Azure Lighthouse. So what does this cost? Nothing, it's free; there is no cost at all to use Azure Lighthouse. If I think about using this, I get this single pane of glass, I get a single sign-on, I don't have to change my context. From a best practices perspective: always use groups for the authorization, do not put users in there, because if someone leaves, someone joins, that's horrible; use groups. Plan this out in advance so I don't have to go and update the offer in the future. Really think about what I want to be able to offer my customer: okay, well, these are the different roles I would need, these are the different groups of people that would need the different roles, so I can make this a nice complete offer. I don't want to have to keep going back to them saying, oh sorry, can you redo this deployment please. So use groups, plan it through, make sure you get that Managed Services Registration Assignment Delete role, otherwise if you terminate that relationship I can't delete it; I'd have to go and ask the customer very nicely, please, please go and delete. So make sure you include that role in it.

In terms of some restrictions today (and this could change in the future): so remember, it's no custom roles, I cannot create a custom role with particular sets of permissions, it's only the ones that are in-box; I cannot be an Owner, so there's no Owner role, really Contributor is the highest role I can do; there is no data plane, so many resources today in Azure now have data plane role-based access control, I cannot do those, Lighthouse operates at the control plane; and I cannot cross environment. So if I think about what does that mean, remember there are multiple Azure environments, there's Azure commercial, there's Gov, China, Germany, etc. I cannot cross those. I cannot have this Azure AD tenant in commercial and try and manage my customer's Gov tenant, so that would not work today. But that's really it.

I mean, hopefully I kind of showed really how simple it was. It's literally create the template (use the ones at the samples), I just have to customize the parameter file for my tenant, my offer name and description, and then which authorizations I want: the security principals, which will be groups, and then the particular role IDs, which are standard for those. When I give it to the customer they would probably update the target with the particular resource group or subscriptions they want to give this set of permissions to, or maybe I'd work with them. They deploy it, and hey, now it just shows up for me through all of the regular Azure Resource Manager control plane interactions: portal (I don't have to switch tenant), template deployments, ARM JSON, Bicep, could be third parties, it doesn't matter, PowerShell, CLI, but I can operate across all of those without changing anything. As the customer, hey, I still get the full information in the activity log of the individual that actually performed the various actions, but I'm not clogging up my Azure AD with a bunch of guest users, I'm not having to add and remove guest users, it just doesn't show on there, but I get all of these capabilities.

And that's it. So as always, a lot of work goes into creating these, so please like, but outside of that, I hope this is useful. This is easy to go and play around with; you can create as many Azure AD tenants as you want, so even if you only have one test subscription, kind of what I was doing, I can create a second Azure AD tenant and modify that parameter file and try this stuff out. It's very easy to do, so go give it a go, and until next video, take care.
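Added example (editor's note, not part of the video or of Microsoft's Lighthouse samples): a small Python check a service provider can run over the onboarding parameter file before handing it to a customer. It encodes the practices described in the video: every authorization should name a group from the provider tenant (here approximated by an allowlist of group object IDs, since nothing offline can tell whether a GUID is a group or a user), the Managed Services Registration Assignment Delete Role must be present so the provider can remove itself later, Owner cannot be delegated, and custom role IDs are rejected because only built-in roles are supported. The parameter names (mspOfferName, mspOfferDescription, managedByTenantId, authorizations, rgName) follow the structure the video walks through; the tenant, group and user GUIDs are constructed placeholders, and rgName is an assumed name for the target resource group parameter. The four role definition IDs are the real, global Azure values.

```python
"""Lint an Azure Lighthouse onboarding parameter file (added example)."""
import uuid

# Built-in role definition IDs (real, global Azure values). The video grants
# Contributor (b249...) and the delete role (91c1...).
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
MSP_DELETE = "91c1777a-f3dc-4fae-b103-61d183457e46"  # Managed Services Registration Assignment Delete Role

# Small allowlist for this example; a real check would load the full built-in
# role list (for example from `az role definition list`).
BUILTIN_ROLES = {
    CONTRIBUTOR: "Contributor",
    READER: "Reader",
    OWNER: "Owner",
    MSP_DELETE: "Managed Services Registration Assignment Delete Role",
}

# Constructed placeholders (assumed values, not real tenants, groups or users).
PROVIDER_TENANT_ID = "c33c33c3-1111-4222-8333-444444444444"
LIGHTHOUSE_GROUP_ID = "f3cf3cf3-5555-4666-8777-888888888888"
SOME_USER_ID = "0a0a0a0a-9999-4aaa-8bbb-cccccccccccc"
PROVIDER_GROUPS = {LIGHTHOUSE_GROUP_ID}  # group object IDs in the provider tenant


def _is_guid(value):
    """True for a plain hyphenated GUID string (no braces, no urn: prefix)."""
    try:
        return str(uuid.UUID(str(value))).lower() == str(value).lower()
    except ValueError:
        return False


def lint_lighthouse_parameters(doc, provider_tenant_id, provider_groups):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    params = doc.get("parameters", {})
    groups = {g.lower() for g in provider_groups}

    def value(name):
        return params.get(name, {}).get("value")

    tenant = value("managedByTenantId")
    if not _is_guid(tenant):
        findings.append("managedByTenantId is not a GUID")
    elif tenant.lower() != provider_tenant_id.lower():
        findings.append("managedByTenantId is not the service provider's tenant")

    auths = value("authorizations") or []
    if not auths:
        findings.append("no authorizations: the offer grants nothing")

    seen = set()  # (principalId, roleDefinitionId) pairs already granted
    for i, auth in enumerate(auths):
        where = f"authorizations[{i}]"
        principal = str(auth.get("principalId", "")).lower()
        role = str(auth.get("roleDefinitionId", "")).lower()
        if not _is_guid(principal):
            findings.append(f"{where}: principalId is not a GUID")
        elif principal not in groups:
            findings.append(f"{where}: principalId {principal} is not a known group; delegate to groups, not users")
        if role not in BUILTIN_ROLES:
            findings.append(f"{where}: roleDefinitionId {role or '<missing>'} is not an allowlisted built-in role (custom roles are not supported)")
        elif role == OWNER:
            findings.append(f"{where}: Owner cannot be delegated through Lighthouse")
        if not auth.get("principalIdDisplayName"):
            findings.append(f"{where}: principalIdDisplayName is missing; it is the only name the customer sees")
        if (principal, role) in seen:
            findings.append(f"{where}: duplicate authorization")
        seen.add((principal, role))

    if MSP_DELETE not in {role for _, role in seen}:
        findings.append("no authorization grants the Managed Services Registration Assignment Delete Role; the provider could not remove itself later")
    return findings


def _parameter_file(authorizations):
    """Build a parameter file in the shape of the Lighthouse resource-group sample."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "mspOfferName": {"value": "OnboardToAzure managed services"},
            "mspOfferDescription": {"value": "Contributor management of delegated resource groups"},
            "managedByTenantId": {"value": PROVIDER_TENANT_ID},
            "authorizations": {"value": authorizations},
            "rgName": {"value": "rg-lh-delegate"},  # assumed parameter name for the target RG
        },
    }


# Constructed input: the shape the video recommends (group, Contributor + delete role).
GOOD_PARAMETERS = _parameter_file([
    {"principalId": LIGHTHOUSE_GROUP_ID, "principalIdDisplayName": "Lighthouse Contributor", "roleDefinitionId": CONTRIBUTOR},
    {"principalId": LIGHTHOUSE_GROUP_ID, "principalIdDisplayName": "Lighthouse Contributor", "roleDefinitionId": MSP_DELETE},
])

# Constructed input with everything the video warns against: a user, Owner,
# no display name, and no delete role.
BAD_PARAMETERS = _parameter_file([
    {"principalId": SOME_USER_ID, "roleDefinitionId": OWNER},
])

if __name__ == "__main__":
    for name, doc in (("good", GOOD_PARAMETERS), ("bad", BAD_PARAMETERS)):
        findings = lint_lighthouse_parameters(doc, PROVIDER_TENANT_ID, PROVIDER_GROUPS)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it as a script to see the good file pass and the bad file produce four findings (user principal, Owner, missing display name, missing delete role). Feed it a real parameter file by loading the JSON and passing your tenant ID and the set of group object IDs you intend to delegate to.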
Info
Channel: John Savill's Technical Training
Views: 39,826
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, service provider, management
Id: IrqkHOPFktM
Length: 35min 8sec (2108 seconds)
Published: Tue Apr 19 2022