
How to integrate Privileged Identity Management with Azure Lighthouse

  • August 12, 2021
Nicolas is an IT Production Manager who focuses primarily on Microsoft technologies; he is a Microsoft MVP in Cloud and Datacenter Management.

Azure Lighthouse

One year ago, I wrote the following article explaining how to manage multiple Azure tenants with Azure Lighthouse: Azure Lighthouse is Microsoft's multitenant management solution for its managed service provider (MSP) partners, who oversee Azure services on behalf of their customers. Azure Lighthouse was released in 2019 and has become essential for day-to-day tasks. But what about security?

Today I am writing a new article about Azure Lighthouse and Azure Privileged Identity Management (PIM). A few weeks ago, Microsoft released a preview of this new feature. Its main goals are to add more security and to strengthen the trust relationship between MSPs and their customers.

What is Azure PIM?

Microsoft describes PIM with the following definition:

“Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization.”

When MSP engineers want to access a customer's resources, they have to activate an RBAC role such as:

  • Reader
  • Contributor
  • Policy Contributor

Azure Lighthouse with PIM can also require MSP users to complete MFA before they access the delegated resources.

The only prerequisite is an EMS E5 or Azure AD Premium P2 license, which must be held by the managing tenant.

Getting started

Let's see how to implement Azure Lighthouse with Azure PIM. In this guide, I will authorize two Azure AD groups: the first will have the “Reader” role and the second the “Contributor” role. This way I can add all engineers as readers so that they can only view the Azure resources. When they need to perform a technical task, such as creating a new virtual machine in the customer subscription, they have to activate the “Contributor” role.

Please note two things:

  1. You cannot delegate the Owner role.
  2. If you have already deployed Azure Lighthouse, you must use the same MSPOfferName so that the new deployment overrides the existing one.

Go to this link and download the following JSON files:

  • Subscription.json
  • Subscription.Parameters.json

In these files, you must replace the following values:

Then, run the following command to start the deployment (replace <region> with the Azure region in which the deployment metadata is stored; the template and parameter files are the two JSON files downloaded above):

New-AzDeployment -Name LighthousePIM -Location <region> -TemplateFile .\Subscription.json -TemplateParameterFile .\Subscription.Parameters.json

If you want to check the deployment, you can run the following command:
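Before running the deployment, the parameter file can be checked against the constraints stated in this article (no Owner delegation, MFA enforced on the eligible role, activation capped at 8 hours). The script below is an added example, not part of the original article or of Microsoft's templates; it assumes the Subscription.Parameters.json layout of the Lighthouse delegation templates (authorizations and eligibleAuthorizations entries, the latter with a justInTimeAccessPolicy) and uses constructed placeholder GUIDs for the tenant and groups.

```python
import json
import re
from datetime import timedelta

# Built-in Owner role definition ID (the same GUID in every tenant).
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
MAX_ACTIVATION = timedelta(hours=8)  # the 8-hour ceiling used for the Contributor role

def parse_iso_duration(value):
    """Parse the PTnHnM subset of ISO 8601 used by maximumActivationDuration; None if malformed."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", value or "")
    if not m or not (m.group(1) or m.group(2)):
        return None
    return timedelta(hours=int(m.group(1) or 0), minutes=int(m.group(2) or 0))

def check_delegation(params):
    """Return findings for a Lighthouse parameter file (permanent and eligible authorizations)."""
    findings = []
    values = params["parameters"]
    for a in values.get("authorizations", {}).get("value", []):
        if a["roleDefinitionId"].lower() == OWNER_ROLE_ID:
            findings.append(f"{a['principalIdDisplayName']}: Owner cannot be delegated")
    for e in values.get("eligibleAuthorizations", {}).get("value", []):
        name, policy = e["principalIdDisplayName"], e.get("justInTimeAccessPolicy", {})
        if e["roleDefinitionId"].lower() == OWNER_ROLE_ID:
            findings.append(f"{name}: Owner cannot be delegated")
        if policy.get("multiFactorAuthProvider") != "Azure":
            findings.append(f"{name}: eligible role does not require MFA")
        window = parse_iso_duration(policy.get("maximumActivationDuration"))
        if window is None or window > MAX_ACTIVATION:
            findings.append(f"{name}: activation window missing, invalid or above 8 hours")
    return findings

# Constructed sample parameter file (placeholder GUIDs, not a real tenant or group).
SAMPLE_PARAMETERS = json.loads("""{"parameters": {
  "mspOfferName": {"value": "MSP Lighthouse PIM offer"},
  "authorizations": {"value": [
    {"principalId": "11111111-1111-1111-1111-111111111111", "principalIdDisplayName": "MSP Engineers",
     "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"}]},
  "eligibleAuthorizations": {"value": [
    {"principalId": "22222222-2222-2222-2222-222222222222", "principalIdDisplayName": "MSP Operators",
     "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24f",
     "justInTimeAccessPolicy": {"multiFactorAuthProvider": "Azure", "maximumActivationDuration": "PT8H"}},
    {"principalId": "33333333-3333-3333-3333-333333333333", "principalIdDisplayName": "Contractors",
     "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24f",
     "justInTimeAccessPolicy": {"multiFactorAuthProvider": "None", "maximumActivationDuration": "PT24H"}}]}}}""")
```

Running check_delegation(SAMPLE_PARAMETERS) flags only the "Contractors" entry, which neither requires MFA nor stays within the 8-hour window; replace SAMPLE_PARAMETERS with json.load() of your own Subscription.Parameters.json to check a real file.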

If you go to the customer portal, you should see the following under service providers. The first entry is the Contributor role, which must be activated and lasts 8 hours at most; the second is the Reader role, which is permanent.

Customer portal

If I switch to the MSP tenant, I can see the eligible roles in the PIM section -> “Azure Resources” -> “My Roles”:

Azure Resources - My Roles

In this example, I activated the contributor role which can be deactivated; however, the reader role can’t be deactivated because the role is permanent.

After activating a role, the following notification is sent:
