Azure Lighthouse

One year ago, I wrote an article explaining how to manage multiple Azure tenants with Azure Lighthouse. Azure Lighthouse is Microsoft’s multitenant management solution for its managed service provider (MSP) partners, who oversee Azure services on behalf of their customers. It was released in 2019 and quickly became essential for day-to-day tasks. But what about security?

Today, I am writing a new article about Azure Lighthouse combined with Azure Privileged Identity Management (PIM). A few weeks ago, Microsoft released a preview of this new feature. Its main goals are to add more security and to strengthen the trust relationship between MSPs and customers.

What is Azure PIM?

Microsoft describes PIM with the following definition:

“Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization”.

When an MSP wants to access a customer’s resources, its users will first have to activate an RBAC role such as:

  • Reader
  • Contributor
  • Policy Contributor

Azure Lighthouse with PIM can also force MSP users to complete MFA before they access the customer’s resources.


The only prerequisite is an EMS E5 or Azure AD Premium P2 license, which must be held by the managing tenant.

Getting started

Let’s see how to implement Azure Lighthouse with Azure PIM. In this guide, I will authorize two Azure AD groups. The first one will have the “Reader” role and the second one will have the “Contributor” role. This way, I can add all the engineers as readers so that they can only view the Azure resources. When they need to perform a technical task, such as creating a new virtual machine in the customer subscription, they will have to activate the “Contributor” role.

Please note two things:

  1. You cannot delegate the Owner role.
  2. If you have already deployed Azure Lighthouse, you must use the same MSPOfferName to override the existing deployment.

Go to this link and download the following JSON files:

  • Subscription.json
  • Subscription.Parameters.json

In these files, you must replace the following values:

Then, run the following command to start the deployment:

New-AzDeployment -Name LighthousePIM -Location <location> -TemplateFile .\Subscription.json -TemplateParameterFile .\Subscription.Parameters.json

If you want to check the deployment, you can run the following command:
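As an added example that is not part of the original post, the following PowerShell script puts the whole procedure together: it builds the Subscription.Parameters.json file with a permanent Reader group and a PIM-eligible Contributor group (MFA required, 8 hours maximum activation), runs the subscription-scope deployment from the customer subscription, and then checks the deployment and the resulting Lighthouse registration. The parameter names (mspOfferName, managedByTenantId, authorizations, eligibleAuthorizations, justInTimeAccessPolicy) follow Microsoft’s published Lighthouse sample templates and must be checked against the Subscription.json you downloaded; all tenant, group and subscription GUIDs are constructed placeholders, and the script assumes the Az.Resources and Az.ManagedServices modules are installed.

```powershell
# Added example (not from the original post). Parameter names are assumed to
# match Microsoft's published Lighthouse sample templates; verify them against
# the downloaded Subscription.json. GUIDs below are constructed placeholders,
# except the two built-in Azure RBAC role definition IDs.

# --- Values to adapt (constructed placeholders) ---
$mspTenantId        = '00000000-0000-0000-0000-000000000001'   # managing (MSP) tenant ID
$readerGroupId      = '00000000-0000-0000-0000-000000000002'   # Azure AD group: permanent Reader
$contributorGroupId = '00000000-0000-0000-0000-000000000003'   # Azure AD group: eligible Contributor
$customerSubId      = '00000000-0000-0000-0000-000000000004'   # customer subscription to delegate
$mspOfferName       = 'LighthousePIM'   # reuse the existing MSPOfferName if Lighthouse is already deployed
$location           = 'westeurope'      # deployment metadata location, adapt as needed

# Built-in Azure RBAC role definition IDs (well-known values, not page-specific)
$readerRoleId      = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
$contributorRoleId = 'b24988ac-6180-42a0-ab88-20f7382dd24c'

$parameters = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#'
    contentVersion = '1.0.0.0'
    parameters     = @{
        mspOfferName        = @{ value = $mspOfferName }
        mspOfferDescription = @{ value = 'Managed services with PIM-eligible Contributor' }
        managedByTenantId   = @{ value = $mspTenantId }
        # Permanent role: engineers can always view the customer's resources
        authorizations      = @{ value = @(
            @{
                principalId            = $readerGroupId
                principalIdDisplayName = 'MSP Engineers (Reader)'
                roleDefinitionId       = $readerRoleId
            }
        ) }
        # Eligible role: Contributor must be activated through PIM,
        # requires MFA, and is limited to 8 hours per activation
        eligibleAuthorizations = @{ value = @(
            @{
                principalId            = $contributorGroupId
                principalIdDisplayName = 'MSP Engineers (Contributor)'
                roleDefinitionId       = $contributorRoleId
                justInTimeAccessPolicy = @{
                    multiFactorAuthProvider   = 'Azure'
                    maximumActivationDuration = 'PT8H'
                }
            }
        ) }
    }
}
$parameters | ConvertTo-Json -Depth 10 | Set-Content -Path .\Subscription.Parameters.json

# Deploy at subscription scope while connected to the CUSTOMER tenant
Connect-AzAccount
Set-AzContext -Subscription $customerSubId
New-AzDeployment -Name $mspOfferName -Location $location `
    -TemplateFile .\Subscription.json `
    -TemplateParameterFile .\Subscription.Parameters.json

# Check the deployment state, then the Lighthouse registration it created
(Get-AzDeployment -Name $mspOfferName).ProvisioningState
Get-AzManagedServicesDefinition | Format-List
Get-AzManagedServicesAssignment | Format-List
```

The security-relevant part is the split between the two arrays: anything under authorizations is granted permanently, while anything under eligibleAuthorizations only becomes active after a PIM activation in the MSP tenant, so Contributor (and any other write role) belongs in the second list. If the deployment succeeds but no definition or assignment is listed, check that you are in the customer subscription and not the MSP tenant.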

If you go to the customer portal, you should see the following under Service providers. The first entry is the Contributor role, which must be activated and lasts 8 hours maximum; the second entry is the Reader role, which is permanent.

Customer portal

If I switch to the MSP tenant, I can see the eligible roles in the PIM section -> “Azure Resources” -> “My Roles”:

Azure Resources - My Roles

In this example, I activated the Contributor role, which can be deactivated; the Reader role, however, cannot be deactivated because it is permanent.


After activating a role, the following notification will be sent:


Nicolas Prigent
Nicolas Prigent works as an IT Production Manager, based in Paris, with a primary focus on Microsoft technologies. Nicolas is a three-time Microsoft MVP in Cloud and Datacenter Management with 10 years’ experience in administering Windows products. He also received the "PowerShell Heroes 2016" award.