Managed Services Provider

If you work for a Managed Services Provider, you have to switch between multiple browsers in order to manage all the Azure resources for your customers. Microsoft solved this problem by releasing Azure Lighthouse. Azure Lighthouse enables you to see and manage Azure resources from different tenants in a single console, which will save you time! On top of that, your customers can see the delegated permissions in real time from their own console.

How does Azure Lighthouse work?

Microsoft published the following Azure Resource Manager template that will help you to enable Azure Lighthouse in your tenant. First, you have to collect some information:
1. Your tenant ID, also called the Directory ID, found under Azure Active Directory on the Properties blade.
2. The principal ID and the principal ID Display Name of the following groups:

– A “Contributors” group that you must create in your Azure AD

– A “Readers” group that you must create in your Azure AD

To get this information, run the following command:

3. The Role Definition: Decide which built-in roles match your access needs. For instance, I selected the Reader and Contributor roles.

You can also get these IDs from this link:

Note that the Owner role can’t be delegated as explained in the documentation: “All built-in roles are currently supported with Azure delegated resource management except for Owner”

4. Azure Resource Manager Template: you can download the following JSON files

5. Edit the parameters file and replace with the collected information:
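
A pre-deployment check of the edited parameters file, added here as an example and not part of the original post: it confirms the tenant and principal IDs are well-formed GUIDs and that no authorization requests Owner, which cannot be delegated. The parameter names are assumed to follow the layout of Microsoft's sample parameters file, and the tenant and principal GUIDs are constructed placeholders.

```powershell
# Added example: offline check of a Lighthouse parameters file before deployment.
# Constructed sample data; only the role definition IDs are real (built-in roles).
$parametersJson = @'
{
  "parameters": {
    "managedByTenantId": { "value": "11111111-1111-1111-1111-111111111111" },
    "authorizations": { "value": [
      { "principalId": "22222222-2222-2222-2222-222222222222", "principalIdDisplayName": "Contributors",
        "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c" },
      { "principalId": "33333333-3333-3333-3333-333333333333", "principalIdDisplayName": "Readers",
        "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7" }
    ] }
  }
}
'@

# Built-in role definition IDs are identical in every tenant.
$builtInRoles = @{
    'acdd72a7-3385-48ef-bd42-f606fba81ae7' = 'Reader'
    'b24988ac-6180-42a0-ab88-20f7382dd24c' = 'Contributor'
    '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' = 'Owner'
}

function Test-LighthouseParameters {
    param([Parameter(Mandatory)][string]$Json)
    $p = (ConvertFrom-Json -InputObject $Json).parameters
    $problems = @()
    $guid = [guid]::Empty

    if (-not [guid]::TryParse($p.managedByTenantId.value, [ref]$guid)) {
        $problems += 'managedByTenantId is not a GUID'
    }
    foreach ($a in $p.authorizations.value) {
        $who = $a.principalIdDisplayName
        if (-not [guid]::TryParse($a.principalId, [ref]$guid)) {
            $problems += "[$who] principalId is not a GUID"
        }
        $role = $builtInRoles[[string]$a.roleDefinitionId]
        if ($role -eq 'Owner') {
            $problems += "[$who] Owner cannot be delegated"
        } elseif (-not $role) {
            $problems += "[$who] role $($a.roleDefinitionId) is not in the reviewed list"
        }
    }
    return $problems
}

$issues = @(Test-LighthouseParameters -Json $parametersJson)
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Parameters file looks consistent.' }
```

To check a real file, pass `(Get-Content -Raw <path to your parameters file>)` as `-Json` and add any other built-in roles you have approved to `$builtInRoles`.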

We can now deploy the ARM template. The deployment must be done by an account that has the built-in Owner role for the subscription being onboarded. So log in to the customer subscription using the Connect-AzAccount cmdlet and then run the following command:

Here is the command line:

Here is the output:


The deployment is done. You can check in the customer Azure Portal that your deployment is complete.

In the customer tenant, search for “Service Providers” in the search bar:

You can confirm that your tenant has been added as a service provider.

If you click on the delegation, you can see both Azure AD groups that you assigned for this deployment.

Now switch to your Azure tenant, and search for “my customers”:

In the customers blade, you can see your customer with some basic information.

Click on the customer in order to open a new blade. This blade will display the customer's Azure resources. Depending on the role you assigned to your account, you will be able to manage or read the resources from your Azure tenant.

You can manage all the services from this console, such as Azure Backup, Azure Automation, Azure Compute, Azure Network, …

Thanks to Azure Lighthouse, we can easily see and manage the customers' Azure resources from a single console. You will save a lot of time!

Nicolas Prigent
Nicolas Prigent works as an IT Production Manager, based in Paris, with a primary focus on Microsoft technologies. Nicolas is a three-time Microsoft MVP in Cloud and Datacenter Management with 10 years experience in administering Windows products. He also received the "PowerShell Heroes 2016" Award.