Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Azure Lighthouse

With Microsoft Azure Lighthouse, service providers can now manage and operate customers’ Azure resources at scale with higher automation and visibility, from within their own context. These foundational management capabilities, built comprehensively throughout the Azure platform, allow you to focus on your core expertise and set you on a more profitable path.

Documentation: https://docs.microsoft.com/azure/lighthouse


  1. Allow Lighthouse tenants to be added to an Azure Management Group

    Currently if you have a management group you can't add Lighthouse tenants (subscriptions) into the management group (like you can if you have multiple subscriptions you manage).

    Since you also can't have definitions/initiatives stored in your management tenant (definition location) assigned to your Lighthouse tenants it makes policy management a nightmare. You have to have definitions/policies duplicated into each tenant (thus Lighthouse not solving the current problem).

    If you could add Lighthouse tenants to a management group you could use that management group as the definition location and assign policies to that management group and/or tenant subscription beneath the management…

    44 votes

    3 comments
  2. Cross-Tenant Update Management

    It would be great to have a solution where all the VM could be linked to a Log Analytics workspace located at the customer side. But we do have the ability to manage the update cross tenant.

    5 votes

    0 comments
  3. Allow Cost Management for CSP Tenants in Managing tenant

    Currently, Cost Management for CSP tenants is not visible to the managing tenant. It would be nice if there were a way to allow the managing tenant billing access.

    61 votes

    9 comments
  4. Allow alerts to be set at the managing subscription

    At the moment alerts with an action need to be set at the customer subscription, which forces the repetition of a lot of alerts across the subscriptions. If one alert is updated we need to update all environments. From a management perspective it would be nice to create an alert in the management subscription that uses a query that checks the customer subscriptions.

    8 votes

    0 comments
  5. Allow service provider Azure AD Security Group (already used by Azure Lighthouse) to be nested in customer tenant security groups

    Scenario: Many Azure Sentinel incidents arise from data connectors to Microsoft security services like Defender for Endpoint. Properly investigating such an incident requires the SOC analyst to pivot to the customer tenant’s Microsoft Defender Security Center portal (https://securitycenter.microsoft.com). Remediation actions such as isolating a computer then require a pivot to Microsoft Endpoint Manager (MEM) admin center (https://endpoint.microsoft.com).

    Background: With Azure Lighthouse, MSSP service providers can access Azure Sentinel workspaces using ARM-based delegations. A security group in the service provider’s Azure AD tenant is trusted by customer Azure ARM-based resources like Azure Sentinel for access generally at…

    3 votes

    0 comments
  6. Log Analytics for all tenants

    Currently Lighthouse allows you to run the Log Analytics workspace against multiple subscriptions if you scope queries by hand.

    It would be good from an MSP point of view if you could have a dynamic scope or * on queries to allow the creation of central views/dashboards etc. which automatically cover "all" tenants both now and in the future without having to rewrite queries.

    21 votes

    2 comments
  7. Allow for assignment of Lighthouse at the management group level

    Where we manage multiple subscriptions it would be much easier to assign Lighthouse at a management group level. When new subscriptions are added to the management group level they are automatically enrolled into the Lighthouse policy.

    76 votes

    2 comments
  8. Add support for Azure Key Vault with Lighthouse

    At the moment, you cannot add your Lighthouse-enabled groups to Azure Key Vault in a customer's subscription. So now we would need to have accounts in a customer's subscription, which we just stopped needing due to Lighthouse.

    30 votes

    3 comments
  9. Automatically refresh Alerts on interval basis and keep filters in Monitor -> Alerts

    We are managing multiple customers with Azure Lighthouse. We also make use of the Alerts overview in Azure Monitor to follow up on alerts generated for those multiple customers.

    We would really appreciate it if it were possible to perform automatic refreshes on an interval basis (i.e. every 5 minutes), and also to keep the filters on the overview when automatically refreshing the alerts.

    This makes monitoring more efficient for our managed services department.

    38 votes

    4 comments
  10. Add support for Custom roles

    As a service provider we would love to deploy resources through Azure Lighthouse. Since we also make use of Resource Locks (which is an authorization action), we cannot set a lock since there is no built-in role that includes the Microsoft.Authorization/locks/* action. If we could delegate a custom role with Lighthouse we could do this easily.

    70 votes

    3 comments
  11. Allow custom naming in Lighthouse "My customers" view.

    Current customer view in provider's Lighthouse shows Azure customer name and id. A provider specific name or id column would help identify customers in the provider's nomenclature.

    8 votes

    1 comment
  12. Allow export My Customer - Delegations list

    We need to export the My customers - Delegations list. It cannot be exported now.

    1 vote

    0 comments
  13. Allow delegate also for roles owner and user access administration

    As a service provider we are fully managing customer subscriptions including access management. Azure Lighthouse is much better than the 'Guest' mechanism we were using before as we can manage access to customer subscriptions in a central place.

    Currently the roles 'Owner' and 'User Access management' are excluded from delegated resource management. Without these roles we still have to fall back to the 'Guest' mechanism, CSP roles or accounts in the customer tenant for user access administration.

    Allow 'Owner' and 'User Access Administrator' as roles to be delegated.

    117 votes

    5 comments
  14. Extend Lighthouse to include customer O365 co-administration

    Lighthouse doesn't itself provide a means to perform delegated admin functions in the customer O365 subscription. Azure AD and O365 admin activities (such as admin on O365 groups, or making a mailbox a shared mailbox) are in scope for a comprehensive office automation service provider offering. Perhaps an 'O365 Lighthouse' stack that parallels Azure Lighthouse in marketplace and PowerShell/JSON-based admin.

    113 votes

    9 comments
  15. Being able to remove a delegated subscription that has been removed

    First off, I know there is the "Managed Services Registration Assignment Delete Role", but I have seen on several occasions that subscriptions get disabled or removed without Lighthouse being removed first. So then you first have to do the song and dance to enable it, then actually remove the delegation from the customer subscription, and next disable it again.

    So: We would love it if the managing tenant was able to remove a delegation from their side without needing rights in the customer subscription in the case that the managed subscription is disabled or removed.

    9 votes

    0 comments
  16. Grant access to Kudu services (Advanced Tools/ Logging) for delegated Contributors

    Users that have delegated Contributor (via Lighthouse) rights cannot log in to Kudu services directly. It would be a far better user experience if these users can access the Kudu services from the Azure Portal instead of the workaround we now have to apply: log in via /basicauth with App Credentials.

    3 votes

    1 comment
  17. Allow delegations at Management Group level

    We need to delegate the Management Group owner role. We would like to create management groups, then move the ownership to a central security service which can set policies at this level. The clients remain subscription owners of most of the subscriptions, except one for each management group where we set up the security tooling.

    13 votes

    0 comments
  18. Include Azure-AD delegation

    Currently it's only possible to delegate subscriptions or resource groups, but this means we cannot manage our customers' Azure services, such as Azure AD, Intune and Office365. So we still need an Admin account in the customer's tenant. It would be of big help if Lighthouse could include the delegation to the whole tenant level.

    7 votes

    1 comment
  19. Being able to onboard subscriptions on the same tenant

    Hi,

    My company (Energy company) has a lot of subsidiaries all over the world.

    Currently we have 200 subscriptions and 40 other legacy Azure AD tenants.

    We are looking at Azure Lighthouse to manage all subscriptions efficiently from the group legacy Azure AD tenant.

    In the group at the “Corp” level we have a team/entity that wants to be able to manage all group subscriptions (Policies, Azure Monitor, audit, etc.) in a centralized way.

    Today it’s possible to onboard subscriptions from other tenants but it’s not possible to onboard subscriptions from the same tenant.

    We have the group tenant…

    1 vote

    0 comments
  20. Provide support for service provider name fidelity in customer logs

    When a customer has delegated an Azure subscription to their service provider, the object ID of the service provider user appears in customer logs in these fields: AccountCustomEntity, UserDisplayName, and UserPrincipalName. For example, when Sentinel alerts on the built-in rule "Failed login attempts to Azure Portal", when the subject of the alert is a delegated service provider user, the customer sees a GUID ObjectId rather than a person's name.

    3 votes

    0 comments