Azure Management Groups for subscriptions under another Tenant

bsonnek 51 Reputation points
2021-10-08T14:35:09.197+00:00

We are trying to find a way to govern CSP subscriptions we provide to our customers. We are looking for a definitive answer as to whether this is possible or not.

After we provide the CSP subscription to our customer, we join the subscription to our Azure Lighthouse tenant to manage. The ultimate goal here is to apply policy to all subscriptions from our Lighthouse tenant.

Can we add an Azure Subscription from "Tenant A", to an Azure Management Group in Tenant B, if the subscription has a service provider delegation using Azure Lighthouse to Tenant B?

We created the management groups in our Azure Lighthouse tenant, but we are not able to see the subscriptions under the management groups.

Thanks in advance!


Accepted answer
  1. Niels Ophey 86 Reputation points Microsoft Employee
    2021-10-12T07:55:14.323+00:00

    Hi Blair,

    You are not able to move a subscription for this purpose into another tenant - using Lighthouse, the delegated resources (subscriptions, resource groups) will stay in the original tenant. Otherwise, there will be big trouble around Identity and Access Management.

    The other important aspect is that the managed subscription or resource group is also in the context of any cloud governance at the customer tenant - so all policies from the original would not be able to work anymore if you move them.

    What you as a CSP can do: during the onboarding of the subscription you should deploy the policies to the customer tenant and then assign them in the customer tenant using any infra-as-code solution. You can look at our enterprise scale reference implementation, where we use a pipeline with "azops" to assign policies to different scopes.

    I hope this helps you get in the right direction.

    Best
    Niels

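Because a management group in the managing tenant cannot contain the customer's subscriptions, the same policy has to be assigned once per delegated subscription, inside the customer tenant. The Azure CLI sketch below is an added example, not part of the original thread and not the "azops" pipeline the answer mentions. It assumes the CLI is signed in to the managing tenant, that the Lighthouse delegation grants a role allowed to write policy assignments, and that the policy passed in is a built-in definition or one already deployed to each customer subscription; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical.

# Print the IDs of enabled subscriptions whose home tenant differs from the
# signed-in tenant, i.e. customer subscriptions reached through delegation.
delegated_subscription_ids() {
  az account list \
    --query "[?homeTenantId != tenantId && state == 'Enabled'].id" \
    --output tsv
}

# Assign one policy definition at every delegated subscription scope.
#   $1 = assignment name
#   $2 = policy definition name or resource ID (caller supplies it)
# Keeps going after a failure and returns 1 if any assignment failed, so a
# pipeline run flags customers that did not receive the policy.
assign_policy_to_delegated() {
  local name="$1" policy="$2" ids sub failed=0
  if [ -z "$name" ] || [ -z "$policy" ]; then
    echo "usage: assign_policy_to_delegated <assignment-name> <policy>" >&2
    return 2
  fi
  ids=$(delegated_subscription_ids) || return 1
  # Subscription IDs are GUIDs, so word splitting on whitespace is safe here.
  for sub in $ids; do
    if az policy assignment create \
         --name "$name" \
         --policy "$policy" \
         --scope "/subscriptions/$sub" \
         --output none; then
      echo "assigned $name on $sub"
    else
      echo "FAILED $name on $sub" >&2
      failed=1
    fi
  done
  return "$failed"
}

# Example call (placeholder arguments):
#   assign_policy_to_delegated "<assignment-name>" "<policy-definition>"
```

Each assignment created this way is a resource in the customer's subscription, so it stays under the customer tenant's own governance as the answer describes.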