Azure Lighthouse and the Cloud Solution Provider program
If you're a CSP (Cloud Solution Provider) partner, you can already access the Azure subscriptions created for your customers through the CSP program by using the Administer On Behalf Of (AOBO) functionality. This access allows you to directly support, configure, and manage your customers' subscriptions.
With Azure Lighthouse, you can use Azure delegated resource management along with AOBO. This helps improve security and reduces unnecessary access by enabling more granular permissions for your users. It also allows for greater efficiency and scalability, as your users can work across multiple customer subscriptions using a single login in your tenant.
Administer on Behalf of (AOBO)
With AOBO, any user with the Admin Agent role in your tenant will have AOBO access to Azure subscriptions that you create through the CSP program. Any users who need access to any customers' subscriptions must be a member of this group. AOBO doesn’t allow the flexibility to create distinct groups that work with different customers, or to enable different roles for groups or users.
Azure delegated resource management
Using Azure delegated resource management, you can assign different groups to different customers or roles, as shown in the following diagram. Because users will have the appropriate level of access through Azure delegated resource management, you can reduce the number of users who have the Admin Agent role (and thus have full AOBO access). This helps improve security by limiting unnecessary access to your customers’ resources. It also gives you more flexibility to manage multiple customers at scale.
Onboarding a subscription that you created through the CSP program follows the steps described in Onboard a subscription to Azure delegated resource management. Any user who has the Admin Agent role in your tenant can perform this onboarding.
The My customers page in the Azure portal now includes a Cloud Solution Provider (Preview) section, which displays billing info and resources for CSP customers who have signed the Microsoft Customer Agreement (MCA) and are under the Azure plan. For more info, see Get started with your Microsoft Partner Agreement billing account.
CSP customers may appear in this section whether or not they have also been onboarded for Azure delegated resource management. If they have, they'll also appear in the Customers section, as described in View and manage customers and delegated resources. Similarly, a CSP customer does not have to appear in the Cloud Solution Provider (Preview) section of My customers in order for you to onboard them for Azure delegated resource management.
- Learn about cross-tenant management experiences.
- Learn how to onboard a subscription to Azure delegated resource management.
- Learn about the Cloud Solution Provider program.