Azure delegated resource management
Azure delegated resource management is one of the key components of Azure Lighthouse. With Azure delegated resource management, service providers can simplify customer engagement and onboarding experiences, while managing delegated resources at scale with agility and precision.
What is Azure delegated resource management?
Azure delegated resource management enables logical projection of resources from one tenant onto another tenant. This lets authorized users in one Azure Active Directory (Azure AD) tenant perform management operations across different Azure AD tenants belonging to their customers. Service providers can sign in to their own Azure AD tenant and have authorization to work in delegated customer subscriptions and resource groups. This lets them perform management operations on behalf of their customers, without having to sign in to each individual customer tenant.
Azure delegated resource management can also be used within an enterprise which has multiple Azure AD tenants of its own to simplify cross-tenant management.
With Azure delegated resource management, authorized users can work directly in the context of a customer subscription without having an account in that customer's tenant or being a co-owner of the customer's tenant. They can also view and manage all delegated customer subscriptions in the new My customers page in the Azure portal.
The cross-tenant management experience helps you work more efficiently with Azure management services like Azure Policy, Azure Security Center, and more. All service provider activity is tracked in the activity log, which is stored in the customer's tenant (and can be viewed by users in the managing tenant). This means that both the customer and service provider can easily identify the user associated with any changes.
When you onboard a customer to Azure delegated resource management, they'll have access to the Service providers page in the Azure portal, where they can confirm and manage their offers, service providers, and delegated resources. If the customer ever wants to revoke access for a service provider, they can do so here at any time.
You can publish the new Managed Service offer type to Azure Marketplace to easily onboard customers to Azure delegated resource management. Alternatively, you can complete the onboarding process by deploying Azure Resource Manager templates.
How Azure delegated resource management works
At a high level, here's how Azure delegated resource management works:
- As a service provider, you identify the access (roles) that your groups, service principals, or users will need to manage the customer's Azure resources. The access definition contains the service provider's tenant ID along with the required access for the offer, defined using principalId identities from your tenant mapped to built-in roleDefinition values (Contributor, VM Contributor, Reader, etc.).
- You specify this access and onboard the customer to Azure delegated resource management in one of two ways:
- Publish an Azure Marketplace managed service offer (private or public) that the customer will accept
- Deploy an Azure Resource Manager template to the customer's tenant for one or more specific subscriptions or resource groups
- Once the customer has been onboarded, authorized users can sign in to your service provider tenant and perform management tasks at the given customer scope, based on the access that you defined.
You can manage delegated resources that are located in different regions. However, delegation of subscriptions across a national cloud and the Azure public cloud, or across two separate national clouds, isn't supported.
Support for Azure delegated resource management
If you need help related to Azure delegated resource management, you can open a support request in the Azure portal. For Issue type, choose Technical. Select a subscription, then select Lighthouse (under Monitoring & Management).