Microsoft Azure – View Delegated Roles in Azure Lighthouse
In this article we will learn how to view delegated resource groups in Azure Lighthouse in the Azure Portal. In the article, you will learn how to view delegated resource groups and subscriptions in Azure Lighthouse and also get an introduction to the Azure Lighthouse’s integration with Azure Active Directory privileged identity management.
Let’s head over to the Azure Portal to get started. . So if you haven’t used Azure Lighthouse before, you can search for Azure Lighthouse in the global search, and then once you have used it, you will find it in the list of recently used services the next time you go there. So, clicking on it navigates you to the Azure Lighthouse landing page.
So, Azure Lighthouse allows customers to delegate their resource groups and subscriptions to service providers who can perform additional management tasks on them based on roles that have been assigned to them.
So to view the delegations assigned to your resource providers, you click on the view service provider button. And you are relegated to the service provider overview page. So on this page, to view your delegations, you can either click on delegations on the left or you can click on the view delegations button below.
So on the delegations blade, Azure groups your resource groups and subscriptions under the different service providers that you’re working with. So, let’s click on one of the role assignments to view the details. Over here, you can see the details of the role assignment. Azure shows you the description of the offer of what the service provider will be giving you, and Azure also shows you the subscription that you have delegated to them.
Now, head over to the role assignments tab to view details of the role assignments. So, on this tab, it shows on Tier 1 support, which is a group that consists of many members. So, all the members in this group will have access to the list of roles on this page. So, for example, the reader role allows the service providers to view all resources but does not allow them to make any changes, whereas the contributor role grants them full access to manage all resources but does not allow them to assign roles in Azure RBAC, manage assignments in Azure Blueprint, or share image galleries.
Azure also shows you the different access types in Azure Lighthouse. Azure has permanent roles and eligible roles. Originally, Azure Lighthouse only supported permanent roles, but with the integration with Azure Active Directory privileged identity management, Azure is also supporting eligible roles. Eligible roles have many benefits that permanent roles do not have. Eligible roles are activated just on a just-in-time basis. Azure has a maximum activation duration of eight hours.
You can require your service provider to use multifactor authentication in Azure and then once the role expires, they can reactivate. They can also require that the eligible roles have an approver workflow associated or not.
So if you click on this approver link, Azure shows you the list, the details of the approvers for this delegation. So, essentially, the integration of Azure Active Directory privileged identity management with Azure Lighthouse aligns with the Zero Trust security strategy, which uses the principle of least privilege and it adds an extra layer of security when others are accessing your environment.
Hence, this is how you can view delegated resource groups in Azure Lighthouse in the Azure Portal.
Please Login to comment...