MSP: The well-tempered Azure tenant – Part 2

This is part two of my series for managed service providers (MSPs) on running a well-tempered Azure tenant. In part 1 I explained how to set up your partner management tenant. Next on the agenda is migrating your clients to Azure Lighthouse under your delegated administration.

Since this is the phase in which the delegation of authority you need to manage your clients from your management tenant is established, it is also likely to be the longest post in the series.

Phase 2: Onboarding new customers

When it comes to onboarding, you can go one of two routes.

The first route is the Azure Marketplace, where you can publish your managed service offer, either publicly to anyone or as a private offer to specific customers.

To publish an offer this way you need to hold a Silver or Gold Cloud Platform competency as a partner and have access to the commercial marketplace.

The second route is to create a new ARM template from scratch using your offer information and delegated authorisations. This is far quicker and lets you onboard customers simply and, with the right tooling, even automatically.
This article focuses on the second option.

ARM template

What we need to decide here are the security groups and RBAC roles we want to authorise for access to our customers. As discussed in the first instalment of this series, you should by now have your groups created and your RBAC roles chosen.

These security groups must be delegated at either subscription or resource group level in each customer tenant. Azure Lighthouse does not currently support delegation at management group scope, so each subscription has to be onboarded individually.

Some customers may have more specific access needs, so you may need separate ARM templates for them, but in most cases a single generic template will serve everyone.

You can use the Azure portal to generate the ARM template with minimal effort and update it afterwards with whatever adjustments you need.

You will find this template generator in the “My customers” area of Azure Lighthouse in the Azure Portal.

In the first section you choose a name and description for the offer. These represent your MSP’s organisation and service offering and appear on the customer subscription under “Service providers” in Azure Lighthouse. In this example we delegate access to a full Azure subscription.

In the next section we set up our authorisations, which are the actual access delegations for our security groups. Depending on how fine-grained you want your delegations to be, you can add as many separate authorisations as you like.

For each authorisation it suffices to select the relevant security group from our management tenant and the required RBAC role. You can either assign this access permanently or make the group’s members eligible to activate it on demand; on-demand activation uses Privileged Identity Management and therefore has a specific licence requirement, namely Azure AD Premium P2.

As discussed in part 1 of this series, I recommend creating at least two security groups: one with “Contributor” access and one with read-only access.

I would also recommend adding the assignments shown below to your full-access/contributors group, as they allow you to deploy and manage Azure Policy, including the managed identities used for policy remediation tasks, on your customers’ subscriptions later on.

Be aware that you cannot give your own accounts the right to make RBAC changes in your customers’ tenants, because Azure Lighthouse does not yet support delegating the ‘Owner’ role. A separate ‘Owner’ account on the customer’s side is still required for that.

When you have finished adding your authorisations, the ARM template becomes available to view and download. Since it is just a JSON file, any edits can be made in any text editor; I suggest Visual Studio Code.

Aboard we go!

For successful client onboarding, this template must be deployed to every Azure subscription in the customer tenant. This can only be done with an account that holds an ‘Owner’ RBAC assignment on the subscription, because that is what is required to create the delegated authorisations.

The easiest way to do this is with PowerShell, either on your own device after first authenticating to the customer tenant with

    Connect-AzAccount

or by using Cloud Shell in the Azure Portal and uploading your ARM template there.

Select the Azure subscription where you wish to deploy your template.

Invoke Select-AzSubscription with the -SubscriptionId parameter:

    Select-AzSubscription -SubscriptionId "<subscriptionId>"

Then deploy the template, providing a deployment name, an Azure region and the filename of the ARM template:

    New-AzSubscriptionDeployment -Name "<deploymentName>" `
        -Location "<AzureRegion>" `
        -TemplateFile "<pathToTemplateFile>" `
        -Verbose

The deployment typically takes between 30 and 60 seconds.

Once the deployment finishes, you will have access to this Azure subscription.

A few points here:

  1. Remember that this step has to be performed for each customer subscription, so if your customer has more than one Azure subscription you need to select the subscription ID and run the deployment for each one.

  2. Any modification to your authorisations will require re-deploying the updated ARM template to all subscriptions of all customers, so it is important to plan this step carefully in advance.


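To tie the authorisation design from the template section together with the per-subscription deployment described above, here is an added PowerShell example; it is not the author’s template or script. It assumes you have downloaded the portal-generated template to lighthouse.json and that it exposes the standard parameters mspOfferName, mspOfferDescription, managedByTenantId and authorizations (an assumption about the generated file). The group object IDs, tenant ID and offer name are placeholders; the built-in role definition IDs are the fixed Azure values for Contributor, Reader and User Access Administrator. The third authorisation shows the documented Lighthouse pattern for policy remediation (User Access Administrator restricted with delegatedRoleDefinitionIds), which is my choice of illustration and not necessarily the author’s own list.

```powershell
# Added example (not from the original article): onboard every enabled subscription
# in a customer tenant to Azure Lighthouse from an Owner session.
# Placeholders (assumptions, not values from the article):
#   -ManagedByTenantId  tenant ID of the MSP management tenant
#   -ContributorGroupId object ID of the MSP "contributor" security group
#   -ReaderGroupId      object ID of the MSP "reader" security group
#   -TemplateFile       the template downloaded from the Lighthouse portal wizard
param(
    [Parameter(Mandatory)] [string] $ManagedByTenantId,
    [Parameter(Mandatory)] [string] $ContributorGroupId,
    [Parameter(Mandatory)] [string] $ReaderGroupId,
    [string] $TemplateFile = '.\lighthouse.json',
    [string] $Location     = 'westeurope'
)

# Built-in Azure role definition IDs (identical in every tenant).
$ContributorRole = 'b24988ac-6180-42a0-ab88-20f7382dd24c'
$ReaderRole      = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
$UserAccessAdmin = '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'

# Authorizations array in the shape expected by Microsoft.ManagedServices/registrationDefinitions.
$authorizations = @(
    @{ principalId            = $ContributorGroupId
       principalIdDisplayName = 'MSP Contributors'
       roleDefinitionId       = $ContributorRole },
    @{ principalId            = $ReaderGroupId
       principalIdDisplayName = 'MSP Readers'
       roleDefinitionId       = $ReaderRole },
    # User Access Administrator limited by delegatedRoleDefinitionIds: the group may only
    # assign Contributor (e.g. to a policy remediation managed identity), never Owner or
    # User Access Administrator itself. Least privilege for the role-assignment right.
    @{ principalId                = $ContributorGroupId
       principalIdDisplayName     = 'MSP Contributors (policy remediation role assignment)'
       roleDefinitionId           = $UserAccessAdmin
       delegatedRoleDefinitionIds = @($ContributorRole) }
)

# Sign in to the *customer* tenant with an account holding Owner on each subscription.
Connect-AzAccount | Out-Null

$results = foreach ($sub in Get-AzSubscription | Where-Object State -eq 'Enabled') {
    # Lighthouse delegates per subscription, so switch context and deploy once per subscription.
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    $deployment = New-AzSubscriptionDeployment `
        -Name "lighthouse-$(Get-Date -Format 'yyyyMMddHHmm')" `
        -Location $Location `
        -TemplateFile $TemplateFile `
        -TemplateParameterObject @{
            mspOfferName        = 'Contoso MSP managed services'            # placeholder offer name
            mspOfferDescription = 'Delegated administration via Azure Lighthouse'
            managedByTenantId   = $ManagedByTenantId
            authorizations      = $authorizations
        } `
        -Verbose

    # Record the outcome so a failed subscription is not silently skipped.
    [pscustomobject]@{
        Subscription = $sub.Name
        Id           = $sub.Id
        State        = $deployment.ProvisioningState
    }
}

$results | Format-Table -AutoSize

# Anything not 'Succeeded' needs attention before you hand the subscription to the management tenant.
$failed = $results | Where-Object State -ne 'Succeeded'
if ($failed) { Write-Warning "Deployment failed for $($failed.Count) subscription(s)." }
```

Re-running the script with a changed $authorizations array is also how you roll out an authorisation change to every subscription, which is the second point in the list above. Once the deployments have succeeded, sign in to the management tenant and the delegated subscriptions will be listed by Get-AzSubscription alongside your own.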
Accessing your delegated customer resources

With your clients onboarded, you will notice these delegated tenants and subscriptions are now available in the subscription filter of your management tenant.