Extending Azure Resource Manager with delegated resource management
Today, Erin Chapple, Corporate Vice President, Microsoft Azure, announced the general availability of Azure Lighthouse, a single control plane for service providers to view and manage Azure across all their customers. Inspired by Azure partners who continue to incorporate infrastructure-as-code and automation into their managed service practices, Azure Lighthouse introduces a new delegated resource concept that simplifies cross-tenant governance and operations.
Granular access, better automation, and simplified customer onboarding
Powering Azure Lighthouse is an Azure Resource Manager capability called delegated resource management. Delegated resource management lets customers delegate permissions to service providers over scopes, including subscriptions, resource groups, and individual resources, which enables service providers to perform management operations on their behalf. After customers delegate resources to a service provider, the provider can grant access to users or accounts in the provider’s tenant within the constraints specified by the customer, using the standard role-based access control (RBAC) mechanisms. Those RBAC mechanisms work as if the customer’s resources were resources in the provider’s own subscriptions. Finally, delegated resource management works consistently regardless of the licensing construct service providers and their customers might choose: enterprise agreement (EA), cloud solution provider (CSP), or pay-as-you-go.
“Azure delegated resource management enables Nordcloud customers to easily provide secure access. It simplifies onboarding new managed services customers, ensuring our high security and compliance standards are met.”
Ilja Summala, Group CTO, Nordcloud
Cross-tenant management at scale, with enhanced visibility and governance
Delegated resource management uniquely supports the management-at-scale and automation patterns of service providers, whether those providers are managed services partners acting on behalf of customers or the central IT teams of enterprises with multiple Azure tenants. Partners can now manage tens of thousands of resources from thousands of distinct customers from their own Azure portal or CLI context. Because customer resources are visible to service providers as Azure resources in their own tenant, service providers can easily automate status monitoring and apply create, read, update, and delete (CRUD) operations across the resources of many customers from a single location.
Everything relevant to Azure resource management, from the Azure portal to services such as Azure Policy, Resource Graph, the Log Analytics feature of Azure Monitor, and Update Management, honors delegated resource management. What’s more, both customers and service providers can see who took actions on the resources from the activity log, increasing accountability for both parties while protecting the privacy of individual service provider identities. That’s because the newly built resource provider, Microsoft Managed Services, enables Azure services to determine whether a call was made from a resource’s home tenant or from a service provider’s tenant.
Our partners have several options for how they use these new capabilities. Since the Azure Lighthouse portal experiences have corresponding APIs (PowerShell, Azure CLI, REST APIs, and client SDKs), it’s easy to integrate them into other cloud management portals, ITSM tools, or monitoring tools.
How our partners use Azure Lighthouse
Examples from two of our expert partners, Rackspace and Sentia, highlight the power of Azure Lighthouse and delegated resource management:
Rackspace is enhancing security and response capabilities using Azure Lighthouse in three steps:
- Utilizing Azure Resource Graph and cross-tenant queries to quickly detect which customers have impacted images or hosts deployed
- Applying an in-guest audit policy across all customers’ managed estates to verify host settings relating to impact/vulnerability
- Using update management to report on impacted systems and schedule targeted hot fixes
Sentia pivoted its CI/CD pipeline to use declarative Azure Resource Manager templates for provisioning management artifacts across all customers who are under the Azure CSP licensing construct. Sentia’s managed services offer is now 90 percent based on Resource Manager templates, which simplifies deployments dramatically, automating monitoring, governance, and management tasks at scale, across customers.
Continued Azure Resource Manager investments for our partners
Azure Lighthouse and delegated resource management are just the latest of the platform investments we continue to make for our partners. Together with Azure managed applications and custom providers, they enable comprehensive management-at-scale capability for partners and customers. To hear more, watch my demo at Microsoft Build 2019. Some of the other management innovations we’ve made include the following:
- Partners can build cross-tenant experiences into their solutions with minimal development, since Azure Resource Manager APIs and Azure Resource Graph queries are now enhanced with tenant context.
- Service providers and ISVs can extend and serve up their IP natively within Azure using custom providers. Imagine end customers raising service requests to service providers from within Azure, thanks to the ability of custom providers to integrate ITSM tools’ capabilities natively into Azure.
- Customers can purchase applications developed by partners from the Azure Marketplace that come with management out of the box, provided by service providers. The underlying application resources are protected from the customer while they use the new managed application UI to interact with the application safely. Service providers are given full access to the application to maintain, update, and provide application support for the customer from the managed application center.
“We are delighted to see the adoption of the new Azure Lighthouse capabilities into Veeam’s Backup-as-a-Service offerings, representing a natural extension of our cloud-based business offerings. This partnership is a great opportunity for our managed services providers to easily extend Backup-as-a-Service offerings by Veeam using Azure Lighthouse, in order to manage their Azure customers at scale.”
Tim FitzGerald, Vice President, North America Cloud, Ingram Micro Inc.
When Azure as a platform does more for our partners, our partners can focus more on providing differentiated services and higher value to our joint customers. That is how partners make more possible on Azure. We look forward to hearing your feedback on Azure Lighthouse and delegated resource management.