Azure Lighthouse enables service providers to create and edit policy definitions within a delegated subscription. To deploy policies that use a remediation task (that is, policies with the deployIfNotExists or modify effect), you must create a managed identity in the customer tenant. Azure Policy can use this managed identity to deploy the template within the policy.
This article describes the steps to enable this scenario, both when you onboard the customer to Azure Lighthouse and when you deploy the policy.
Tip
Though this article refers to service providers and customers, enterprises managing multiple tenants can use the same processes.
Create a user who can assign roles to a managed identity in the customer tenant
When you onboard a customer to Azure Lighthouse, you define authorizations that grant access to delegated resources in the customer tenant. Each authorization specifies a principalId that corresponds to a Microsoft Entra user, group, or service principal in the managing tenant, and a roleDefinitionId that corresponds to the Azure built-in role that you grant.
To allow a principalId to assign roles to a managed identity in the customer tenant, set its roleDefinitionId to User Access Administrator. Azure Lighthouse doesn't otherwise support this role in an authorization, but it's allowed for this specific scenario. Pair it with the delegatedRoleDefinitionIds property, which lists the built-in roles that this principalId is allowed to assign to managed identities. You can list any supported Azure built-in role except User Access Administrator or Owner.
After the customer is onboarded, the principalId in this authorization can assign only the listed built-in roles, and only to managed identities in the customer tenant. It gets none of the other permissions normally associated with the User Access Administrator role, so it can't create any other role assignments.
Note
You must currently use APIs, not the Azure portal, to create role assignments across tenants.
This example shows a principalId with the User Access Administrator role. This user can assign two built-in roles to managed identities in the customer tenant: Contributor and Log Analytics Contributor.
```json
{
  "principalId": "00000000-0000-0000-0000-000000000000",
  "principalIdDisplayName": "Policy Automation Account",
  "roleDefinitionId": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "delegatedRoleDefinitionIds": [
    "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "92aaf0da-9dab-42b6-94a3-d43ce8d16293"
  ]
}
```
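The rules above (User Access Administrator only with a non-empty delegatedRoleDefinitionIds, and never Owner or User Access Administrator in that list) are easy to get wrong in a large onboarding template. The following pre-flight checker is an added example, not code from the Azure Lighthouse documentation: it validates the authorizations array of an onboarding template before you deploy it. The principal IDs in the sample authorizations are constructed placeholders; the role GUIDs are the well-known Azure built-in role definition IDs.

```python
"""Pre-flight check for Azure Lighthouse authorizations that let a principal
assign roles to managed identities in the customer tenant.

Added example, not code from the Azure Lighthouse documentation. The sample
authorizations are constructed; the role GUIDs are Azure's built-in role IDs.
"""
import json

# Well-known Azure built-in role definition IDs.
USER_ACCESS_ADMINISTRATOR = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
LOG_ANALYTICS_CONTRIBUTOR = "92aaf0da-9dab-42b6-94a3-d43ce8d16293"

# Roles that may never appear in delegatedRoleDefinitionIds.
FORBIDDEN_DELEGATED = {USER_ACCESS_ADMINISTRATOR, OWNER}


def check_authorization(auth: dict) -> list[str]:
    """Return the problems found in one authorization entry (empty list if OK)."""
    problems = []
    role = auth.get("roleDefinitionId", "").lower()
    delegated = [r.lower() for r in auth.get("delegatedRoleDefinitionIds", [])]

    if not auth.get("principalId"):
        problems.append("principalId is missing")

    if role == OWNER:
        problems.append("Owner is not a supported roleDefinitionId in Azure Lighthouse")

    if role == USER_ACCESS_ADMINISTRATOR:
        # UAA is only permitted when it is scoped down by delegatedRoleDefinitionIds.
        if not delegated:
            problems.append(
                "User Access Administrator requires a non-empty delegatedRoleDefinitionIds")
        for r in delegated:
            if r in FORBIDDEN_DELEGATED:
                problems.append(
                    "delegatedRoleDefinitionIds must not contain Owner or "
                    f"User Access Administrator: {r}")
    elif delegated:
        problems.append(
            "delegatedRoleDefinitionIds only applies to the User Access Administrator role")

    return problems


def check_authorizations(authorizations: list[dict]) -> dict[str, list[str]]:
    """Map each failing principalId (or its index) to its problems."""
    report = {}
    for i, auth in enumerate(authorizations):
        problems = check_authorization(auth)
        if problems:
            report[auth.get("principalId") or f"#{i}"] = problems
    return report


# Constructed sample authorizations with placeholder principal IDs.
GOOD_AUTH = {
    "principalId": "00000000-0000-0000-0000-000000000000",
    "principalIdDisplayName": "Policy Automation Account",
    "roleDefinitionId": USER_ACCESS_ADMINISTRATOR,
    "delegatedRoleDefinitionIds": [CONTRIBUTOR, LOG_ANALYTICS_CONTRIBUTOR],
}
BAD_AUTH = {
    "principalId": "11111111-1111-1111-1111-111111111111",
    "principalIdDisplayName": "Too Broad",
    "roleDefinitionId": USER_ACCESS_ADMINISTRATOR,
    # Trying to delegate Owner; Lighthouse rejects this at onboarding.
    "delegatedRoleDefinitionIds": [OWNER],
}

if __name__ == "__main__":
    print(json.dumps(check_authorizations([GOOD_AUTH, BAD_AUTH]), indent=2))
```

Run it against the `authorizations` array of your onboarding template (after loading the template with `json.load`) to catch a forbidden delegated role before the deployment fails in the customer tenant.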
Deploy policies that can be remediated
After you create the user with the necessary permissions, that user can deploy policies that use remediation tasks within delegated customer subscriptions.
For example, suppose you want to enable diagnostics on Azure Key Vault resources in the customer tenant, as shown in this sample. A user in the managing tenant with the appropriate permissions (as described earlier) deploys an Azure Resource Manager template to enable this scenario.
You currently must use APIs, not the Azure portal, to create the policy assignment for a delegated subscription. In the template, the role assignment that grants the policy assignment's managed identity its role must use apiVersion 2019-04-01-preview or later for Microsoft.Authorization/roleAssignments. That version adds the delegatedManagedIdentityResourceId property, which identifies a managed identity that resides in the customer tenant (in a subscription or resource group that you onboarded to Azure Lighthouse). Set it to the resource ID of the policy assignment whose system-assigned identity will run the remediation, and set principalId to that identity's principal ID.
The following example shows a role assignment with a delegatedManagedIdentityResourceId.
```json
{
  "type": "Microsoft.Authorization/roleAssignments",
  "apiVersion": "2019-04-01-preview",
  "name": "[parameters('rbacGuid')]",
  "dependsOn": [
    "[variables('policyAssignment')]"
  ],
  "properties": {
    "roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
    "principalType": "ServicePrincipal",
    "delegatedManagedIdentityResourceId": "[concat(subscription().id, '/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignment'))]",
    "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignment')), '2018-05-01', 'Full').identity.principalId)]"
  }
}
```
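The fragment above is one resource out of a larger template. The following added example (not the sample template the article refers to) generates the complete subscription-scope template: the policy assignment with its system-assigned identity, the cross-tenant role assignment wired to it through delegatedManagedIdentityResourceId, and the remediation task that applies the effect to existing resources. It also refuses to build a template whose role isn't one of the roles delegated at onboarding, because that role assignment would be rejected in the customer tenant. The policy definition ID, assignment name, location and the set of delegated roles are assumptions; the role GUIDs are Azure's built-in role IDs.

```python
"""Build the subscription-scope ARM template that deploys a deployIfNotExists
or modify policy into a delegated customer subscription, plus the role
assignment and remediation task it needs.

Added example, not the sample template from the Azure Lighthouse docs. The
policy definition ID, assignment name, location and delegated-role set are
assumed placeholders; the role GUIDs are Azure's built-in role IDs.
"""
import json

# Well-known Azure built-in role definition IDs.
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
LOG_ANALYTICS_CONTRIBUTOR = "92aaf0da-9dab-42b6-94a3-d43ce8d16293"
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"

# Assumed: the roles listed in delegatedRoleDefinitionIds at onboarding.
DELEGATED_ROLE_IDS = {CONTRIBUTOR, LOG_ANALYTICS_CONTRIBUTOR}

# Oldest roleAssignments API version that accepts delegatedManagedIdentityResourceId.
ROLE_ASSIGNMENT_API = "2019-04-01-preview"
POLICY_ASSIGNMENT_API = "2019-09-01"

# ARM expression for the policy assignment's full resource ID; it is both the
# delegated managed identity and the target of the remediation task.
POLICY_ASSIGNMENT_ID_EXPR = (
    "[concat(subscription().id, '/providers/Microsoft.Authorization/"
    "policyAssignments/', variables('policyAssignment'))]")


def build_remediation_template(policy_definition_id, role_definition_id,
                               assignment_name, location="eastus",
                               delegated_role_ids=DELEGATED_ROLE_IDS):
    """Return the template as a dict; json.dumps it and deploy it at
    subscription scope (for example with `az deployment sub create`)."""
    if role_definition_id.lower() not in {r.lower() for r in delegated_role_ids}:
        raise ValueError(
            f"role {role_definition_id} is not in delegatedRoleDefinitionIds; "
            "the onboarding authorization does not allow assigning it")

    return {
        "$schema": "https://schema.management.azure.com/schemas/2018-05-01/"
                   "subscriptionDeploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "variables": {
            "policyAssignment": assignment_name,
            "rbacRole": role_definition_id,
            # Deterministic name so redeploying the template is idempotent.
            "rbacGuid": "[guid(subscription().id, variables('policyAssignment'), "
                        "variables('rbacRole'))]",
        },
        "resources": [
            {
                # The system-assigned identity created here is the managed
                # identity that lives in the customer tenant.
                "type": "Microsoft.Authorization/policyAssignments",
                "apiVersion": POLICY_ASSIGNMENT_API,
                "name": "[variables('policyAssignment')]",
                "location": location,
                "identity": {"type": "SystemAssigned"},
                "properties": {"policyDefinitionId": policy_definition_id},
            },
            {
                # Cross-tenant role assignment for that identity.
                "type": "Microsoft.Authorization/roleAssignments",
                "apiVersion": ROLE_ASSIGNMENT_API,
                "name": "[variables('rbacGuid')]",
                "dependsOn": ["[variables('policyAssignment')]"],
                "properties": {
                    "roleDefinitionId": "[concat(subscription().id, '/providers/"
                                        "Microsoft.Authorization/roleDefinitions/', "
                                        "variables('rbacRole'))]",
                    "principalType": "ServicePrincipal",
                    "delegatedManagedIdentityResourceId": POLICY_ASSIGNMENT_ID_EXPR,
                    "principalId": "[toLower(reference(concat('/providers/"
                                   "Microsoft.Authorization/policyAssignments/', "
                                   f"variables('policyAssignment')), '{POLICY_ASSIGNMENT_API}', "
                                   "'Full').identity.principalId)]",
                },
            },
            {
                # Remediation task for resources that already exist; it can only
                # succeed once the role assignment above is in place.
                "type": "Microsoft.PolicyInsights/remediations",
                "apiVersion": "2019-07-01",
                "name": "[concat(variables('policyAssignment'), '-remediation')]",
                "dependsOn": ["[variables('rbacGuid')]"],
                "properties": {"policyAssignmentId": POLICY_ASSIGNMENT_ID_EXPR},
            },
        ],
    }


if __name__ == "__main__":
    # Placeholder policy definition ID; replace with the definition you deploy.
    template = build_remediation_template(
        "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000000",
        CONTRIBUTOR, "kv-diagnostics")
    print(json.dumps(template, indent=2))
```

The role passed in must match one of the GUIDs in delegatedRoleDefinitionIds from the onboarding step; passing Owner or any role that wasn't delegated raises before you spend a deployment finding out.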
Tip
A similar sample is available to demonstrate how to deploy a policy that adds or removes a tag (using the modify effect) to a delegated subscription.
Next steps
- Learn about Azure Policy.
- Learn about managed identities for Azure resources.