As a CSP, did you find an "efficient" solution for managing customer access? (Azure + M365)
Hello,
As a Cloud Service Provider (CSP), we are in search of a comprehensive solution that can fully support our needs in managing our customers' Azure and Microsoft 365 tenants. Our customers may utilize Azure, Microsoft 365, or both, and we need a unified approach to manage these environments effectively.
After evaluating the various solutions provided by Microsoft, we have yet to find one that fully meets our requirements across all scenarios. Here’s a summary of the limitations we’ve encountered:
- GDAP: While GDAP provides some support, it lacks granular control over Azure object permissions and does not allow us to assign users to groups or specific object permissions due to hidden foreign accounts.
- Lighthouse: This tool restricts permissions to the Contributor level, preventing Owner-level access and limiting our administrative flexibility.
- Guest Account / Cross-Tenant Sync: Guest accounts cannot be used to connect to VMs, as they are shadow accounts without locally stored passwords.
- Local Account: While local accounts cover the full scope of permissions, roles, and VM access, they require creating individual accounts for each user within each customer tenant—a highly inefficient solution for scaling. Licensing is not applied as it is for Guest accounts when using Access Packages and PIM.
- Azure AD Connect: This solution requires a local Active Directory, adds customer implementation and maintenance complexity, and makes automating the whole onboarding/account lifecycle process very difficult.
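As an added illustration (not from the original post) of the Lighthouse model mentioned above: an Azure Lighthouse delegation template, deployed at subscription scope in the customer tenant, that grants a group from the CSP tenant the Contributor role, so access follows group membership in the managing tenant. The offer name, tenant ID and group object ID are placeholder values; the Contributor role definition ID is Azure's built-in one.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspOfferName": { "type": "string", "defaultValue": "CSP managed services (constructed example)" },
    "managedByTenantId": { "type": "string", "defaultValue": "00000000-0000-0000-0000-000000000000" },
    "supportGroupObjectId": { "type": "string", "defaultValue": "11111111-1111-1111-1111-111111111111" }
  },
  "variables": {
    "contributorRoleId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "registrationName": "[guid(parameters('mspOfferName'))]",
    "assignmentName": "[guid(parameters('mspOfferName'), subscription().subscriptionId)]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2019-09-01",
      "name": "[variables('registrationName')]",
      "properties": {
        "registrationDefinitionName": "[parameters('mspOfferName')]",
        "description": "Placeholder example: delegates this subscription to the CSP tenant; permissions follow group membership there.",
        "managedByTenantId": "[parameters('managedByTenantId')]",
        "authorizations": [
          {
            "principalId": "[parameters('supportGroupObjectId')]",
            "principalIdDisplayName": "CSP Support team (group in managing tenant, placeholder)",
            "roleDefinitionId": "[variables('contributorRoleId')]"
          }
        ]
      }
    },
    {
      "type": "Microsoft.ManagedServices/registrationAssignments",
      "apiVersion": "2019-09-01",
      "name": "[variables('assignmentName')]",
      "dependsOn": [
        "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationName'))]"
      ],
      "properties": {
        "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('registrationName'))]"
      }
    }
  ]
}
```

Swapping in the Owner role definition ID is rejected at deployment time, which is the Contributor ceiling the post describes; adding or removing engineers is then done only in the CSP-tenant group, with no change on the customer side.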
Ideally, we want a solution that enables a single, centralized account and password for each member of our technical teams (Support, Network, Development, etc.), allowing them to manage all customer Azure and Microsoft 365 environments with the least privilege required (permissions managed by groups, so that they can be easily adapted in a centralized/automated way).
At present, each Microsoft solution only partially addresses these needs and comes with inherent limitations. We’re left wondering why Microsoft has not considered consolidating these tools (GDAP, Lighthouse, Guest Accounts, etc.) into a single, cohesive solution that meets CSPs’ needs holistically, enabling centralized, unified access management.
At one point, we believed we had found a workaround by using GDAP from our CSP Root Tenant for Microsoft 365 administration and adding cross-tenant synchronization to create guest accounts from the same root tenant. This approach would have allowed us to maintain a single login and password for both Azure and Microsoft 365, with least privilege access managed by groups. However, we soon discovered that GDAP does not support guest accounts from the same tenant, and creating a separate tenant for guest accounts simply reintroduces the need for multiple accounts—precisely what we want to avoid.
These improvements would help, but it seems these points are blocking by design:
- Enable guest accounts to connect to VMs
- Allow granular access control with foreign accounts, including visibility and the ability to add foreign accounts to local groups.
- Support the use of foreign and guest accounts synchronized from the same source tenant.
It feels as though Microsoft’s various departments are developing solutions without a unified perspective on CSP identity and access requirements. It’s disappointing to see the considerable effort put into developing these tools without addressing the core need for centralized, single-account administration without limitations.
If anyone has seriously studied/found a solution for addressing all of these points:
- A single account and password per user administering customers.
- The same account and password should be valid across all customers.
- Granular permission control (having only the option to assign full Owner access across the entire Azure tenant is not acceptable).
- All permissions should be assigned via groups containing the single user or guest user.
- No restrictions on user capabilities: users must be able to manage Microsoft 365 and Azure, connect to VMs, use PowerShell cmdlets... and hold Owner permissions if required.
- Actions for customer onboarding and account lifecycle (create/move/delete) that can be automated (PowerShell, Azure Functions...).
- Ideally, usage of PIM for elevation of high privileges.
Please let me know.
Thanks,
JND.