With PIM-enabled delegations, Azure Lighthouse managed service providers (MSPs) on Azure Lighthouse can have specific benefits. For example, the ability to specify what their MSP is able to access, and what actions they can take.
Microsoft initially brought PIM support to Lighthouse in preview a year ago. Now the integration is making its general public debut.
If you're unfamiliar with Azure Lighthouse, it is a multi-tenant solution that focuses on bringing management tools to MSPs. According to Microsoft, the service is enterprise-grade and allows “cross-tenant management” tasks via Azure services.
“With Azure Lighthouse, service providers can deliver managed services using comprehensive and robust tooling built into the Azure platform. Customers maintain control over who has access to their tenant, which resources they can access, and what actions can be taken. Enterprise organizations managing resources across multiple tenants can also use Azure Lighthouse to streamline management tasks.”
PIM integration means Azure customers can mandate that MSP tenancies require multi-factor authentication (MFA) for access.
“Create eligible authorizations
Creating eligible roles is a simple process that can be found in our docs, through Azure portal, as well as through the Partner Center Experience.
Activate eligible roles on a just-in-time basis
Once the ARM template is deployed, which creates the registration definition and the registration assignment on the scope that the template was deployed on, the permanent and eligible roles will appear within the Azure Lighthouse > My Customers > Delegations blade. If the user has an eligible role, they will navigate to the Azure AD PIM blade to activate the role.
Enforce approval-based workflows
When a user tries to activate an eligible role, Azure AD PIM will enforce the Azure AD PIM approval-based workflow. All designated approvers will be notified by email when a role activation request comes in and will have 24 hours to approve the request. Once the request is completed, the requestor will also be notified that they now possess the eligible role.
View audit logs
All Azure AD PIM activity will automatically appear within the Azure AD PIM audit logs within the Azure AD PIM blade.”
Tip of the day: Headsets are a vital tool for communication and can cause stressful moments when they don´t work as planned. In our tutorial we are showing you how to properly set up a headset on your Windows PC so this will be a thing of the past.