
Azure Lighthouse: The MSP’s Guide to Multi-Tenant Management

Use Azure Lighthouse to Simplify Multi-Tenant Management
Learn how to use Azure Lighthouse to manage customer Azure resources from a single control plane.

For Managed Service Providers, efficiently handling multiple customer environments is the difference between scaling your business and drowning in administrative overhead. Azure Lighthouse transforms how MSPs manage customer environments by breaking down the walls between tenants. Let’s dive into the technical details that matter for service providers.

What’s Azure Lighthouse, Anyway?

As an MSP, imagine having a central command center for all your customer environments. That’s Azure Lighthouse – Microsoft’s solution for managing resources across different customer tenants from a single control plane. No more switching between portals or juggling different credentials for each client.

Want to check resource health across your entire customer base? Need to apply security policies to hundreds of VMs spread across dozens of clients? Lighthouse makes these everyday MSP tasks straightforward operations.

Core Architecture for Service Providers

Understanding Lighthouse’s architecture helps MSPs build better service delivery models. At its foundation, Lighthouse creates secure pathways between your management tenant and your customers’ environments – without moving or replicating their data.

Here’s how the key components serve MSP operations:

  1. Azure Resource Manager Integration: Cross-tenant management rides on ARM. Your staff authenticate in your own management tenant, and ARM authorizes each call against the roles that were delegated to them in the customer tenant. Every operation is written to the activity log in both tenants, which gives both sides the audit trail needed for service delivery reporting. Standard ARM throttling still applies to delegated calls, so your automated management tools can't overwhelm customer environments.
  2. Granular Access Control: The RBAC-based model lets you define exactly what each member of your team can do in customer environments:

MSP Tenant ─── RBAC Delegation ───> Customer Tenant
     │                                    │
     └── Service Team                     └── Customer Resources
         - Support roles                      - Original location
         - Engineering roles                  - Direct access path

  3. Customer Onboarding Architecture: Two resources make onboarding repeatable. A Registration Definition acts as your service template: it names your tenant as the managing tenant and lists which Azure roles are granted to which principals (users, groups or service principals) from your tenant. A Registration Assignment applies that template to a customer subscription or resource group. Both resources live in the customer's tenant, so the customer can review the delegation at any time and revoke it by deleting the assignment.

Core Architecture

Azure Lighthouse implements a logical projection model that enables direct resource access and management across tenant boundaries. Unlike what some might assume, it doesn’t create physical replicas or move resources between tenants. Instead, it establishes secure, direct access paths to resources in their original locations.

Here’s how the core components work together:

Component             Function                                                           Technical Considerations
Logical Projection    Enables direct cross-tenant resource access and management         Requires a comprehensive RBAC strategy
Access Delegation     Manages cross-tenant permissions through Azure RBAC                Can integrate with Microsoft Entra PIM (formerly Azure AD PIM) for eligible, time-bound access
Service Registration  Creates and manages registration resources in the customer tenant  Uses ARM for deployment and access management

When a customer tenant is onboarded to Lighthouse, two key resources are created:

  • A registration definition that specifies access levels and permissions
  • A registration assignment that links the managing tenant’s authorizations

This architecture ensures secure, scalable management while keeping resources in their original locations. Think of it as creating secure tunnels between tenants rather than copying or moving resources.

Technical Architecture Deep Dive

Azure Lighthouse’s architecture leverages several key Azure components to enable secure cross-tenant management:

  1. Azure Resource Manager Integration Azure Resource Manager (ARM) serves as the foundation for cross-tenant operations with primary authentication occurring in the managing tenant. Every operation gets recorded in activity logs across both tenants, creating a clear audit trail while adhering to standard ARM rate limiting. The Microsoft Managed Services resource provider acts as a gatekeeper, validating each cross-tenant call to ensure proper authorization.
  2. RBAC-Based Permission Model The delegation model uses Azure’s native Role-Based Access Control:
Managing Tenant ─── RBAC Delegation ───> Customer Tenant
     │                                        │
     └── Service Principal                    └── Resources
         - Defined permissions                    - Original location
         - Optional PIM integration              - Direct access path
  3. Resource Provider Architecture: At the heart of Azure Lighthouse sit two resources exposed by the Microsoft.ManagedServices provider. The Registration Definition is the blueprint: it names the managing tenant and lists which roles are delegated to which principals from that tenant. Its companion, the Registration Assignment, brings the blueprint to life by binding it to a subscription or resource group in the customer tenant; that binding is the authorization link that ARM checks on every cross-tenant call.
  4. Resource Graph for MSP Operations: For service providers, Azure Resource Graph transforms how you monitor and manage customer environments. Consider a common MSP scenario: verifying compliance across your entire customer base. Instead of accessing each customer tenant individually, Resource Graph's pre-indexed database gives you one query surface across your managed estate.
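As an added example that is not part of the original post, here is the onboarding step those two resources describe, done from the customer side with the Az.ManagedServices cmdlets: a registration definition whose standing authorizations are read-only, a PIM-eligible Contributor authorization that must be activated with MFA and expires after four hours, and the registration assignment that activates the definition at subscription scope. The tenant, subscription and group IDs are placeholders, and the cmdlet, parameter and output property names are those of the Az.ManagedServices 3.x module as this editor knows them; confirm them with Get-Command -Module Az.ManagedServices before relying on the script. The role definition IDs are Azure's fixed built-in roles.

```powershell
# Added example, not from the original post. Run by a non-guest Owner of the
# customer subscription, signed in to the CUSTOMER tenant.
# All GUIDs in the first block are placeholders (assumptions); the role IDs
# are Azure's built-in role definition IDs, identical in every tenant.
#Requires -Modules Az.Accounts, Az.ManagedServices

$customerSubscriptionId = '11111111-1111-1111-1111-111111111111'   # placeholder
$mspTenantId            = '22222222-2222-2222-2222-222222222222'   # placeholder: managing (MSP) tenant
$supportGroupId         = '33333333-3333-3333-3333-333333333333'   # placeholder: object ID of an MSP-tenant group
$engineersGroupId       = '44444444-4444-4444-4444-444444444444'   # placeholder: object ID of an MSP-tenant group

$ReaderRole           = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'   # Reader
$ContributorRole      = 'b24988ac-6180-42a0-ab88-20f7382dd24c'   # Contributor
$DelegationDeleteRole = '91c1777a-f3dc-4fae-b103-61d183457e46'   # Managed Services Registration assignment Delete Role

Set-AzContext -SubscriptionId $customerSubscriptionId | Out-Null

# Standing (always-on) authorizations. Keep these read-only: anything that can
# change customer resources belongs in the eligible authorization below. The
# delete role lets the MSP remove its own delegation at contract end; without
# it only the customer can offboard.
$standing = @(
    New-AzManagedServicesAuthorizationObject -PrincipalId $supportGroupId `
        -RoleDefinitionId $ReaderRole -PrincipalIdDisplayName 'MSP Tier 1 Support'
    New-AzManagedServicesAuthorizationObject -PrincipalId $engineersGroupId `
        -RoleDefinitionId $DelegationDeleteRole -PrincipalIdDisplayName 'MSP Engineering (offboarding)'
)

# Eligible authorization: Contributor exists only while a Microsoft Entra PIM
# activation is in effect, requires MFA to activate, and lapses after 4 hours.
$eligible = New-AzManagedServicesEligibleAuthorizationObject -PrincipalId $engineersGroupId `
    -RoleDefinitionId $ContributorRole -PrincipalIdDisplayName 'MSP Engineering' `
    -JustInTimeAccessPolicyMultiFactorAuthProvider 'Azure' `
    -JustInTimeAccessPolicyMaximumActivationDuration ([TimeSpan]::FromHours(4))

# The registration definition is the reusable template for this offer.
$definition = New-AzManagedServicesDefinition -Name ([guid]::NewGuid().ToString()) `
    -RegistrationDefinitionName 'Contoso MSP - Managed Compute' `
    -Description 'Reader standing; Contributor only through PIM activation' `
    -ManagedByTenantId $mspTenantId `
    -Authorization $standing `
    -EligibleAuthorization $eligible

# The assignment activates that template at subscription scope (current context).
$assignment = New-AzManagedServicesAssignment -Name ([guid]::NewGuid().ToString()) `
    -RegistrationDefinitionId $definition.Id

# Review exactly what is now delegated before telling the MSP to connect.
Get-AzManagedServicesDefinition | ForEach-Object {
    [pscustomobject]@{
        Offer     = $_.RegistrationDefinitionName
        ManagedBy = $_.ManagedByTenantId
        Standing  = ($_.Authorization         | ForEach-Object { "$($_.PrincipalIdDisplayName)=$($_.RoleDefinitionId)" }) -join '; '
        Eligible  = ($_.EligibleAuthorization | ForEach-Object { "$($_.PrincipalIdDisplayName)=$($_.RoleDefinitionId)" }) -join '; '
    }
}
```

Two constraints worth knowing before running this: the account creating the definition needs permission to write role assignments in the customer subscription (Owner, in practice), and it must belong to the customer tenant rather than be a guest; and Lighthouse refuses to delegate the Owner role, so the highest standing or eligible role you can grant is Contributor or a narrower built-in role.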
Adam Bertram
Adam Bertram is a 20-year veteran of IT. He’s an automation engineer, blogger, consultant, freelance writer, Pluralsight course author and content marketing advisor to multiple technology companies. Adam focuses on DevOps, system management, and automation technologies as well as various cloud platforms. He is a Microsoft Cloud and Datacenter Management MVP who absorbs knowledge from the IT field and explains it in an easy-to-understand fashion. Catch up on Adam’s articles at adamtheautomator.com, connect on LinkedIn or follow him on X at @adbertram.

Here’s how an MSP might track VM compliance across their customer base:

Resources
| where type =~ 'Microsoft.Compute/virtualMachines'
// tenantId and subscriptionId are GUIDs, not display names; join
// ResourceContainers if you need the subscription's name alongside them
| extend customerName = tenantId,
         subscriptionName = subscriptionId,
         complianceStatus = tags['ComplianceStatus']
// complianceStatus is null for VMs that never received the tag, so untagged
// VMs land in neither the compliant nor the non-compliant bucket here
| project name,
          location,
          complianceStatus,
          customerName,
          subscriptionName

This query shows what Resource Graph gives MSPs. Instead of querying each customer environment directly, it reads Resource Graph's own index of resource properties, which is updated as resources are created, changed or deleted and backed by periodic full scans (it is not a snapshot refreshed once a day). That is why results come back in seconds rather than being fetched tenant by tenant, and why monitoring scales without performance penalties, whether you manage ten customers or a thousand.

A few technical points crucial for MSP operations:

  • Results span every subscription the querying identity can read; under Lighthouse that means delegated customer subscriptions appear alongside your own, so filter on tenantId when you want customers only
  • Resource properties come from Resource Graph's index, which can trail a change by a short interval, so use it for reporting rather than for real-time operations
  • Custom tags such as ComplianceStatus must exist on a resource to be queryable; where the tag is absent the column is null, so untagged resources need to be handled explicitly rather than counted as compliant
  • Resource Graph does not tell you who holds which role in a customer tenant; check the delegated authorizations and role assignments separately

For comprehensive service delivery, combine Resource Graph queries with Azure Policy. This pairing lets MSPs both analyze current state and enforce ongoing compliance across their entire customer base.

Cross-Tenant Resource Analysis

Let’s explore how Azure Lighthouse handles real-world scenarios, such as checking compliance across a large customer base. Imagine needing to verify virtual machines across 50 different customer tenants – a task that would traditionally require logging into each tenant individually.

Azure Resource Graph makes this possible through its pre-indexed database of resource properties. Instead of hitting each tenant's ARM endpoint in real time, Resource Graph keeps its own copy of resource metadata, updated as resources change and refreshed by periodic full scans, which is what lets a single query across your delegated tenant estate return in seconds.


To build a complete compliance solution, combine Resource Graph queries with Azure Policy for automated assessment and enforcement across your tenant estate. This pairing enables both point-in-time analysis and ongoing compliance monitoring.

The power of this architecture becomes clear when you need to handle tasks at scale. Whether analyzing backup configurations or verifying security settings, Resource Graph’s indexed approach means you can query thousands of resources across dozens of tenants without performance penalties.
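As an added example that is not part of the original post, this is the per-customer compliance roll-up that the VM query earlier sketches, run from the MSP tenant with Search-AzGraph. It goes beyond that query in three ways a practitioner needs: it joins ResourceContainers so the report carries subscription names rather than GUIDs, it turns a missing tag into an explicit 'Untagged' bucket instead of silently dropping those VMs, and it pages through results because a single Resource Graph call is capped. The tag name ComplianceStatus and the value NonCompliant are assumptions, as are the Az.ResourceGraph parameter names (-UseTenantScope, -First, -SkipToken) as this editor knows them.

```powershell
# Added example, not from the original post. Run from the MSP (managing) tenant.
# Tag name 'ComplianceStatus' and the value 'NonCompliant' are assumptions.
#Requires -Modules Az.Accounts, Az.ResourceGraph

$query = @'
Resources
| where type =~ 'Microsoft.Compute/virtualMachines'
// Tag keys are matched case-sensitively with this accessor. tostring() of a
// missing tag is an empty string, so test with isempty() rather than isnull().
| extend rawStatus = tostring(tags['ComplianceStatus'])
| extend complianceStatus = iff(isempty(rawStatus), 'Untagged', rawStatus)
// tenantId and subscriptionId are GUIDs; ResourceContainers holds the names.
| join kind=leftouter (
    ResourceContainers
    | where type =~ 'Microsoft.Resources/subscriptions'
    | project subscriptionId, subscriptionName = name
  ) on subscriptionId
| summarize total        = count(),
            nonCompliant = countif(complianceStatus =~ 'NonCompliant'),
            untagged     = countif(complianceStatus == 'Untagged')
  by tenantId, subscriptionId, subscriptionName
| order by nonCompliant desc, untagged desc
'@

function Get-CustomerVmCompliance {
    param([string]$Kql)

    # -UseTenantScope covers every subscription the signed-in identity can read:
    # delegated customer subscriptions and the MSP's own. Each call returns at
    # most 1000 rows, so follow SkipToken until it comes back empty.
    $rows   = [System.Collections.Generic.List[object]]::new()
    $params = @{ Query = $Kql; UseTenantScope = $true; First = 1000 }
    do {
        $page = Search-AzGraph @params
        foreach ($row in $page) { $rows.Add($row) }
        if ($page.SkipToken) { $params['SkipToken'] = $page.SkipToken }
        else                 { $params.Remove('SkipToken') }
    } while ($params.ContainsKey('SkipToken'))
    return $rows
}

$report = Get-CustomerVmCompliance -Kql $query
$report | Format-Table tenantId, subscriptionName, total, nonCompliant, untagged -AutoSize

# Anything counted under 'untagged' is invisible to a tag-based compliance
# report. Hand those subscriptions to an Azure Policy assignment (modify or
# deny on the missing tag) rather than treating them as compliant.
```

Rows for your own subscriptions will appear too; compare tenantId against (Get-AzContext).Tenant.Id if the report should list customers only. The same paging loop works for any other cross-tenant query, such as backup or diagnostic-setting checks, since only the KQL string changes.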

Transforming MSP Operations with Lighthouse

For managed service providers, Azure Lighthouse represents a fundamental shift in multi-customer management. Instead of juggling separate processes for each customer, MSPs can now standardize operations across their entire customer base from a single pane of glass. Resource Graph queries provide instant insight across all customers, while security policies and compliance checks can be consistently applied and monitored without switching between portals.

The real power shows in scalability. As your customer base grows from ten to a hundred, the same workflows and tools scale effortlessly with you. With ongoing enhancements like Azure Arc integration and enhanced policy frameworks, Lighthouse continues to evolve as the technical foundation for modern Azure service delivery. It’s not just about managing more customers – it’s about managing them better.

Empowering MSPs: How N2W Revolutionizes Backup and Disaster Recovery

N2W offers MSPs a powerful solution to enhance their backup and disaster recovery offerings, providing significant benefits for both businesses and their bottom lines. By leveraging N2W, MSPs can deliver robust data protection and rapid recovery capabilities to their clients, providing a single console to manage multiple clients. N2W improves overall reliability and meets stringent and diverse compliance requirements.

The cloud-native solution runs inside AWS and Azure environments and allows seamless management across multiple regions and accounts, streamlining operations, maximizing security and reducing costs. With N2W, customers have suffered ZERO breaches. MSPs can offer advanced features like cross-region disaster recovery, granular file-level recovery, and automated disaster recovery drills – all while maintaining control over their clients’ data within their own cloud environments. This results in higher client satisfaction, increased loyalty, and new revenue streams for MSPs looking to differentiate themselves in the competitive managed services landscape.

Want to learn more about how we help hundreds of MSPs manage data protection? Check out our documentation and start a free trial of N2W Backup & Recovery.
