Privileged Identity Management with Azure Lighthouse enables Zero Trust

Recent incidents from ransomware to supply chain compromises have shown both the interconnectedness of our digital world and the critical need to secure these digital assets from attackers, criminals, and other hostile third parties. To achieve this, our customers need Zero Trust security and least privilege access for users and resources. This becomes even more important in the context of a customer’s partners who may require continuous access to a customer’s environment to provide management and support services.

As organizations migrate to the cloud and engage service providers (internal or external) to manage Azure Infrastructure to run business and mission-critical workloads, it is imperative that we continue to secure cloud and hybrid footprints. Partners have been working closely with Azure and Microsoft to keep up to date with the latest guidance and services that Microsoft offers to ensure customer security as well as achieve a zero-trust security strategy, including enforcing least-privileged access for all parties across cloud and hybrid environments.

To serve both our customers and their partners, Microsoft has invested deeply in Azure Lighthouse. Azure Lighthouse makes it easier for service providers to automate their management of customer infrastructure. At the same time, it provides fine-grained access control that places the customer in charge of which resources are available to which service providers. With Azure Lighthouse, customers can be confident that their exposure to security risks from integrating with partners is appropriately limited. John Tabako, Director of IT Infrastructure at PM Pediatrics, notes, “Moving to Azure through Azure Lighthouse was easy. We have peace of mind knowing [our service provider] can programmatically provision the right people at the right time with zero-touch provisioning.”

Today we are very excited to announce the latest iteration in our journey towards Zero Trust and least privilege access: The preview of Azure Active Directory Privileged Identity Management (Azure AD PIM) integration with Azure Lighthouse.

To understand how this integration enables least privilege access, consider the example of the company Contoso, which partners with a service provider to manage their network security. Contoso wants to make sure that this partner is following best practices around least privilege. In particular, Contoso doesn’t want the partner to have standing access to their resources. Instead, the partner should gain access only when it is necessary for them to perform some operation.

To achieve this, the service provider defines eligible authorizations in its Azure Lighthouse offer, so that its operators hold only a standing read-only role on Contoso's delegated resources and must activate a privileged role through Azure AD PIM before they can change anything on Contoso's network. This just-in-time (JIT) access lasts only for a limited period (up to eight hours), after which the privileged role is automatically removed and the operator falls back to read-only access to Contoso's delegated resources. Additionally, Contoso can require that the service provider obey a defined set of policy options when activating, such as requiring multifactor authentication or approval by a designated approver in the provider's tenant. These capabilities cost Contoso nothing as a customer, because they are configured and granted from the service provider's tenant.
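The offer described above, written out as an added example (this is not code from the post or from the Azure Lighthouse team): a Python script that emits the `Microsoft.ManagedServices/registrationDefinitions` resource with a standing Reader authorization plus an eligible Network Contributor authorization carrying the JIT policy (MFA, the PT8H ceiling, approvers), and then lints a template for standing privileged roles or weak JIT settings. The tenant and group GUIDs are placeholders, the lint rules are this example's own choices, and the built-in role definition IDs are Azure's published values, which you can confirm with `az role definition list --name "Network Contributor"`.

```python
"""Lighthouse offer with eligible (JIT) authorizations, plus a least-privilege lint.

Added example, not code from the blog post or the Azure Lighthouse team.
Field names follow the Microsoft.ManagedServices/registrationDefinitions ARM
schema (apiVersion 2022-10-01); GUIDs for the provider tenant and its groups
are placeholders.
"""
import copy
import json
import re

# Built-in Azure role definition IDs (identical in every tenant; verify with
# `az role definition list --name <role>` if in doubt).
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
NETWORK_CONTRIBUTOR = "4d97b98b-1d4f-4787-a291-c67834d212e7"

# Placeholder identities (assumed, not real): the service provider's tenant
# and the Azure AD groups that hold its operators and approvers.
MSP_TENANT = "00000000-0000-0000-0000-00000000aaaa"
OPERATORS_GROUP = "00000000-0000-0000-0000-00000000bbbb"
APPROVERS_GROUP = "00000000-0000-0000-0000-00000000cccc"

MAX_ACTIVATION = "PT8H"  # the eight-hour ceiling Lighthouse enforces on activations


def build_registration_definition(name, msp_tenant_id, operators, approvers):
    """ARM resource for an offer where operators hold standing Reader only and
    must activate Network Contributor through Azure AD PIM (MFA + approval)."""
    return {
        "type": "Microsoft.ManagedServices/registrationDefinitions",
        "apiVersion": "2022-10-01",
        "name": name,  # a GUID in a real template, e.g. "[guid(parameters('mspOfferName'))]"
        "properties": {
            "registrationDefinitionName": "Contoso network security (JIT)",
            "description": "Standing Reader; Network Contributor only via PIM activation",
            "managedByTenantId": msp_tenant_id,
            "authorizations": [
                {"principalId": operators, "principalIdDisplayName": "MSP network operators",
                 "roleDefinitionId": READER},
            ],
            "eligibleAuthorizations": [
                {"principalId": operators, "principalIdDisplayName": "MSP network operators",
                 "roleDefinitionId": NETWORK_CONTRIBUTOR,
                 "justInTimeAccessPolicy": {
                     "multiFactorAuthProvider": "Azure",          # "None" would skip MFA
                     "maximumActivationDuration": MAX_ACTIVATION,  # ISO 8601, max PT8H
                     "managedByTenantApprovers": [
                         {"principalId": approvers, "principalIdDisplayName": "MSP approvers"},
                     ],
                 }},
            ],
        },
    }


_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def iso_duration_minutes(value):
    """Parse the PT#H#M subset of ISO 8601 durations used by the JIT policy."""
    m = _DURATION.match(value or "")
    if not m:
        raise ValueError(f"unsupported ISO 8601 duration: {value!r}")
    return int(m.group(1) or 0) * 60 + int(m.group(2) or 0)


def lint_least_privilege(resource, privileged=(OWNER, CONTRIBUTOR, NETWORK_CONTRIBUTOR)):
    """Return findings for standing privileged roles and weak JIT policies.
    The rules (no standing write roles, MFA on, <= PT8H, an approver) are this
    example's own baseline, not a Microsoft-published policy."""
    findings = []
    props = resource["properties"]
    for auth in props.get("authorizations", []):
        if auth["roleDefinitionId"] in privileged:
            findings.append(f"standing privileged role for {auth['principalIdDisplayName']}: "
                            f"{auth['roleDefinitionId']}")
    for elig in props.get("eligibleAuthorizations", []):
        who = elig.get("principalIdDisplayName", elig["principalId"])
        pol = elig.get("justInTimeAccessPolicy", {})
        if pol.get("multiFactorAuthProvider", "None") == "None":
            findings.append(f"eligible role for {who} activates without MFA")
        dur = pol.get("maximumActivationDuration")
        if dur is None:
            findings.append(f"eligible role for {who} has no maximumActivationDuration")
        elif iso_duration_minutes(dur) > iso_duration_minutes(MAX_ACTIVATION):
            findings.append(f"eligible role for {who}: {dur} exceeds the {MAX_ACTIVATION} ceiling")
        if not pol.get("managedByTenantApprovers"):
            findings.append(f"eligible role for {who} activates without an approver (self-service)")
    return findings


def weakened_variant(resource):
    """Deep copy of an offer with the mistakes the lint is meant to catch."""
    weak = copy.deepcopy(resource)
    props = weak["properties"]
    props["authorizations"][0]["roleDefinitionId"] = CONTRIBUTOR  # standing write access
    pol = props["eligibleAuthorizations"][0]["justInTimeAccessPolicy"]
    pol["multiFactorAuthProvider"] = "None"
    pol["maximumActivationDuration"] = "PT24H"
    pol["managedByTenantApprovers"] = []
    return weak


if __name__ == "__main__":
    offer = build_registration_definition("contoso-netsec", MSP_TENANT, OPERATORS_GROUP, APPROVERS_GROUP)
    print(json.dumps(offer, indent=2))
    print("findings (hardened offer):", lint_least_privilege(offer))
    print("findings (weakened offer):", *lint_least_privilege(weakened_variant(offer)), sep="\n  ")
```

Drop the emitted resource into the `resources` array of the Lighthouse onboarding template and deploy it at the customer's subscription scope; running the lint in the provider's pipeline before deployment is where it earns its keep, since a standing Contributor or a missing MFA setting is invisible once the customer has accepted the offer.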

In addition to the peace of mind that JIT access provides for Contoso, there are benefits for the service provider as well. By limiting each operator’s access to just when it’s needed, the service provider can demonstrate clearly when operators had and (more importantly) did not have access to their customer’s resources using traceable Azure AD PIM audit logs that can be reviewed with the customer.
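To show what "when operators had and did not have access" looks like in practice, here is an added example (not from the post) that reconstructs access windows from activation and deactivation events and answers a point-in-time question. The event records are constructed and use a simplified schema of my own (`time`, `operator`, `scope`, `role`, `action`, `requested_duration`) rather than the real Azure AD audit log field names; the logic is the point: each activation opens a window of min(requested, 8 h), an explicit deactivation closes it early, and anything outside a window is time during which the operator provably did not hold the role.

```python
"""Reconstruct JIT access windows from PIM activation events.

Added example, not from the blog post. EVENTS is constructed sample data with a
simplified schema, not the Azure AD audit log format; the scope GUID is a
placeholder.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MAX_ACTIVATION = timedelta(hours=8)  # ceiling enforced by the Lighthouse offer
SCOPE = "/subscriptions/11111111-2222-3333-4444-555555555555"  # placeholder delegated scope
ROLE = "Network Contributor"

# Constructed events: alice activates for 4h and deactivates early; bob asks for
# 12h, which the offer clamps to 8h.
EVENTS = [
    {"time": "2021-07-12T08:00:00", "operator": "alice@msp.example", "scope": SCOPE,
     "role": ROLE, "action": "activated", "requested_duration": "PT4H"},
    {"time": "2021-07-12T10:30:00", "operator": "alice@msp.example", "scope": SCOPE,
     "role": ROLE, "action": "deactivated"},
    {"time": "2021-07-12T13:00:00", "operator": "bob@msp.example", "scope": SCOPE,
     "role": ROLE, "action": "activated", "requested_duration": "PT12H"},
]


def parse_duration(value):
    """Parse the PT#H#M subset of ISO 8601 durations."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", value)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return timedelta(hours=int(m.group(1) or 0), minutes=int(m.group(2) or 0))


def _ts(value):
    """Timestamps in the sample are UTC without an offset suffix."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def access_windows(events, max_activation=MAX_ACTIVATION):
    """Map (operator, scope, role) -> list of [start, end) intervals during which
    the privileged role was actually held."""
    windows = defaultdict(list)
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        key = (ev["operator"], ev["scope"], ev["role"])
        t = _ts(ev["time"])
        if ev["action"] == "activated":
            requested = parse_duration(ev["requested_duration"])
            # The offer's maximumActivationDuration wins over what was requested.
            windows[key].append([t, t + min(requested, max_activation)])
        elif ev["action"] == "deactivated":
            # Close any window still open at this moment; ignore stray deactivations.
            for w in windows[key]:
                if w[0] <= t < w[1]:
                    w[1] = t
        else:
            raise ValueError(f"unknown action {ev['action']!r}")
    return {k: [tuple(w) for w in v] for k, v in windows.items()}


def had_access(windows, operator, scope, role, at):
    """True if the operator held the role on the scope at the given time."""
    moment = _ts(at)
    return any(start <= moment < end for start, end in windows.get((operator, scope, role), []))


def report(windows):
    """One line per window, the form you would hand to the customer in a review."""
    return [f"{op} held {role} on {scope} from {s.isoformat()} to {e.isoformat()}"
            for (op, scope, role), spans in sorted(windows.items()) for s, e in spans]


if __name__ == "__main__":
    w = access_windows(EVENTS)
    print(*report(w), sep="\n")
    print("alice at 11:00 ->", had_access(w, "alice@msp.example", SCOPE, ROLE, "2021-07-12T11:00:00"))
    print("bob at 21:30   ->", had_access(w, "bob@msp.example", SCOPE, ROLE, "2021-07-12T21:30:00"))
```

When you adapt this to real exports, pull the activation and expiry records from the provider tenant's PIM audit log and join them against the customer's ARM activity log on operator and time: an ARM write that falls outside every window is the anomaly worth an incident ticket.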

The great news for service providers that want to take advantage of these capabilities to deliver Zero Trust services for their customers is that creating an Azure AD PIM-enabled Azure Lighthouse offer is simple. After the customer accepts the offer, service provider users can activate an Azure role on the delegated scope through an intuitive portal experience. Only the eligible roles that have been assigned to that specific user can be activated, significantly reducing the risk of operator errors.

We’re thrilled that these capabilities are already demonstrating their value to Azure Lighthouse customers. James Brookbanks, from Microsoft partner rhipe, notes, “The integration of Azure AD PIM with just-in-time access controls through Azure Lighthouse is a tremendous value-add for our clients. We already had granular and secure access, but now we’re able to add security best practices of least-privilege principles, providing even more comfort and confidence for our clients.”

Of course, these new security capabilities are only a part of our journey to make it easier for service providers to deliver reliable, secure, and automated services to Azure customers. The Azure Lighthouse team is hard at work on Azure Advisor recommendations to leverage Azure Lighthouse for cloud solutions provider subscriptions. We are also integrating the Azure AD PIM activity logs with the standard Azure Resource Manager (ARM) activity logs for a unified view of who did what when. And for those of you who prefer Azure CLI-based integration, we will soon be delivering an onboarding experience for Lighthouse and Azure AD PIM integration through PowerShell and Azure CLI.

Learn more

New to Azure Lighthouse? Get started now by visiting the Azure Lighthouse website, learn how to use Azure Lighthouse with your managed service business on Microsoft Learn, and read the story of a Microsoft partner, Vandis, on how they’re leveraging Azure Lighthouse to scale their offerings to organizations.

If you are a service provider already using Azure Lighthouse, you can update your existing offers to include eligible authorizations with approvers using the marketplace managed services offers, or by updating your ARM templates. To learn more about Azure AD PIM, visit our website and check out the Azure Lighthouse and Azure AD PIM documentation.

Join us for a deeper look at Azure Lighthouse at Microsoft Inspire. Azure Lighthouse will be featured in two sessions: