Azure Lighthouse

Secure managed services and access control for partners and customers.

Stay in control of your Azure environment

Gain full transparency into service provider actions and manage access without compromising security. Decide who can access your tenant, what they can access, and when. Talk to your service partners about implementing these security and access control protocols for free with Azure Lighthouse.

Azure Active Directory Privileged Identity Management (PIM) integration with Azure Lighthouse is now in public preview. Learn more.

Ask for Azure Lighthouse

Learn how customers are using Azure Lighthouse to take control of their IT estates with enhanced security, granular controls, and full transparency. Build better partner connections with Azure Lighthouse.

Partner with confidence

Manage your service providers across all clouds.

Take control

Assign precise permissions to each provider with role-based access control (RBAC).

Stay secure

Enable just-enough and just-in-time access for providers with Privileged Identity Management and Azure Multi-Factor Authentication.

Be informed

Access on-demand auditing and reporting across all service provider actions.

Take control by allowing just-enough access

Limit access to your resources with role-based access control (RBAC), a granular access management system. Control permissions, including who has access, what actions they can take, and what areas they have access to. RBAC in Azure allows service providers to work autonomously while keeping your systems secure.

Service providers and role assignments in Azure

Reduce risk with just-in-time access

Provide time- and approval-based role activation to service providers with Privileged Identity Management* (PIM), a service of Azure Active Directory (Azure AD). For jobs that fall outside the parameters of RBAC roles built in to Azure, PIM further mitigates risk by assigning providers the exact level of access needed, per resource, for the exact amount of time needed to complete a task. Customers also benefit from added security by requiring Azure Multi-Factor Authentication before a provider's access is elevated.

*In public preview

Stay informed with activity reports

Ensure transparency across all service provider actions with on-demand auditing and activity logs. Take the uncertainty out of guest access with real-time insights about who accessed which resources when, and what actions they took, including all PIM-related activity, available directly in all Azure Resource Manager-based logs.

An activity log in Azure

Build and scale secure managed services

Deliver well-architected managed services with cross-tenant management and deployment automation in a single, unified portal for managed service providers.

Comprehensive security and compliance, built in

A security center overview in Azure showing policy and compliance data and resource security hygiene

Documentation and resources

Get started with learning resources

Learn more about role-based access control in Azure and Azure AD PIM.

Learn how to view and manage service providers and view provider activity.

Watch a demo on how to onboard to a service provider with Azure Lighthouse.

Take a deeper look with the Azure Lighthouse for customers presentation.

Explore popular developer resources

Read the Azure Lighthouse overview and explore the underlying technology, Azure delegated resource management.

Explore partner resources and get hands-on experience through MS Learn Labs.

Access GitHub templates demonstrating Azure Lighthouse usage with various Azure services, such as Azure Security Center and Azure Monitor.

Frequently asked questions about Azure Lighthouse

  • Azure Lighthouse is for both managed service providers (MSPs) and customers. MSPs can use Azure Lighthouse to help build and scale a secure managed services practice, while customers benefit from best practice security features. Enterprise customers also deploy Azure Lighthouse internally to help manage multiple internal tenants, often after a merger or acquisition.

  • By using Azure delegated resource management, MSPs no longer need to create administrator accounts in your company’s tenants. This allows MSPs to manage the life cycle of delegated administrators within their own Azure AD tenant. MSPs can also add user accounts to the user group in their Azure AD tenant while, as a customer, you make sure those groups have the required access to manage their resources. To revoke access, the user is removed from the specific group to which access was delegated.

  • Azure Lighthouse capabilities apply consistently across all licensing and sales channels. You can continue to work with CSPs and use valuable new management tools. For example, the cross- and multi-customer managed service provider access framework enables granular access control and scope definition for CSPs—key to both customers and partners.

  • Azure is the only cloud provider that offers consistent, centralized management and monitoring capabilities for partners to manage on behalf of customers through a single control plane and at scale. We’re the only provider enabling partners to grow their business through multiple avenues for delivering management automation. And unlike other cloud providers, Azure allows ISVs and MSPs to incorporate Azure Lighthouse into joint services and solution packages.

  • Azure delegated resource management is the foundational management technology that powers Azure Lighthouse. This core technology enables customers to delegate and explicitly provision access for single or multiple service providers for defined resource scopes (including subscriptions and resource groups) for specific roles. It enables flexible customer onboarding via Azure Resource Manager templates and Azure Marketplace managed services offerings, simplified governance with Azure Policy and Azure Resource Graph, and cross-tenant management with access to services like Azure Security Center and Azure Service Health.

  • The EMS E5 or Azure AD Premium P2 license is required on the managing tenant only. This applies to all users who are activating a role in the managing tenant. There are no license requirements for customers.
