Hey, folks, do you manage multiple subscriptions or multiple customers? Well, if you do, this session's for you. With me, I've got Archana Balakrishnan, and she's the principal PM for Azure Lighthouse, and she's going to tell us all about it. Hey, how are you doing, Archana?

Hey, Pierre. Thanks a bunch for having me here. Super excited to be here and talk to you all about Azure Lighthouse today.

Yes. I understand that there's lots of, not so much confusion, but there's lots of questions about how we onboard customers into Lighthouse. Can you tell us a little bit more about that?

Absolutely. When we built Azure Lighthouse, we actually wanted to give customers and partners a lot of choice. We wanted them to have their tool of choice. If they preferred using the portal, they could use the portal to onboard. If they preferred using Marketplace, they could use Marketplace. If they preferred ARM templates or the REST API, they could use that. If they wanted to use client tools, they could use that. That's definitely been part of the questions we've been receiving: how do I onboard? What tooling is available out there? What are all the options, and how can I choose the option that's best suited for my needs? Apart from that, Azure Lighthouse itself is more of a tool for multi- and cross-tenant management measures. There's definitely concepts of crossing accounts and tenant boundaries, which makes management at scale really easy, but that leads to a lot of confusion in the onboarding process. Which tenant scope am I using? What can my customer see? What can my partner see? Those are a couple of reasons we've really decided to focus this topic on onboarding customer scopes with Azure Lighthouse.

Oh, great. Are we looking at this from a service provider perspective or from a customer's perspective?
I'd like to show you both, so you can appreciate, if you're a customer, what the partner is doing, as well as, from the partner's experience, you can also see what the customer will experience. I think it's important for us to understand both personas, and so throughout this experience, I will demo both the partner experience and the customer experience for you.

Oh, perfect. So teach me. Take me to school.

Perfect. All right. Let's get started. We're going to keep it fairly light on the slides today and go a little bit more into the demo experience. We'll start with the basic introduction of what is Azure Lighthouse. I'll show you a couple of demos there and really deep dive into the onboarding bits. We'll talk about how to onboard primarily with the two most popular routes that we have, ARM templates and Marketplace offers. And then we'll also talk about governance when it comes to thinking about Azure Lighthouse, especially as you think about hybrid scopes: how can customers control and maintain ownership as they onboard with Lighthouse offers to partners. And of course, we'll cover some of the resources and the next steps there. So a little bit about the problem. You know, most customers out there are engaging partners, right? Because there's a severe lack of skilled resources. There's increased complexity and the pace of change is crazy, especially when you think about hybrid environments: the customer has one foot in a data center, they've got another foot with a partner, a hoster, and then they've got this foot that hopefully they have in the cloud, and they're this three-footed and sometimes multi-footed creature that is dealing with increased costs and this need to transform at a pace that they don't necessarily have the skills to handle. And all this time, they're really worried about their security exposure. They want to maintain compliance and they really want to maintain their ownership control.
And visibility into what all these partners are doing in their environments. And so the customers are looking for simplicity, they're looking for visibility, they're looking for security and compliance. You know, switching hats and kind of putting the partner persona in mind, you know, as partners are dealing with not one, not two, but, you know, tens and hundreds of these customers, suddenly they're using different tool sets to manage on-premises resources. They're using different tool sets to manage Azure and they're using different tool sets to manage, you know, other cloud environments. And so, you know, they've suddenly got these varied tool sets, they're spending a lot of money, their margins are shrinking, you know, onboarding the customer is taking so much longer because they have to understand the customer's environment, what are all these different components. And then, you know, the customer requirements are translating into how many of the feet the customer has in different clouds, right? So it's translating into, oh my God, I need to govern one, two and three. And so that's really what they're looking for, you know: maybe I can just use one tool set in Azure native tooling. How can I automate all this stuff? So I'm not doing the same thing four or five different times. And at the same time, I get the required access I need to perform my task, but the customer is assured that it's secure. And so, kind of to address these problems is where we came up with Azure Lighthouse, right? Again, like I said, throughout this I'll kind of be showing you both the customer and the partner perspective. And so from the customer perspective, it's all about, you know, owning and taking control, maintaining security and having that visibility and transparency. So here, what I'll do right now is I'll switch into a demo and kind of show you the end experience, right?
So once a customer is onboarded with Azure Lighthouse, what does it look like for the customer, so, you know, our listeners and you have an idea of, you know, what this looks like, and then we can go through the process. Does that sound good?

That sounds perfect, actually. Thank you.

Awesome. So since I'm going to be switching personas, I'm going to be using this darker theme in the portal to represent the customer. So you see here that I'm logged in as myself. I work for Microsoft and in this case Microsoft is the customer. So once I'm logged into the Azure portal, I actually navigate over to Azure Lighthouse, right? And in this case, I can go in here and really focus on this aspect that's called controlling service provider access. So let me kind of go in here and really you see those, you know, core value propositions iterated again, right? About taking control, being informed and staying secure. So in here, I want to go and view all of the partners and service providers who have access to my environment. So loading this list, you see here that, you know, logged in as a customer from Microsoft, I can now go in here and see all of the different partners that have access to my environment. So for example, you can see Rally Cloud Managed Services, they're managing certain subscriptions, Fabrikam's another partner of mine and they're managing a certain set of subscriptions. So, you know, it's a single place for me to go and view all of the partners and service providers that have access to my environment. Now I can click in there and I can see the exact scope that they have access to.

So Archana, are you telling me that we can actually pick and choose the granularity of what we're allowing service providers to do within our environment? Like, is it at the subscription level or is it at the resource group, or directly the resources themselves?

Great question, Pierre. Right now Azure Lighthouse allows delegation of subscriptions and resource groups.
We don't support resource granularity, or we don't support granularity above subscription, like management groups, today. But kind of the bottom line is that the customer is in complete control of the granularity, as you asked for it, right? So there's the granularity of the scope for sure, right? It can be a subscription or a resource group. In this case, for example, I want Rally Cloud to manage the subscription called Lambda Healthcare for me. There is also granularity in kind of the role definitions that I want the service provider to have, right? So this is the bit, Pierre, which has actually been kind of the key success aspect for our service, because a lot of our customers out there engage with partners in the CSP model. And in that model, a lot of the partners end up getting admin access, keys to the kingdom if you may, right? And a lot of customers, as they're becoming more savvy, as you start thinking about security and, you know, zero trust security, least access principles, they really are jumping onto Lighthouse to manage that access granularly. So in this case, you can see the exact entity, right? So this can either be a group, a user, a service principal or an automation account from the partner Rally Cloud. And you can get really granular access in terms of the roles. You can also really see that we have now integrated with PIM. This is something that's in private preview right now. And so this is basically giving, you know, partners just-in-time access to scopes. We'll talk a little bit about how to configure this in the onboarding as well. But now you can see that there's this additional aspect of multi-factor authentication in here, for example, right? So this means that the partner needs to use MFA. This means that the partner can access the scope only for X number of minutes at the given time using this elevated role. And again, you know, the question you had around granularity is great because that's really what this is, right?
Granularity of scope, granularity of role, granularity of, like, the time that's required. And then granularity of even the access mechanisms, like MFA required, that's in there. And so it just makes, you know, from the customer perspective, engaging a partner so much easier.

Yeah, yeah. And I can see that it's good for partners and for customers, because then you don't have to worry about having to secure your own hand when you're trying to access your customer's environment, because you're not gonna be able to change anything. You're not going to be able to, like, get anything broken if you only have, like, a reader access for their Log Analytics or something like that that you're monitoring.

Yes, spot on. A lot of our partners, their support teams, for example, are just happy with the reader access, right? Cause they can just read, you know, let's say, you know, they have Monitoring Reader and they can just read Log Analytics outputs. They can see the alerts but they can't go and delete a resource or a virtual machine, right? And, you know, it's a great segue to kind of that experience from the customer's perspective, because now, you know, the customer can actually go into the activity log. And again, this is the power of Lighthouse. It's integrated and built as a core into the Azure platform, right? And so, you know, if I were to, for example, go back into that Lambda Healthcare subscription, let's kind of go in there and let's maybe, you know, look at maybe a little bit more than even the last month. Let's maybe start from 11-1-2020. Yeah, so now what I'm doing here, Pierre, is, as the customer, right, I can actually go in here and look at who made what changes. And this activity log is transparently shared between me and the partner. So, you know, I can, for example, go and see what activities, obviously, like, people in my environment and, you know, services are making in my environment.
But now, if I kind of wanted to go and look for Rally Cloud, for example, I can see all the activities that were performed by the partner Rally Cloud, right, in my environment. And that level of transparency, this is the same activity log that the partner sees. And so it gives kind of both the customer and partner a lot of confidence in kind of what is going on in the environment. And in case of issues or troubleshooting, they can really go and say, hey, you know, this person from this organization performed this change, and, you know, use Azure Lighthouse to institute even more controls to prevent those issues from happening for the company.

Okay. Perfect.

So, yeah, start again. So here, you know, Pierre, I'd love to kind of just walk you through the partner experience as well. So for those of our listeners who are partners or managing multiple environments, what this experience looks like at the end of the day for them in terms of being able to drive more of that automation. So I'll switch over views now and kind of go into the partner experience itself, right. And so here you can actually see that I'm logged in as Rally Cloud, right. And I'm going here to manage my customers. And, you know, I literally want to go in and view all my customers at one go. So here you can see that I'm actually, so you can see that I can actually go in here and view a complete list of my customers. You know, Microsoft's one of those customers that we just saw. I can view exactly what scope they have delegated over to me and then, you know, what groups of mine have access. And this is, you know, kind of the ease of management from the partner's perspective, because, you know, let's say Anthony joined my team tomorrow. And I want to add Anthony and make sure he gets access to all of these customers. Rather than go to every customer and, you know, request for Anthony to be added, I can kind of add him to this group, right. Or let's say Archana left the group.
I can go and remove Archana from this group and she would immediately lose access to all those customer scopes. Again, a lot of security in that relationship and trust between the customer and the partner. And really, when you come back here, you know, a lot of this is logged in the activity log as well, right. And, you know, the partner can get alerted, for example, when a customer delegates a new scope or deletes a scope. But that's not the real fun of Azure Lighthouse for the partner. The real fun comes in the broader platform. So, and you know, we won't go super deep into this today. But, you know, I definitely want to show kind of the same experience for our partners. So, you know, here, for example, I have two customers, Coho Winery and Contoso. And they both have Log Analytics workspaces, or in this case, Sentinel workspaces. And they kind of, as a partner now, you know, I can have a team that's focused on handling security incidents rather than having a team that's focused on one particular customer, right. And so this ability to manage across all customers at scale is really, you know, the power of Azure Lighthouse. The onboarding is a process that facilitates that. But at the end of the day, you know, the whole platform becomes available. And, you know, all of the native tooling that's there in the platform really becomes available at scale. And a lot of our customers and partners out there frequently ask, like, how can I have an environment where I can play and understand the power of Azure Lighthouse? So really we don't have a lab environment yet, but that's something in the works. So hopefully, you know, we'll have that out to you by February. But we highly recommend you kind of use your personal MSDN subscription and kind of have two tenants to play with here. You know, you really need two tenants to work with Azure Lighthouse.
And that's kind of one of the, you know, frequently asked questions, especially as there are, you know, more of the advanced folks like our listeners today who keep coming back and asking, is there a way I can simulate and test Azure Lighthouse in a single tenant environment? And the answer is no, you really need two different tenants to test Azure Lighthouse. And when you kind of test that, you know, you'll start seeing this power of Azure Lighthouse, which is, you know, kind of like what I'm demonstrating now: I can see Secure Scores and I can see, you know, the Sentinel incidents across all of these customers kind of from the single pane of glass. And so that really is, you know, the end experience once you complete the onboarding step, but today we're going to focus really on the onboarding step. Any questions here before we, before I jump there?

No, no, this is actually really informative for me.

Okay, perfect. So let's, you know, move on. Again, I just want to mention that, you know, I keep saying partner and customer, but we do have a lot of customers who have multiple tenants. And at the base of it, if you think about Azure Lighthouse, it is a multi- and cross-tenant management example, right? So it needn't necessarily be a partner and a customer, it can be a customer who has multiple tenants, and we have multiple of those use cases as well. So let's actually move on and talk about how to onboard to Azure Lighthouse. We'll, you know, start with this option with the Marketplace, right? And let me, you know, actually go ahead and really demo how this Marketplace experience looks from a service provider perspective. So in this case, I do want to, you know, share that the authoring experience via Marketplace is fairly limited and it's only available to partners, meaning you have to be a partner with a Microsoft Partner Network ID, so an MPN ID, and you also need to have a silver or a gold competency, right?
So it's fairly limited in that sense, but you will see kind of in a little bit, you know, what are the advantages when you kind of have that, then we'll kind of move on to the option that doesn't have any limitations or any constraints.

Okay, great.

So, you know, if you were a partner and you logged into Partner Center, you could go into commercial marketplace. There's an offering experience that's available here for you. Again, all of this is available via APIs as well. So, you know, if you wanted to do that, you can. We're particularly looking for managed services offers, right? So you could go ahead and create, you know, an offer. I don't think those underscores are allowed. So we're going to remove those. And, you know, you can go ahead and create that offer in here. And really as part of the onboarding, I kind of want to, you know, I'll skip through some of the steps here, but I really want to show you the unique aspect, right? Everything else is kind of similar to other offers in the marketplace, such as setting up a CRM so you can understand, you know, kind of who are the folks who are, you know, all accepting your plan, for example. But let's say IDOPS plan one. And let's just use the same name here. Again, you want to use something a little bit more descriptive. But, you know, in terms of the authoring experience here, I really want to kind of show you this technical configuration tab that's available. Again, I'm skipping a lot of steps that are very common to all other offer types and really focusing on what makes the Azure Lighthouse offer type unique, right? So, you know, I'm going to type in a version. Now, it's going to ask you for a tenant ID, right? So this is the tenant ID that you as the partner, you know, want to use. This is kind of that central managing tenant that we were talking about here, right? And so this central managing tenant, you know, it's not necessarily a CSP tenant. It can be a completely different tenant.
Azure Lighthouse works irrespective of licensing model, so it can be a different tenant. What I'm doing here is I navigated over to the Azure AD blade and I'm literally copying that tenant ID over from there, right? So that is my managing tenant ID. So this is your partner or your managing tenant ID. Now, here's the, you know, the fun bit, right? Which is basically picking up those authorizations and then really saying, so let's say, you know, I want to give the MSP Architects group access. And so we need to go and find the principal ID for this Architects group. Again, this is actually one of our largest support volume drivers. People are a bit confused about where to exactly find that, because there are a couple of IDs when it comes to looking at a group, right? So one thing that I want to tell our users here is that we only support security groups. It is literally this object ID that you want to pick up here. We support security groups. We support users and we support service principals, right? And for all these cases, you really want to pick up the object ID here. Our docs have detailed instructions for actually each of the types. For example, if you don't want to use the portal and you want to run the command on PowerShell or CLI, we've kind of put that in there as well. So yeah, you kind of want to pick up that principal ID. You want to think about whether this is a permanent or a, you know, a just-in-time access type. And if it's a just-in-time access type, you want to specify the duration and whether or not you require MFA. And then, you know, there's a nice experience where you can, you know, for example, go through the list of roles that are supported, and then you can, you know, continue adding more and more of these authorizations in here.

Okay, so you can actually break it down into, I want to be able to see the Sentinel events and then I want to be able to see the resources in this area. So I want Reader in this one, Contributor in this one and so on.
So you can break it down into each plan.

Exactly. And a single plan can have multiple of these, right? So a single plan can say give my, you know, maybe my MSP monitoring team just the reader level of, you know, Azure Monitoring Reader access. So, you know, and then you could say another group gets, another user gets a different, you know, let's say a contributor level of access, right? And then you can also have, you know, obviously, use service principals. Again, I think most of you who are, you know, using automation a lot will end up using enterprise applications and service principals. So, you know, here's where you really want to pick up that object ID and not the application ID. You really want to pick up that object ID and use that. Now, one thing that I want to mention is that, you know, with Lighthouse today, we do not support a few roles, right? So just as an example, if I were to pick, let's say, the User Access Administrator role, this is not available, for example, for eligible authorizations, right? It says I support it for permanent authorizations, but it is pretty constrained. So there are these, there's this concept called assignable roles and, you know, let me kind of explain what that is. So what I'm saying here is that this particular, you know, group of users, they can use User Access Administrator, but it will be constrained to all of the actions that are allowed by the Contributor role. You can obviously get even more granular with something like Resource Policy Contributor, right? And right now what I'm saying is, you know, let's just, right now what I'm saying is, let's actually just only select that Resource Policy Contributor role. What I'm saying is that the MSP monitoring team, when a customer sees and accepts the offer, this team will be able to use that Resource Policy Contributor role, which is basically a role that allows a certain list of actions, right, relating to contributing to Azure Policy.
So they would be able to, for example, author policies on behalf of the customer tenant, they would be able to, you know, evaluate those policies. They would be able to deploy policies with the, you know, remediation effect, but they would not be able to manage user access, right? So the role itself is constrained by the other role. And again, you know, I will point our users to the docs here. If we, you know, you go to the built-in roles in here, you know, built-in RBAC roles, you'll see a list of, you know, about 72 roles in here. And, you know, what you really wanna do is go and look at the actions in that particular role. And even with User Access Administrator, the actions will be scoped to the actions and the not actions list that are actually on there. So just wanna tell our users that, you know, we don't support the Owner role yet. We don't support User Access Administrator. You can use it constrained with certain of these assignable roles for more of the managed identity scenarios.

Okay, perfect. Perfect.

So let's actually kind of, you know, switch back over and look at how this looks from a customer perspective, right? So, you know, we're gonna assume that the partner actually published this offer, and from a marketplace perspective, kind of the customer experience is fairly seamless, right? So they would be able to, you know, so yeah, as a customer again, I could go in here. I could navigate to offers that are private to me that we just talked about. I could, you know, pick that private offer and then go through the plans that are available, create that specific plan, select the scope that I want the folks to manage. Again, you know, you're gonna get errors if you are not an owner. As a customer, you need to be at least an owner on the subscription to onboard to the Lighthouse offer. And we particularly made it that way: you don't need to be a global admin, you don't need to have access beyond the scope that you are trying to onboard.
But for the marketplace offers, you know, you definitely need to have at least a subscription owner permission. And yeah, you know, everything that the partner just authored in their authoring experience is gonna be visible to you. In this case, you know, you can see the exact users who are getting access. And, you know, you can go ahead and onboard to their offer, which I'm not gonna do now, but if you were and wanted to, you know, make sure you selected the right scope as an owner, and then you could definitely onboard that scope. So as you can see, very, very UI driven, right? Fairly simple for most folks. But the biggest problem is that many folks are not partners and yet they wanna use Azure Lighthouse for multi-tenant management, right? And that means they really can't use the marketplace track. So we've obviously, you know, really strived hard to make Azure Lighthouse available across the board. So you, you know, again, like we announced our Ansible just a week back in the new year, our Terraform provider was made available in December. You know, we've, as you can see, we've been putting out some revisions for those of you who are PowerShell fans out there. You know, again, like December, we pushed out a bunch of updates to our PowerShell experiences. But really you see that we've been striving to give you that option, right? Of wherever you are, wherever your customer is, meet them where they are, you know, use your tool of choice rather than being limited to just the portal or just the marketplace. And so, you know, a common experience for partners is how do I go and author these ARM templates, right? There's really no portal-based experience. I will kind of definitely point our folks to the docs because there is detailed documentation that we've, you know, revised again earlier this month. But I will also go ahead and actually show you, right? How you can author an ARM template and kind of what are the resources in there?
Just kind of walk you through it so you understand what's happening under the scenes as well.

Okay, so one quick question. So we can create an ARM template and what do we do? So we provide the customer with that ARM template and that customer runs this ARM template against their own tenant and subscription. And that will provide, basically plug in all of the bits that are needed for the provider, the service provider, to have access.

Exactly, yeah. So they just deploy the ARM template, again, they pick the scope that they want the offer to be deployed at, resource group or subscription. And that's pretty much it from the customer's perspective, right? And we'll kind of go through, you know, some of those options in a bit as well, but right now, you know, let's go ahead and look at our ARM template. We've made this available in our GitHub repository. So, you know, you can absolutely kind of clone it down, which I have done here. I just cloned our repository down. And, you know, you'll see multiple options. We've provided a ton of resources out there for scenarios beyond just the onboarding. But today we're just going to focus on the onboarding scenario, right? And so, you know, you can navigate over to that full, you know, specific folder in there that's called Delegated Resource Management Delegable Authorizations. And what I'm going to do here is I'm going to, you know, just maybe take a couple of minutes to walk you through, you know, what's happening under the scenes, right? I think all of you who are hopefully by now very familiar from the marketplace experience know that what you are doing is you're, you know, passing a string, you know, with the tenant ID, again, your managing tenant ID, right? And then you're passing a list of authorizations in there. This is extremely similar to the marketplace experience as well, right? Just in an ARM template format in here. So, you know, the baseline is going to be the same.
You pick out the principal ID, you know, your group, give it a name, find the role that you want this group to have and kind of put it in the authorizations and eligible authorizations area. Here what I'm looking to do is maybe just give you an insight into what's happening behind the scenes. So Azure Lighthouse is kind of powered by an RP, a resource provider, that's called Managed Services, right? And Managed Services actually has two objects or two resources, right? So resource number one is called the Registration Definition. And the second resource is Registration Assignment. So the definition resource is the one that contains all of the properties that you define, let's say, in your parameters file, right? So, you know, what's the name, what's the ID, the authorizations area, the eligible authorizations area. And so, you know, the definition is something that exists, let's say, at a subscription scope, right? So what is happening when the customer deploys your ARM template is that there is a resource called Registration Definition that gets created at that subscription scope. And that definition actually contains this whole definition, right? So it contains all of this information of who's your partner, what groups, and what access do they need. Now, that doesn't really give your partner access, right? And so if you were, you know, to just think of an analogy in terms of portal experience, this just means that there is an offer without any delegation that exists, right?

And when we say partner, it doesn't necessarily, unlike the portal experience, it doesn't have to be a registered Microsoft partner, it's just whichever company or service provider you decide to work with.

Exactly, yeah. Thank you for bringing that back, Pierre. Yeah, absolutely. I mean, it could be your IT department, right? They're just operating from a different tenant. We've had enterprises that have had mergers and acquisitions.
And so, you know, our largest enterprise customer actually has something like 70 different tenants. And so their IT department is just looking to drive consistent governance across all the 70 tenants. And so, you know, they're using Lighthouse. So absolutely, like, you know, this is, and you know, the terminology that we actually use is called managed-by tenant, right? And that is the managed-by tenant that's out there. So yes, you know, again, once, you know, this managing tenant ID is, you know, they don't get access with just the creation of this resource called Registration Definition. So there's a second resource that gets created. And this is called Registration Assignment, right? So this is the resource that actually points to the definition. So as you can see, it's pointing to a particular definition. And in this case, we're just reading it from the top by the registration name in here, right? You can see that reference in there. And this really is the one that performs the delegation action, right? So, wherever this object resides, let's say your Registration Assignment resource gets created at the resource group scope, that is really where, like, the partner gets access. So in a sense, it's almost what makes the offer come live, right? So this is literally the object that kind of makes it come live. And so, you know, that's literally kind of what you need to understand about, you know, the ARM template onboarding route: at the end of the day, when your customer goes and applies this ARM template, these two resources get created in the customer scope, that may be a subscription or resource group. And wherever the Registration Assignment scope sits, that's really where, you know, the offer is live and that, you know, managed-by tenant actually gets access. And, you know, we've been getting a ton of questions about how do I update an offer? So this is a fairly common experience, right?
So some customers, for example, demand to see every single user who has access to their environment. And so kind of, you know, when Archana joins this, you know, IT team or the service provider team or this partner team, the partner needs to push an update to the offer. So, you know, you're looking at an update action on that resource, right? Again, you're gonna refer to stuff by that registration name, which basically is, again, the set of properties that define that registration, right? And so you update that, in this case, you know, you would be going and updating the authorizations parameter. And, you know, you would say, hey, not only, you know, Pierre and Anthony, but Archana also now has access. And then you make it available to an end customer. Okay, so the first resource basically makes the link to your partner. And the second resource actually defines what rights and access that partner has in your environment. Yep, all good, Pierre. Yep, and, you know, that at the end of the day is, you know, as long as you really understand that, you've kind of really understood the core of the core of our service. A question that I often get is, you know, does Lighthouse create guest users, right? And this is one of the main reasons I kind of wanted to spend some time here and talk about the creation of these two resources, right? Because Azure Lighthouse is powered by a technology that's called Azure Delegated Resource Management, right? Where we really brought a new concept to the market and that concept is resource projection, right? And what that means is we're not creating guest users, right? So when you accept the Lighthouse offer, it's not like this user from the partner or the managed-by tenant, that user is created as a guest user in your tenant. That's not what's happening, right?
What's happening is, you know, your resources are in a way projected over to their environment and this is made possible because of the creation of, you know, these two resources that we just went through, the definitions and the assignments resource, and we've built this technology as an extension of ARM, right? So any ARM resource out there, you think of a VM, you think of a SQL data warehouse, you think of literally any ARM resource that's out there in the control plane, they will be able to honor and identify, you know, these two resources without creating any of these guest users. And that, you know, is kind of one of the, that's the power that you see in that end experience that I demonstrated earlier where literally when Azure Lighthouse as a service comes live, you know, all of the hundred plus services that are there in Azure now become cross-tenant supported, right? So you don't have to go and do something specific or learn a new set of APIs. So, you know, let's maybe take the example of Log Analytics, right? Log Analytics has its own workspaces, its own set of resources in there. And really what we're saying is you continue to use Log Analytics, you don't need to learn a new set of APIs, your automation scripts don't need to be re-pointed to a new set of APIs. Literally by just performing this onboarding step, you can now use Log Analytics across multiple different tenants. And that's really the power of Azure Lighthouse. And you avoid, because I've been stuck on that end before where I was supporting other companies or tenants and they had invited me into their subscription. Now I no longer have any dealings with that specific company, my contact person at that company is gone, but somehow they never actually did remove me from their directory. And I still see them to this day when I log in with my personal, my old personal account, as a directory that I can go into if I wanted to. So Lighthouse kind of removes that possibility. Absolutely.
That is actually one of the top reasons customers are now asking and forcing their partners to have a conversation about why aren't you using Lighthouse, right? That's the exact reason. There's just way too much access provisioned because from the customer's perspective, I don't wanna go and manage Pierre's access every single time. There's also, whoops, I don't know that Pierre no longer needs access. So he continues to have access, right? Years later. Yeah, years later, exactly. And Lighthouse kind of simplifies that whole thing. It's again, built on that principle of least privileged access, zero trust security, right? And it's that whole visibility is there, the auditability is there, the transparency is there and the control is still there with the customer, right? So while the partner is responsible for the upkeep and the maintenance and the management of their environments. And so yeah, I think the other, that's literally the ARM template. We have obviously a bunch of, if you go to our repository here, as a customer, kind of the question you asked me earlier up here is how, once the partner's kind of authored this offer on the ARM template, can a customer deploy it? Now, obviously the customer can just go to PowerShell and log into PowerShell and kind of, just do a simple deployment command, right? And just literally take the template and deploy it at the subscription that they want the partner to manage or the managed-by tenant to manage. Again, a lot of our IT teams give this command, right? So literally all they're doing is they're going into PowerShell, the customer, they're going into PowerShell, they're authenticating in and then they're kind of deploying the template. But we learned that not all customers are even comfortable with something like that, right? So it's just going into PowerShell and running a command that's given to them. There's a lot of issues and debugging. So we did make available our GitHub repository's Deploy to Azure buttons.
It's a super simple experience for the customer. The customer goes, logs in, and then the template is literally there. So if you were to go to our repository and kind of clone it, author your own ARM template and parameters file, you could also similarly host it in GitHub or some other repository store. And all that the customer needs to do is just select the scope, right, that they want you to manage. And once they select that scope, they can go ahead and onboard to the offer. So for those of your customers who aren't savvy enough to run or deploy the template on their side, there's obviously this easy option for onboarding. We have the portal as well. Well, I've always told my customers and anybody in the audience that if you're getting a PowerShell script from somebody, to actually read the script and figure out what it's doing before you actually execute it. So this option and a Deploy to Azure button is basically just a command to, like, bootstrap the ARM template into a portal deployment. It's probably a lot less scary for a lot of people. And you can actually publish that on your company's website as, okay, I'm a support professional and I can help you support your environment. Click here to onboard me. Or you can send that as part of an onboarding package through email or something similar. Absolutely. And I would reiterate that advice that you give customers, right? It's so important to read and understand. And even if you don't at the point of deploying, with Azure Lighthouse, you can always come back to it. You could come back to Azure Lighthouse, you could come back to the service provider's experience. And there's a very, very friendly way for you to see what exactly happened, right? What access you've given, what scope you've given access to. This actually brings me to another section that I was planning to cover. So, let me kind of jump over to that a little bit because we've gone through the acceptance experiences.
An important question is, from a customer's perspective, I want to really govern who is using Azure Lighthouse in my environment. We've really made a couple of very simple built-in policies available. So, if you aren't using Azure Policy yet, I super highly recommend you consider using it. I think more than 95% of our 4,500 and a large percentage of our customer base is using Azure Policy. So, we do have a couple of options for you as the customer to really monitor and govern who gets access to your environments with Azure Lighthouse. This is done using Azure Policy. And again, if you haven't checked it out, I highly, highly recommend you check it out. So, there are a couple of very easy built-in definitions. So, you can just search for Lighthouse right now. For example, I don't have Lighthouse as an offer that's applied to any scope, right? So, this is the cool part as the customer, if I log in, I can say, for example, at the root level, which is across my whole subscription groups, I could go and select a set of policies. So, in this case, this is a built-in policy that is actually telling you as an administrator that you only allow certain managing tenant IDs, right? So, let's say you only want to work with Fabrikam and Relecloud, nobody else. Nobody in your organization can go and work with partner number two. And this is especially in those kind of enterprise scenarios or enterprises having multiple tenant scenarios. They're fairly particular about which vendors and which IT departments get access. So, this is definitely one of those policies that we highly recommend you apply and control the governance with. So, even if someone at a lower scope tries to onboard using Azure Lighthouse, it will make sure that the managing tenant IDs are matched. So, this is one that we highly recommend you apply. Let me also search for the other one. So, give me one minute. I'm gonna go and see. It's probably called audit delegation. Yep.
So, the other thing that you can do is also, as a customer, you can use an audit delegation policy. So, this is going to, let's say you don't want to be super restrictive, right? So, there are different organizations, business units, they want to work with different customers, but you still want to be notified when a delegation activity happens. And it will flag it as an audit event. Again, that's a simple enough built-in policy as well that we recommend you select and apply to your scope. And then once you've actually applied that to your scope, it's gonna show up in your, you know, you're gonna be able to see whether or not it's compliant. In this case, you know, Lambda Healthcare is delegated out to a partner and it's gonna show that as, like, oh, there's some delegation happening, and let you actually go and audit that and retrieve details and have further conversations if necessary with the relevant organizations. So, I would say that's, you know, that's the governance part of it. Any questions there, Pierre? No, I find that the, especially the governance parts, because I've had a lot of conversations about governance with customers in the last few years because cloud for some of them being new, they're kind of unaware of all the things that they need to protect themselves on, and putting your trusted partner in a policy so that if somebody onboards a different partner, it doesn't block it, but at least reports it so that you can make an informed decision as to whether or not you want to revoke that access or keep it going. Absolutely, yeah. And, you know, I think at the end of the day, like you said, governance is so top of mind, right? And one of the benefits, and I know, you know, this is a conversation that our listeners have joined in to understand a bit more about hybrid, right? One of the amazing powers of Azure Lighthouse, Pierre, is that, you know, as a partner, you can now govern customers', you know, hybrid scopes, their on-premises resources.
And, you know, let me kind of show you how that's different with Lighthouse and Azure Arc, right? So, Pierre, I'm kind of logged in again as that partner managing tenant persona. And if I go into the All Resources tab here, you can see that obviously I am, you know, selecting scopes across multiple customers in here. So let me say across all my customers, I basically want to go in here and see some Azure Arc servers, right? So now what you're seeing is, from the single pane of glass, you're actually able to see Microsoft as the customer, a set of on-premises servers that are in there. And, you know, building on that governance concept, you can now, you know, go and apply these policies to those on-premises Arc servers, right? Again, I know you have a topic that's deep diving on Azure Arc and how to connect your servers up with Arc to a subscription. So I will not go into those details, but kind of what I really wanted to show you here is that now, you know, in your customer environment, as Microsoft, you can have on-premises machines and have those on-premises machines managed by a partner like Relecloud. And Relecloud is obviously, you know, benefiting a lot from using the same tool, like Azure Policy, to manage Azure and hybrid resources. And, you know, that in a nutshell is like the power of Azure Lighthouse, right? It is, you know, purpose built for management at scale and management of hybrid resources with kind of that transparency, security, and auditability aspects front and center. So really, if I get it, Azure Lighthouse allows a partner, any partner of any status, to onboard a customer and then go and help them manage their environment, whether it's in the cloud or if it's on-prem or in another cloud, as long as those resources are connected to that Azure environment somehow. Absolutely, yes. And Azure Arc really helps with connecting servers and they've got Kubernetes coming down the pipeline as well.
So, yep, Lighthouse is gonna work out of the box whenever Kubernetes comes alive as well, which is kind of the other point that you're emphasizing as you're saying resources is, it's not just managing infrastructure, right? It's managing even PaaS services or setting up PaaS services, helping with deployment, helping even with assessment, right? Like imagine you were this enterprise company that acquired six other companies and you just wanna see all the resources and take stock of what's there. So, from inventory to infrastructure to PaaS, deployment, management, the whole life cycle, it's all made simpler across tenants with Azure Lighthouse. Yeah, oh, that's perfect. And now we've looked at onboarding through the portal, but the portal has some limitations, but onboarding through PowerShell and specifically through ARM, all those limitations kind of go away. So, any partner can onboard any customer that has their own tenant. Absolutely, yep. I think I'll just give a couple of footnotes before I end, just in terms of things that I guess get asked often, right? One of the things that I get asked really often is I'm doing something else. Let's say for example in PowerShell and give me one minute, I'm gonna just navigate over here. So I'm doing something in PowerShell and now because of Azure Lighthouse, I have all of these subscriptions and resources from so many different environments, I don't know what context I'm operating in, right? And so I point folks to this particular API and again, if you go to our docs, you will see PowerShell, CLI, Equal and cmdlets in there, but given that now you're operating in this multi-tenant scope, we really made improvements to pass this information through the API, which means it's gonna come through in PowerShell, CLI and all the amazing experiences you use. We've actually enhanced that Get Subscription, which is a core API of ARM, to now include those managedByTenants.
So you can always know, right, that this subscription belongs to this tenant. So this is Lambda Healthcare, it belongs to the Microsoft tenant, but it is managed by Relecloud. So at all times, whenever you're writing your automation scripts, when you're performing a simple lookup or taking inventory activity, you always know which tenant you're operating in and which is the managed-by tenant. So again, one of those questions that doesn't come up upfront, but kind of once you're onboarded, it's a big question of, okay, now how do I start using it? And for the next step, I think it's critical that our listeners kind of understand where to get this. So that's definitely one thing that I wanted to highlight. And another footnote is we have this role called Managed Services Registration Assignment Delete Role. It's a built-in RBAC role, right? And since we've kind of gone through it, you now understand that registration assignment is this resource that gets created when you onboard to Lighthouse. So deleting that registration assignment means that the partner no longer has access to the customer, right? Or the managed-by tenant no longer has access to the customer. So as part of the onboarding scenario, what we always say is, please, please include this role as part of your authorizations because it gives you the privilege as the partner or as the managed-by tenant to delete an assignment away. You may be asking, like, why would I wanna do that? We've had cases where maybe there's a customer who speaks a certain language and is expecting services in that language, right? Managed services in that language, but the partner may not be offering that. And so they actually go to the public marketplace to accept the offer. And then the service provider has no way to decline services themselves other than reaching out to the customer and doing it in an async manner. So including this role gives that partner, the service provider, the privilege to delete it away.
Again, as you're authoring that template as the partner or the managed-by tenant or the IT department of an enterprise, make sure to include this role so it can delete that resource away at the end. So the partner can delete its own registration into the client's tenant? Yes, exactly. And just let me kind of show that in the portal experience. So you can also get an idea of how that looks. So as the partner now, if I were to go and look at all my customers and look at kind of some of the delegations they have, I'll see this little delete button here as the partner. And that is thanks to this registration assignment delete role. So as best practice, we highly recommend you include this in the offers that you author so that you have this privilege to decline managing scopes that you don't want to manage. And we would add that in the second resource of our ARM template. Exactly. Yep. So if you were to go to the ARM template and you were to go, for example, to the authorizations array in there, you could add this role definition ID; you would just navigate back to the role definition that I just showed you, right? Which is this. You would pick up the definition and then you would insert that definition back in here. And that way the PIM group will now have the privilege to delete away those resources. So that's literally it. You could obviously separate that into a parameters file, which is kind of what we've done in our GitHub repository. And our repository samples already have this role. So if you're using it out of the box and just changing the principal IDs, the delete role should be included by default. Okay, perfect. Because as I mentioned earlier, those companies that I've done business with, I wish I could just go into their directory and delete my guest appearance there, but I can't and I no longer have any contact with that company. Right. Absolutely. That's great. Awesome, yep. That's all I had today for onboarding.
But again, let me pull up my resources slide here. Okay, so hopefully you all are pumped up about Azure Lighthouse. And if you have multiple tenants you will consider using it for managing your multi-tenant environment, or if you're a customer who engages partners and vendors, definitely consider Azure Lighthouse. And of course, if you're a service provider partner, we purpose built this for you. So hopefully you are already using Azure Lighthouse. But here are a few resources today. We've kind of just gone deep on the onboarding scenario. But obviously there's a lot more you can do in terms of actual management at scale with Lighthouse. Here are a few resources that can really help you learn more. We've got a couple of Level 100 modules and we've got a self-learn lab that's coming up in February. So please watch out for that. And our docs are our most up to date and we update them like literally every day and week. So please refer to our docs. We would absolutely love to hear from you. We've got both a partner community as well as a product feedback channel. And really our product and experiences are shaped by your feedback. So please take your time and give us feedback and have fun, enjoy Azure Lighthouse. That was perfect, Archana. And of course, the viewers during this event, if you have any questions you can ask them at the Discord channel with the link below. And we'll make sure that we get you some answers, and Archana and our team are going to address those. And thank you very much Archana. That was very, very informative. I think it does address several issues that I've heard both from customers and from independent consultants that are managing multiple other customers. And this will absolutely fit the bill as far as I can tell. Thank you, Archana. This was very informative. And for you at home watching, make sure to visit aka.ms/itopstalks to get to view the other wonderful sessions that we've had throughout this event.
And of course, if you've liked this and you're watching us on YouTube, make sure to like and subscribe below to see a lot more content like this. Thank you for having me, Pierre. Thank you everybody. All right, cheers. Okay, perfect. Cheers.