Azure Lighthouse

Rackspace uses Azure Lighthouse to streamline onboarding processes, enforce consistent governance policies, and deliver high-quality managed services.

Rackspace also assigns specific roles and permissions to its teams to ensure secure and targeted access, enhancing both efficiency and security. Azure Lighthouse’s activity logs further enable Rackspace to provide transparency and accountability to its customers, fostering trust and long-term partnerships. Azure Lighthouse ensures adherence to stringent security standards, making it ideal for industries such as healthcare, finance, and government sectors, as well as large enterprise organizations.

Benefits of Azure Lighthouse

Centralized Management

Azure Lighthouse provides a single-pane-of-glass experience to manage resources across different Azure tenants. This reduces operational complexity and increases visibility, enabling service providers and enterprises to monitor, operate, and automate tasks effectively.

Enhanced Automation

With Azure Resource Manager (ARM) templates and automation scripts, Azure Lighthouse supports advanced deployment and management scenarios. This allows for:

  • Streamlined onboarding of new customers.
  • Automation of repetitive tasks.
  • Scalability to manage multiple customers or business units effortlessly.

Cost Efficiency

Azure Lighthouse reduces overhead by eliminating the need for duplicate administrative accounts or manual management processes. Organizations can achieve significant cost savings by:

  • Utilizing existing roles and permissions.
  • Leveraging shared services across multiple tenants.

Improved Collaboration

Azure Lighthouse facilitates seamless collaboration between service providers and their customers. Customers maintain full control over their data and resources, while service providers gain the necessary permissions to manage them efficiently. This collaboration model ensures that service providers can perform tasks such as monitoring, patching, and updates without compromising the security or autonomy of customer environments. Additionally, customers can define specific access scopes and time frames for service providers, ensuring a controlled and transparent partnership. The built-in activity logs provide a real-time audit trail, fostering trust and accountability between parties.

Visibility and Transparency

Customers have full visibility of the actions performed by service providers, ensuring transparency. Activity logs and monitoring features help track changes and manage accountability. These logs can be accessed directly through the Azure Portal under the 'Activity Log' section of each subscription, or by using Azure Monitor to set up alerts and analyze log data. This ensures that customers have a centralized view of all operations performed within their environments.

Security Features of Azure Lighthouse

Least Privilege Access

Azure Lighthouse adheres to the principle of least privilege by granting access to specific roles and permissions only as needed. This minimizes the risk of unauthorized access and ensures secure operations.

Role-Based Access Control (RBAC)

Azure Lighthouse leverages Azure’s robust RBAC system to define granular permissions. Service providers can only perform actions explicitly allowed by the assigned roles, ensuring controlled and secure management.

Multi-Tenant Security

Azure Lighthouse is designed to securely handle operations across multiple tenants. It uses delegated resource management to provide access without compromising the customer’s tenant security.

Comprehensive Auditing and Logging

Every action performed through Azure Lighthouse is logged in Azure Monitor and Activity Logs. This ensures:

  • Full traceability of operations.
  • Improved compliance with regulatory requirements.
  • Quick identification and resolution of security incidents.

Secure Onboarding

The onboarding process via ARM templates ensures that the permissions granted to service providers are secure and compliant with organizational policies.

Customer Oversight

Customers retain control of their data and resources at all times. Azure Lighthouse’s architecture ensures that service providers cannot access data or resources beyond their specified roles.

Rackspace Permission Details and Requirements

Azure Lighthouse uses ARM templates to define and manage the roles and permissions granted to service providers. Below are the key permission details and their specific requirements for a Rackspace Modern Operations Customer:

Managed Service Provider (MSP) Offer Details

  1. Offer Name: "Rackspace Technology Inc."
  2. Offer Description: Default Value: "Rackspace Technology Inc. Lighthouse for Managed Services."

Authorizations for Service Accounts

In Azure Lighthouse, authorizations are used to define and grant specific permissions to service accounts in the managing tenant (Rackspace) to manage resources in the customer's tenant. Here's a breakdown of how authorizations work:

Elements of an Authorization:

  1. User: The Principal ID for a service account in the Rackspace managing tenant.
  2. Role: The specific Azure built-in role that defines the permissions granted to the service account.

Creating Authorizations:

Azure Resource Manager Templates: Authorizations are created when onboarding customers using ARM templates; the onboarding itself is performed during the enrollment process in the Rackspace Portal.

Eligible Authorizations for Rackspace Employees

What are Eligible Authorizations:

  1. Role Assignment: Authorizations define role assignments that require users to activate the role when they need to perform privileged tasks.
  2. Just-in-Time Access: Users gain access to critical resources only when needed, minimizing the attack surface.
  3. Temporary Access: Users have elevated permissions for a pre-configured time period.
  4. Audit Logs: Administrators can review all Privileged Identity Management activities by viewing the audit log.

How does Rackspace use Eligible Authorizations:

These roles are assigned to Rackspace employees according to their role within the company and must be activated just-in-time. Access is granted through Privileged Identity Management (PIM) in Entra ID (see below), ensuring enhanced security and control. Each role requires just-in-time access and is subject to additional policies:

  • PIM - Azure Support Contributor
    • Role Definition ID: b24988ac-6180-42f4-a55d-6e525e11384b
    • Role Name: Support Contributor
    • Policy: Requires multi-factor authentication (MFA) and a maximum activation duration of 8 hours.

What is Microsoft Privileged Identity Management (PIM)

Overview:

Microsoft Privileged Identity Management (PIM) is a service within Microsoft Entra ID that enables Rackspace to manage, control, and monitor access to customer environments. It provides just-in-time privileged access to resources in Azure for all Azure support personnel, billing operations, and automation services.

Key Benefits:

  1. Minimize Risk: PIM reduces the risk of excessive, unnecessary, or misused access permissions by providing time-based and approval-based role activation.
  2. Just-in-Time Access: Users gain access to critical resources only when needed, minimizing the attack surface for potential malicious actors.
  3. Enhanced Security: PIM enforces multifactor authentication (MFA) for role activation, ensuring that only authorized users can access sensitive resources.
  4. Audit and Compliance: PIM provides detailed audit logs and justifications for role activations, enabling organizations to meet internal and external compliance requirements.
  5. Access Reviews: Organizations can conduct regular access reviews to ensure that users still require their privileged roles, helping to maintain a least-privilege environment.
  6. Centralized Management: PIM offers a centralized platform for managing privileged access across Microsoft Entra ID and Azure resources, simplifying administrative tasks.

Microsoft Privileged Identity Management (PIM) provides a robust solution for managing and securing privileged access to critical resources. By implementing PIM, Rackspace can minimize risks, enhance security, and ensure compliance with regulatory requirements.

Where do I see my Service Provider details?

Customers can see Azure Lighthouse in their environment through the Azure portal. Here's how:

  1. Service Providers Page: Customers can navigate to the Service Providers page in the Azure portal to view and manage their service providers who use Azure Lighthouse. They can enter "Service providers" in the search box or select All services and search for "Azure Lighthouse".
  2. Delegations Section: On the Service Provider page, customers can see details about their service providers, including the number of delegated subscriptions and resource groups.

By accessing these pages, customers can have greater visibility and control over their resources and the actions taken by their service providers.

Best Practices

Least Privilege: Rackspace assigns only the minimum permissions needed to provide the contracted services and perform the necessary functions, reducing security risk.

Regular Password Rotations: Conduct periodic password rotations for the service accounts to maintain security and compliance requirements.

By using authorizations in Azure Lighthouse, service providers can efficiently manage customer resources while maintaining security and compliance.

The following authorizations define the roles and permissions granted to service providers:

Azure Reader

  1. Role Definition ID: acdd72a7-3385-48ef-bd42-f606fba81ae7
  2. Role Name: Reader
  3. Description: Provides read-only access to Azure resources.

Azure Billing Reader

  1. Role Definition ID: fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64
  2. Role Name: Billing Reader
  3. Description: Allows read-only access to billing information.

Azure Automation Contributor

  1. Role Definition ID: b24988ac-6180-42f4-a55d-6e525e11384b
  2. Role Name: Contributor
  3. Description: Grants permissions to manage Azure Automation resources, including creating and managing policies, remediation tasks, and monitoring and alerting configuration.

Azure Automation Lighthouse Management

  1. Role Definition ID: 91c1777a-f3dc-4fae-b103-61d183457e46
  2. Role Name: Managed Identity Operator
  3. Description: Allows Rackspace to remove the Lighthouse delegation.

Azure Automation Managed Identity Operator

  1. Role Definition ID: e40ec5ca-96e0-45a2-b4ff-59039f2c2b59
  2. Role Name: Managed Identity Operator
  3. Description: Allows Rackspace to create a user-assigned managed identity to manage all policies, monitors, and alerts in the environment.

Azure Automation Policy Contributor

  1. Role Definition ID: 36243c78-bf99-498c-9df9-86d9f8d28608
  2. Role Name: Policy Contributor
  3. Description: Allows Rackspace to create Azure Policy definitions and assign policies to Azure Subscriptions.
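As an added example (not Rackspace's or Microsoft's code), the following Python script lets a customer check a Lighthouse registration definition against the authorizations, PIM policy and role list described above: every standing authorization must use one of the documented role definition IDs, and every eligible authorization must require MFA and cap activation at 8 hours. The sample definition and its principal IDs are constructed placeholders; the property names follow the Microsoft.ManagedServices/registrationDefinitions ARM schema.

```python
import re

# Constructed sample "properties" block of a Lighthouse registrationDefinitions
# resource; principal IDs are placeholders, role IDs are the ones on this page.
SAMPLE_PROPERTIES = {
    "authorizations": [
        {"principalId": "11111111-1111-1111-1111-111111111111",
         "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"},
    ],
    "eligibleAuthorizations": [
        {"principalId": "33333333-3333-3333-3333-333333333333",
         "roleDefinitionId": "b24988ac-6180-42f4-a55d-6e525e11384b",
         "justInTimeAccessPolicy": {"multiFactorAuthProvider": "Azure",
                                    "maximumActivationDuration": "PT8H"}},
    ],
}

# Role definition IDs this page lists as the contracted set.
EXPECTED_ROLES = {
    "acdd72a7-3385-48ef-bd42-f606fba81ae7",  # Reader
    "fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64",  # Billing Reader
    "b24988ac-6180-42f4-a55d-6e525e11384b",  # Contributor
    "91c1777a-f3dc-4fae-b103-61d183457e46",  # removes the Lighthouse delegation
    "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",  # Managed Identity Operator
    "36243c78-bf99-498c-9df9-86d9f8d28608",  # Policy Contributor
}
MAX_ACTIVATION_HOURS = 8  # the PIM activation limit stated on this page

def duration_hours(iso):
    """Convert an ISO 8601 duration such as PT8H or P1DT30M into hours."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", iso)
    if not m:
        raise ValueError("unsupported duration: %r" % iso)
    days, hours, minutes = (int(x) if x else 0 for x in m.groups())
    return days * 24 + hours + minutes / 60

def review(props):
    # Returns a list of findings; an empty list means the offer matches the page.
    findings = []
    for auth in props.get("authorizations", []):  # standing (always-on) access
        if auth["roleDefinitionId"] not in EXPECTED_ROLES:
            findings.append("standing role outside contracted set: " + auth["roleDefinitionId"])
    for auth in props.get("eligibleAuthorizations", []):  # PIM-activated access
        jit = auth.get("justInTimeAccessPolicy") or {}
        if jit.get("multiFactorAuthProvider") != "Azure":
            findings.append("eligible role without MFA: " + auth["principalId"])
        dur = jit.get("maximumActivationDuration")
        if dur is None or duration_hours(dur) > MAX_ACTIVATION_HOURS:
            findings.append("activation missing or over 8h: " + auth["principalId"])
    return findings
```

To check a real offer, load the "properties" object of the registration definition from the deployed ARM template and pass it to review().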