Added capabilities to manage DFC Plan Policy Assignments via EPAC

apybar · apybar · commit 80419c01010c · 2025-08-27T09:14:43.000-05:00
diff --git a/Docs/guidance-lighthouse.md b/Docs/guidance-lighthouse.md
@@ -0,0 +1,108 @@
+# Lighhouse Subscription Management with EPAC
+
+## Overview
+
+While EPAC is not currently able to handle all use cases for lighthouse integration, there are twe specific use cases requested through GH issues that have been accounted for.  The following is offered as guidance around those use cases.  It is possible that the work done to account for these use cases does allow for other, untested, functionality; so trying different permutations of below mentioned pacEnv settings may result in additional, undocumented functionality.
+
+## Use-case 1: Additional role assignment from managing tenant to managed subscriptions
+
+There are some instances where you may need to make additional role assignments to managed subscriptions while assigning policy at your managing tenant.  The guidance below will cover a specific use case and all EPAC configurations necessary to achieve this use case.
+
+### Use-case
+
+When assigning Deploy Diagnostics Settings type policies at a scope in your managing tenant, you want to write the diagnostics data to a managed (lighhouse joined) subscription.
+
+### Configurations
+
+1. pacSelector Configuration.
+
+In your global settings file find the specific pagEnvironments that will have diagnostic settings policy deployed to them where the diagnostics data needs to be written to lighthouse managed subscription.  Add the following to that pacSelector in the global settings file:
+
+                "managedTenant": {
+                    "managedTenantId": "00000000-1111-2222-3333-444444444444",
+                    "managedTenantScopes": [
+                        "/subscriptions/00000000-1111-2222-3333-444444444444",
+                        "/subscriptions/00000000-1111-2222-3333-444444444444"
+                    ]
+                },
+
+managedTenantId - The tenant containing the lighthouse managed (joined) subsciptions.
+managedTenantScopes - A list of all subscriptions that may need "remote" role assignments made to them.  These would be the subscriptions that contain, for example, the Log Analytics Workspace or Storage Account that your are writing diagnostics data to across tenants.  Every subscription where this pacEnvironment may need to make a role assignment to must be listed.
+
+1. In the assignment file add an additionalRoleAssignments section for the file or node so that the assignment knows that for assigning this policy, at this (managing) pacEnvironment, it needs to perform and additional role assignment at the remote (managed) scope.  The scope of the assignment must be included in the managedTenantScopes for the pacEnvironment in the globalSettings file.
+
+                "additionalRoleAssignments": {
+                    "managingTenantScopeEnv": [
+                        {
+                            "roleDefinitionId": "/providers/microsoft.authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
+                            "scope": "/subscriptions/00000000-1111-2222-3333-444444444444",
+                            "crossTenant": true
+                        }
+                    ]
+                },
+        
+## Use-case 2: Make role assignments at lighthouse managed scopes while deploying to the cast instance of that subscription in your tenant.
+
+This feature is primarily meant for MSPs managing customer subscriptions.  While the complete implementation is not perfiect, this is due to a deficiency in lighthouse functionality and guidance on the best way to work around that with EPAC is provided.  
+
+### Use-case
+
+This feature allows users to assign policies with role assignments to managed subscriptions without direct access to the customer tenant.
+
+### Configurations
+
+1. Lighthouse Setup  - Before any of the EPAC functionality can work, you must first provide the service principal executing EPAC (in the managing tenant) the appropriate access in the managed (lighthouse invited) subscriptions.  There are two components to this.  Because you can configure EPAC to run plans, policy deployments, and role deployments with different service principals or use the same service principal for all of these actions, the guidance here will be written for an implementation using a singular service principal to perform all 3 actions.  If you are using a different service principal for each of these stages, adjust the lighthouse template accordingly.  
+    1. Determing which roles and permissions are needed for basic EPAC functionality.  The combined required roles are Reader, Resource Policy Contributor, and User Access Administrator.
+    1. Determine which roles will be need to be assigned to your policies (DINE/Modify).  This is likely a dynamic list and will change over time.  Be as proactive and forward thinking as you can in developing this list as any changes to this list will require a re-invite for each lighthouse subscription.
+
+Once These two lists have been developed create your lighthouse invite template.
+
+1. Open Lighthouse in your managing tenant
+1. Click "Manage your Customers"
+1. Click "Create ARM Template"
+1. Give the offer a name and description.
+1. Choose the scopt your will request to manage
+1. Click "+ Add authorization"
+    1. Choose "Principal type" (Service Principal for EPAC)
+    1. Select your principal
+    1. Add Display name
+    1. Select your role (from the list developed in item 1 above e.g. Reader, Resource Policy Contributor, and User Access Administrator)
+    1. Add authorization for all roles that need to be assigned to your principal
+    1. Click "View template"
+    1. Download the template and open it to edit
+    1. In the "authorizations" section, find all instances where you are assigning the User Access Administrator (18d7d88d-d35e-4fb5-a5c3-7773c20a72d9)
+    1. Add the roles determined above in item 2 in a "delegatedRoleDefinitionIds" array, the delegated roles that your User Access Administrator will be able to add and remove.
+
+        Example:
+
+        "delegatedRoleDefinitionIds": [
+            "b24988ac-6180-42a0-ab88-20f7382dd24c",   <----Contributor
+            "f353d9bd-d4a6-484e-a77a-8050b599b867",   <----Automation Contributor
+            "91c1777a-f3dc-4fae-b103-61d183457e46"    <----Managed Services Registration assignment Delete Role
+        ]
+
+    Once this is completed send this file to your customer to be executed in each of their subscriptions where you will need to manage policies.  It will take between 30 seconds and 30 minutes for the registration to comnplete (usually closere to 30 seconds).  To view your customers go to lighthouse in your tenant and view customers.  If you are not seeing all of them you need to change your global filters.
+
+    After the Lighthouse portion is complete you will need to set things up in EPAC for each target subscription.  Below is an example with explanation of the relevant properties.
+
+            {
+                "pacSelector": "epac-ManagedCustomerSubscription1",
+                "cloud": "AzureCloud",
+                "tenantId": "00000000-1111-2222-3333-444444444444",                                <----My Tenant
+                "deploymentRootScope": "/subscriptions/999999-8888-7777-6666-555555555555",        <----Customer subscription
+                "managedSubscription": true,                                                       <----Indicates this is a managed subscription
+                "managedIdentityLocation": "eastus2",
+                "managedTenant": {
+                    "managedTenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",                     <----Customer tenant ID
+                    "managedTenantScopes": [
+                        "/subscriptions/999999-8888-7777-6666-555555555555"                        <----Customer subscription
+                    ]
+                },
+                "desiredState": {
+                    "strategy": "full",
+                    "keepDfcSecurityAssignments": false
+                },
+                "deployedBy": "My Org Admins"                                                      <----Friendly name to indicate who is deploying policy
+            },
+
+NOTE:  Because Lighthouse does not allow grouping of "cast" lighthouse subscriptions to be grouped in the managing tenant, and does not allow for management groups to be cast, each unique subscription must be a unique pacEnvironment.  The best way to perform "mass" deployments is through custom pipelines that will create multiples plans with unique names and then run multiple deployments.  It is recommended to use Self-hosted agents in this scenario as you can create larger SKU agents that will allow for parallelism.
diff --git a/Docs/index.md b/Docs/index.md
@@ -4,10 +4,12 @@ Enterprise Azure Policy as Code (EPAC for short) is a number of PowerShell scrip
 
 ## Latest Updates
 
-For all EPAC changes and newest updates, please visit our [GitHub Releases Page](https://github.com/Azure/enterprise-azure-policy-as-code/releases).
+### v11.0.0 is Coming!
 
 > [!CAUTION]
-> Review the Breaking changes in v10.0.0 carefully to avoid issues with your EPAC instance. The changes are [documented here](start-changes.md#breaking-changes-in-v1000).
+> Review the Breaking changes in v11.0.0 carefully to avoid issues with your EPAC instance. The changes are [documented here](start-changes.md).
+
+For all EPAC changes and newest updates, please visit our [GitHub Releases Page](https://github.com/Azure/enterprise-azure-policy-as-code/releases).
 
 > [!IMPORTANT]
 > Starting with v8.0.0, Enterprise Policy as Code (EPAC) is tracking the usage using [Customer Usage Attribution](https://learn.microsoft.com/en-us/partner-center/marketplace/azure-partner-customer-usage-attribution). In accordance with Microsoft's privacy policies, you have the right to **opt-out** of this tracking. Please review [Telemetry below](#telemetry-tracking-using-customer-usage-attribution-pid) and [Microsoft Privacy](https://privacy.microsoft.com/en-US/) for more information.
diff --git a/Docs/start-changes.md b/Docs/start-changes.md
@@ -1,8 +1,22 @@
-# Changes in v10.0.0
+# Upcoming changes in v11.0.0
 
 > [!CAUTION]
 > Read the **breaking changes** below carefully and adjust your environment accordingly.
 
+## Breaking Changes in v11.0.0
+
+### Changes in Lighthouse Deployments
+
+EPAC is introducing updates that affect how role assignments are handled across managing and managed (Lighthouse) tenants. While EPAC does not yet support all Lighthouse scenarios, two specific use cases have been implemented based on GitHub issue feedback. These changes will break existing configurations that do not follow the new guidance detailed in [Lighhouse Subscription Management with EPAC](guidance-lighthouse.md)
+
+Use Case 1:
+- Role Assignments from Managing Tenant to Managed Subscriptions
+Scenario: Deploying diagnostics policies in the managing tenant that write data to resources in Lighthouse-managed subscriptions.
+
+Use Case 2
+- Role Assignments Within Managed Subscriptions (Cast Instances)
+Scenario: MSPs deploying policies with role assignments to customer subscriptions without direct access to their tenant.
+
 ## Breaking Changes in v10.0.0
 
 ### Changes in `globalSettings.jsonc`
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -31,7 +31,7 @@ nav:
       - Extracting Policy Resources: start-extracting-policy-resources.md
       - Forking GitHub Repo: start-forking-github-repo.md
       - Advanced Configuration: advanced-configuration.md
-      - Changes in v10.0.0: start-changes.md
+      - Upcoming Changes in v11.0.0: start-changes.md
   - Settings and Desired State:
       - Global Settings: settings-global-setting-file.md
       - Desired State: settings-desired-state.md
@@ -60,6 +60,7 @@ nav:
       - Remediation Enforcement: guidance-remediation.md
       - Exclusion Management: guidance-scope-exclusions.md
       - Exemption Updates: guidance-exemptions.md
+      - Lighhouse Subscription Management: guidance-lighthouse.md
 
 markdown_extensions:
   - admonition
