@@ -13,7 +13,7 @@ As a service provider, you may want to be aware when customer subscriptions or r
13
13
14
14
In the managing tenant, the [Azure activity log](../../azure-monitor/essentials/platform-logs-overview.md) tracks delegation activity at the tenant level. This logged activity includes any added or removed delegations from customer tenants.
15
15
16
-
This topic explains the permissions needed to monitor delegation activity to your tenant (across all of your customers). It also includes a sample script that shows one method for querying and reporting on this data.
16
+
This topic explains the permissions needed to monitor delegation activity to your tenant across all of your customers. It also includes a sample script that shows one method for querying and reporting on this data.
17
17
18
18
> [!IMPORTANT]
19
19
> All of these steps must be performed in your managing tenant, rather than in any customer tenants.
@@ -65,7 +65,7 @@ After you've assigned the Monitoring Reader role at root scope to the desired ac
65
65
66
66
## View delegation changes in the Azure portal
67
67
68
-
Users who has been assigned the Monitoring Reader role at root scope can view delegation changes directly in the Azure portal.
68
+
Users who have been assigned the Monitoring Reader role at root scope can view delegation changes directly in the Azure portal.
69
69
70
70
1. Navigate to the **My customers** page, then select **Activity log** from the left-hand navigation menu.
71
71
1. Ensure that **Directory Activity** is selected in the filter near the top of the screen.
@@ -180,5 +180,5 @@ else {
180
180
## Next steps
181
181
182
182
- Learn how to [onboard customers to Azure Lighthouse](onboard-customer.md).
183
-
- Learn about [Azure Monitor](../../azure-monitor/index.yml) and the [Azure activity log](../../azure-monitor/essentials/platform-logs-overview.md).
183
+
- Learn about [Azure Monitor](../../azure-monitor/index.yml) and the [Azure activity log](../../azure-monitor/essentials/activity-log.md).
184
184
- Review the [Activity Logs by Domain](https://github.com/Azure/Azure-Lighthouse-samples/tree/master/templates/workbook-activitylogs-by-domain) sample workbook to learn how to display Azure Activity logs across subscriptions with an option to filter them by domain name.
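Review bot: The link target for "Azure activity log" is updated only in the Next steps bullet at new line 183, so it now points to essentials/activity-log.md there while the intro paragraph at line 14 of the same file still links to essentials/platform-logs-overview.md. If activity-log.md is the intended target, update line 14 as well so both references to the activity log resolve to the same page.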
File: articles/lighthouse/how-to/partner-earned-credit.md (3 additions & 3 deletions)
@@ -1,21 +1,21 @@
1
1
---
2
2
title: Link your partner ID to track your impact on delegated resources
3
3
description: Associate your partner ID to receive partner earned credit (PEC) on customer resources you manage through Azure Lighthouse.
4
-
ms.date: 12/16/2021
4
+
ms.date: 06/22/2022
5
5
ms.topic: how-to
6
6
---
7
7
8
8
# Link your partner ID to track your impact on delegated resources
9
9
10
-
If you're a member of the [Microsoft Partner Network](https://partner.microsoft.com/), you can link your partner ID with the credentials used to manage delegated customer resources, allowing Microsoft to identify and recognize partners who drive Azure customer success. This link also allows [CSP (Cloud Solution Provider)](/partner-center/csp-overview) partners to receive [partner earned credit for managed services (PEC)](/partner-center/partner-earned-credit) for customers who have [signed the Microsoft Customer Agreement (MCA)](/partner-center/confirm-customer-agreement) and are [under the Azure plan](/partner-center/azure-plan-get-started).
10
+
If you're a member of the [Microsoft Partner Network](https://partner.microsoft.com/), you can link your partner ID with the credentials used to manage delegated customer resources. This link allows Microsoft to identify and recognize partners who drive Azure customer success. It also allows [CSP (Cloud Solution Provider)](/partner-center/csp-overview) partners to receive [partner earned credit for managed services (PEC)](/partner-center/partner-earned-credit) for customers who have [signed the Microsoft Customer Agreement (MCA)](/partner-center/confirm-customer-agreement) and are [under the Azure plan](/partner-center/azure-plan-get-started).
11
11
12
12
To earn recognition for Azure Lighthouse activities, you'll need to [link your MPN ID](../../cost-management-billing/manage/link-partner-id.md) with at least one user account in your managing tenant, and ensure that the linked account has access to each of your onboarded subscriptions.
13
13
14
14
## Associate your partner ID when you onboard new customers
15
15
16
16
Use the following process to link your partner ID (and enable partner earned credit, if applicable). You'll need to know your [MPN partner ID](/partner-center/partner-center-account-setup#locate-your-mpn-id) to complete these steps. Be sure to use the **Associated MPN ID** shown on your partner profile.
17
17
18
-
For simplicity, we recommend creating a service principal account in your tenant, linking it to your **Associated MPN ID**, then granting it access to every customer you onboard with an [Azure built-in role that is eligible for PEC](/partner-center/azure-roles-perms-pec).
18
+
For simplicity, we recommend creating a service principal account in your tenant, linking it to your **Associated MPN ID**, then granting it an [Azure built-in role that is eligible for PEC](/partner-center/azure-roles-perms-pec) to every customer that you onboard.
19
19
20
20
1.[Create a service principal user account](../../active-directory/develop/howto-authenticate-service-principal-powershell.md) in your managing tenant. For this example, we'll use the name *Provider Automation Account* for this service principal account.
21
21
1. Using that service principal account, [link to your Associated MPN ID](../../cost-management-billing/manage/link-partner-id.md#link-to-a-partner-id) in your managing tenant. You only need to do this one time.
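Review bot: The reworded sentence at new line 18 reads as if the role is granted to the customer: "granting it an Azure built-in role that is eligible for PEC to every customer that you onboard". The role goes to the service principal, once per onboarded customer, so consider "then assigning it an Azure built-in role that is eligible for PEC for every customer that you onboard". The previous wording ("granting it access to every customer you onboard with an ... role") kept the grantee unambiguous.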
File: articles/lighthouse/how-to/publish-managed-services-offers.md (4 additions & 4 deletions)
@@ -15,7 +15,7 @@ You need to have a valid [account in Partner Center](../../marketplace/create-ac
15
15
16
16
Per the [Managed Service offer certification requirements](/legal/marketplace/certification-policies#700-managed-services), you must have a [Silver or Gold Cloud Platform competency level](/partner-center/learn-about-competencies) or be an [Azure Expert MSP](https://partner.microsoft.com/membership/azure-expert-msp) in order to publish a Managed Service offer. You must also [enter a lead destination that will create a record in your CRM system](../../marketplace/plan-managed-service-offer.md#customer-leads) each time a customer deploys your offer.
17
17
18
-
If you don't want to publish an offer to Azure Marketplace, or don't meet all the requirements, you can onboard customers manually by using Azure Resource Manager templates. For more info, see [Onboard a customer to Azure Lighthouse](onboard-customer.md).
18
+
If you don't want to publish an offer to Azure Marketplace, or if you don't meet all the requirements, you can onboard customers manually by using Azure Resource Manager templates. For details, see [Onboard a customer to Azure Lighthouse](onboard-customer.md).
19
19
20
20
The following table can help determine whether to onboard customers by publishing a Managed Service offer or by using Azure Resource Manager templates.
21
21
@@ -42,17 +42,17 @@ To learn about the general publishing process, review the [commercial marketplac
42
42
Once a customer adds your offer, they will be able to delegate one or more subscriptions or resource groups, which will then be [onboarded to Azure Lighthouse](#the-customer-onboarding-process).
43
43
44
44
> [!IMPORTANT]
45
-
> Each plan in a Managed Service offer includes a **Manifest Details** section, where you define the Azure Active Directory (Azure AD) entities in your tenant that will have access to the delegated resource groups and/or subscriptions for customers who purchase that plan. It's important to be aware that any group (or user or service principal) that you include will have the same permissions for every customer who purchases the plan. To assign different groups to work with each customer, you can publish a separate [private plan](../../marketplace/private-offers.md) that is exclusive to each customer. Keep in mind that private plans are not supported with subscriptions established through a reseller of the Cloud Solution Provider (CSP) program.
45
+
> Each plan in a Managed Service offer includes a **Manifest Details** section, where you define the Azure Active Directory (Azure AD) entities in your tenant that will have access to the delegated resource groups and/or subscriptions for customers who purchase that plan. It's important to be aware that any group (or user or service principal) that you include will have the same permissions for every customer who purchases the plan. To assign different groups to work with each customer, you can publish a separate [private plan](../../marketplace/private-offers.md) that is exclusive to each customer. These private plans are not supported with subscriptions established through a reseller of the Cloud Solution Provider (CSP) program.
46
46
47
47
## Publish your offer
48
48
49
49
Once you've completed all of the sections, your next step is to publish the offer. After you initiate the publishing process, your offer will go through several validation and publishing steps. For more information, see [Review and publish an offer to the commercial marketplace](../../marketplace/review-publish-offer.md)
50
50
51
-
You can [publish an updated version of your offer](../../marketplace/update-existing-offer.md) at any time. For example, you may want to add a new role definition to a previously-published offer. When you do so, customers who have already added the offer will see an icon in the [**Service providers**](view-manage-service-providers.md) page in the Azure portal that lets them know an update is available. Each customer will be able to [review the changes and update to the new version](view-manage-service-providers.md#update-service-provider-offers).
51
+
You can [publish an updated version of your offer](../../marketplace/update-existing-offer.md) at any time. For example, you may want to add a new role definition to a previouslypublished offer. When you do so, customers who have already added the offer will see an icon in the **Service providers** page in the Azure portal that lets them know an update is available. Each customer will be able to [review the changes and update to the new version](view-manage-service-providers.md#update-service-provider-offers).
52
52
53
53
## The customer onboarding process
54
54
55
-
After a customer adds your offer, they can [delegate one or more specific subscriptions or resource groups](view-manage-service-providers.md#delegate-resources), which will be onboarded to Azure Lighthouse. If a customer has accepted an offer but has not yet delegated any resources, they'll see a note at the top of the **Provider offers** section of the [**Service providers**](view-manage-service-providers.md) page in the Azure portal.
55
+
After a customer adds your offer, they can [delegate one or more specific subscriptions or resource groups](view-manage-service-providers.md#delegate-resources), which will be onboarded to Azure Lighthouse. If a customer has accepted an offer but has not yet delegated any resources, they'll see a note at the top of the **Service provider offers** section of the **Service providers** page in the Azure portal.
56
56
57
57
> [!IMPORTANT]
58
58
> Delegation must be done by a non-guest account in the customer's tenant who has a role with the `Microsoft.Authorization/roleAssignments/write` permission, such as [Owner](../../role-based-access-control/built-in-roles.md#owner), for the subscription being onboarded (or which contains the resource groups that are being onboarded). To find users who can delegate the subscription, a user in the customer's tenant can select the subscription in the Azure portal, open **Access control (IAM)**, and [view all users with the Owner role](../../role-based-access-control/role-assignments-list-portal.md#list-owners-of-a-subscription).
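Review bot: At new line 51 the added text reads "previouslypublished" as rendered here; removing the hyphen should leave "previously published" with a space. New lines 51 and 55 also drop the view-manage-service-providers.md link from **Service providers**, leaving the page name as bold text only; if that is not intentional, restore the link on at least one of the two mentions.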
File: articles/lighthouse/how-to/update-delegation.md (7 additions & 7 deletions)
@@ -1,7 +1,7 @@
1
1
---
2
2
title: Update a delegation
3
3
description: Learn how to update a delegation for a customer previously onboarded to Azure Lighthouse.
4
-
ms.date: 09/08/2021
4
+
ms.date: 06/22/2022
5
5
ms.topic: how-to
6
6
---
7
7
@@ -14,18 +14,18 @@ After you have onboarded a subscription (or resource group) to Azure Lighthouse,
14
14
15
15
If you [onboarded your customer through Azure Resource Manager templates (ARM templates)](onboard-customer.md), a new deployment must be performed for that customer. Depending on what you are changing, you may want to update the original offer, or remove the original offer and create a new one.
16
16
17
-
-**If you are changing authorizations only**: You can update your delegation by changing only the **authorizations** section of the ARM template.
17
+
-**If you are changing authorizations only**: You can update your delegation by changing the **authorizations** section of the ARM template.
18
18
-**If you are changing the managing tenant**: You must create a new ARM template using with a different **mspOfferName** than your previous offer.
19
19
20
20
## Update your ARM template
21
21
22
22
To update your delegation, you will need to deploy an ARM template that includes the changes you'd like to make.
23
23
24
-
If you are only updating authorizations (such as adding a new user group with a role you hadn't previously included, or changing the role for an existing user), you can use the same **mspOfferName** as in the [ARM template](onboard-customer.md#create-an-azure-resource-manager-template) that you used for the previous delegation. You can use your previous template as a starting point. Then, make the changes you need, such as replacing one Azure built-in role with another, or adding a completely new authorization to the template.
24
+
If you are only updating authorizations (such as adding a new user group with a role you hadn't previously included, or changing the role for an existing user), you can use the same **mspOfferName** as in the [ARM template](onboard-customer.md#create-an-azure-resource-manager-template) that you used for the previous delegation. Use your previous template as a starting point. Then, make the changes you need, such as replacing one Azure built-in role with another, or adding a completely new authorization to the template.
25
25
26
26
If you change the **mspOfferName**, this will be considered a new, separate offer. This is required if you are changing the managing tenant.
27
27
28
-
It's not necessary to change the **mspOfferName** if the managing tenant remains the same. In most cases, we recommend having only one **mspOfferName** in use by the same customer and managing tenant. If you choose to change it anyway, be sure that the customer's previous delegation is removed before deploying the new one.
28
+
You don't need to change the **mspOfferName** if the managing tenant remains the same. In most cases, we recommend having only one **mspOfferName** in use by the same customer and managing tenant. If you do choose to create a new **mspOfferName** for your template, be sure that the customer's previous delegation is removed before deploying the new one.
29
29
30
30
## Remove the previous delegation
31
31
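Review bot: Line 18, left as unchanged context directly below the edited bullet, still reads "create a new ARM template using with a different **mspOfferName**". Since this change already touches the neighbouring bullet, drop either "using" or "with" there as well.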
@@ -43,7 +43,7 @@ If you are updating the offer to adjust authorizations only, and keeping the sam
43
43
Removing access to the delegation can be done by any user in the managing tenant who was granted the [Managed Services Registration Assignment Delete Role](../../role-based-access-control/built-in-roles.md#managed-services-registration-assignment-delete-role) in the original delegation. If no user in your managing tenant has this role, you can ask the customer to [remove access to the offer in the Azure portal](view-manage-service-providers.md#remove-service-provider-offers).
44
44
45
45
> [!TIP]
46
-
> If you have removed the previous delegation following the steps above, and are still unable to deploy the new ARM template, you may need to [remove the registration definition completely](/powershell/module/az.managedservices/remove-azmanagedservicesdefinition). This can be done by any user with a role that has the `Microsoft.Authorization/roleAssignments/write` permission, such as [Owner](../../role-based-access-control/built-in-roles.md#owner), in the customer tenant.
46
+
> If you have removed the previous delegation but are unable to deploy the new ARM template, you may need to [remove the registration definition completely](/powershell/module/az.managedservices/remove-azmanagedservicesdefinition). This can be done by any user with a role that has the `Microsoft.Authorization/roleAssignments/write` permission, such as [Owner](../../role-based-access-control/built-in-roles.md#owner), in the customer tenant.
47
47
48
48
## Deploy the ARM template
49
49
@@ -53,12 +53,12 @@ After the deployment has been completed, [confirm that it was successful](onboar
53
53
54
54
## Updating Managed Service offers
55
55
56
-
If you onboarded your customer through a Managed Service offer published to Azure Marketplace, and you want to update authorizations, you can do so by [publishing a new version of your offer](../../marketplace/update-existing-offer.md) with the [authorizations](../../marketplace/create-managed-service-offer-plans.md#authorizations) that you want to use updated in the plan for that customer. The customer will then be able to [review the changes in the Azure portal and accept the new version](view-manage-service-providers.md#update-service-provider-offers).
56
+
If you onboarded your customer through a Managed Service offer published to Azure Marketplace, and you want to update authorizations, you can do so by [publishing a new version of your offer](../../marketplace/update-existing-offer.md) with updates to the [authorizations](../../marketplace/create-managed-service-offer-plans.md#authorizations) in the plan for that customer. The customer will then be able to [review the changes in the Azure portal and accept the new version](view-manage-service-providers.md#update-service-provider-offers).
57
57
58
58
If you want to change the managing tenant, you will need to [create and publish a new Managed Service offer](publish-managed-services-offers.md) for the customer to accept.
59
59
60
60
> [!IMPORTANT]
61
-
> As mentioned earlier, we recommend that you avoid using multiple offers for the same customer and managing tenant. If you do publish a new offer for the same customer which uses the same managing tenant, be sure that the earlier offer is removed before the customer accepts the newer offer.
61
+
> We recommend that you avoid using multiple offers between the same customer and managing tenant. If you publish a new offer for a current customer that uses the same managing tenant, be sure that the earlier offer is removed before the customer accepts the newer offer.
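Review bot: In the rewritten note at new line 61, "a new offer for a current customer that uses the same managing tenant" lets "that uses" attach to the customer rather than to the offer. Wording such as "a new offer that uses the same managing tenant for a current customer" keeps the condition on the offer, which is what the removal instruction that follows depends on.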