moving removal info to new topic

Author: JnHs

articles/lighthouse/how-to/remove-delegation.md

@@ -0,0 +1,86 @@
+---
+title: Remove access to a delegation
+description: Learn how to onboard a customer to Azure delegated resource management, allowing their resources to be accessed and managed through your own tenant.
+ms.date: 04/23/2020
+ms.topic: conceptual
+---
+
+# Remove access to a delegation
+
+This article explains how you, as a service provider, can remove access to a subscription or resource group that was previously delegated to Azure delegated resource management.
+
+By default, users in the customer's tenant who have the appropriate permissions can remove service provider access to delegated resources in the [Service providers page](view-manage-service-providers.md#add-or-remove-service-provider-offers) of the Azure portal. When they do so, no users in the service provider's tenant will be able to access the resources that had been previously delegated.
+
+If you have onboarded users with the [Managed Services Registration Assignment Delete Role](../../role-based-access-control/built-in-roles.md#managed-services-registration-assignment-delete-role) when onboarding a customer for Azure delegated resource management, those users will also be able to remove the delegation.
+
+> [!TIP]
+> We recommend assigning the [Managed Services Registration Assignment Delete Role](../../role-based-access-control/built-in-roles.md#managed-services-registration-assignment-delete-role) when onboarding a customer, so that users in your tenant can [remove access to the delegation](#remove-access-to-a-delegation) later if needed. If this role is not assigned, delegated resources can only be removed by a user in the customer's tenant.
+
+The example below shows an assignment granting the **Managed Services Registration Assignment Delete Role** that can be included in a parameter file:
+
+```json
+    "authorizations": [ 
+        { 
+            "principalId": "cfa7496e-a619-4a14-a740-85c5ad2063bb", 
+            "principalIdDisplayName": "MSP Operators", 
+            "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46" 
+        } 
+    ] 
+```
+
+A user with this permission can remove a delegation in one of the following ways.
+
+### Azure portal
+
+1. Navigate to the [My customers page](view-manage-customers.md).
+2. Select **Delegations**.
+3. Find the delegation you want to remove, then select the trash can icon that appears in its row.
+
+### PowerShell
+
+```azurepowershell-interactive
+# Log in first with Connect-AzAccount if you're not using Cloud Shell
+
+# Sign in as a user from the managing tenant directory 
+
+Login-AzAccount
+
+# Select the subscription that is delegated - or contains the delegated resource group(s)
+
+Select-AzSubscription -SubscriptionName "<subscriptionName>"
+
+# Get the registration assignment
+
+Get-AzManagedServicesAssignment -Scope "/subscriptions/{delegatedSubscriptionId}"
+
+# Delete the registration assignment
+
+Remove-AzManagedServicesAssignment -ResourceId "/subscriptions/{delegatedSubscriptionId}/providers/Microsoft.ManagedServices/registrationAssignments/{assignmentGuid}"
+```
+
+### Azure CLI
+
+```azurecli-interactive
+# Log in first with az login if you're not using Cloud Shell
+
+# Sign in as a user from the managing tenant directory
+
+az login
+
+# Select the subscription that is delegated – or contains the delegated resource group(s)
+
+az account set -s <subscriptionId/name>
+
+# List registration assignments
+
+az managedservices assignment list
+
+# Delete the registration assignment
+
+az managedservices assignment delete --assignment <id or full resourceId>
+```
+
+## Next steps
+
+- Learn about [cross-tenant management experiences](../concepts/cross-tenant-management-experience.md).
+- [View and manage customers](view-manage-customers.md) by going to **My customers** in the Azure portal.

articles/lighthouse/overview.md

@@ -1,7 +1,7 @@
 ---
 title: What is Azure Lighthouse?
 description: Azure Lighthouse lets service providers deliver managed services for their customers with higher automation and efficiency at scale.
-ms.date: 11/11/2019
+ms.date: 04/23/2020
 ms.topic: overview
 ---
 # What is Azure Lighthouse?
@@ -15,7 +15,7 @@ Azure Lighthouse offers service providers a single control plane to view and man
 Azure Lighthouse helps you to profitably and efficiently build and deliver managed services for your customers. The benefits include:
 
 - **Management at scale**: Customer engagement and life-cycle operations to manage customer resources are easier and more scalable.
-- **Greater visibility and precision for customers**: Customers whose resources you're managing will have greater visibility into your actions and precise control over the scope they delegate for management, while your IP is preserved.
+- **Greater visibility and precision for customers**: Customers will have greater visibility into your actions and precise control over the scope they delegate for management, including the ability to remove access completely, while your IP is preserved.
 - **Comprehensive and unified platform tooling**: Our tooling experience addresses key service provider scenarios, including multiple licensing models such as EA, CSP and pay-as-you-go. The new capabilities work with existing tools and APIs, licensing models, and partner programs such as the [Cloud Solution Provider program (CSP)](https://docs.microsoft.com/partner-center/csp-overview). The Azure Lighthouse options you choose can be integrated into your existing workflows and applications, and you can track your impact on customer engagements by [linking your partner ID](../billing/billing-partner-admin-link-started.md).
 
 There are no additional costs associated with using Azure Lighthouse to manage your customers' Azure resources.
@@ -24,7 +24,7 @@ There are no additional costs associated with using Azure Lighthouse to manage y
 
 Azure Lighthouse includes multiple ways to help streamline customer engagement and management:
 
-- **Azure delegated resource management**: Manage your customers' Azure resources securely from within your own tenant, without having to switch context and control planes. For more info, see [Azure delegated resource management](concepts/azure-delegated-resource-management.md).
+- **Azure delegated resource management**: Manage your customers' Azure resources securely from within your own tenant, without having to switch context and control planes. Subscriptions and resource groups can be delegated to specified users and roles in the managing tenant, with the ability to remove access as needed. For more info, see [Azure delegated resource management](concepts/azure-delegated-resource-management.md).
 - **New Azure portal experiences**: View cross-tenant info in the new **My customers** page in the [Azure portal](https://portal.azure.com). A corresponding **Service providers** blade lets your customers view and manage service provider access. For more info, see [View and manage customers](./how-to/view-manage-customers.md) and [View and manage service providers](how-to/view-manage-service-providers.md).
 - **Azure Resource Manager templates**: Perform management tasks more easily, including onboarding customers for Azure delegated resource management. For more info, see our [samples repo](https://github.com/Azure/Azure-Lighthouse-samples/tree/master/templates) and [Onboard a customer to Azure delegated resource management](how-to/onboard-customer.md).
 - **Managed Services offers in Azure Marketplace**: Offer your services to customers through private or public offers, and have them automatically onboarded to Azure delegated resource management, as an alternate to onboarding using Azure Resource Manager templates. For more info, see [Managed services offers in Azure Marketplace](concepts/managed-services-offers.md).

articles/lighthouse/toc.yml

@@ -44,6 +44,9 @@
   - name: View and manage customers 
     displayName: my customers
     href: ./how-to/view-manage-customers.md
+  - name: Remove access to a delegation
+    displayName: delete, undelegate
+    href: ./how-to/remove-delegation.md
   - name: Azure Monitor integration
     items:
     - name: Use Azure Monitor Logs at scale