You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/lighthouse/concepts/cloud-solution-provider.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,7 +1,7 @@
1
1
---
2
2
title: Cloud Solution Provider program considerations
3
3
description: For CSP partners, Azure delegated resource management helps improve security and control by enabling granular permissions.
4
-
ms.date: 06/09/2022
4
+
ms.date: 11/28/2022
5
5
ms.topic: conceptual
6
6
---
7
7
@@ -28,7 +28,7 @@ Using Azure Lighthouse, you can assign different groups to different customers o
28
28
29
29
Azure Lighthouse helps improve security by limiting unnecessary access to your customers' resources. It also gives you more flexibility to manage multiple customers at scale, using the [Azure built-in role](tenants-users-roles.md#role-support-for-azure-lighthouse) that's most appropriate for each user's duties, without granting a user more access than necessary.
30
30
31
-
To further minimize the number of permanent assignments, you can [create eligible authorizations](../how-to/create-eligible-authorizations.md)(currently in public preview) to grant additional permissions to your users on a just-in-time basis.
31
+
To further minimize the number of permanent assignments, you can [create eligible authorizations](../how-to/create-eligible-authorizations.md) to grant additional permissions to your users on a just-in-time basis.
32
32
33
33
Onboarding a subscription that you created through the CSP program follows the steps described in [Onboard a subscription to Azure Lighthouse](../how-to/onboard-customer.md). Any user who has the Admin Agent role in the customer's tenant can perform this onboarding.
Copy file name to clipboardExpand all lines: articles/lighthouse/concepts/recommended-security-practices.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,7 +1,7 @@
1
1
---
2
2
title: Recommended security practices
3
3
description: When using Azure Lighthouse, it's important to consider security and access control.
4
-
ms.date: 06/09/2022
4
+
ms.date: 11/28/2022
5
5
ms.topic: conceptual
6
6
---
7
7
@@ -41,10 +41,10 @@ Once you've created these groups, you can assign users as needed. Only add the u
41
41
Keep in mind that when you [onboard customers through a public managed service offer](../how-to/publish-managed-services-offers.md), any group (or user or service principal) that you include will have the same permissions for every customer who purchases the plan. To assign different groups to work with each customer, you'll need to publish a separate private plan that is exclusive to each customer, or onboard customers individually by using Azure Resource Manager templates. For example, you could publish a public plan that has very limited access, then work with the customer directly to onboard their resources for additional access using a customized Azure Resource Template granting additional access as needed.
42
42
43
43
> [!TIP]
44
-
> You can also create *eligible authorizations* that let users in your managing tenant temporarily elevate their role. By using eligible authorizations, you can minimize the number of permanent assignments of users to privileged roles, helping to reduce security risks related to privileged access by users in your tenant. This feature is currently in public preview and has specific licensing requirements. For more information, see [Create eligible authorizations](../how-to/create-eligible-authorizations.md).
44
+
> You can also create *eligible authorizations* that let users in your managing tenant temporarily elevate their role. By using eligible authorizations, you can minimize the number of permanent assignments of users to privileged roles, helping to reduce security risks related to privileged access by users in your tenant. This feature has specific licensing requirements. For more information, see [Create eligible authorizations](../how-to/create-eligible-authorizations.md).
45
45
46
46
## Next steps
47
47
48
-
- Review the [security baseline information](/security/benchmark/azure/baselines/lighthouse-security-baseline) to understand how guidance from the Microsoft clou security benchmark applies to Azure Lighthouse.
48
+
- Review the [security baseline information](/security/benchmark/azure/baselines/lighthouse-security-baseline) to understand how guidance from the Microsoft cloud security benchmark applies to Azure Lighthouse.
49
49
-[Deploy Azure AD Multi-Factor Authentication](../../active-directory/authentication/howto-mfa-getstarted.md).
50
50
- Learn about [cross-tenant management experiences](cross-tenant-management-experience.md).
Copy file name to clipboardExpand all lines: articles/lighthouse/how-to/create-eligible-authorizations.md
+1-6Lines changed: 1 addition & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,7 +1,7 @@
1
1
---
2
2
title: Create eligible authorizations
3
3
description: When onboarding customers to Azure Lighthouse, you can let users in your managing tenant elevate their role on a just-in-time basis.
4
-
ms.date: 02/14/2022
4
+
ms.date: 11/28/2022
5
5
ms.topic: how-to
6
6
---
7
7
@@ -13,11 +13,6 @@ Creating eligible authorizations lets you minimize the number of permanent assig
13
13
14
14
This topic explains how eligible authorizations work and how to create them when [onboarding a customer to Azure Lighthouse](onboard-customer.md).
15
15
16
-
> [!IMPORTANT]
17
-
> Eligible authorizations are currently in public preview.
18
-
> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
19
-
> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
20
-
21
16
## License requirements
22
17
23
18
Creating eligible authorizations requires an Enterprise Mobility + Security E5 (EMS E5) or Azure AD Premium P2 license. To find the right license for your requirements, see [Comparing generally available features of the Free, Basic, and Premium editions](https://azure.microsoft.com/pricing/details/active-directory/).
@@ -55,7 +55,7 @@ When defining your authorizations, be sure to follow the principle of least priv
55
55
To track your impact across customer engagements and receive recognition, associate your Microsoft Cloud Partner Program ID with at least one user account that has access to each of your onboarded subscriptions. You'll need to perform this association in your service provider tenant. We recommend creating a service principal account in your tenant that is associated with your partner ID, then including that service principal every time you onboard a customer. For more info, see [Link your partner ID to enable partner earned credit on delegated resources](partner-earned-credit.md).
56
56
57
57
> [!TIP]
58
-
> You can also create *eligible authorizations* that let users in your managing tenant temporarily elevate their role. This feature is currently in public preview and has specific licensing requirements. For more information, see [Create eligible authorizations](create-eligible-authorizations.md).
58
+
> You can also create *eligible authorizations* that let users in your managing tenant temporarily elevate their role. This feature has specific licensing requirements. For more information, see [Create eligible authorizations](create-eligible-authorizations.md).
59
59
60
60
## Create an Azure Resource Manager template
61
61
@@ -89,7 +89,7 @@ Finally, create your authorizations by selecting **+ Add authorization**. For ea
89
89
1. Select the **+ Select user** link to open the selection pane. You can use the search field to find the user you'd like to add. Once you've done so, click **Select**. The user's **Principal ID** will be automatically populated.
90
90
1. Review the **Display name** field (populated based on the user you selected) and make changes, if desired.
91
91
1. Select the **Role** to assign to this user.
92
-
1. For **Access** type, select **Permanent** or **Eligible**. If you choose **Eligible**, you will need to specify options for maximum duration, multifactor authentication, and whether or not approval is required. For more information about these options, see [Create eligible authorizations](create-eligible-authorizations.md). The eligible authorizations feature is currently in public preview, and can't be used with service principals.
92
+
1. For **Access** type, select **Permanent** or **Eligible**. If you choose **Eligible**, you will need to specify options for maximum duration, multifactor authentication, and whether or not approval is required. For more information about these options, see [Create eligible authorizations](create-eligible-authorizations.md). The eligible authorizations feature can't be used with service principals.
93
93
1. Select **Add** to create your authorization.
94
94
95
95
:::image type="content" source="../media/add-authorization.png" alt-text="Screenshot of the Add authorization section in the Azure portal.":::
@@ -114,7 +114,7 @@ The template you choose will depend on whether you are onboarding an entire subs
114
114
|Multiple resource groups within a subscription |[multi-rg.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management/rg/multi-rg.json)|[multiple-rg.parameters.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management/rg/multiple-rg.parameters.json)|
115
115
|Subscription (when using an offer published to Azure Marketplace) |[marketplaceDelegatedResourceManagement.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/marketplace-delegated-resource-management/marketplaceDelegatedResourceManagement.json)|[marketplaceDelegatedResourceManagement.parameters.json](https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/marketplace-delegated-resource-management/marketplaceDelegatedResourceManagement.parameters.json)|
116
116
117
-
If you want to include [eligible authorizations](create-eligible-authorizations.md#create-eligible-authorizations-using-azure-resource-manager-templates) (currently in public preview), select the corresponding template from the [delegated-resource-management-eligible-authorizations section of our samples repo](https://github.com/Azure/Azure-Lighthouse-samples/tree/master/templates/delegated-resource-management-eligible-authorizations).
117
+
If you want to include [eligible authorizations](create-eligible-authorizations.md#create-eligible-authorizations-using-azure-resource-manager-templates), select the corresponding template from the [delegated-resource-management-eligible-authorizations section of our samples repo](https://github.com/Azure/Azure-Lighthouse-samples/tree/master/templates/delegated-resource-management-eligible-authorizations).
118
118
119
119
> [!TIP]
120
120
> While you can't onboard an entire management group in one deployment, you can deploy a policy to [onboard each subscription in a management group](onboard-management-group.md). You'll then have access to all of the subscriptions in the management group, although you'll have to work on them as individual subscriptions (rather than taking actions on the management group resource directly).
@@ -102,7 +102,7 @@ Provide the following information for each **Authorization**. Select **+ Add aut
102
102
-**Principal ID**: The Azure AD identifier of a user, user group, or service principal that will be granted certain permissions (as defined by the **Role** you specify) to your customers' resources.
103
103
-**Access type**:
104
104
-**Active** authorizations have the privileges assigned to the role at all times. Each plan must have at least one Active authorization.
105
-
-**Eligible** authorizations are time-limited and require activation by the user. If you select **Eligible**, you must select a maximum duration that defines the total length of time for which the user will have the eligible role after it's activated. The minimum value is 30 minutes and the maximum is 8 hours. You can also select whether to require multifactor authentication in order to activate the role. Note that eligible authorizations are currently in public preview and have specific licensing requirements. For more information, see [Create eligible authorizations](../lighthouse/how-to/create-eligible-authorizations.md).
105
+
-**Eligible** authorizations are time-limited and require activation by the user. If you select **Eligible**, you must select a maximum duration that defines the total length of time for which the user will have the eligible role after it's activated. The minimum value is 30 minutes and the maximum is 8 hours. You can also select whether to require multifactor authentication in order to activate the role. This feature has specific licensing requirements. For more information, see [Create eligible authorizations](../lighthouse/how-to/create-eligible-authorizations.md).
106
106
-**Role**: Select one of the available Azure AD built-in roles from the list. This role will determine the permissions that the user in the **Principal ID** field will have on your customers' resources. For descriptions of these roles, see [Built-in roles](../role-based-access-control/built-in-roles.md) and [Role support for Azure Lighthouse](../lighthouse/concepts/tenants-users-roles.md#role-support-for-azure-lighthouse).
107
107
> [!NOTE]
108
108
> As applicable new built-in roles are added to Azure, they will become available here, although there may be some delay before they appear.
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments