This chapter covers Azure Lighthouse, a critical capability for managed service providers and enterprises managing multi-tenant environments. For the AZ-500 exam, Azure Lighthouse appears in approximately 5-10% of questions within Domain 1 (Identity and Access Management), specifically under objective 1.2: 'Configure Azure Active Directory for managed identities and service principals.' You must understand how Lighthouse enables cross-tenant management without creating user accounts in customer tenants, the delegation model, and how to secure the service provider tenant. This chapter provides the deep technical knowledge needed to answer exam questions accurately and to implement Lighthouse securely in production.
Jump to a section
Imagine a large hotel chain (the Managed Service Provider, MSP) that owns no buildings but manages hundreds of independently owned hotels (customer tenants). Each hotel has its own owner (tenant admin), but the chain provides centralized booking, maintenance, and security. The chain's employees need access to each hotel's systems—but only for specific tasks like inspecting fire alarms or updating software. Instead of giving each employee a separate keycard for every hotel (creating hundreds of accounts), the chain uses a master key system (Azure Lighthouse). The master key is issued once to the chain's headquarters (the service provider tenant). When an employee needs to access a specific hotel, they present their master key, and the hotel's lock system checks a delegation agreement: 'This chain employee can enter only the maintenance closet, not the guest rooms.' The hotel owner retains full control—they can revoke the master key's permissions at any time without affecting other hotels. Crucially, the master key itself never stores hotel-specific credentials; it simply authorizes access based on pre-defined roles. This mirrors Azure Lighthouse: the service provider authenticates in its own tenant, and Azure AD issues a token that includes delegated permissions scoped to the customer's subscription or resource group. The customer's tenant never creates a user account for the provider; instead, it uses Azure RBAC role assignments tied to the provider's tenant ID. If the customer revokes the delegation, the provider's access is immediately terminated—no password changes needed.
What is Azure Lighthouse and Why Does It Exist?
Azure Lighthouse is a Microsoft service that enables service providers (or enterprises managing multiple tenants) to manage customer environments at scale using their own Azure Active Directory (Azure AD) tenant. It eliminates the need to create individual user accounts in each customer tenant, reducing administrative overhead and security risks. Instead, Lighthouse uses a delegated resource management model where the customer grants the service provider's tenant access to specific subscriptions, resource groups, or resources via Azure RBAC role assignments. The service provider's users authenticate in their home tenant, and Azure AD issues tokens that include delegated permissions scoped to the customer's resources.
How Azure Lighthouse Works Internally
Azure Lighthouse operates on a delegation model. The customer (also called the managing tenant) must first onboard a subscription or resource group for management by the service provider. This is done by deploying an Azure Resource Manager (ARM) template in the customer's tenant that defines the delegation. The template specifies:
The service provider's tenant ID (the 'managing tenant')
The Azure RBAC role assignments to be granted to the service provider's users or groups
The scope (subscription, resource group, or specific resource)
Once the template is deployed, Azure AD in the customer's tenant creates a service principal for the service provider's tenant. This service principal is a representation of the provider tenant within the customer tenant. The RBAC role assignments are then applied to that service principal. When a service provider user authenticates to Azure, they receive a token from their home tenant. That token includes a claim that indicates they are acting on behalf of the managing tenant. Azure Resource Manager (ARM) checks the token and then looks up the delegation in the customer tenant. If the user's home tenant ID matches the managing tenant ID in the delegation, and the user has an applicable RBAC role assignment (via group membership), access is granted.
Key technical details:
The service provider tenant is identified by its Azure AD tenant ID (a GUID).
Delegations are stored as Azure Lighthouse delegation resources within the customer's subscription (under the Microsoft.ManagedServices resource provider).
The service provider's users authenticate using their existing credentials; no new accounts are created in the customer tenant.
Authorization is evaluated at runtime: ARM checks both the user's token and the delegation's RBAC assignments.
The customer retains full control and can revoke the delegation at any time by deleting the ARM template deployment.
Key Components, Defaults, and Limits
Managing Tenant: The Azure AD tenant belonging to the service provider. Must be a valid Azure AD tenant (not a B2C directory).
Customer Tenant: The Azure AD tenant containing the resources to be managed. Can be any Azure AD tenant.
Delegation: An ARM template deployment that grants the managing tenant access to a specific scope. Multiple delegations can exist per customer subscription.
Role Assignments: Standard Azure RBAC roles (e.g., Contributor, Reader, Custom Roles). The service provider can assign roles to its own users or groups via the delegation template.
Limits:
A single customer subscription can have up to 2000 role assignments from delegations (including built-in roles).
A managing tenant can have up to 5000 delegations across all customers.
Each delegation can include up to 400 role assignments.
Authentication: Uses Azure AD OAuth 2.0. Tokens are valid for 1 hour by default (configurable via conditional access).
Logging: All actions performed by the service provider are logged in the customer's Azure Activity Log, attributed to the service principal of the managing tenant.
Configuration and Verification Commands
To onboard a subscription using Azure Lighthouse, the customer deploys an ARM template. Here is a simplified example:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"mspOfferName": {
"type": "string",
"metadata": {
"description": "Name of the MSP offer"
}
},
"mspOfferDescription": {
"type": "string",
"metadata": {
"description": "Description of the MSP offer"
}
},
"managedByTenantId": {
"type": "string",
"metadata": {
"description": "Tenant ID of the managing tenant"
}
},
"authorizations": {
"type": "array",
"metadata": {
"description": "Array of authorization objects"
}
}
},
"resources": [
{
"type": "Microsoft.ManagedServices/registrationDefinitions",
"apiVersion": "2020-02-01-preview",
"name": "[guid(parameters('mspOfferName'))]",
"properties": {
"registrationDefinitionName": "[parameters('mspOfferName')]",
"description": "[parameters('mspOfferDescription')]",
"managedByTenantId": "[parameters('managedByTenantId')]",
"authorizations": "[parameters('authorizations')]"
}
}
]
}To verify delegations, use Azure CLI:
az managedservices definition list
az managedservices assignment listOr in PowerShell:
Get-AzManagedServicesDefinition
Get-AzManagedServicesAssignmentInteraction with Related Technologies
Azure Policy: Service providers can use Azure Policy within delegated subscriptions to enforce compliance. Policies are applied at the customer scope and are visible in the customer's Azure Policy dashboard.
Azure Blueprints: Can be used to deploy consistent environments across multiple customer tenants via Lighthouse.
Azure Sentinel: The service provider can use Lighthouse to manage Sentinel workspaces in customer tenants, enabling cross-tenant security monitoring.
Azure AD Conditional Access: Service provider users are subject to their home tenant's Conditional Access policies when accessing customer resources. However, the customer can also enforce Conditional Access on the service principal (though this is less common).
Azure AD Privileged Identity Management (PIM): Can be used by the service provider to add just-in-time (JIT) activation for roles assigned via Lighthouse, reducing standing access.
Security Considerations
Least Privilege: Assign only the minimum required roles (e.g., Reader instead of Contributor). Use custom roles if built-in roles are too broad.
Multi-Factor Authentication (MFA): Enforce MFA for all service provider users who access customer environments. This is configured in the service provider's tenant.
Monitor Delegations: Regularly audit delegations using Azure Activity Log and Azure Monitor. The customer should review who has access.
Separation of Duties: Use PIM to require approval for high-privilege roles.
Data Residency: Customer data remains in the customer tenant. The service provider only sees metadata and resource configurations, not data unless granted specific data-plane roles (e.g., Storage Blob Data Reader).
Exam-Relevant Details
The exam tests the difference between Azure Lighthouse and Azure AD B2B. Lighthouse does not create guest user accounts; B2B does.
Delegations are created via ARM template deployments, not through the Azure portal directly (though the portal provides a guided experience).
The service provider must have an Azure AD tenant (not a Microsoft account).
The customer must be the owner of the subscription they are delegating.
The exam may ask about the maximum number of delegations or role assignments.
Logging: Service provider actions appear in the customer's Activity Log with the caller as 'Microsoft.ManagedServices' and the service principal object ID.
Common Pitfalls
Assuming Lighthouse creates user accounts: It does not. It uses a service principal representation.
Confusing Lighthouse with Azure AD B2B: B2B is for individual user guest access; Lighthouse is for tenant-wide delegated management.
Forgetting that the service provider tenant must be Azure AD: Not a B2C directory.
Thinking that the customer loses control: The customer can revoke the delegation at any time.
Customer Onboards Subscription
The customer (resource tenant) decides to delegate management of an Azure subscription or resource group to a service provider. They obtain the service provider's tenant ID and a list of required role assignments. The customer then deploys an ARM template (or uses the Azure portal's guided experience) that creates a registration definition under the Microsoft.ManagedServices resource provider. This definition specifies the managing tenant ID and the authorizations (role assignments). The deployment must be done by a user with Owner role on the subscription. Once deployed, the delegation is active. The customer can review the delegation in the Azure portal under 'Service providers' or via CLI.
Service Provider Authenticates
A service provider user (e.g., a security engineer) signs in to the Azure portal using their credentials in the service provider's Azure AD tenant. The user authenticates via standard OAuth 2.0 flow. Their home tenant issues an access token that includes claims about the user's identity and group memberships. The token does not yet contain any information about the customer tenant. The user then navigates to the Azure portal and selects the customer's directory from the directory switcher. At this point, Azure AD performs a cross-tenant authorization check.
Azure AD Cross-Tenant Authorization
When the user attempts to access a resource in the customer tenant, Azure Resource Manager (ARM) receives the user's token from the service provider tenant. ARM then queries the customer tenant's Azure AD to find a service principal representing the service provider tenant (the 'managed by' service principal). This service principal was created during the onboarding step. ARM checks if the user's tenant ID matches the managing tenant ID in the delegation. If it does, ARM then evaluates the user's role assignments: it checks the user's group memberships in the service provider tenant and matches them against the authorizations defined in the delegation. If there is a match (e.g., the user is a member of a group that has been granted Contributor role), ARM issues an access token scoped to the customer's resources.
User Performs Management Actions
With the delegated token, the service provider user can now perform authorized actions on the customer's resources. For example, they can deploy VMs, configure networking, or monitor security alerts. All actions are logged in the customer's Azure Activity Log. The log entries show the caller as the service principal of the managing tenant (e.g., 'Microsoft.ManagedServices/registrationDefinitions/...'). The user's identity is not directly visible in the customer's logs unless the customer has enabled Azure AD diagnostic settings to capture the user's UPN. The service provider can also use tools like Azure CLI or PowerShell with the delegated token.
Customer Revokes Delegation
If the customer decides to end the relationship, they can revoke the delegation at any time. This is done by deleting the registration definition (the ARM template deployment) from the customer's subscription. Once deleted, the service principal representing the service provider tenant is removed from the customer's Azure AD. Any existing tokens issued to service provider users become invalid immediately (though there may be a brief propagation delay of up to 30 minutes). The customer can verify revocation by checking the 'Service providers' blade in the Azure portal. After revocation, the service provider users lose all access to the customer's resources. No further action is needed from the service provider side.
Enterprise Scenario 1: Managed Security Service Provider (MSSP)
A large MSSP manages security for 500+ customers, each with their own Azure subscription. Without Lighthouse, the MSSP would need to create a dedicated Azure AD user account in each customer tenant for each of its 50 security analysts—resulting in 25,000 accounts to manage. Password rotations, MFA enforcement, and offboarding become a nightmare. With Lighthouse, the MSSP onboards each customer subscription using an ARM template that grants the MSSP's 'SecurityAnalysts' group the Reader role (for monitoring) and a custom 'SecurityResponder' role (for taking actions like shutting down VMs). The analysts authenticate in the MSSP's own tenant, where MFA and PIM are enforced. The customer retains full control: they can revoke access immediately if the contract ends. The MSSP uses Azure Sentinel to aggregate security events across all customer tenants, leveraging Lighthouse to manage the Sentinel workspaces centrally. A common misconfiguration is granting Contributor instead of Reader to analysts, leading to accidental deletions. The MSSP mitigates this by using custom roles and PIM for elevated access.
Enterprise Scenario 2: Multi-National Enterprise with Subsidiaries
A global corporation has multiple subsidiaries, each with its own Azure AD tenant (for isolation). The central IT team needs to manage compliance policies (Azure Policy) across all subsidiaries. Instead of creating guest accounts in each subsidiary, the central IT team uses Lighthouse. They deploy delegations in each subsidiary's subscription, granting the central 'PolicyAdmin' group the 'Resource Policy Contributor' role. The central team can then assign Azure Policy initiatives across all subsidiaries from their home tenant. A challenge is that each subsidiary must approve the delegation, which can be slow. To scale, the enterprise uses Azure Blueprints to automate the onboarding of new subsidiaries. They also monitor delegations using Azure Monitor to detect unauthorized changes. A common issue is that the central team accidentally assigns roles at the wrong scope (e.g., management group instead of subscription), which Lighthouse does not support (delegations must be at subscription or resource group level).
Scenario 3: Software Vendor with Managed Environments
An ISV provides a SaaS solution that requires managing Azure infrastructure for each customer. They use Lighthouse to give their DevOps team Contributor access to customer resource groups containing the application. This allows them to deploy updates and fix issues without exposing the entire subscription. They implement PIM with approval workflows for any role that can modify resources. A frequent problem is that the customer's IT team inadvertently revokes the delegation while troubleshooting, causing the ISV to lose access and triggering a support call. The ISV educates customers to use the 'Service providers' blade to check delegations before making changes. They also set up Azure Alerts to notify them if a delegation is deleted.
What AZ-500 Tests on Azure Lighthouse
AZ-500 objective 1.2 includes Azure Lighthouse under 'Configure Azure Active Directory for managed identities and service principals.' The exam expects you to:
Understand the delegation model and how it differs from Azure AD B2B.
Know that Lighthouse uses ARM template deployments to grant access.
Identify that the service provider tenant must be an Azure AD tenant.
Recognize that the customer retains control and can revoke access.
Understand that role assignments are evaluated using Azure RBAC.
Know the limits: 2000 role assignments per subscription, 5000 delegations per managing tenant.
Be able to interpret exam scenarios where Lighthouse is the correct solution vs. B2B or other methods.
Common Wrong Answers and Why Candidates Choose Them
'Azure Lighthouse creates guest user accounts in the customer tenant.' Candidates confuse Lighthouse with Azure AD B2B collaboration. B2B creates guest user objects; Lighthouse creates a service principal, not user accounts. The exam often presents a scenario where a service provider needs to manage multiple customers, and one of the options is 'Create guest users in each customer tenant.' The correct answer is Lighthouse.
'The service provider must log in directly to the customer tenant.' Candidates think the provider needs credentials in the customer tenant. Actually, the provider authenticates in their own tenant and uses directory switching. The exam may describe a scenario where the provider is prompted for credentials; the correct answer is that they use their home tenant credentials.
'Lighthouse requires Azure AD B2C.' This is incorrect. B2C is for customer-facing identity, not cross-tenant management. Lighthouse uses standard Azure AD.
'The customer cannot revoke access once delegated.' This is false. The customer can delete the registration definition at any time. The exam may present a scenario where a provider is concerned about losing control; the correct answer is that the customer retains full control.
Specific Numbers and Terms
Maximum delegations per managing tenant: 5000
Maximum role assignments per subscription: 2000 (includes delegations)
Maximum authorizations per delegation: 400
API version for registration definitions: 2020-02-01-preview (as of exam date; may change)
Resource provider: Microsoft.ManagedServices
CLI commands: az managedservices definition list, az managedservices assignment list
Edge Cases the Exam Loves
What if the service provider tenant is deleted? The delegations remain but become inaccessible. The customer must revoke and re-delegate to a new tenant.
Can Lighthouse manage resources across different Azure regions? Yes, it's a global service.
Can Lighthouse manage Azure AD itself? No, it only manages Azure resources (subscriptions/resource groups).
Does Lighthouse support management groups? No, delegations must be at subscription or resource group level.
How to Eliminate Wrong Answers
If an option mentions creating users or guest accounts, it's likely wrong (use Lighthouse or B2B? Evaluate: is it per-user or per-tenant? Lighthouse is per-tenant).
If an option says the provider needs to be an admin in the customer tenant, it's wrong. The provider only needs to deploy the template (as owner) once.
If an option suggests that the customer loses control, it's wrong. The customer always retains the ability to revoke.
If an option mentions Azure AD B2C, it's almost certainly a distractor.
Azure Lighthouse enables cross-tenant management without creating user accounts in the customer tenant.
Delegations are implemented via ARM template deployments that create registration definitions under Microsoft.ManagedServices.
The service provider tenant must be an Azure AD tenant (not B2C).
Maximum of 5000 delegations per managing tenant; maximum 2000 role assignments per subscription.
The customer retains full control and can revoke access at any time by deleting the registration definition.
All actions by the service provider are logged in the customer's Azure Activity Log.
Lighthouse supports Azure RBAC roles, including custom roles, and can be integrated with PIM for JIT access.
Lighthouse cannot manage Azure AD directory objects; it only manages Azure resources.
The exam distinguishes Lighthouse from Azure AD B2B: B2B creates guest users, Lighthouse does not.
Common exam scenario: a service provider needs to manage multiple customer subscriptions; correct answer is Lighthouse.
These come up on the exam all the time. Here's how to tell them apart.
Azure Lighthouse
Manages entire subscription/resource group scope via delegated RBAC.
No user accounts created in customer tenant; uses service principal.
Service provider users authenticate in their home tenant.
Customer revokes by deleting delegation template.
Best for multi-tenant management by MSPs or enterprises.
Azure AD B2B Collaboration
Grants access to individual users via guest accounts.
Creates guest user objects in customer's Azure AD.
Guest users authenticate in the customer tenant (or use home tenant with federation).
Customer revokes by removing guest user from directory or group.
Best for collaboration with external individuals (e.g., consultants).
Mistake
Azure Lighthouse creates user accounts in the customer's Azure AD.
Correct
Lighthouse does not create any user objects. It creates a service principal representing the managing tenant. Users authenticate in their home tenant and access resources via delegated RBAC.
Mistake
The service provider must log in with a username and password from the customer tenant.
Correct
The service provider uses their own credentials from their home Azure AD tenant. They switch directories in the Azure portal to access the customer's resources.
Mistake
Once delegated, the customer cannot revoke access without the service provider's consent.
Correct
The customer can revoke access at any time by deleting the registration definition (the ARM template deployment). No consent from the provider is needed.
Mistake
Azure Lighthouse is the same as Azure AD B2B collaboration.
Correct
B2B creates guest user objects for individual users. Lighthouse creates a cross-tenant delegation for an entire tenant, without creating user accounts. B2B is for per-user access; Lighthouse is for tenant-wide management.
Mistake
Lighthouse can manage Azure AD directory objects like users and groups.
Correct
Lighthouse only manages Azure resources (subscriptions, resource groups, resources). It cannot manage Azure AD objects. To manage Azure AD, you need Azure AD administrative roles (e.g., Global Admin) which cannot be delegated via Lighthouse.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure Lighthouse is designed for cross-tenant management of Azure resources at scale, allowing a service provider to manage multiple customer subscriptions without creating user accounts. It uses a delegation model where the customer grants the provider's tenant access via ARM templates. Azure AD B2B is for inviting external users as guests to access specific applications or resources; it creates guest user objects in the customer's directory. For AZ-500, remember: Lighthouse = tenant-wide, no user accounts; B2B = per-user, guest accounts.
Yes, the customer can revoke access at any time by deleting the registration definition (the ARM template deployment) from their subscription. This immediately removes the service principal representing the provider tenant, and all delegated access is terminated. The customer does not need the provider's approval. This is a key security feature: the customer always retains control.
Yes, Azure Lighthouse supports both built-in and custom RBAC roles. When creating the delegation, the customer can specify custom roles as long as they exist in the customer's tenant. The service provider can then assign those roles to their users or groups. This is useful for implementing least-privilege access.
There is no hard limit on the number of subscriptions a service provider can manage, but there is a limit of 5000 delegations per managing tenant. Each delegation can cover one subscription (or resource group). So a provider can manage up to 5000 subscriptions, assuming one delegation per subscription. However, performance may degrade with very large numbers, so Microsoft recommends staying below 5000.
No. Azure Lighthouse only manages Azure resources (subscriptions, resource groups, and resources). It cannot manage Azure AD directory objects like users, groups, or policies. To manage Azure AD, you need Azure AD administrative roles (e.g., Global Administrator) which cannot be delegated via Lighthouse. For cross-tenant Azure AD management, consider Azure AD B2B or Azure AD administrative units.
If the service provider's Azure AD tenant is deleted, the delegations in customer tenants remain but become inaccessible because the service principal no longer exists. The customer must revoke the delegations (delete the registration definitions) and, if needed, re-delegate to a new provider tenant. The provider's users will no longer be able to authenticate.
All actions are logged in the customer's Azure Activity Log. The log entries show the caller as the service principal of the managing tenant (e.g., 'Microsoft.ManagedServices/registrationDefinitions/...'). To identify the specific user, the customer needs to enable Azure AD diagnostic settings to capture the user's UPN from the provider tenant (this requires the provider to share that information). Alternatively, the provider can use their own Activity Log to track user actions.
You've just covered Azure Lighthouse for Managed Security Services — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?