normalian blog

Let's talk about Microsoft Azure, ASP.NET and Java!

Tips to onboard for Azure Lighthouse

Azure Lighthouse is a really useful feature for retrieving all Azure resources across the Azure AD tenants owned by your customers or departments. Retrieving Azure resources across Azure AD tenants is sometimes required, especially if you're a Microsoft partner, because a CSP contract requires setting up a separate Azure AD tenant per customer. This official document is definitely useful for getting started with Azure Lighthouse, but there are some tips you need to know before following it.
docs.microsoft.com

Assign "Owner" role explicitly to your subscription on customer side

Azure Lighthouse requires RBAC (Role-Based Access Control) roles, but your fresh Azure subscription might not have the "Owner" RBAC role assigned; you might only be assigned as a "classic Administrator". If you run the onboarding command without the "Owner" role, you will get the error "The user needs Microsoft.Authorization's Owner role on the subscription to create managed services resources", shown below.
(Screenshot: the error shown when the onboarding deployment is run without the Owner role)

This issue is easy to solve: just assign the "Owner" role on the customer side, as shown below. Note that it takes a few minutes for the role assignment to take effect.
(Screenshot: assigning the Owner role on the customer subscription in the Azure portal)
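The same check and fix can be scripted with the Azure CLI, which is handy when onboarding many customer subscriptions. The script below is an added example, not code from the original post: it lists the role assignments of the principal that will run the Lighthouse onboarding, verifies that "Owner" is assigned directly at subscription scope, and creates the assignment only if it is missing. The subscription id and assignee are placeholders you pass as arguments; the sample listing used for the self-check is constructed, not real data.

```shell
#!/bin/sh
# Added example (not from the original post): make sure the principal that runs
# the Azure Lighthouse onboarding holds the built-in "Owner" role at
# subscription scope, because the deployment fails with
# "The user needs Microsoft.Authorization's Owner role on the subscription ..."
# otherwise.
#
# Usage: ./ensure_owner.sh <subscription-id> <user-upn-or-object-id>
# Both values are placeholders supplied by the caller; nothing here is taken
# from a real tenant.

# has_subscription_owner LISTING SUBSCRIPTION_ID
# LISTING is a tab-separated "<roleDefinitionName>\t<scope>" line per
# assignment, i.e. the output of
#   az role assignment list --query "[].[roleDefinitionName,scope]" -o tsv
# Returns 0 when an "Owner" assignment exists exactly at the subscription
# scope, 1 otherwise. An Owner role inherited from a management group would
# also satisfy Lighthouse, but this check deliberately looks for the direct
# assignment the post describes so the result is unambiguous.
has_subscription_owner() {
    listing="$1"
    sub_id="$2"
    printf '%s\n' "$listing" | awk -F'\t' -v scope="/subscriptions/$sub_id" \
        '$1 == "Owner" && $2 == scope { found = 1 }
         END { exit found ? 0 : 1 }'
}

# ensure_owner SUBSCRIPTION_ID ASSIGNEE
# Queries the live subscription with the Azure CLI and assigns Owner when it
# is missing. Requires an already signed-in CLI session (az login) with enough
# rights on the customer subscription to create role assignments.
ensure_owner() {
    sub_id="$1"
    assignee="$2"
    scope="/subscriptions/$sub_id"
    listing=$(az role assignment list --assignee "$assignee" --scope "$scope" \
                --query "[].[roleDefinitionName,scope]" -o tsv)
    if has_subscription_owner "$listing" "$sub_id"; then
        echo "Owner is already assigned to $assignee at $scope"
    else
        echo "Assigning Owner to $assignee at $scope"
        az role assignment create --assignee "$assignee" --role "Owner" --scope "$scope"
        echo "Done. Wait a few minutes for the assignment to propagate before running the Lighthouse onboarding deployment."
    fi
}

# Constructed sample listings (placeholder subscription id) used to exercise
# the check offline; they are not output from a real subscription.
SAMPLE_SUB="00000000-0000-0000-0000-000000000000"
SAMPLE_WITH_OWNER=$(printf 'Contributor\t/subscriptions/%s\nOwner\t/subscriptions/%s' "$SAMPLE_SUB" "$SAMPLE_SUB")
SAMPLE_WITHOUT_OWNER=$(printf 'Contributor\t/subscriptions/%s\nOwner\t/subscriptions/%s/resourceGroups/rg-demo' "$SAMPLE_SUB" "$SAMPLE_SUB")

# Only touch a live subscription when both arguments are given.
if [ "$#" -eq 2 ]; then
    ensure_owner "$1" "$2"
fi
```

Note that an Owner assignment scoped to a single resource group (the second constructed sample) does not satisfy the check, which matches the error message: the role must be held on the subscription itself. The `az role assignment list` call omits `--include-inherited`, so an Owner role inherited from a management group is not listed; add that flag if your customers use management groups and you want inherited assignments to count.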