Azure Lighthouse provides centralised management capabilities for service providers and enterprise IT organizations across multiple tenants.
See Microsoft's documentation What is Azure Lighthouse? for more details.
Dashboard Server Azure Edition has been tested and is supported for use with Azure Lighthouse. You are advised to apply suitable naming conventions to resource groups and their resources.
You can enable Open Access in one of two ways:
- The Dashboard Server Enterprise Application must be included in a group in the Cloud Solution Provider's (CSP's) tenant which has been delegated a role which can perform the necessary actions (e.g. the Reader role).
- The Dashboard Server Enterprise Application must be delegated to directly under a role which can perform the necessary actions (e.g. the Reader role).
For example, to enable Open Access using the 2nd method, your subscription Azure Resource Manager (ARM) template (delegatedResourceManagement.parameters.json) might use the following authorizations value:
principalId is the object ID of the Dashboard Server enterprise application, and
principalIdDisplayName is the name to label the delegation of your Dashboard Server enterprise application.
The Cost tile (How to use the Cost Management tile) is able to display cost information provided the resource group(s)/subscription(s) have been delegated under a role which has the necessary actions (e.g. the Cost Management Reader role).
Enable Resource providers on both CSP and Customer tenants
Resource providers (such as microsoft.insights) may need to be enabled on both the customer's and the CSP's tenants, otherwise an error may be thrown.
The Subscription name and limited information is visible to end users when a resource group has been delegated.
Scope - Filter by tenant
By default results are shown across all tenants. In Dashboard Server 4.7 and above a user who has access to multiple tenants will see a filter by tenant option.
In a multi-tenant environment a user who does not have access to all tenants will see the following message if they attempt to edit a scope containing tenants that they do not have access to:
You may find it useful to add the tenantName to the sublabel template using the custom label option (How to use Custom Labels):
The tenant name will only display in a custom label in Open Access if it’s not the primary tenant.