Partner Center - Lighthouse / Multi tenant Arc
Hi All,
Currently we have 2 tenants - 1 corp tenant and 1 Lighthouse/Direct CSP tenant.
We want to use the AD credentials for our engineers under our Corp tenant to access Lighthouse and Direct CSP operational services (i.e. utilising Admin Agent or Helpdesk Agent roles). However, if you create the user as a guest you cannot add a customer role to that user.
Would something like Azure AD B2B be a good solution for this? Or is any user not native to the tenant in PC not able to have a customer role applied?
@JanoschUlmer do you have any insights re this? 🙂
Labels: CSP, Partner to Partner
Hi @Shandley
It is not possible to assign B2B guest users the agent roles to do end customer management as CSP. For Azure Lighthouse it might work.
While I can understand that it would be convenient for users to use the same credentials for doing the day-to-day work and managing customers, do you think it would be a good security practice if the user account a person uses to browse the internet and receive emails has admin permissions on customer environments?
For a global admin role it is common practice that users do not have this role applied to their normal account, but use an extra account - in my opinion the same should be true for the global admin role applied to end customers via delegated admin.
When the concern is that you would want to do central identity governance for both tenants, I would suggest looking at solutions like Identity Manager where you could automate user creation and onboarding/offboarding in different tenants.
Receive consultations via Technical Presales and Deployment Services team
We have experienced the same frustration with trying to separate CSP and daily-user functionality but allowing for a single account with the needed security. Microsoft's vision for the level of security requirements needed by CSPs is lacking, even with Lighthouse.
Thanks for the quick response - much appreciated!
