
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Shandley
Level 2 Contributor

Partner Center - Lighthouse / Multi tenant Arc

Hi All,

Currently we have 2 tenants - 1 corp tenant and 1 Lighthouse/Direct CSP tenant.

We want to use the AD credentials for our engineers under our Corp tenant to access Lighthouse and Direct CSP operational services (i.e. utilising Admin Agent or Helpdesk Agent roles). However, if you create the user as a guest you cannot add a customer role to that user.

Would something like Azure AD B2B be a good solution for this? Or is any user not native to the tenant in PC not able to have a customer role applied?

@JanoschUlmer do you have any insights re this? 🙂

1 ACCEPTED SOLUTION
JanoschUlmer
Microsoft

Hi @Shandley

It is not possible to assign B2B guest users the agent roles to do end customer management as CSP. For Azure Lighthouse it might work.

While I can understand that it would be convenient for users to use the same credentials for doing the day-to-day work and managing customers, do you think it would be a good security practice if the user account a person uses to browse the internet and receive emails has admin permissions on customer environments?

For a global admin role it is common practice that users do not have this role applied to their normal account, but use an extra account - in my opinion the same should be true for the global admin role applied to end customers via delegated admin.

When the concern is that you would want to do central identity governance for both tenants, I would suggest looking at solutions like Identity Manager where you could automate user creation and onboarding/offboarding in different tenants.

Kind regards,
Janosch
Get consultations from Technical Presales & Deployment services team via https://aka.ms/technicalservices
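An added example, not part of the thread and not Microsoft's tooling: a small audit that runs over a constructed directory export and flags the two conditions discussed in the accepted answer, a guest (B2B) account holding a Partner Center agent role, which the answer says cannot be assigned, and an account that holds a privileged role while also being someone's everyday mailbox account, which the answer argues should be a separate identity. The field names (`user_type`, `roles`, `has_mailbox`), the sample UPNs and the role-name strings are assumptions made for the example; in practice you would populate the records from your own tenant export before running the checks.

```python
from dataclasses import dataclass

# Partner Center agent roles named in the thread. Role strings are assumed
# labels for this example, not a lookup against any real API.
AGENT_ROLES = {"Admin Agent", "Helpdesk Agent"}

# Roles that should live on a dedicated admin account rather than the
# account used for mail and browsing (the thread's "extra account" advice).
PRIVILEGED_ROLES = AGENT_ROLES | {"Global Administrator"}


@dataclass(frozen=True)
class Account:
    upn: str
    user_type: str        # "Member" or "Guest" (B2B)
    roles: frozenset      # directory / partner roles held by the account
    has_mailbox: bool     # stand-in for "this is the person's daily-use account"


def audit(accounts):
    """Return a list of (upn, finding, roles) tuples for every violation.

    Finding codes:
      guest-with-agent-role     - a B2B guest that has been given an agent role
      privileged-daily-account  - a privileged role sitting on a mailbox account
    """
    findings = []
    for acct in accounts:
        guest_agent = acct.roles & AGENT_ROLES
        if acct.user_type == "Guest" and guest_agent:
            findings.append((acct.upn, "guest-with-agent-role", sorted(guest_agent)))

        privileged = acct.roles & PRIVILEGED_ROLES
        if privileged and acct.has_mailbox:
            findings.append((acct.upn, "privileged-daily-account", sorted(privileged)))
    return findings


# Constructed sample export covering the cases from the thread: a corp user
# whose everyday account carries Admin Agent, the same person's dedicated
# admin account in the CSP tenant, a guest invited from the corp tenant that
# someone tried to give Helpdesk Agent, and an unprivileged member.
SAMPLE_ACCOUNTS = [
    Account("alice@corp.example", "Member", frozenset({"Admin Agent"}), True),
    Account("admin-alice@csp.example", "Member", frozenset({"Admin Agent"}), False),
    Account("bob_corp.example#EXT#@csp.example", "Guest",
            frozenset({"Helpdesk Agent"}), False),
    Account("carol@csp.example", "Member", frozenset(), True),
]


def report(accounts):
    """Human-readable summary of audit() results; returns the lines it prints."""
    lines = []
    for upn, finding, roles in audit(accounts):
        lines.append(f"{finding:26} {upn}  roles={', '.join(roles)}")
    if not lines:
        lines.append("no findings")
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    report(SAMPLE_ACCOUNTS)
```

The audit deliberately treats the dedicated `admin-alice` account as clean: it has no mailbox, so the privileged role is where the answer says it belongs. Swapping `has_mailbox` for whatever signal your export actually carries (a licence assignment, sign-in source, or a naming convention such as the `admin-` prefix) is the only change needed to run this against real data.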

3 REPLIES 3
acmprentice
Level 1 Contributor

We have experienced the same frustration with trying to separate CSP and daily-user functionality but allowing for a single account with the needed security. Microsoft's vision for the level of security requirements needed by CSPs is lacking, even with Lighthouse.

Shandley
Level 2 Contributor

thanks for the quick response - much appreciated!
