Azure-docs: Are Azure Delegated Resource Management and Lighthouse Offers synonymous within the broader discussion to include AOBO?

Created on 30 Jul 2020 · 4Comments · Source: MicrosoftDocs/azure-docs

Role assignments must use role-based access control (RBAC) built-in roles. All built-in roles are currently supported with Azure delegated resource management except for Owner or any built-in roles with DataActions permission.

In the context of Azure Delegated Resource Management wouldn't the Owner role still be supported, the exclusion being that it is not supported for specifically Lighthouse Offers?

I could be misunderstanding the scope of Azure Delegated Resource Management when the scope includes other concepts like the requirements of Admin On-Behalf Of. My understanding was that any role assignments with a foreign principal would be utilizing the concept of Azure Delegated Resource Management, so AOBO and Lighthouse are both dependent on Azure Delegated Resource Management.

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

ID: e6c2d942-cc8b-ea0e-5112-919d2f4b2593
Version Independent ID: c0c2b12b-4326-f483-d086-9c3c4d37a230
Content: Cross-tenant management experiences - Azure Lighthouse
Content Source: articles/lighthouse/concepts/cross-tenant-management-experience.md
Service: lighthouse
GitHub Login: @JnHs
Microsoft Alias: jenhayes

Pri2 assigned-to-author in-progress lighthoussvc product-question triaged

Source

Snozzberries

All 4 comments

Hi @Snozzberries - AOBO is different than Azure delegated resource management (which only applies to Azure Lighthouse). This topic explains more about how they both work: https://docs.microsoft.com/en-us/azure/lighthouse/concepts/cloud-solution-provider
Let us know if you have further questions on this!

JnHs on 30 Jul 2020

👍1

Thank you for the clarification! What would be the functional concept AOBO uses then, would it just simply be considered foreign principal role assignments? Apologies if it is outside of scope of this issue as well.

Thinking in the context of an indirect CSP or even in a non-CSP relationship, foreign principals can be assigned roles in the local tenant.

Snozzberries on 30 Jul 2020

assigning to @JnHs to address followup question.

femsulu on 30 Jul 2020

@Snozzberries With AOBO, any user with the Admin Agent role in the partner tenant has RBAC owner access to Azure subscriptions created through the CSP program. More about AOBO and how it works can be found at the video linked near the top of the topic I mentioned https://docs.microsoft.com/en-us/azure/lighthouse/concepts/cloud-solution-provider

As it seems that the question related to this particular topic has been addressed, I'm going to close this GitHub issue now - however if that is not the case and you still have questions about that, please respond here again so we can try and help. We appreciate your feedback!