While I was doing an implementation for a customer, I ran into something odd: I created a new Site Collection, and when I tried to invite people who were already guests in the B2B tenant, I was not able to find them.
If I tried with internal users, I was able to find them, so I was sure that the problem was with the external users.
The first thing I checked was the properties of the Site Collection, to be sure that external users could be invited, and of course I checked the same parameter at tenant level, with no luck.
So I started to go through the commands in Docs, and I found a very interesting one: ShowPeoplePickerSuggestionsForGuestUsers
So I decided to give it a shot:
Once the command had been executed, I was able to find the guest users.
After trying Azure Lighthouse for a couple of days, we have drawn a series of conclusions:
- It is a great solution for managing customer subscriptions
- It can be based on Azure AD security groups or users, not on Office 365 groups
- It provides a single point of access to all the resources; it is not necessary to use guest users to access customer subscriptions, or even to switch subscriptions when we need to manage one
Besides the above points, what you need to be aware of is the subscription filters. We struggled with this for a couple of hours, until we realized that the subscription filters were responsible for the behavior. Let me summarize the case:
We configured a customer subscription to be listed under My customers:
So we were able to list all the resources in the customer subscription. The next step was to try to create a resource inside the customer, but to our surprise the customer subscription was not listed in the drop-down menu:
At first glance we thought it was a limitation of Azure Lighthouse, but after struggling with it a little, we realized that in the Azure subscription filters the managed subscription was not checked…
If you look closely at the image, you will see that it says current + delegated directory, so… once this checkbox is checked, we are able to select the subscription.
And finally, we can create new resources inside this subscription with Azure Lighthouse.
Once again, lesson learned.
After the holidays, we have been trying one of the new features that Microsoft launched before the summer: Azure Lighthouse.
As many of you probably know, Azure Lighthouse provides delegated resource management, where service providers (like me) can simplify customer engagement and onboarding experiences while managing delegated resources at scale with agility and precision.
Let's say your company provides resource management to multiple companies. One of the main problems of doing that is that you need to give all of your support users access in each one of your clients' subscriptions, which is an administrative task for you or the manager. The same happens when a user leaves the company: you need to go to each subscription to delete the access that user had, which is an overload of tasks.
Azure Lighthouse helps us centralize management in Azure by giving access to a security group that resides in our directory, so we can control in real time which users have access to the subscription and save a lot of time.
In summary, what we need to do is register a provider in the destination tenant and note our tenant ID, the group object ID (or even a user's object ID) and the role definition ID.
With these three parameters, we can configure the management of our clients without problems.
You can find more information in the following link
If you want to configure Azure Lighthouse and maintain least privilege, Microsoft has a table where you can check the recommended permissions.