Restricting Tenant Delegation for Azure Lighthouse using Azure Policy
Jay Kerai
Cybersecurity Automation Architect | MSc. Cybersecurity & Artificial Intelligence | Devfender
Recently I discovered an Azure Policy that can be used to restrict which tenants may be delegated access through Azure Lighthouse. This means that only the tenants you allow can manage your resources via Azure Lighthouse.
There are currently only two policies under the Lighthouse category in Azure Policy.
The policy we are after is "Allow managing tenant ids to onboard through Azure Lighthouse". Its effect is fixed to deny, so I recommend running it in audit before rolling it out in deny; we can do this by duplicating the definition:
Let's audit what happens when no tenants are selected in the parameters. In this example I have scoped it to a resource group:
After some time we can view the compliance state of our policy:
These are both managed by the same tenant; I then change my parameter to include my service provider's managing tenant ID:
If you don't know the managing tenant ID but do know the domain name the provider uses, you can use the following URL, replacing microsoft.com with your provider's domain name:
https://login.microsoftonline.com/microsoft.com/.well-known/openid-configuration
Note: Many Service Providers use a separate tenant for delegation (as they should) so finding their website online may not yield the correct tenant ID.
Recall that, because of how OAuth works, the tenant ID is NOT considered a secret in Azure.
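The lookup above can be scripted rather than done in a browser. The following is an added example (not code from the original article): it fetches the OpenID Connect discovery document for a domain and pulls the tenant GUID out of its `issuer` URL, which is where the tenant ID appears. The embedded discovery document and its GUID are constructed placeholders so the parsing can be exercised offline.

```python
"""Resolve a service provider's Azure AD tenant ID from its domain name.

Added example, not from the original article. It uses the public OpenID
Connect discovery endpoint mentioned in the text:
https://login.microsoftonline.com/<domain>/.well-known/openid-configuration
The tenant ID is the GUID embedded in the document's "issuer" URL.
"""
import json
import re
import sys
import urllib.request

DISCOVERY_URL = "https://login.microsoftonline.com/{domain}/.well-known/openid-configuration"

# Matches a GUID such as 11111111-2222-3333-4444-555555555555
GUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)

# Constructed sample of the fields this script uses from the endpoint's
# response; the GUID is a placeholder, not a real tenant.
SAMPLE_DISCOVERY_DOC = {
    "token_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/token",
    "issuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "authorization_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/authorize",
}


def tenant_id_from_discovery_doc(doc: dict) -> str:
    """Extract the tenant GUID from the issuer URL of a discovery document.

    The v1 endpoint's issuer looks like https://sts.windows.net/<tenant>/ and
    the v2 endpoint's like https://login.microsoftonline.com/<tenant>/v2.0;
    either way the tenant ID is the only GUID in it.
    """
    issuer = doc.get("issuer", "")
    match = GUID_RE.search(issuer)
    if not match:
        raise ValueError(f"no tenant GUID found in issuer {issuer!r}")
    return match.group(0).lower()


def lookup_tenant_id(domain: str, timeout: float = 10.0) -> str:
    """Fetch the discovery document for `domain` and return its tenant ID.

    Requires network access. A domain that is not verified in any tenant makes
    the endpoint answer with an error status, which surfaces here as an
    urllib.error.HTTPError rather than a tenant ID.
    """
    url = DISCOVERY_URL.format(domain=domain)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        doc = json.load(resp)
    return tenant_id_from_discovery_doc(doc)


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "microsoft.com"
    print(f"{domain}: {lookup_tenant_id(domain)}")
```

Run it as `python lookup_tenant.py provider.example` to resolve a real provider's tenant ID; as the note above says, a provider that delegates from a dedicated tenant will not be found from its public website's domain.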
After waiting some time for the compliance state to update, we can see we are now compliant:
We can then switch our policy back to deny. This ensures that no other tenant can be onboarded via Azure Lighthouse for this particular resource group and only my service provider can be delegated to it.
We can then get clever and set up alerting for non-compliance states using Azure Event Grid to push to Log Analytics and fire an alert off with Azure Monitor (see https://blog.tyang.org/2021/12/06/monitoring-azure-policy-compliance-states-2021-edition/). Azure Monitor no longer works directly for Azure Policy compliance states, because they are not logged under AzureActivity.
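To make the audit-then-deny rollout concrete, here is an added example (not code from the original article and not Microsoft's published definition) of the duplicated policy with the effect exposed as a parameter defaulting to Audit, together with a small evaluator that applies the rule to constructed delegation resources the way Azure Policy would. The parameter name `listOfAllowedTenants` and the alias `Microsoft.ManagedServices/registrationDefinitions/managedByTenantId` are assumed to match the built-in; the tenant GUIDs are placeholders.

```python
"""Duplicate of the Lighthouse tenant-restriction policy with an effect
parameter, plus a small evaluator showing how the rule classifies delegations.

Added example, not code from the original article or Microsoft's published
definition. The built-in policy hard-codes a deny effect, so this custom copy
(the "duplicate the definition" step) exposes the effect as a parameter that
defaults to Audit. ASSUMED to match the built-in: the parameter name
listOfAllowedTenants and the alias
Microsoft.ManagedServices/registrationDefinitions/managedByTenantId.
"""
import json

REGISTRATION_TYPE = "Microsoft.ManagedServices/registrationDefinitions"
MANAGED_BY_ALIAS = REGISTRATION_TYPE + "/managedByTenantId"


def build_policy_definition(default_effect: str = "Audit") -> dict:
    """Return the custom policy definition as the dict Azure expects as JSON."""
    return {
        "properties": {
            "displayName": "Allow managing tenant ids to onboard through Azure Lighthouse (custom)",
            "policyType": "Custom",
            "mode": "All",
            "metadata": {"category": "Lighthouse"},
            "parameters": {
                "listOfAllowedTenants": {
                    "type": "Array",
                    "metadata": {"displayName": "List of allowed managing tenants"},
                    "defaultValue": [],
                },
                "effect": {
                    "type": "String",
                    "allowedValues": ["Audit", "Deny", "Disabled"],
                    "defaultValue": default_effect,
                },
            },
            "policyRule": {
                "if": {
                    "allOf": [
                        {"field": "type", "equals": REGISTRATION_TYPE},
                        # A delegation whose managing tenant is NOT on the list matches
                        {"field": MANAGED_BY_ALIAS,
                         "notIn": "[parameters('listOfAllowedTenants')]"},
                    ]
                },
                "then": {"effect": "[parameters('effect')]"},
            },
        }
    }


def _resolve(value, params):
    """Expand the "[parameters('name')]" references used in the rule above."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def _norm(value):
    # Azure Policy compares strings case-insensitively; mirror that here.
    return value.lower() if isinstance(value, str) else value


def _matches(cond: dict, resource: dict, params: dict) -> bool:
    """Evaluate the subset of policy conditions this definition uses."""
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    actual = _norm(resource.get(cond["field"]))
    if "equals" in cond:
        return actual == _norm(_resolve(cond["equals"], params))
    if "notIn" in cond:
        return actual not in [_norm(v) for v in _resolve(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition: dict, assignment_params: dict, resource: dict):
    """Return "Audit"/"Deny" for a non-compliant resource, None otherwise
    (compliant, not targeted by the rule, or effect Disabled)."""
    props = definition["properties"]
    params = {name: spec.get("defaultValue") for name, spec in props["parameters"].items()}
    params.update(assignment_params)  # assignment values override definition defaults
    rule = props["policyRule"]
    if not _matches(rule["if"], resource, params):
        return None
    effect = _resolve(rule["then"]["effect"], params)
    return None if effect == "Disabled" else effect


def classify(definition: dict, assignment_params: dict, resources: list) -> dict:
    """Map each resource name to the effect it would receive."""
    return {r["name"]: evaluate(definition, assignment_params, r) for r in resources}


# Constructed sample resources with placeholder GUIDs (not real tenants).
PROVIDER_TENANT = "11111111-2222-3333-4444-555555555555"
UNKNOWN_TENANT = "99999999-8888-7777-6666-555555555555"
SAMPLE_RESOURCES = [
    {"name": "msp-delegation", "type": REGISTRATION_TYPE, MANAGED_BY_ALIAS: PROVIDER_TENANT},
    {"name": "stray-delegation", "type": REGISTRATION_TYPE, MANAGED_BY_ALIAS: UNKNOWN_TENANT},
    {"name": "logs-storage", "type": "Microsoft.Storage/storageAccounts"},
]

if __name__ == "__main__":
    policy = build_policy_definition()
    print(json.dumps(policy, indent=2))
    # Audit pass with no tenants listed: every delegation is flagged
    print(classify(policy, {}, SAMPLE_RESOURCES))
    # Deny pass with the provider allow-listed: only the stray delegation is blocked
    print(classify(policy, {"listOfAllowedTenants": [PROVIDER_TENANT], "effect": "Deny"},
                   SAMPLE_RESOURCES))
```

The first `classify` call reproduces the article's initial audit run (empty allow list, every existing delegation shows as non-compliant); the second is the final state, where only delegations to a tenant outside the list are denied and everything else, including non-Lighthouse resources, is untouched.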
Reference:
John Savill provides a very good overview of Azure Lighthouse and Azure Policy.