Hello All,

I'm struggling to understand how deployment to Azure Lighthouse delegated subscriptions can be done. I've used the code from the example and adjusted according to my environment:
```jsonc
{
  // JSON Schema reference key is "$schema" (the "$" was missing in the pasted file)
  "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/global-settings-schema.json",
  "pacOwnerId": "06c75b24-7ae6-4b95-a644-4b6c7ebb7968",
  "pacEnvironments": [
    {
      "pacSelector": "DEMO-TENANT",
      "cloud": "AzureCloud",
      "tenantId": "customer tenant ID",
      "managingTenant": {
        "managingTenantId": "my tenant ID",
        "managingTenantRootScope": [
          "/subscriptions/I put customer delegated subscription id that require additional role assignment"
        ]
      },
      "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/intermediate MG group",
      "desiredState": {
        "strategy": "full",
        "keepDfcSecurityAssignments": false,
        "doNotDisableDeprecatedPolicies": false
      },
      "managedIdentityLocation": "swedencentral"
    }
  ]
}
```
For authentication, I used a service principal with the role assignment of Contributor on the delegated Azure subscriptions. That service principal belongs to my tenant (the managing tenant). Since Azure Lighthouse doesn't support management groups, my only option is to scope the deployment at the subscription level. So the question is, what should the policy assignment JSON look like? The documentation doesn't provide this information (or at least I have not seen it).

What I'd like to achieve is the following:

1. I deploy any variation of ALZ to the customer tenant.
2. Delegate subscriptions through Azure Lighthouse to the managing tenant (my tenant).
3. Deploy Azure Policies to these delegated subscriptions through a service principal created in the managing tenant. (If you ask why policies cannot be deployed at the management group, the answer is that you won't see them from the managing tenant even though they are inherited.)

Is this a supported scenario? If yes, can anyone post an example of global-settings.jsonc and a policy assignment file? It would be great to understand whether EPAC covers this use case and, if yes, how the configuration should look.
Many thanks.
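As an added example (not from the original post and not the EPAC project's own documentation), here is a policy assignment file that scopes one assignment to the delegated subscriptions under the DEMO-TENANT pacSelector used in the global-settings above. The policy set name, assignment names and subscription IDs are placeholders, and the node layout follows the EPAC policy-assignment schema as I understand it, so validate it against the schema URL in the file.

```jsonc
{
  "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-assignment-schema.json",
  "nodeName": "/root/",
  // Which definition to assign. Placeholder: use the name (custom) or GUID
  // (built-in) of a policy set that exists in the customer tenant.
  "definitionEntry": {
    "policySetName": "<policy-set-definition-name-or-guid>",
    "displayName": "Baseline policy set"
  },
  "assignment": {
    "name": "baseline-delegated",
    "displayName": "Baseline (delegated subscriptions)",
    "description": "Assigned from the managing tenant through Azure Lighthouse"
  },
  "enforcementMode": "Default",
  "parameters": {},
  "children": [
    {
      // Scope is keyed by pacSelector and must match global-settings.jsonc.
      // Only subscription scopes appear here because a Lighthouse delegation
      // cannot include management groups.
      "nodeName": "delegated-subscriptions/",
      "scope": {
        "DEMO-TENANT": [
          "/subscriptions/<delegated-subscription-id-1>",
          "/subscriptions/<delegated-subscription-id-2>"
        ]
      }
    }
  ]
}
```

Note that the built-in Contributor role lists Microsoft.Authorization/*/write under NotActions, so a service principal delegated with Contributor alone cannot create policy assignments; the delegation also needs Resource Policy Contributor (and Owner or User Access Administrator on the subscription if the assignment's managed identity requires role assignments for deployIfNotExists or modify effects).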