Azure Lighthouse provides Deft with delegated access to support and manage your Azure environment, while leaving you in control. Lighthouse removes the need to create administrator accounts for Deft teams in your company’s tenant and establishes a secure partner relationship, providing greater visibility into Deft access and actions.
Deft strives to reduce risk through the principles of "just enough" and "just in time" access. Deft leverages Azure AD Privileged Identity Management to provide our teams with the minimum level of permissions required to support your environment along with a secure method of temporarily elevating access when necessary.
Below you will find instructions for deploying Azure Lighthouse (it's simple!) as well as a list of authorizations, or role-based access control assignments, that will be provided to Deft. As always, please reach out to us if you have any questions!

- Click the Deploy to Azure button above
- Make sure you are signed in with an Azure AD account that has the `Microsoft.Authorization/roleAssignments/write` permission (typically a user assigned the Owner role for the Azure subscription)
- On the Custom Deployment page, select the appropriate Subscription from the dropdown and then verify that the correct Region is populated
- Click Review + Create at the bottom of the screen
- After automatic deployment validation is complete, click Create

- `mspOfferName`: Deft Azure Support
- `mspOfferDescription`: Deft is your trusted Azure advisor, deftly delivering on the promise of technology.
- `managedByTenantId`: b8483a09-f3e5-4681-8a64-16000e26ed41

Deft Authorization Display Name | Azure Built-in RBAC Role | RBAC Role ID |
---|---|---|
Deft Read-Only Support | Reader | acdd72a7-3385-48ef-bd42-f606fba81ae7 |
Deft Backup Support | Backup Operator | 00c29273-979b-4161-815c-10b084fb9324 |
Deft Operations Readers | Log Analytics Reader | 73c42c96-874c-492b-b04d-ab87d138a893 |
Deft Operations Readers | Azure Sentinel Reader | 8d289c81-5878-46d4-8554-54e1e3d8b5cb |
Deft Backup Operations | Backup Operator | 00c29273-979b-4161-815c-10b084fb9324 |
Deft Automation Operations | Automation Operator | d3881f73-407a-4167-8283-e981cbba0404 |
Deft Cost Management | Cost Management Contributor | 434105ed-43f6-45c7-a02f-909b2ba83430 |
Deft Tag Operations | Tag Contributor | 4a9ae827-6dc8-4573-8ac7-8239d42aa03f |
Deft Elevated Operations | Contributor | b24988ac-6180-42a0-ab88-20f7382dd24c |
Deft Elevated Management | Contributor | b24988ac-6180-42a0-ab88-20f7382dd24c |
Deft Policy Management | Resource Policy Contributor | 36243c78-bf99-498c-9df9-86d9f8d28608 |
Deft Policy Remediation Management | User Access Administrator* | 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 |
Deft Blueprint Management | Blueprint Contributor | 41077137-e803-4205-871c-5a86e6a753b4 |
Deft Blueprint Assignements | Blueprint Operator | 437d2ced-4a38-4302-8479-ed2bcb43d090 |
Deft Billing Integration | Billing Reader | fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 |

*The Deft Policy Remediation Management authorization, which is delegated the User Access Administrator role, is limited to assigning the following RBAC roles to managed identities:

Assignable Role | RBAC Role ID |
---|---|
Log Analytics Contributor | 92aaf0da-9dab-42b6-94a3-d43ce8d16293 |
Virtual Machine Contributor | 9980e02c-c2be-4d73-94e8-173b1dc7cf3c |
Backup Contributor | 5e467623-bb1f-42f4-a55d-6e525e11384b |
Monitoring Contributor | 749f88d5-cbae-40b8-bcfc-e573ddc772fa |
Security Admin | fb1c8493-542b-48eb-b624-b4c8fea62acd |
Contributor | b24988ac-6180-42a0-ab88-20f7382dd24c |
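
To check a delegation against the two tables above before you click Create (or afterwards, against the deployed registration definition), the following Python sketch compares a set of authorizations with the documented role IDs. It is an added example, not part of Deft's template or tooling. It assumes you have already extracted `managedByTenantId` and the `authorizations` array, using the field names of `Microsoft.ManagedServices/registrationDefinitions` (`principalIdDisplayName`, `roleDefinitionId`, `delegatedRoleDefinitionIds`). The `audit` function and the sample data are constructed for illustration.

```python
# Added example: check a Lighthouse delegation against the tables on this page.
EXPECTED_TENANT = "b8483a09-f3e5-4681-8a64-16000e26ed41"  # managedByTenantId
UAA = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"  # User Access Administrator
# "RBAC Role ID" column of the authorizations table (duplicates collapsed).
DOCUMENTED_ROLES = {
    "acdd72a7-3385-48ef-bd42-f606fba81ae7", "00c29273-979b-4161-815c-10b084fb9324",
    "73c42c96-874c-492b-b04d-ab87d138a893", "8d289c81-5878-46d4-8554-54e1e3d8b5cb",
    "d3881f73-407a-4167-8283-e981cbba0404", "434105ed-43f6-45c7-a02f-909b2ba83430",
    "4a9ae827-6dc8-4573-8ac7-8239d42aa03f", "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "36243c78-bf99-498c-9df9-86d9f8d28608", "41077137-e803-4205-871c-5a86e6a753b4",
    "437d2ced-4a38-4302-8479-ed2bcb43d090", "fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64",
    UAA,
}
# "Assignable Role" table: roles the UAA authorization may give to managed identities.
ASSIGNABLE = {
    "92aaf0da-9dab-42b6-94a3-d43ce8d16293", "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
    "5e467623-bb1f-42f4-a55d-6e525e11384b", "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
    "fb1c8493-542b-48eb-b624-b4c8fea62acd", "b24988ac-6180-42a0-ab88-20f7382dd24c",
}

def audit(managed_by_tenant_id, authorizations):
    """Return a list of findings; an empty list means the delegation matches the page."""
    findings = []
    if managed_by_tenant_id.lower() != EXPECTED_TENANT:
        findings.append(f"managedByTenantId {managed_by_tenant_id} is not the documented tenant")
    for auth in authorizations:
        name = auth.get("principalIdDisplayName", "<unnamed>")
        role = auth.get("roleDefinitionId", "").lower()
        delegated = {r.lower() for r in auth.get("delegatedRoleDefinitionIds", [])}
        if role not in DOCUMENTED_ROLES:
            findings.append(f"{name}: role {role} is not in the documented table")
        if role == UAA and not delegated:
            findings.append(f"{name}: User Access Administrator with no delegatedRoleDefinitionIds")
        if role != UAA and delegated:
            findings.append(f"{name}: delegatedRoleDefinitionIds set on a non-UAA role")
        for extra in sorted(delegated - ASSIGNABLE):
            findings.append(f"{name}: may assign undocumented role {extra}")
    return findings

# Constructed sample (placeholder role ID; principalId omitted because audit() does not read it).
UNDOCUMENTED = "00000000-0000-0000-0000-00000000beef"
SAMPLE = [
    {"principalIdDisplayName": "Deft Read-Only Support",
     "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"},
    {"principalIdDisplayName": "Deft Policy Remediation Management", "roleDefinitionId": UAA,
     "delegatedRoleDefinitionIds": ["92aaf0da-9dab-42b6-94a3-d43ce8d16293", UNDOCUMENTED]},
    {"principalIdDisplayName": "Constructed Extra", "roleDefinitionId": UNDOCUMENTED},
]
```

Any finding means the delegation you are about to approve differs from what this page documents and should be reviewed before deployment.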