Lighthouse

Tristano,G,Giuseppe,JBP12 R 91 Reputation points
2024-06-19T10:07:04.94+00:00

Hello All,

I gave the Contributor role (on a subscription) to users via Lighthouse to manage a customer. The users get access to the customer subscription with no problem, and can start and stop VMs, create a resource group, start and stop backups, etc.

The problem arises when I want to create, for instance, a storage account (or a new VM). The portal goes to the marketplace and then I am not able to add anything else, as if I couldn't contact the subscriptions.

Can you please advise.

Thank you in advance for your reply

giuseppe

Azure Lighthouse
An Azure service that provides secure managed services and access control for partners and customers.
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

3 answers

  1. Stanislav Zhelyazkov 25,321 Reputation points MVP
    2024-06-20T08:21:52.6466667+00:00

    I am not experiencing this problem, so my conclusion is that either you do not have Contributor access, you haven't logged in correctly, or there are some restrictions on the subscription. You need to log in to your own tenant, not the customer one. You can create resources from any blade; for example, if you search for Virtual machines and open that blade, you can create VMs from there by just choosing the subscription of your customer. That is, of course, if all of the above are correct.


  2. Tristano,G,Giuseppe,JBP12 R 91 Reputation points
    2024-07-09T09:34:41.31+00:00

    Hello there,

    and thank you both. I am now able to correctly operate even when creating things.

    One interesting matter to remark, in my opinion, is the following.

    I granted Contributor access to the customer's subscription through a group called SYS.

    SYS is of course in the ManagedBy tenant, into which I invite guest users. I invited my work account, which is name.surname@bt.com, and two private accounts: one is namesurmane@yahoo.it and the second is namesurname@gmail.com.

    Only my work account, which is on Microsoft Entra ID, works. This is, anyhow, my desired behaviour, hence I will mark your last reply as a successful answer.

    Thank you once again and best regards

    giuseppe


  3. AnuragSingh-MSFT 21,466 Reputation points
    2024-07-08T07:32:10.2033333+00:00

    @Tristano,G,Giuseppe,JBP12 R, thank you for posting this question. As Stanislav mentioned, this could only be related to insufficient permissions assigned to the user of the ManagedBy tenant to access resources in the Managed tenant. I got confirmation from the product team that there is no difference related to whether the user is a Guest user added to the ManagedBy tenant. As long as the correct role has been assigned, they should be able to perform the operation, even to create resources.

    I even tested it with 2 subscriptions and there was no issue observed. In my case, the Guest user was given Contributor access at subscription level to test whether it was able to create the storage account.

    Hope this helps.

    If the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.

