I need support for an Azure Lighthouse environment. I set up a test environment with two Azure accounts—one as a service provider and the other as a customer. The Azure Lighthouse environment was successfully set up on both accounts.
I have two security groups in the service provider account, which are used in the template for delegation:
- Storm Internet Support L1
- Storm Internet Support L2
I created a role assignment in the delegation for L2 as Contributor and L1 as Virtual Machine Contributor at the subscription level.
I need to prevent the service provider team from deleting anything on the customer side while still allowing them to create resources. However, even a custom role is not allowed in the Lighthouse environment to enforce this restriction.
I tried using locks, but I encountered strange behavior:
- Locks created by the customer (Owner) are not visible on the service provider side.
- Locks created by the service provider (Contributor) are not visible on the customer side.
- Even if a lock is applied by a Contributor (L2) on a resource group created in the customer account, the customer (Owner) can still delete the resource group because the lock does not appear on their side.
- Similarly, a service provider (Contributor) can delete resources that were locked by the customer (Owner) because the lock does not appear on the service provider side.
- This behavior seems unexpected and inconsistent.
One more thing—I want to edit the directory name on the service provider side. If I have multiple customers, how can I easily recognize them?
Please provide guidance on these issues.
Thanks.
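The subscription-level delegation described in the post (L2 as Contributor, L1 as Virtual Machine Contributor), as an added example that is not part of the original post: a small Python builder for the Azure Lighthouse registration template, with a pre-deployment check that every authorization uses a built-in role Lighthouse will accept (Owner and custom roles are refused, so the template fails early instead of at deployment). The tenant ID and group object IDs are constructed placeholders; the role definition GUIDs are Azure's real built-in values.

```python
import re
import uuid

# Real Azure built-in role definition GUIDs; Lighthouse authorizations use the bare GUID.
ROLE_IDS = {
    "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "Virtual Machine Contributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
    "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
}
DISALLOWED = {"Owner"}  # Lighthouse does not delegate Owner; custom roles (not in ROLE_IDS) are refused too
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)
# Constructed sample values: provider tenant ID and the two support groups' object IDs (not real).
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_GROUPS = [
    ("aaaaaaaa-0000-0000-0000-000000000001", "Storm Internet Support L2", "Contributor"),
    ("aaaaaaaa-0000-0000-0000-000000000002", "Storm Internet Support L1", "Virtual Machine Contributor"),
]

def is_delegable(role_name):
    """True only for a built-in role that Lighthouse will accept in an authorization."""
    return role_name in ROLE_IDS and role_name not in DISALLOWED

def build_authorizations(groups):
    """groups: (group_object_id, display_name, role_name) tuples from the provider tenant."""
    auths = []
    for object_id, display_name, role_name in groups:
        if not is_delegable(role_name):
            raise ValueError(f"not delegable through Lighthouse: {role_name}")
        if not GUID_RE.match(object_id):
            raise ValueError(f"principalId must be the group's object-id GUID: {object_id}")
        auths.append({"principalId": object_id, "principalIdDisplayName": display_name,
                      "roleDefinitionId": ROLE_IDS[role_name]})
    return auths

def build_template(offer_name, managed_by_tenant_id, groups):
    """Subscription-scope template: registrationDefinition plus its registrationAssignment."""
    reg = str(uuid.uuid5(uuid.NAMESPACE_URL, offer_name))  # stable name, like ARM's guid()
    definition_ref = f"[resourceId('Microsoft.ManagedServices/registrationDefinitions', '{reg}')]"
    return {
        "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [
            {"type": "Microsoft.ManagedServices/registrationDefinitions", "apiVersion": "2019-06-01",
             "name": reg, "properties": {"registrationDefinitionName": offer_name,
                                         "managedByTenantId": managed_by_tenant_id,
                                         "authorizations": build_authorizations(groups)}},
            {"type": "Microsoft.ManagedServices/registrationAssignments", "apiVersion": "2019-06-01",
             "name": reg, "dependsOn": [definition_ref],
             "properties": {"registrationDefinitionId": definition_ref}},
        ],
    }
```

Deploy the resulting JSON with `az deployment sub create` in the customer subscription; the check only covers what Lighthouse will reject, it does not by itself remove delete rights from Contributor.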