Azure Lighthouse usage in Azure landing zones multitenant scenarios

Azure Lighthouse enables multitenant management with scalability, higher automation, and enhanced governance across resources. Azure Lighthouse can be adopted in Azure landing zone scenarios in single or multitenant architectures.

The following considerations and recommendations describe common scenarios for Azure Lighthouse in Azure landing zone deployments.

Considerations

Recommendations

  • See Azure Lighthouse in enterprise scenarios.
  • If you're an ISV, see Azure Lighthouse in ISV scenarios.
  • Use Azure Lighthouse in both directions between Microsoft Entra tenants to simplify management activities and reduce complex authentication and authorization scenarios. This action removes the reliance on Microsoft Entra B2B (Guest) accounts for user and workload identities, and it removes the need to have separate accounts for some activities.
  • Use Microsoft Entra Privileged Identity Management (PIM) as part of your Azure Lighthouse delegations. For more information, see Create eligible authorizations.
    • This feature requires Microsoft Entra ID P2 licensing, but only in the source (managing) Microsoft Entra tenant, not in the tenants being managed.

Azure landing zones scenario - Azure Lighthouse and Private DNS at scale

The following diagram is an Azure landing zone scenario where Azure Lighthouse is used across multiple Microsoft Entra tenants to assist with Private Link and DNS integration.

When you use Azure Lighthouse, the Azure Policy that manages Private DNS zone records for Private Endpoints in the spoke Microsoft Entra tenants can link them automatically to the centralized Private DNS zones in the hub Microsoft Entra tenant. For more information, see Private Link and DNS integration at scale.

Diagram of multiple Microsoft Entra tenants with Azure landing zones deployed using Azure Lighthouse in the Private DNS at scale scenario.

When you use this architecture, application landing zone owners can also make changes to the central Private DNS zones through Azure Lighthouse delegated authorizations. This access is useful when the Private Endpoint DNS configuration is managed by an approach other than Azure Policy. For more information, see Private Link and DNS integration at scale.
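The following Python script is an added example, not code from this page or from Microsoft. It builds the Azure Lighthouse registration definition a hub tenant would use to delegate its Private DNS resource group for the scenario above, and then lints it for the points the recommendations raise: privileged roles held permanently instead of through eligible (PIM) authorizations, eligible authorizations that don't require MFA on activation, and roles that Lighthouse doesn't support. It assumes the hub tenant delegates to principals in a spoke tenant (the policy's managed identity and a DNS owners group), uses placeholder tenant and principal IDs, and relies on the well-known built-in role definition IDs (verify them against your tenant's role list). The "privileged" role set and the 8-hour activation ceiling are this example's own review thresholds.

```python
"""Build and lint an Azure Lighthouse registration definition (added example)."""
import json
import re
from datetime import timedelta

# Well-known Azure built-in role definition IDs (assumption: verify against your tenant).
ROLE_IDS = {
    "Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    "User Access Administrator": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
    "Private DNS Zone Contributor": "b12aa53e-6015-4669-85d0-8515ebb3ae7f",
}
ROLE_NAMES = {v: k for k, v in ROLE_IDS.items()}

# Roles this example treats as privileged: they should be eligible (PIM), not permanent.
PRIVILEGED_ROLES = {"Contributor", "User Access Administrator"}
MAX_ACTIVATION = timedelta(hours=8)  # review ceiling chosen for this example

_ISO_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def parse_duration(value: str) -> timedelta:
    """Parse the PT#H#M form used by justInTimeAccessPolicy.maximumActivationDuration."""
    match = _ISO_DURATION.match(value)
    if not match:
        raise ValueError(f"unsupported duration: {value}")
    hours, minutes = (int(x) if x else 0 for x in match.groups())
    return timedelta(hours=hours, minutes=minutes)


def build_private_dns_delegation(managing_tenant_id: str,
                                 policy_identity_id: str,
                                 dns_owners_group_id: str) -> dict:
    """Registration definition for the hub tenant's Private DNS resource group.

    Permanent: Reader plus Private DNS Zone Contributor for the spoke tenant's
    policy managed identity, so DeployIfNotExists can register Private Endpoint
    records in the central zones without human involvement.
    Eligible (PIM): Private DNS Zone Contributor for the application landing zone
    owners group, activated just in time with MFA and a bounded duration.
    """
    return {
        "properties": {
            "registrationDefinitionName": "hub-private-dns-delegation",
            "description": "Cross-tenant Private DNS management via Azure Lighthouse (example)",
            "managedByTenantId": managing_tenant_id,
            "authorizations": [
                {"principalId": policy_identity_id,
                 "principalIdDisplayName": "spoke policy managed identity",
                 "roleDefinitionId": ROLE_IDS["Reader"]},
                {"principalId": policy_identity_id,
                 "principalIdDisplayName": "spoke policy managed identity",
                 "roleDefinitionId": ROLE_IDS["Private DNS Zone Contributor"]},
            ],
            "eligibleAuthorizations": [
                {"principalId": dns_owners_group_id,
                 "principalIdDisplayName": "application landing zone DNS owners",
                 "roleDefinitionId": ROLE_IDS["Private DNS Zone Contributor"],
                 "justInTimeAccessPolicy": {
                     "multiFactorAuthProvider": "Azure",
                     "maximumActivationDuration": "PT8H",
                 }},
            ],
        }
    }


def lint_delegation(definition: dict) -> list:
    """Return the findings a reviewer would raise before onboarding this delegation."""
    findings = []
    props = definition["properties"]
    for auth in props.get("authorizations", []):
        role = ROLE_NAMES.get(auth["roleDefinitionId"], auth["roleDefinitionId"])
        who = auth.get("principalIdDisplayName", auth["principalId"])
        if role == "Owner":
            findings.append(f"{who}: Owner cannot be delegated through Azure Lighthouse")
        elif role in PRIVILEGED_ROLES:
            findings.append(f"{who}: permanent {role}; move it to eligibleAuthorizations (PIM)")
        if role == "User Access Administrator" and not auth.get("delegatedRoleDefinitionIds"):
            findings.append(f"{who}: User Access Administrator requires delegatedRoleDefinitionIds")
    for auth in props.get("eligibleAuthorizations", []):
        who = auth.get("principalIdDisplayName", auth["principalId"])
        jit = auth.get("justInTimeAccessPolicy", {})
        if jit.get("multiFactorAuthProvider", "None") == "None":
            findings.append(f"{who}: eligible authorization does not require MFA on activation")
        if parse_duration(jit.get("maximumActivationDuration", "PT8H")) > MAX_ACTIVATION:
            findings.append(f"{who}: maximumActivationDuration exceeds {MAX_ACTIVATION}")
    return findings


if __name__ == "__main__":
    # Placeholder IDs (constructed); replace with the real tenant and principal object IDs.
    definition = build_private_dns_delegation(
        "00000000-0000-0000-0000-000000000001",
        "00000000-0000-0000-0000-000000000002",
        "00000000-0000-0000-0000-000000000003",
    )
    print(json.dumps(definition, indent=2))
    print("findings:", lint_delegation(definition) or "none")
```

The permanent authorizations are limited to what the policy's managed identity needs to write DNS records, while the human DNS owners only hold an eligible authorization, which is the PIM pattern the recommendations above describe. Running the linter over a definition that grants a permanent Contributor, or an eligible authorization without MFA or with a long activation window, surfaces each of those as a separate finding.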

Next steps