View and manage customers and delegated resources in the Azure portal
Service providers using Azure Lighthouse can visit My customers in the Azure portal to view delegated customer resources and subscriptions.
To view information about a customer, you must have been granted the Reader role (or another built-in role that includes Reader access) when that customer was onboarded.
Tip
Though we refer to service providers and customers here, enterprises managing multiple tenants can use the same process to consolidate their management experience.
To access My customers in the Azure portal, enter "My customers" in the search box in the Azure portal page header. You can also navigate to Azure Lighthouse in the Azure portal, then select Manage your customers.
The Customers section of My customers only shows information about customers who have delegated subscriptions or resource groups to your Microsoft Entra tenant through Azure Lighthouse. If you work with other customers (such as through the Cloud Solution Provider (CSP) program), you won't see those customers in the Customers section unless you onboarded their resources to Azure Lighthouse. However, you may see details about certain CSP customers in the Cloud Solution Provider (Preview) section.
Note
Your customers can view details about service providers by navigating to Service providers in the Azure portal. For more information, see View and manage service providers.
View and manage customer details
To view customer details, select Customers from the service menu of My customers.
For each customer, you'll see the customer's name and customer ID (tenant ID), along with the Offer ID and Offer version associated with the engagement. In the Delegations column, you'll see the number of delegated subscriptions and/or resource groups.
Options at the top of the pane let you sort, filter, and group your customer information by specific customers, offers, or keywords.
For additional details, use the following options:
- To see all of the subscriptions, offers, and delegations associated with a customer, select the customer's name.
- To see details about an offer and its delegations, select the offer name.
- To see details about role assignments for delegated subscriptions or resource groups, select the entry in the Delegations column.
Note
If a customer renames a subscription after it was delegated, you'll see the updated subscription name. However, if they rename their tenant, you might still see the older tenant name in some places in the Azure portal.
View and manage delegations
Delegations show the subscription or resource group that's been delegated, along with the users and permissions that have access to it. To view this info, select Delegations from the service menu.
Options at the top of the pane let you sort, filter, and group this information by specific customers, offers, or keywords.
View role assignments
The users and permissions associated with each delegation appear in the Role assignments column. Select an entry to view more details. After you do so, select Role assignments to see the full list of users, groups, and service principals that have been granted access to the subscription or resource group. From there, you can select a particular user, group, or service principal name to see more information.
Remove delegations
If you included users with the Managed Services Registration Assignment Delete Role when onboarding a customer to Azure Lighthouse, those users can remove delegations by selecting the trash can icon that appears in the row for that delegation. When you remove a delegation, users in the service provider's tenant lose the access that had previously been granted through that delegation.
For more information, see Remove access to a delegation.
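The two role requirements described on this page (Reader access to view a customer in My customers, and the Managed Services Registration Assignment Delete Role to remove a delegation) can be checked against a delegation's authorizations before or after onboarding. The following Python is an added example, not part of the original documentation. The sample data is constructed, the field names assume the authorization shape used in Azure Lighthouse registration definitions, and the set of roles treated as including Reader access is an assumed, partial list.

```python
# Built-in role definition IDs (well-known Azure GUIDs).
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
ASSIGNMENT_DELETE = "91c1777a-f3dc-4fae-b103-61d183457e46"

# Assumption: a partial list of built-in roles that include Reader access.
INCLUDES_READER = {READER, CONTRIBUTOR}

# Constructed sample: two registration definitions with placeholder principal IDs.
SAMPLE = [
    {"properties": {"registrationDefinitionName": "Managed ops (constructed)",
                    "authorizations": [
        {"principalId": "00000000-0000-0000-0000-000000000001",
         "principalIdDisplayName": "Tier 1 Support",
         "roleDefinitionId": CONTRIBUTOR},
        {"principalId": "00000000-0000-0000-0000-000000000002",
         "principalIdDisplayName": "Delegation Admins",
         "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/"
                             + ASSIGNMENT_DELETE}]}},
    {"properties": {"registrationDefinitionName": "Offboarding only (constructed)",
                    "authorizations": [
        {"principalId": "00000000-0000-0000-0000-000000000003",
         "principalIdDisplayName": "Offboarding Admins",
         "roleDefinitionId": ASSIGNMENT_DELETE}]}},
]

def role_guid(role_definition_id):
    """Accept a bare GUID or a full resource ID that ends in the GUID."""
    return role_definition_id.rstrip("/").split("/")[-1].lower()

def audit(definition):
    """Report which principals can view the customer and which can remove the delegation."""
    viewers, removers = set(), set()
    for auth in definition.get("properties", {}).get("authorizations", []):
        name = auth.get("principalIdDisplayName") or auth["principalId"]
        guid = role_guid(auth["roleDefinitionId"])
        if guid in INCLUDES_READER:
            viewers.add(name)
        if guid == ASSIGNMENT_DELETE:
            removers.add(name)
    findings = []
    if not viewers:
        findings.append("no principal has Reader access to view this customer")
    if not removers:
        findings.append("no principal holds the Registration Assignment Delete Role")
    return {"viewers": sorted(viewers), "removers": sorted(removers),
            "findings": findings}

if __name__ == "__main__":
    for d in SAMPLE:
        print(d["properties"]["registrationDefinitionName"], audit(d))
```

Reviewing the `removers` list matters for least privilege: every principal in it can end the service provider's access to that delegation.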
View delegation change activity
The Activity log section of My customers keeps track of every time that a customer subscription or resource group is delegated to your tenant. It also records whenever any previously delegated resources are removed. To view this information, users must be assigned the Monitoring Reader role at root scope.
For more information, see View delegation changes in the Azure portal.
Work in the context of a delegated subscription
You can work directly in the context of a delegated subscription within the Azure portal, without switching the directory you're signed in to. To do so:
- Select the Settings icon from the global controls in the Azure portal page header.
- In Directories + subscriptions, ensure that the Advanced filters toggle is turned off.
- In the Default subscription filter section, select the appropriate directory and subscription. If you were granted access to a resource group rather than to an entire subscription, select the subscription to which that resource group belongs. You'll work in the context of that subscription, but will only be able to access the designated resource group(s) to which you have access.
When you access an Azure service that supports cross-tenant management experiences, the service defaults to the context of the delegated subscription that you included in your filter.
You can change the default subscription at any time by following the steps above and choosing a different subscription, or multiple subscriptions. If you want the filter to include all of the subscriptions to which you have access, select All directories, then check the Select all box.
Important
Checking the Select all box sets the filter to show all of the subscriptions to which you currently have access. If you later gain access to more subscriptions—for example, if you onboard a new customer to Azure Lighthouse—these subscriptions aren't automatically added to your filter. To include them, return to Directories + subscriptions and select the additional subscriptions (or uncheck and then recheck Select all).
You can also work on delegated subscriptions or resource groups by selecting the subscription or resource group from within an individual service that supports cross-tenant management experiences. If you don't see the subscription, check to make sure it's not excluded from your Default subscription filter.
Cloud Solution Provider (Preview)
A separate Cloud Solution Provider (Preview) section of My customers shows billing information and resources for your CSP customers who have signed the Microsoft Customer Agreement (MCA) and are under the Azure plan. For more information, see Get started with your Microsoft Partner Agreement billing account.
These CSP customers appear in this section whether or not you also onboarded them to Azure Lighthouse. Similarly, a CSP customer doesn't have to appear in the Cloud Solution Provider (Preview) section of My customers in order for you to onboard them to Azure Lighthouse.
Next steps
- Learn about cross-tenant management experiences.
- Learn how your customers can view and manage service providers by going to Service providers in the Azure portal.