Every couple of years since 2007 I have been fortunate to be able to teach a 3 credit-hour 400/500 level class in computer and network management for the University of Arkansas Little Rock campus (UALR). Now in our seventh iteration of the class, the course content has evolved over the years from (1) an all on-premises, physical server model, to (2) an on-premises private cloud model, then (3) to a hybrid on-premises/cloud model, now (4) to a fully cloud-based approach.
The business goal is managing the availability, performance, and security of computing resources in any location or any cloud. A new Microsoft Azure feature Azure Lighthouse, originally designed for service providers and their customers, has proved an amazing and no-cost asset to facilitate the teaching of cloud management concepts.
Teaching the cloud from the cloud
This is a pro-bono engagement, where my company donates my time to the community as an educational and economic development resource. Many class graduates in the past have gone on to employment in the IT sector and are regional leaders in our industry today. We are 3 weeks into the Fall 2021 semester of our course titled Cloud Management. Being the first post-quarantine teaching of the class, we are accommodating students that want to join the classroom in-person, and for those preferring an all-remote experience, classes are streamed and recorded with Microsoft Teams.
- Each student signed up for the Free Azure trial. This allows for a $200 credit that must be used in 30 days, then free Azure services are available for a total of 12 months. We are front-loading the course to perform tasks in the cloud that consume resources (like deploying virtual machines) in the first month. There are sufficient Azure services–like Azure Logic Apps and Azure Security Center–that have free tiers we will make use of after the credit is expired.
- Once each student had their Azure subscription provisioned, the first thing we did was enable a Service Provider -> Customer connection using Azure Lighthouse inside each student subscription. After that, the instructor can view all the students’ Azure subscriptions combined in the Azure portal.
- The ability to provide instant feedback to the instructor from many students’ cloud infrastructures simultaneously–while class group tasks are in progress–has been a huge accelerator for learning cloud management concepts.
Using new tools in new ways
This is a novel use of a security role delegation feature not originally designed for the classroom, but one which is in fact a very high value tool in the academic scenario that costs essentially nothing. There is no charge for Azure Lighthouse; it’s a built-in and free feature of the Azure control plane.
- Figure 1 shows at a high level how the Azure AD user account of the instructor is first added to an Azure AD security group.
- Then an Azure Lighthouse deployment occurs that maps the Azure AD security group containing the instructor account to security roles in the student subscriptions.
- The instructor can view the resources inside all the student subscriptions at once, such as Azure Policy that enables Azure Monitor for VMs.
Figure 1 – Azure Lighthouse in an academic role.
Azure Lighthouse provides free 1:many federation
Very quickly students were able to connect their free trial Azure subscriptions to my ‘instructor’ Azure subscription. In this case the ‘instructor subscription’ is an Azure Sponsorship subscription I get with my Microsoft MVP award.
Tip: There’s no reason the ‘instructor’ subscription could not also be a free Azure subscription, but remember the free subscriptions are time-limited to 30 days for billing functions. More likely, use an Azure subscription from your school or company as the ‘instructor’ subscription that has some funding to keep going between classes.
Here are the steps we followed to build out our classroom environment:
1 – Register Microsoft.ManagedServices resource provider
In all Azure subscriptions to participate (instructor and student), the resource provider “Microsoft.ManagedServices” needs to be registered in order to use Azure Lighthouse. In the Azure Portal:
- Navigate to Subscriptions -> Settings -> Resource providers
- Type “ManagedServices” in the search bar and see Microsoft.ManagedServices listed
- Select Microsoft.ManagedServices and push the “Register” button
2 – Create a Security group in the Azure Active Directory tenant of the instructor
This can be done using the O365 Admin portal or the Azure Portal Active Directory blade.
- Add the instructor user account to the security group
- After creating the group, take note of the group’s name and object ID
3 – Author two JSON files to deploy Azure Lighthouse
Normally, Azure Lighthouse delegations occur using the Azure Marketplace where the deployment actions are hidden from the user. However Azure Lighthouse delegations can also be made immediately and manually using Azure Resource Manager (ARM) templates, and this is what we use in our academic scenario.
- These templates take the form of text files with the .json extension. There are two JSON documents to prepare: the template file itself and the template parameters file.
- The template file is the same for everyone and never changes, while the parameters file contains the unique values for that deployment of the ARM template.
Prepare two text files as follows:
- Download the template file from this URL and save it as delegatedResourceManagement.json: https://github.com/Azure/Azure-Lighthouse-samples/blob/master/templates/delegated-resource-management/subscription/subscription.json. This file is provided without modification to students.
- Copy and adapt the below delegatedResourceManagement.parameters.json parameters file. Modify this file and provide each student with a copy.
delegatedResourceManagement.parameters.json file contents
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspOfferName": {
      "value": "Azure Management Offer (Academic Mode)"
    },
    "mspOfferDescription": {
      "value": "Remotely manage student Azure subscriptions from instructor tenant"
    },
    "managedByTenantId": {
      "value": "<Azure AD Tenant ID of the instructor tenant>"
    },
    "authorizations": {
      "value": [
        {
          "principalId": "<ID of a security group in the instructor tenant for Contributor role>",
          "principalIdDisplayName": "Instructor-Contributor-Group",
          "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
        },
        {
          "principalId": "<ID of a security group in the instructor tenant for Managed Services Registration assignment Delete role>",
          "principalIdDisplayName": "Instructor-Registrar-Group",
          "roleDefinitionId": "36243c78-bf99-498c-9df9-86d9f8d28608"
        }
      ]
    }
  }
}
Notes on template deployment
- The same parameters file can be used by all students without additional modification.
- This version of the template delegates the entire subscription automatically (no separate delegation action is required in Azure Lighthouse).
- The OfferName and OfferDescription can be any meaningful text.
- The principalIdDisplayName fields can be any text but should match the name of the group in the instructor’s Azure AD tenant.
- The roleDefinitionId fields in this example map to the Contributor and Managed Services Registration assignment Delete roles. To learn the correct ID to use with other roles, consult https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions-list
4 – Students deploy the Azure Lighthouse templates
- Zip up the two .JSON files and email them to each student.
- Have students activate an Azure Cloud Shell instance in their subscriptions and upload each of the two .JSON files.
- This line of PowerShell completes the deployment: (use any text you like for the “Name” value, change the “Location” to your Azure region)
New-AzSubscriptionDeployment -Name UALR4399Lighthouse1 -Location eastus -TemplateFile delegatedResourceManagement.json -TemplateParameterFile delegatedResourceManagement.parameters.json -Verbose
5 – Instructor adds student subscriptions to Azure Portal view
Within about 30 minutes of each student executing the deployment, the instructor will see the student’s subscription become available to select when clicking Switch directory anywhere in the portal. By selecting all the students’ subscriptions, the instructor achieves a multi-tenant view of all the students’ resources effortlessly. Figure 2 shows how the instructor can keep tabs on student progress with assignments at a glance using the Azure Policy compliance blade.
Figure 2 – Instructor view of student policy compliance.
In this screenshot, students who have completed the lab to Enable Azure Monitor for VMs using Azure Policy are in Compliant status, while non-compliant students have some homework to do.
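The five steps above can be wrapped in a single Cloud Shell script that refuses to deploy a parameters file with unreplaced placeholders or an unexpected role, registers the resource provider if needed, validates the template, and confirms the delegation afterwards. This is an added example, not code from the original post; it assumes the Az.Resources and Az.ManagedServices modules that ship with Azure Cloud Shell, and the file names, deployment name and region are the ones used on this page.

```powershell
# Added example (not from the original post): pre-flight checks, deployment and
# verification of the classroom Azure Lighthouse delegation. Run in the student's
# Azure Cloud Shell after uploading the two JSON files.
$TemplateFile   = './delegatedResourceManagement.json'
$ParameterFile  = './delegatedResourceManagement.parameters.json'
$DeploymentName = 'UALR4399Lighthouse1'
$Location       = 'eastus'
# Only the two roles this class delegates (IDs from the parameters file above).
$AllowedRoles = @('b24988ac-6180-42a0-ab88-20f7382dd24c',   # Contributor
                  '36243c78-bf99-498c-9df9-86d9f8d28608')   # registration-delete role
$Guid = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'       # -match is case-insensitive

# 1. Stop if the parameters file still carries "<...>" placeholders or would
#    delegate a role the instructor did not ask for.
$p = (Get-Content -Raw $ParameterFile | ConvertFrom-Json).parameters
if ($p.managedByTenantId.value -notmatch $Guid) {
    throw "managedByTenantId is not a tenant GUID: $($p.managedByTenantId.value)"
}
foreach ($a in $p.authorizations.value) {
    if ($a.principalId -notmatch $Guid)         { throw "principalId is not a GUID: $($a.principalId)" }
    if ($a.roleDefinitionId -notin $AllowedRoles) { throw "unexpected role: $($a.roleDefinitionId)" }
}

# 2. Register Microsoft.ManagedServices if any of its resource types is not yet registered.
$rp = Get-AzResourceProvider -ProviderNamespace Microsoft.ManagedServices
if ($rp.RegistrationState -notcontains 'Registered') {
    Register-AzResourceProvider -ProviderNamespace Microsoft.ManagedServices | Out-Null
}

# 3. Validate the template against the live subscription before creating anything.
$errors = Test-AzSubscriptionDeployment -Location $Location -TemplateFile $TemplateFile `
              -TemplateParameterFile $ParameterFile
if ($errors) { $errors | Format-List; throw 'Template validation failed' }

# 4. Deploy (the same command as in step 4 of the post).
New-AzSubscriptionDeployment -Name $DeploymentName -Location $Location `
    -TemplateFile $TemplateFile -TemplateParameterFile $ParameterFile -Verbose

# 5. Confirm a Lighthouse registration assignment now exists on this subscription.
$subId = (Get-AzContext).Subscription.Id
$assignments = Get-AzManagedServicesAssignment -Scope "/subscriptions/$subId"
if (-not $assignments) { throw 'No Lighthouse registration assignment found after deployment' }
$assignments | Format-List
```

Because the script only ever approves the two role IDs the instructor distributed, a student who edits the parameters file to hand out a broader role gets a clear error instead of a silent over-delegation.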
Azure Lighthouse in Enterprise scenarios
The use of Azure Lighthouse in an academic scenario is a variation of a supported use of Azure Lighthouse in the enterprise scenario where multiple Azure AD tenants interoperate. The terms ‘managing tenant’, ‘service provider’, and ‘instructor tenant’ are interchangeable in this context. Via Azure Lighthouse, users in one managing tenant can perform cross-tenant management functions in a centralized, scalable manner in any applicable scenario. Learn more at this URL: https://docs.microsoft.com/en-us/azure/lighthouse/concepts/enterprise
Tags: #MVPBuzz #AzureLighthouse #AzureSentinel #AzureMonitor #AzureAcademic #CloudComputing #AzureResourceManager #UALR