Lighthouse
lighthouse shows Azure Lighthouse delegated management in the current scope.
Use it when you need to know whether another tenant already has management authority over the subscription or resource groups you are reviewing.
- Is Azure Lighthouse present here?
- Which outside tenant has delegated management authority?
- Which delegation changes the control picture most?
```
ho-azure lighthouse --output table
```

For saved structured review:

```
ho-azure lighthouse --output json
```

| scope | managing tenant | managed tenant | access | state |
|---|---|---|---|---|
| subscription::...2222 | Contoso Corp. | HarrierOps Azure Lab Tenant | strongest=Owner; auth=2; eligible=1 | assignment=Succeeded |
| resource-group::rg-platform | Fabrikam Ops | HarrierOps Azure Lab Tenant | strongest=Contributor; auth=1 | assignment=Succeeded |
| resource-group::rg-logging | Northwind MSP | HarrierOps Azure Lab Tenant | strongest=Reader; auth=1 | assignment=Succeeded |
- when the environment may be managed by a service provider or another tenant
- when local RBAC does not fully explain who can operate in the subscription
- when cross-tenant management authority could matter more than local principal inventory
- subscription-scope delegation before narrower scopes
- strong delegated roles
- standing access that matters immediately
- managed-by tenant context that changes who really controls operations here
Azure Lighthouse changes the trust boundary.
A subscription may look locally understandable while still being materially controlled by identities
from another tenant. lighthouse makes that delegated-management story visible early enough that
you do not misread the real administrative picture.
- subscription-scope delegations before resource-group-scope delegations
- strong delegated roles near the top
- standing access before lighter or eligible-only posture
- unusual or failed state cues that deserve validation
- If you see subscription-scope delegation with `has_owner_role=true` or `has_user_access_administrator=true`, go next to Permissions because it helps you compare that delegated management path against the strongest local Azure control paths.
- If you see a narrower resource-group delegation that still looks important, go next to RBAC because it helps separate the delegated scope from the local tenant's direct assignment evidence.
- Treat broad strong delegations as priority review items.
- Pair this output with Permissions and RBAC if you need to compare local and delegated control.
- If an outside tenant has meaningful standing access, include that trust boundary in the rest of your identity assessment.
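The review order and follow-up pivots described above can be applied to saved rows with a short script. This is an added example, not ho-azure's own ranking code: every field name except `has_owner_role` and `has_user_access_administrator` is an assumption about the JSON shape, `auth` is assumed to count standing authorizations, and "still looks important" is assumed to mean any role stronger than Reader.

```python
# Added example. Field names other than has_owner_role and
# has_user_access_administrator are assumed, not the tool's documented schema.
ROLE_WEIGHT = {"Owner": 0, "User Access Administrator": 0, "Contributor": 1, "Reader": 2}

# Constructed rows mirroring the table above, plus one constructed
# eligible-only row with a failed assignment state.
SAMPLE = [
    {"scope": "resource-group::rg-logging", "managing_tenant": "Northwind MSP",
     "strongest_role": "Reader", "auth": 1, "eligible": 0, "state": "Succeeded"},
    {"scope": "resource-group::rg-example", "managing_tenant": "Example MSP",
     "strongest_role": "Contributor", "auth": 0, "eligible": 1, "state": "Failed"},
    {"scope": "subscription::...2222", "managing_tenant": "Contoso Corp.",
     "strongest_role": "Owner", "auth": 2, "eligible": 1,
     "has_owner_role": True, "state": "Succeeded"},
    {"scope": "resource-group::rg-platform", "managing_tenant": "Fabrikam Ops",
     "strongest_role": "Contributor", "auth": 1, "eligible": 0, "state": "Succeeded"},
]

def scope_kind(scope):
    return scope.split("::", 1)[0]

def sort_key(row):
    # Subscription scope first, then stronger roles, then standing access
    # ahead of eligible-only posture.
    sub_first = 0 if scope_kind(row["scope"]) == "subscription" else 1
    role = ROLE_WEIGHT.get(row["strongest_role"], 3)  # unknown roles sort last
    standing = 0 if row.get("auth", 0) > 0 else 1
    return (sub_first, role, standing)

def next_step(row):
    kind = scope_kind(row["scope"])
    strong = row.get("has_owner_role") or row.get("has_user_access_administrator")
    if kind == "subscription" and strong:
        return "permissions"  # compare against the strongest local control paths
    if kind == "resource-group" and row["strongest_role"] != "Reader":
        return "rbac"         # separate delegated scope from direct assignments
    return None

def triage(rows):
    return [{"scope": r["scope"],
             "managing_tenant": r["managing_tenant"],
             "validate_state": r["state"] != "Succeeded",  # unusual or failed cue
             "next": next_step(r)}
            for r in sorted(rows, key=sort_key)]

if __name__ == "__main__":
    for item in triage(SAMPLE):
        print(item)
```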
Loot currently keeps the top-ranked rows for this command. That ordering is useful, but it is not
yet a shipped semantic high / medium / low analyst contract unless the command explicitly
labels rows with a defended priority contract.
lighthouse is a delegated-management triage command.
It should show where outside-tenant management already exists. It is not a full tenant-to-tenant explorer or a workflow for changing delegated access.