Lighthouse
lighthouse shows Azure Lighthouse delegated management in the current scope.
Use it when you need to know whether another tenant already has management authority over the subscription or resource groups you are reviewing.
- Is Azure Lighthouse present here?
- Which outside tenant has delegated management authority?
- Which delegation changes the control picture most?
```bash
azurefox lighthouse --output table
```

For saved structured review:

```bash
azurefox lighthouse --output json
```

| scope | managing tenant | managed tenant | access | state |
|---|---|---|---|---|
| subscription::...2222 | Contoso Corp. | AzureFox Lab Tenant | strongest=Owner; auth=2; eligible=1 | assignment=Succeeded |
| resource-group::rg-platform | Fabrikam Ops | AzureFox Lab Tenant | strongest=Contributor; auth=1 | assignment=Succeeded |
| resource-group::rg-logging | Northwind MSP | AzureFox Lab Tenant | strongest=Reader; auth=1 | assignment=Succeeded |

- when the environment may be managed by a service provider or another tenant
- when local RBAC does not fully explain who can operate in the subscription
- when cross-tenant management authority could matter more than local principal inventory
- subscription-scope delegation before narrower scopes
- strong delegated roles
- standing access that matters immediately
- managed-by tenant context that changes who really controls operations here
Azure Lighthouse changes the trust boundary.
A subscription may look locally understandable while still being materially controlled by identities
from another tenant. lighthouse makes that delegated-management story visible early enough that
you do not misread the real administrative picture.
- subscription-scope delegations before resource-group-scope delegations
- strong delegated roles near the top
- standing access before lighter or eligible-only posture
- unusual or failed state cues that deserve validation
- If you see subscription-scope delegation with `has_owner_role=true` or `has_user_access_administrator=true`, go next to Permissions because it helps you compare that delegated management path against the strongest local Azure control paths.
- If you see a narrower resource-group delegation that still looks important, go next to RBAC because it helps separate the delegated scope from the local tenant's direct assignment evidence.
- Treat broad strong delegations as priority review items.
- Pair this output with Permissions and RBAC if you need to compare local and delegated control.
- If an outside tenant has meaningful standing access, include that trust boundary in the rest of your identity assessment.
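
The reading order and next-step rules above, applied to the rows of the example table. This is an added example, not AzureFox code: the tuple layout, the role ranking, and the reading of `auth` as standing and `eligible` as eligible-only authorizations are assumptions.

```python
# Added example: order delegation rows the way this page says to read them.
# Assumed ranking; roles not listed here are reviewed first, not assumed weak.
ROLE_RANK = {"Owner": 0, "User Access Administrator": 1, "Contributor": 2, "Reader": 3}

# Constructed rows: (scope, managing tenant, access, state), copied from the table above.
ROWS = [
    ("resource-group::rg-logging", "Northwind MSP",
     "strongest=Reader; auth=1", "assignment=Succeeded"),
    ("resource-group::rg-platform", "Fabrikam Ops",
     "strongest=Contributor; auth=1", "assignment=Succeeded"),
    ("subscription::...2222", "Contoso Corp.",
     "strongest=Owner; auth=2; eligible=1", "assignment=Succeeded"),
]


def parse_cell(cell):
    """Turn a 'key=value; key=value' cell into a dict."""
    pairs = (part.split("=", 1) for part in cell.split(";") if "=" in part)
    return {key.strip(): value.strip() for key, value in pairs}


def triage(rows):
    findings = []
    for scope, tenant, access, state in rows:
        cell = parse_cell(access)
        role = cell.get("strongest", "")
        rank = ROLE_RANK.get(role, 0)
        at_subscription = scope.startswith("subscription::")
        # Assumption: auth counts standing authorizations, eligible counts eligible-only ones.
        standing = int(cell.get("auth", 0)) > 0
        if at_subscription and role in ("Owner", "User Access Administrator"):
            next_step = "permissions"  # compare against the strongest local control paths
        elif not at_subscription and rank < ROLE_RANK["Reader"]:
            next_step = "rbac"  # assumption: stronger than Reader counts as "important"
        else:
            next_step = None
        findings.append({
            "scope": scope, "managing_tenant": tenant, "role": role,
            "standing": standing, "next_step": next_step,
            "validate_state": parse_cell(state).get("assignment") != "Succeeded",
            "_key": (not at_subscription, rank, not standing),
        })
    return sorted(findings, key=lambda f: f["_key"])


if __name__ == "__main__":
    for f in triage(ROWS):
        print(f["scope"], f["managing_tenant"], f["role"], f["next_step"], f["validate_state"])
```
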
lighthouse is a delegated-management triage command.
It should show where outside-tenant management already exists. It is not a full tenant-to-tenant explorer or a workflow for changing delegated access.