Azure Contributor role

Azure Lighthouse limitations

So we tried to implement the recently released Azure Lighthouse by the book, in order to centrally manage multiple Azure customers. The recommended Contributor role, which is the highest Azure role you can use with Lighthouse, has some very interesting limitations, especially around what you can do with Azure Policy: the Microsoft.Authorization/*/Delete and Microsoft.Authorization/*/Write operations are prohibited, so you cannot deploy any Azure Policies to a customer's subscriptions.

Azure Contributor role

There is a way to work around this limitation of the Contributor role: add another role to the onboarding process, Security Admin.

Azure Security Admin role
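To see why the extra role is needed, here is an added Python sketch (not from the original post) of how Azure RBAC resolves a role's Actions against its NotActions, and how a second role assignment widens the effective permissions. The role definitions in it are abbreviated, constructed samples, not the authoritative built-in definitions; pull the real ones with `az role definition list --name "<role>"` before relying on them.

```python
"""Evaluate whether a set of Azure RBAC role definitions permits a
control-plane operation.  Added illustration; the role definitions below are
abbreviated, constructed samples and not the authoritative built-in ones."""
from fnmatch import fnmatchcase

# Constructed, abbreviated samples of two built-in roles (assumption: verify
# the real Actions/NotActions with `az role definition list --name <role>`).
ROLES = {
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Security Admin": {
        "actions": [
            "Microsoft.Authorization/policyAssignments/*",
            "Microsoft.Authorization/policyDefinitions/*",
            "Microsoft.Authorization/policySetDefinitions/*",
            "Microsoft.Security/*",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
        ],
        "notActions": [],
    },
}

# Operations a Lighthouse operator typically needs when deploying policy,
# plus two controls for comparison.
POLICY_OPS = [
    "Microsoft.Authorization/policyAssignments/write",
    "Microsoft.Authorization/policyDefinitions/write",
    "Microsoft.Authorization/policyAssignments/delete",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Compute/virtualMachines/write",
]


def _matches(pattern, operation):
    """Azure RBAC action strings are case-insensitive and '*' may span '/'
    segments, which is exactly what fnmatch's '*' does."""
    return fnmatchcase(operation.lower(), pattern.lower())


def role_allows(role, operation):
    """One role allows an operation if some Actions entry matches it and no
    NotActions entry matches it.  NotActions only subtract from this role's
    own Actions; they are not a deny that affects other roles."""
    allowed = any(_matches(p, operation) for p in role["actions"])
    denied = any(_matches(p, operation) for p in role["notActions"])
    return allowed and not denied


def effective_allows(role_names, operation):
    """Effective permission across several assignments is the union: the
    operation is allowed if any assigned role allows it on its own."""
    return any(role_allows(ROLES[name], operation) for name in role_names)


def blocked_operations(role_names, operations=POLICY_OPS):
    """Return the operations that the given role set cannot perform."""
    return [op for op in operations if not effective_allows(role_names, op)]


if __name__ == "__main__":
    for roles in (["Contributor"], ["Contributor", "Security Admin"]):
        print(f"{' + '.join(roles)} cannot perform:")
        for op in blocked_operations(roles):
            print(f"  {op}")
```

Running it shows that Contributor alone is stopped by its own NotActions on every policy write and delete, that adding Security Admin lifts exactly the policy operations, and that role assignment writes stay blocked either way, which is the behaviour to expect after the onboarding change described above.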