Azure Lighthouse: the standing access that never shows in your IAM blade
Azure Lighthouse lets a managing tenant act on your resources without a guest account, and the grant never shows in your IAM blade. Here is how that hides over-broad access and how to find it.
A principal is changing your Azure resources, but you cannot find it anywhere in Access control. That is not a logging gap. It is Azure Lighthouse working as designed, and it is exactly why over-broad delegations stay hidden.
How the attack works
A managing tenant (an MSP, or an attacker who onboarded a rogue managed-services offer) holds an Azure Lighthouse delegation over your subscription that is far broader than it should be. Principals in that tenant act on your resources with standing access, often Contributor-equivalent across the whole subscription. The Activity Log records the writes and stamps the caller’s home tenant as the managing tenant, yet the principal never appears in your Access control (IAM) role assignments, because the grant lives in the delegation, not in a local role. In ATT&CK terms this is T1199, Trusted Relationship, paired with T1078.004, Valid Accounts: Cloud Accounts.
Why it works
Lighthouse delegated access is invisible to the access reviews most teams run. You audit IAM role assignments, the delegation is not there, and the standing over-broad authority sails through every review untouched.
How to fix it
Delegated access is managed where it lives, not in IAM. Go to Service providers (delegations) and remove or scope down the registration assignment for the managing tenant. Editing the IAM blade or adding a deny role there does nothing, because the grant is not in IAM. Then enumerate what actually happened: filter your own Activity Log for operations whose caller home tenant is the managing tenant across the delegation’s lifetime. To stop recurrence, review delegations on a schedule, scope each to least-privilege roles and minimal resource groups, restrict which offers can be onboarded, and alert on any new registration assignment.
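The enumeration step above, as an added example that is not code from the original post: a Python triage script over a constructed Activity Log export that keeps only write-class operations whose caller signed in from the managing tenant, groups them per caller and resource group so the delegation can be re-scoped to what was actually used, and flags callers that hold no local IAM role assignment. It assumes the caller's home tenant is carried in the event's claims under the tenantid claim key, and that you supply the principals from your own IAM role assignments separately.

```python
from collections import defaultdict
# Claim key carrying the caller's home tenant in an Activity Log event
# (assumed; confirm against events exported from your own tenant).
TENANT_CLAIM = "http://schemas.microsoft.com/identity/claims/tenantid"
# Constructed sample data, not real tenants, principals or resources.
MANAGING_TENANT = "00000000-0000-0000-0000-00000000aaaa"
SAMPLE_EVENTS = [
    {"caller": "ops@msp.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "resourceId": "/subscriptions/s1/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm1",
     "claims": {TENANT_CLAIM: MANAGING_TENANT}},
    {"caller": "ops@msp.example",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "resourceId": "/subscriptions/s1/resourcegroups/rg-finance/providers/Microsoft.Authorization/roleAssignments/ra1",
     "claims": {TENANT_CLAIM: MANAGING_TENANT}},
    {"caller": "alice@customer.example",
     "operationName": {"value": "Microsoft.Storage/storageAccounts/write"},
     "resourceId": "/subscriptions/s1/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/sa1",
     "claims": {TENANT_CLAIM: "00000000-0000-0000-0000-00000000bbbb"}},
]
# Constructed: principals that do appear in the subscription's IAM role assignments.
LOCAL_IAM_PRINCIPALS = {"alice@customer.example"}

def resource_group(resource_id):
    """Resource group from an ARM id; the segment name is matched case-insensitively."""
    parts = resource_id.split("/")
    for i, part in enumerate(parts[:-1]):
        if part.lower() == "resourcegroups":
            return parts[i + 1]
    return None

def delegated_activity(events, managing_tenant):
    """Write-class ops performed from the managing tenant, grouped per caller for re-scoping."""
    summary = defaultdict(lambda: {"ops": set(), "resource_groups": set()})
    for event in events:
        if event.get("claims", {}).get(TENANT_CLAIM) != managing_tenant:
            continue
        op = event["operationName"]["value"]
        if not op.endswith(("/write", "/delete", "/action")):
            continue
        entry = summary[event["caller"]]
        entry["ops"].add(op)
        entry["resource_groups"].add(resource_group(event["resourceId"]))
    return dict(summary)

def ghost_principals(events, managing_tenant, local_iam_principals):
    """Callers acting from the managing tenant that hold no local IAM role assignment."""
    return sorted(c for c in delegated_activity(events, managing_tenant)
                  if c not in local_iam_principals)
```

Feed it a real export (for example the JSON from `az monitor activity-log list`) and the result of `az role assignment list` to reproduce the check on your own subscription; the resource-group set per caller is the input for scoping the registration assignment down.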
Practice it
We built this as a GraphLattice Range scenario so teams can rehearse finding and cutting a hidden Lighthouse delegation under Service providers instead of hunting fruitlessly in the IAM blade.