Lighthouse - Deploy a Policy that can be remediated with Managed Identity
Can someone confirm whether I'm understanding the Managed Identity part of Azure Policy remediation correctly, based on this article?
https://zcusa.951200.xyz/en-us/azure/lighthouse/how-to/deploy-policy-remediation#create-a-user-who-can-assign-roles-to-a-managed-identity-in-the-customer-tenant
Do we actually need to create a managed identity inside the customer's subscription to use when we remediate a policy?
OR does the remediation create a managed identity in the process to use for remediation?
I just want to make sure we don't make this more difficult than it needs to be by adding a managed identity to all the existing customer subscriptions we manage in Lighthouse.
Currently, the only way I've been able to get an assigned policy to remediate in a customer's subscription, from Lighthouse, is to use a "user-assigned" managed identity that I manually created inside the customer's subscription.
Am I missing something here, or is this exactly how this is supposed to work?
Thank you in advance!
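The flow the post describes (a user-assigned managed identity created manually in the customer subscription, attached to the policy assignment, then a remediation task started from the managing tenant's Lighthouse context), written out as an added PowerShell (Az module) example. It is not part of the original post and not code from the linked article. The tenant ID, subscription ID, resource group, identity name, role name and policy definition GUID are placeholders; in particular the Contributor role stands in for whatever the chosen definition lists under `then.details.roleDefinitionIds`.

```powershell
# Added example, not from the original post. Placeholders: managing tenant ID, customer
# subscription ID, $rgName, $location, $identityName, $roleName, $policyDefinitionName.
# Requires Az.Accounts, Az.Resources, Az.ManagedServiceIdentity and Az.PolicyInsights.

# 1. Sign in to the MANAGING tenant. Under Lighthouse the delegated customer subscription
#    is visible in this context, so no sign-in to the customer tenant is needed.
Connect-AzAccount -Tenant '00000000-0000-0000-0000-000000000000'   # managing tenant (placeholder)
$customerSubId = '11111111-1111-1111-1111-111111111111'              # delegated customer subscription (placeholder)
Set-AzContext -Subscription $customerSubId | Out-Null

$rgName       = 'rg-policy-remediation'    # resource group in the customer subscription (placeholder)
$location     = 'westeurope'
$identityName = 'id-policy-remediation'
$scope        = "/subscriptions/$customerSubId"

# 2. Create the user-assigned managed identity inside the customer subscription
#    (reuse it if it already exists, so the script can be re-run per subscription).
$identity = Get-AzUserAssignedIdentity -ResourceGroupName $rgName -Name $identityName -ErrorAction SilentlyContinue
if (-not $identity) {
    $identity = New-AzUserAssignedIdentity -ResourceGroupName $rgName -Name $identityName -Location $location
    Start-Sleep -Seconds 30   # a freshly created principal can take a moment to replicate before RBAC accepts it
}

# 3. Grant the identity the role(s) the policy's deployIfNotExists/modify effect needs.
#    Read them from the definition's then.details.roleDefinitionIds; Contributor is only a placeholder.
#    This is the step that needs a delegated authorization able to create role assignments
#    (the linked article section covers setting that up in the Lighthouse delegation).
$roleName = 'Contributor'
$existing = Get-AzRoleAssignment -ObjectId $identity.PrincipalId -RoleDefinitionName $roleName -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $identity.PrincipalId -RoleDefinitionName $roleName -Scope $scope | Out-Null
}

# 4. Assign the policy with the identity attached. -Location is mandatory whenever an identity is used.
$policyDefinitionName = '22222222-2222-2222-2222-222222222222'   # built-in definition GUID (placeholder)
$assignmentName       = 'remediate-with-uami'
$definition = Get-AzPolicyDefinition -Name $policyDefinitionName
New-AzPolicyAssignment -Name $assignmentName `
                       -DisplayName 'Remediation via user-assigned identity' `
                       -Scope $scope `
                       -PolicyDefinition $definition `
                       -IdentityType 'UserAssigned' `
                       -IdentityId $identity.Id `
                       -Location $location | Out-Null

# 5. Start a remediation task for resources that already exist (needs Resource Policy
#    Contributor or equivalent in the delegation), then poll until it finishes.
$assignmentId = "$scope/providers/Microsoft.Authorization/policyAssignments/$assignmentName"
$remediation  = Start-AzPolicyRemediation -Name "$assignmentName-$(Get-Date -Format yyyyMMddHHmm)" `
                                          -Scope $scope `
                                          -PolicyAssignmentId $assignmentId
do {
    Start-Sleep -Seconds 30
    $remediation = Get-AzPolicyRemediation -Name $remediation.Name -Scope $scope
    '{0}: {1} succeeded, {2} failed' -f $remediation.ProvisioningState,
        $remediation.DeploymentSummary.SuccessfulDeployments,
        $remediation.DeploymentSummary.FailedDeployments
} while ($remediation.ProvisioningState -in 'Accepted', 'Evaluating', 'Running')
```

The only part of this that has to live in the customer subscription is step 2; steps 3 to 5 run entirely from the managing tenant's delegated context. Checking the definition's `roleDefinitionIds` before step 3 keeps the identity at least privilege rather than handing it Contributor by default.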