Hi guys, Basil is here again 😊
Azure Sentinel is a great cloud Security Information and Event Management (SIEM) service. Using AI and ML, Azure Sentinel can detect and hunt security threats after collecting logs from various data sources. Sentinel also provides data visualization for better monitoring, among other features.
You can read more about Azure Sentinel here:
https://docs.microsoft.com/en-us/azure/sentinel/overview
Natively, Azure Sentinel serves one tenant only. If you're an enterprise with multiple tenants, or an MSP that needs to monitor customers' security logs and incidents, this is hard to do because you always need to switch between tenants.
With Azure Lighthouse we can now manage and monitor multiple Sentinel instances from one portal, in one tenant. This makes life much easier for MSPs and enterprises because it centralizes all Sentinel instances in one place. In this article we're going to demonstrate how that is done.
Assumptions:
- In this guide we're using two tenants, but the same applies if you have more.
- Each tenant should have an Azure Sentinel instance provisioned, up and running.
1-Verify current setup
We have two tenants, each with its own Sentinel instance and its own workspace.
Each tenant has an up and running Azure Sentinel instance.
If you go to Directory + Subscriptions in the upper right corner, it looks like this:
You can only see data for one tenant at a time. This will change once you go through this guide, so keep the screenshot above in mind and compare it with the result once we finish.
2-Onboard tenants to master tenant
I will call the tenant from which you manage all the others the master tenant. It might also be your MSP tenant, to which you need to onboard your customers.
We need to collect the below:
- Master (MSP) tenant ID
- Slave (Customer) tenant ID
- Subscription ID from Slave (Customer tenant)
After the above information is gathered, we are going to use a simple deployment template and run it in the Slave tenant:
https://github.com/Azure/Azure-Lighthouse-samples/
You can choose whichever template best fits your needs, but in this guide I'm going to choose "onboard a subscription" and click Deploy to Azure.
You will then be redirected to Azure. Make sure you're logged in to the Slave tenant, not the Master.
- Msp offer name and description can be anything you want
- Managed by Tenant ID: is your Master (MSP) Tenant ID
- Authorization: here you grant a user or a group from the master tenant access to the slave tenant, with a specific role.
So, let's say you're giving access to one user for now. The input will look like this:
[
  {
    "principalId": "ee8f6d35-15f2-4252-b1b8-591358e8a244",
    "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "principalIdDisplayName": "PIM_Group"
  }
]
The principalId value shall be changed to the object ID of the user or group in the master tenant that you are giving access to. Every user and group in the master tenant has an object ID, right? That ID goes here for the user or group you want to have access to the slave tenant.
roleDefinitionId is the ID of the built-in Azure role, and it changes depending on the role you want the user or group to have. Here's a list of all built-in roles and their IDs:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Finally, the principalIdDisplayName can be whatever you want.
Then click Create and wait until the deployment is completed.
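Because the authorizations array is the part of the template that actually hands out access, it is worth checking it before you deploy. The following is an added example written for this article, not code from the post or from the Azure-Lighthouse-samples project. It builds the authorizations entries, checks that every ID is a well-formed GUID, refuses the Owner role (Azure Lighthouse does not allow delegating it), and writes the result in ARM parameter-file shape. The role IDs come from Microsoft's built-in roles reference linked above (acdd72a7-3385-48ef-bd42-f606fba81ae7, the one used in the post, is the Reader role). The parameter names mspOfferName, mspOfferDescription, managedByTenantId and authorizations are assumed from the sample subscription template, and the tenant ID is a constructed placeholder.

```python
"""Build and sanity-check the Azure Lighthouse 'authorizations' parameter
before deploying the onboarding template (added example, not the post's code)."""
import json
import uuid

# Constructed placeholder for the Master (MSP) tenant ID: replace with your own.
MASTER_TENANT_ID = "11111111-1111-1111-1111-111111111111"
# Object ID of the user/group in the master tenant (the value shown in the post).
SENTINEL_GROUP_OBJECT_ID = "ee8f6d35-15f2-4252-b1b8-591358e8a244"

# Built-in role definition IDs, taken from Microsoft's built-in roles reference:
# https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
BUILT_IN_ROLES = {
    "Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    "Microsoft Sentinel Reader": "8d289c81-5878-46d4-8554-54e1e3d8b5cb",
    "Microsoft Sentinel Responder": "3e150937-b8fe-4cfb-8069-0eaf05ecd056",
    "Microsoft Sentinel Contributor": "ab8e14d6-4a74-4a29-9ba8-549422addade",
}
# Azure Lighthouse does not allow the Owner role to be delegated.
DISALLOWED_ROLES = {BUILT_IN_ROLES["Owner"]}


def is_guid(value):
    """True if value is a canonical, hyphenated GUID string (the form Azure IDs use)."""
    try:
        return str(uuid.UUID(str(value))) == str(value).lower()
    except (ValueError, AttributeError, TypeError):
        return False


def authorization(principal_id, role_name, display_name):
    """One 'authorizations' entry: which master-tenant object gets which role."""
    return {
        "principalId": principal_id,
        "roleDefinitionId": BUILT_IN_ROLES[role_name],
        "principalIdDisplayName": display_name,
    }


def validate_authorizations(authorizations):
    """Return a list of problems; an empty list means the array is safe to deploy."""
    problems = []
    for i, auth in enumerate(authorizations):
        for key in ("principalId", "roleDefinitionId", "principalIdDisplayName"):
            if key not in auth:
                problems.append(f"entry {i}: missing {key}")
        if not is_guid(auth.get("principalId", "")):
            problems.append(f"entry {i}: principalId is not a GUID")
        role = auth.get("roleDefinitionId", "")
        if not is_guid(role):
            problems.append(f"entry {i}: roleDefinitionId is not a GUID")
        elif role in DISALLOWED_ROLES:
            problems.append(f"entry {i}: Owner cannot be delegated through Lighthouse")
        elif role not in BUILT_IN_ROLES.values():
            problems.append(f"entry {i}: roleDefinitionId {role} is not in the known role list")
    return problems


def build_parameters(offer_name, description, managed_by_tenant_id, authorizations):
    """Assemble an ARM parameter-file object for the onboarding template.

    Parameter names (mspOfferName, mspOfferDescription, managedByTenantId,
    authorizations) are assumed from the Azure-Lighthouse-samples subscription
    template; confirm them against the template you actually deploy."""
    if not is_guid(managed_by_tenant_id):
        raise ValueError("managedByTenantId must be a GUID")
    problems = validate_authorizations(authorizations)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "mspOfferName": {"value": offer_name},
            "mspOfferDescription": {"value": description},
            "managedByTenantId": {"value": managed_by_tenant_id},
            "authorizations": {"value": authorizations},
        },
    }


if __name__ == "__main__":
    # Same grant as in the post: the PIM_Group object gets the Reader role.
    auths = [authorization(SENTINEL_GROUP_OBJECT_ID, "Reader", "PIM_Group")]
    params = build_parameters("Central Sentinel monitoring",
                              "Read-only SOC access to customer Sentinel",
                              MASTER_TENANT_ID, auths)
    print(json.dumps(params, indent=2))
```

Save the printed object as a parameters file and pass it to the template deployment in the Slave tenant. Keeping the role at Reader (or one of the Sentinel-specific roles) rather than Contributor follows least privilege: the master tenant only needs to read incidents and logs to monitor them centrally.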
3-How to know if it works?
Sign in to the Master (MSP) tenant and click on Directory + Subscriptions.
You can see that you now have the ability to choose multiple directories (tenants) and subscriptions to show. Choose all directories and all subscriptions.
Go to Azure Sentinel in the Master tenant.
Now you are able to see all Sentinel instances from the different tenants. You can also select several of them and view incidents for all of them at once.
So, that’s it! Thank you and stay tuned for more 😊