Forum Discussion

truekonrads
Brass Contributor
Jul 17, 2020

Permissions required to grant Sentinel access

Hello,

I am troubleshooting Sentinel access issues on the Azure portal - I can access the Log Analytics workspace but not the Sentinel workspace.

So far the setup is such:

  • Group "Sentinel Users" to which all Sentinel users belong
  • Dedicated Resource Group "RG_Sentinel"; Sentinel Users have Owner level access.
  • At Subscription level (Sub1), Sentinel Users have "Reader" and "Azure Sentinel Contributor"

The selection for "Azure Sentinel Workspaces" (https://portal.azure.com/#blade/Microsoft_Azure_Security_Insights/WorkspaceSelectorBlade) is empty.

But the Log Analytics workspace which belongs to the dedicated resource group "RG_Sentinel" and is associated with Sentinel is readily visible and I can use it as you'd expect.

I've checked that the Sentinel workspace belongs to the Sub1 group and the user I'm testing belongs to "Sentinel Users". The user is an external user.
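Azure RBAC assignments inherit downwards, so the "Azure Sentinel Contributor" assignment at subscription scope should apply to the workspace in RG_Sentinel as well; the quickest way to confirm what a given user effectively holds is to list the assignments that apply at the workspace's own scope, including inherited ones and ones received through group membership. The following Az PowerShell script is an added example for that check and is not part of the original post. It assumes the Az module is installed and Connect-AzAccount has been run against the tenant holding Sub1; the subscription ID, the workspace name and the user's object ID are placeholders to replace with your own values.

```powershell
# Added example (not from the original post). Assumes the Az PowerShell module and
# an existing Connect-AzAccount session. All IDs and the workspace name are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # Sub1 (placeholder)
$resourceGroup  = 'RG_Sentinel'
$workspaceName  = 'sentinel-workspace'                     # assumed workspace name
$userObjectId   = '11111111-1111-1111-1111-111111111111'   # the external user's object ID (placeholder)

Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1. The Log Analytics workspace the Sentinel workspace selector should list.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $resourceGroup -Name $workspaceName

# 2. Every role assignment that applies at the workspace scope: direct ones, ones
#    inherited from RG_Sentinel and Sub1, and ones the user receives through a
#    group such as "Sentinel Users" (-ExpandPrincipalGroups resolves the groups).
$assignments = Get-AzRoleAssignment -ObjectId $userObjectId `
                                    -Scope $ws.ResourceId `
                                    -ExpandPrincipalGroups

$assignments |
    Select-Object RoleDefinitionName, Scope, ObjectType, DisplayName |
    Format-Table -AutoSize

# 3. Pick out the assignments that are enough for the Sentinel blade. The built-in
#    Sentinel roles all carry "Sentinel" in their name; Owner and Contributor on the
#    workspace, resource group or subscription cover it as well.
$sentinelRoles = $assignments | Where-Object {
    $_.RoleDefinitionName -match 'Sentinel|^Owner$|^Contributor$'
}

if ($sentinelRoles) {
    "Sentinel-capable role assignment(s) that apply to $($ws.Name):"
    $sentinelRoles | ForEach-Object { "  {0}  @  {1}" -f $_.RoleDefinitionName, $_.Scope }
} else {
    "No Sentinel-capable role assignment applies at $($ws.ResourceId)"
}

# 4. Sentinel lives in the Microsoft.SecurityInsights resource provider; worth
#    confirming it is registered in the subscription while you are at it.
Get-AzResourceProvider -ProviderNamespace Microsoft.SecurityInsights |
    Select-Object ProviderNamespace, RegistrationState -Unique
```

With the setup described in the post, the output of step 3 should show "Owner" at the RG_Sentinel scope and "Azure Sentinel Contributor" plus "Reader" at the /subscriptions/Sub1 scope, each with ObjectType Group and DisplayName "Sentinel Users". If the group assignments are missing from the list, the script is running as an identity without directory read permission (which -ExpandPrincipalGroups needs) or the user is not in the group in this tenant; for a guest account, make sure the object ID is the guest object in the Sub1 tenant, not the home-tenant account.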

5 Replies

  • truekonrads
    Brass Contributor
    UPDATE: after a fairly extended period of time - several days; this issue resolved itself without anyone doing anything about it. Very annoying but glad it works
  • GaryBushey
    Bronze Contributor

    truekonrads, I am not sure about why you don't see the workspace but I have a question as to why you are using an external user like that rather than using Lighthouse? If I were to hazard a guess I would think there is something about the user being external that is causing issues.

    • truekonrads
      Brass Contributor

      GaryBushey, good call on Lighthouse, we'll look to transition to this. That said, the person who was adding permissions and had Sub Owner permissions also was an external user.

      • truekonrads
        Brass Contributor

        truekonrads, however, Lighthouse isn't the solution in principle I think, because while Sentinel can collect most data, some things in the Microsoft security suite don't blend into Lighthouse - such as Win Def ATP, Azure ATA and others. If you have Sentinel and WD ATP, you still need a login on the customer tenant.
