Forum Discussion
Sentinel RBAC in the Unified portal: who has activated Unified RBAC, and how did it go?
If interested in GDAP Public preview: Configure delegated access with governance relationships for multitenant organizations - Unified security operations | Microsoft Learn.
If you are interested in moving to Defender: The Unified SecOps Transition — Why It Is a Security Architecture Decision, Not Just a Portal Change | Microsoft Community Hub
- AnthonyPorter, Apr 25, 2026, Brass Contributor
Mohit, thank you for these. Both links are directly relevant, and the governance relationships documentation fills in detail the article needed.
A few points I want to confirm before updating the article:
The three‑step handshake I described is directionally correct, but the documentation makes it clear that the governed tenant must first enable receiving governance invitations. That setting is off by default in Tenant Governance settings, and it is an important prerequisite I had not included.
The role requirements are also more specific. The governing tenant needs a Tenant Governance Relationship Administrator to manage the relationship. The governed tenant needs a Tenant Governance Administrator to send the initial invitation. Assigning permissions to a remote tenant group in the governed tenant requires either User Access Administrator in Azure RBAC or User Administrator in Entra RBAC. In environments where those roles are tightly controlled, this becomes a meaningful pre‑migration step.
The security group constraints are also important. Groups used in the relationship template must have SecurityEnabled set to true, IsAssignableToRole set to true, and cannot be Microsoft 365 unified groups. That last point will catch teams who default to M365 groups.
On the Unified SecOps transition blog post, the framing of this as a security architecture decision rather than a portal change is exactly the positioning I have been aiming for. The two‑tier data architecture table is something I plan to reference in later parts, especially Part 5 on the MSSP migration playbook.
One question for you: the documentation describes assigning remote tenant groups to Azure Resource Manager resources in the governed tenant to enable Sentinel management. Is the expectation that this ARM role assignment is required in addition to the Defender portal governance relationship, or does the Defender portal relationship handle Sentinel RBAC once the remote tenant groups are synchronised? The documentation suggests both are needed, but I want to confirm before writing it into the article.
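The three group constraints discussed above, as an added pre-migration check that is not part of this thread or of Microsoft's tooling: it evaluates group records in the shape Microsoft Graph returns (securityEnabled, isAssignableToRole, groupTypes), and the sample records are constructed.

```python
# Added example, not code from this thread or from Microsoft. It checks group records
# as returned by Graph (GET /groups selecting the properties below) against the rules.
from typing import Iterable

REQUIRED = ("displayName", "securityEnabled", "isAssignableToRole", "groupTypes")


def group_problems(group: dict) -> list[str]:
    """Return every reason the group cannot be used in the relationship template."""
    missing = [f for f in REQUIRED if f not in group]
    if missing:
        # A $select that omitted these properties cannot be judged, so say so.
        return [f"record lacks properties: {', '.join(missing)}"]
    problems: list[str] = []
    if group["securityEnabled"] is not True:
        problems.append("securityEnabled must be true")
    if group["isAssignableToRole"] is not True:
        # isAssignableToRole is fixed when the group is created, so a group that
        # fails here has to be recreated rather than edited.
        problems.append("isAssignableToRole must be true (set at creation only)")
    if "Unified" in group["groupTypes"]:
        # "Unified" in groupTypes is how Graph marks a Microsoft 365 group.
        problems.append("Microsoft 365 (Unified) groups are not allowed")
    return problems


def partition_groups(groups: Iterable[dict]) -> tuple[list[str], dict[str, list[str]]]:
    """Split groups into usable display names and a map of rejected name -> reasons."""
    usable: list[str] = []
    rejected: dict[str, list[str]] = {}
    for g in groups:
        name = g.get("displayName") or g.get("id", "<unnamed>")
        issues = group_problems(g)
        if issues:
            rejected[name] = issues
        else:
            usable.append(name)
    return usable, rejected


SAMPLE_GROUPS = [  # constructed records mirroring Graph group objects, not real tenant data
    {"displayName": "SOC-Tier2-RemoteOps", "securityEnabled": True,
     "isAssignableToRole": True, "groupTypes": []},
    {"displayName": "SOC Team", "securityEnabled": False,
     "isAssignableToRole": False, "groupTypes": ["Unified"]},
    {"displayName": "Sentinel-Readers", "securityEnabled": True,
     "isAssignableToRole": False, "groupTypes": []},
]
```

Run `partition_groups` over the output of a Graph `/groups` query before building the template; any group listed under rejected with the isAssignableToRole reason needs a replacement group, since that flag cannot be toggled later.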