Feb 28 2019 10:55 AM
We are interested in knowing when a Managed Security Service Provider can use Azure Sentinel to manage multiple customer environments. Is this MSSP scenario something the engineering team is committed to?
Feb 28 2019 02:52 PM
@Eliav Levi or @Koby Koren: Is this something you can elaborate on at this time?
Apr 30 2020 05:06 AM
Apr 30 2020 05:34 AM - edited Apr 30 2020 05:35 AM
I just saw this old question by @Joe Stocker and @Vartan_Andreev. The answer to your question is 'yes'. The engineers were focussed on allowing MSSP's to manage multiple customers.
We are an MSSP in the NL and we use Azure Lighthouse (https://azure.microsoft.com/en-us/services/azure-lighthouse/) to establish the connection between our Azure Sentinel workspace/tenant with the workspace/tenant of our customer. After our customer deploys the ARM template that we send to them, our Analysts and Engineers have 'Azure Sentinel Contributor' (built-in RBAC) among others permission in their workspace/tenant. From that moment we can define the monitoring rules, connect those to playbooks, create dashboards, ... There are still a couple of challenges for MSSP's for example, the intellectual property, but this is another question.