cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Home

Multiple Subscriptions in Sentinel

%3CLINGO-SUB%20id%3D%22lingo-sub-390080%22%20slang%3D%22en-US%22%3EMultiple%20Subscriptions%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-390080%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20all%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20I%20set%20up%20a%20central%20Azure%20Sentinel%20to%20monitor%20multiple%20subscriptions%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOr%20is%20one%20Azure%20Sentinel%20recommended%20per%20subscription%3F%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EBest%3C%2FP%3E%3CP%3EChristian%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-392176%22%20slang%3D%22en-US%22%3ERe%3A%20Multiple%20Subscriptions%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-392176%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F43003%22%20target%3D%22_blank%22%3E%40Andrea%20Fisher%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20'Segoe%20UI'%2C%20'Helvetica%20Neue'%2C%20'Apple%20Color%20Emoji'%2C%20'Segoe%20UI%20Emoji'%2C%20Helvetica%2C%20Arial%2C%20sans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant-ligatures%3A%20normal%3B%20font-variant-caps%3A%20normal%3B%20font-weight%3A%20normal%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20start%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20white-space%3A%20normal%3B%20widows%3A%202%3B%20word-spacing%3A%200px%3B%22%3EWe%20don't%20have%20multi-tenant%20support%20at%20this%20point.%20If%20all%20subs%20are%20on%20the%20same%20tenant%2C%20than%20it%20should%20work.%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-392139%22%20slang%3D%22en-US%22%3ERe%3A%20Multiple%20Subscriptions%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-392139%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F89690%22%20target%3D%22_blank%22%3E%40Chris%20Boehm%3C%2FA%3E%26nbsp%3B%20Does%20it%20work%20across%20multiple%20subscriptions%3F%20Maybe%20I%20don't%20understand%20what%20you%20mean%20by%20that%20but%20I%20would%20like%20to%20bring%20in%20MCAS%20data%20from%20multiple%20tenants%20and%20that%20doesn't%20seem%20to%20be%20possible.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-390480%22%20slang%3D%22en-US%22%3ERe%3A%20Multiple%20Subscriptions%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-390480%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F308742%22%20target%3D%22_blank%22%3E%40christian-knipping%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAt%20this%20time%20it's%20one%20Azure%20Sentinel%20Workspace%20per%20Tenant%2C%20Azure%20Sentinel%20works%20across%20subscriptions.%20Microsoft%20is%20in%20the%20process%20of%20looking%20into%20MSP%20(Managed%20Service%20Provider%20)%20solutions%20but%20nothing%20has%20been%20publicly%20released%20at%20this%20time.%20Please%20feel%20free%20to%20reach%20out%20if%20you%20have%20any%20more%20questions.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-390479%22%20slang%3D%22en-US%22%3ERe%3A%20Multiple%20Subscriptions%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-390479%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F308742%22%20target%3D%22_blank%22%3E%40christian-knipping%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECC%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F89690%22%20target%3D%22_blank%22%3E%40Chris%20Boehm%3C%2FA%3E%20and%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F16203%22%20target%3D%22_blank%22%3E%40Shalini%20Pasupneti%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-482844%22%20slang%3D%22en-US%22%3ERe%3A%20Multiple%20Subscriptions%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-482844%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F89690%22%20target%3D%22_blank%22%3E%40Chris%20Boehm%3C%2FA%3E%26nbsp%3Bis%20there%20any%20beta%20program%20an%20MSP%20could%20take%20part%20in%20to%20assist%20in%20trialing%20features%20%3A)%3C%2Fimg%3E%20Any%20idea%20of%20when%20something%20public%20may%20be%20released%3F%20For%20now%20if%20we%20set%20up%20a%20Azure%20tenant%20for%20the%20customer%20will%20there%20be%20a%20migration%20tool%20to%20bring%20into%20multi-tenant%20when%20that%20option%20is%20available%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-483030%22%20slang%3D%22en-US%22%3ERe%3A%20Multiple%20Subscriptions%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-483030%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F49469%22%20target%3D%22_blank%22%3E%40Jarrod%20Winsor%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe'll%20most%20likely%20make%20the%20announcement%20within%20this%20communities%20page%20for%20the%20preview%20functionality%2C%20you're%20already%20looking%20in%20the%20best%20location%20at%20this%20time%20%3A)%3C%2Fimg%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20don't%20have%20an%20answer%20at%20this%20time%20on%20the%20migration%20path%20if%20it'll%20just%20be%20a%20connection%20between%20workspaces%20with%20the%20key%20or%20if%20it'll%20be%20a%20different%20interface%20to%20integrate%20them.%20I'm%20sure%20we'll%20announce%20the%20details%20whenever%20they've%20been%20established.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EGreat%20question!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%2C%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-799556%22%20slang%3D%22en-US%22%3ERe%3A%20Multiple%20Subscriptions%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-799556%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F89690%22%20target%3D%22_blank%22%3E%40Chris%20Boehm%3C%2FA%3E%26nbsp%3Bis%20there%20any%20further%20update%20on%20multi%20tenant%20support%20for%20Sentinel%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-802288%22%20slang%3D%22en-US%22%3ERe%3A%20Multiple%20Subscriptions%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-802288%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F506%22%20target%3D%22_blank%22%3E%40Rob%20Ellis%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDevelopment%20is%20already%20in%20process%3B%20if%20you%20haven't%20looked%20into%20it%20we're%20using%20Azure%20Lighthouse%20for%20the%20MSSP%20solution%3A%26nbsp%3B%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fservices%2Fazure-lighthouse%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fservices%2Fazure-lighthouse%2F%3C%2FA%3E%3C%2FFONT%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-802365%22%20slang%3D%22en-US%22%3ERe%3A%20Multiple%20Subscriptions%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-802365%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F89690%22%20target%3D%22_blank%22%3E%40Chris%20Boehm%3C%2FA%3E%26nbsp%3Bthanks%20-%20I%20saw%20Lighthouse%20mentioned%20recently%20-%20I%20did%20wonder%20if%20it%20was%20related%2C%20so%20good%20to%20know.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-803607%22%20slang%3D%22en-US%22%3ERe%3A%20Multiple%20Subscriptions%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-803607%22%20slang%3D%22en-US%22%3ECould%20you%20elaborate%20on%20%22across%20subscription%22%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-803923%22%20slang%3D%22en-US%22%3ERe%3A%20Multiple%20Subscriptions%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-803923%22%20slang%3D%22en-US%22%3EAzure%20Sentinel%20is%20using%20Log%20Analytics%20within%20one%20tenant%20with%20one%20to%20multiple%20subscriptions.%20If%20you%20have%20multiple%20subscriptions%20they%20can%20interact%20with%20each%20other%20with%20RBAC%20permissions%20of%20data%20when%20pulling%20into%20a%20sentinel%20workspace.%20If%20you're%20wanting%20to%20know%20how%20to%20do%20%E2%80%9Ccross-tenant%E2%80%9D%20data%20monitoring%20you%E2%80%99re%20required%20to%20use%20the%20MSSP%20solution%20%E2%80%9CAzure%20Lighthouse%E2%80%9D%20with%20Azure%20Sentinel.%20%3CBR%20%2F%3E%3CBR%20%2F%3EIs%20there%20a%20specific%20question%20to%20subscriptions%20that%E2%80%99s%20not%20clear%20in%20our%20documentation%20that%20we%20can%20improve%20upon%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-807348%22%20slang%3D%22en-US%22%3ERe%3A%20Multiple%20Subscriptions%20in%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-807348%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F89690%22%20target%3D%22_blank%22%3E%40Chris%20Boehm%3C%2FA%3EIs%20there%20an%20aggregation%20capability%20to%20provide%20a%20%22single%20pane%20of%20glass%22%20for%20all%20CSP%20tenants%3F%20From%20the%20documentation%2C%20it%20appears%20that%20the%20CSP%20can%20gain%20delegated%20access%20to%20each%20individual%20tenant%20for%20Log%20Analytics%20and%20ASC.%26nbsp%3B%20This%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Flighthouse%2Fconcepts%2Fcross-tenant-management-experience%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Earticle%3C%2FA%3Ementions%20%22cross-tenant%20visibility%22%20for%20ASC%2C%20but%20does%20not%20show%20what%20the%20user%20experience%20is%20like.%20It%20would%20be%20nice%20to%20see%20a%20screen-shot%20showing%20multiple%20subscriptions%20from%20multiple%20Azure%20AD%20tenants%20in%20a%20centralized%20view%20in%20Sentinel%20and%20ASC.%3C%2FP%3E%3C%2FLINGO-BODY%3E
christian-knipping
christian-knipping
Visitor

‎03-28-2019 06:13 AM

‎03-28-2019 06:13 AM

Multiple Subscriptions in Sentinel

Hello all,

 

Can I set up a central Azure Sentinel to monitor multiple subscriptions?

 

Or is one Azure Sentinel recommended per subscription?


Best

Christian

1,718 Views
2 Likes
12 Replies
Reply
12 Replies
Ryan Heffernan

‎03-28-2019 04:09 PM

‎03-28-2019 04:09 PM

Re: Multiple Subscriptions in Sentinel

@christian-knipping 

 

CC: @Chris Boehm and @Shalini Pasupneti 

0 Likes
Reply
Chris Boehm

‎03-28-2019 04:24 PM - edited ‎04-01-2019 05:15 AM

‎03-28-2019 04:24 PM - edited ‎04-01-2019 05:15 AM

Re: Multiple Subscriptions in Sentinel

@christian-knipping 

 

At this time it's one Azure Sentinel Workspace per Tenant, Azure Sentinel works across subscriptions. Microsoft is in the process of looking into MSP (Managed Service Provider ) solutions but nothing has been publicly released at this time. Please feel free to reach out if you have any more questions.

2 Likes
Reply
Andrea Fisher

‎04-01-2019 01:21 PM

‎04-01-2019 01:21 PM

Re: Multiple Subscriptions in Sentinel

@Chris Boehm  Does it work across multiple subscriptions? Maybe I don't understand what you mean by that but I would like to bring in MCAS data from multiple tenants and that doesn't seem to be possible.

0 Likes
Reply
Chris Boehm

‎04-01-2019 01:59 PM

‎04-01-2019 01:59 PM

Re: Multiple Subscriptions in Sentinel

@Andrea Fisher 

We don't have multi-tenant support at this point. If all subs are on the same tenant, than it should work.
0 Likes
Reply
Jarrod Winsor

‎04-25-2019 09:41 AM

‎04-25-2019 09:41 AM

Re: Multiple Subscriptions in Sentinel

@Chris Boehm is there any beta program an MSP could take part in to assist in trialing features :) Any idea of when something public may be released? For now if we set up a Azure tenant for the customer will there be a migration tool to bring into multi-tenant when that option is available?

 

 

0 Likes
Reply
Chris Boehm

‎04-25-2019 01:59 PM

‎04-25-2019 01:59 PM

Re: Multiple Subscriptions in Sentinel

@Jarrod Winsor 

 

We'll most likely make the announcement within this communities page for the preview functionality, you're already looking in the best location at this time :)

 

I don't have an answer at this time on the migration path if it'll just be a connection between workspaces with the key or if it'll be a different interface to integrate them. I'm sure we'll announce the details whenever they've been established.

 

Great question!

 

Thanks,

0 Likes
Reply
Rob Ellis

‎08-12-2019 01:42 AM

‎08-12-2019 01:42 AM

Re: Multiple Subscriptions in Sentinel

@Chris Boehm is there any further update on multi tenant support for Sentinel?

0 Likes
Reply
Chris Boehm

‎08-13-2019 03:20 AM - edited ‎08-13-2019 03:20 AM

‎08-13-2019 03:20 AM - edited ‎08-13-2019 03:20 AM

Re: Multiple Subscriptions in Sentinel

@Rob Ellis 

 

Development is already in process; if you haven't looked into it we're using Azure Lighthouse for the MSSP solution: https://azure.microsoft.com/en-us/services/azure-lighthouse/ 

0 Likes
Reply
Rob Ellis

‎08-13-2019 04:39 AM

‎08-13-2019 04:39 AM

Re: Multiple Subscriptions in Sentinel

@Chris Boehm thanks - I saw Lighthouse mentioned recently - I did wonder if it was related, so good to know.

0 Likes
Reply
Thuan Ng

‎08-13-2019 04:48 PM

‎08-13-2019 04:48 PM

Re: Multiple Subscriptions in Sentinel

Could you elaborate on "across subscription"?
0 Likes
Reply
Chris Boehm

‎08-13-2019 11:42 PM

‎08-13-2019 11:42 PM

Re: Multiple Subscriptions in Sentinel

Azure Sentinel is using Log Analytics within one tenant with one to multiple subscriptions. If you have multiple subscriptions they can interact with each other with RBAC permissions of data when pulling into a sentinel workspace. If you're wanting to know how to do “cross-tenant” data monitoring you’re required to use the MSSP solution “Azure Lighthouse” with Azure Sentinel.

Is there a specific question to subscriptions that’s not clear in our documentation that we can improve upon?
0 Likes
Reply
dean-h

‎08-15-2019 01:11 PM

‎08-15-2019 01:11 PM

Re: Multiple Subscriptions in Sentinel

@Chris BoehmIs there an aggregation capability to provide a "single pane of glass" for all CSP tenants? From the documentation, it appears that the CSP can gain delegated access to each individual tenant for Log Analytics and ASC.  This article mentions "cross-tenant visibility" for ASC, but does not show what the user experience is like. It would be nice to see a screen-shot showing multiple subscriptions from multiple Azure AD tenants in a centralized view in Sentinel and ASC.

0 Likes
Reply
Related Conversations
Tabs and Dark Mode
 cjc2112 in Discussions on 09-18-2019
46 Replies
Security Community Webinars
 Valon_Kolica in Security, Privacy & Compliance on 10-22-2019
13 Replies
flashing a white screen while open new tab
 Deleted in Discussions on 10-05-2019
14 Replies
How to Prevent Teams from Auto-Launch
 chenrylee in Microsoft Teams on 06-27-2019
29 Replies
Stable version of Edge insider browser
 HotCakeX in Discussions on 10-12-2019
35 Replies
Extentions Synchronization
 Deleted in Discussions on 11-13-2019
3 Replies