Limiting access to Sentinel

%3CLINGO-SUB%20id%3D%22lingo-sub-364281%22%20slang%3D%22en-US%22%3ELimiting%20access%20to%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-364281%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhat%20would%2C%20for%20now%2C%20be%20the%20minimum%20set%20of%20roles%2Fpermissions%20required%20to%20get%20access%20to%20Sentinel%3F%3C%2FP%3E%0A%3CP%3EI've%20played%20around%20with%20granting%20access%20as%20a%20Security%20Reader%20some%20additional%20ones%20(Contributor)%20on%20the%20Workspace%2C%20but%20no%20joy.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhat%20permission%20are%20(minimally)%20required%20and%20should%20we%20apply%20them%20on%20the%20Subscription%2C%20RG%2C%20Workspace%20or%20elsewhere%3F%20Couldn't%20find%20any%20relevant%20information%20so%20far%20%3A)%3C%2Fimg%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMichael%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-366648%22%20slang%3D%22en-US%22%3ERe%3A%20Limiting%20access%20to%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-366648%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Michael%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20will%20need%20a%20subscription%20contributor%20permission%20to%20onboard.%20After%20that%2C%20you%20will%20need%20a%20contributor%20or%20reader%20on%20the%20RG%2C%20depending%20on%20what%20you%20want%20to%20do.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EConnecting%20to%20different%20sources%20may%20require%20additional%20permissions%2C%20which%20is%20documented%20on%20the%20specific%20connectors%20pages%20when%20you%20connect.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E~%20Ofer%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1326783%22%20slang%3D%22en-US%22%3ERe%3A%20Limiting%20access%20to%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1326783%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F293879%22%20target%3D%22_blank%22%3E%40Ofer_Shezaf%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20Ofer%2C%20i%20just%20tested%20this%20in%20our%20environment%20%3A).%20I%20took%20quite%20a%20lot%20of%20time%20figuring%20this%20out%20from%20the%20documentation%20its%20never%20mentioned%20in%20the%20Sentinel%20permissions%20doc%20very%20clearly%20where%20to%20apply%20the%20permission.%3C%2FP%3E%3CP%3EWith%20your%20trick%20it%20works%20!!%3C%2FP%3E%3CP%3Eso%20yes%20in%20my%20case%20reader%20permissions%20on%20RG%20seems%20to%20work%20fine.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1746956%22%20slang%3D%22en-US%22%3ERe%3A%20Limiting%20access%20to%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1746956%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F570807%22%20target%3D%22_blank%22%3E%40arshad80%3C%2FA%3E%26nbsp%3BThe%20documentation%20%5B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Froles%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Froles%3C%2FA%3E%5D%20is%20very%20clear%20about%20that%20by%20stating%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3E%3CP%3E%3CEM%3EFor%20best%20results%2C%20these%20roles%20should%20be%20assigned%20on%20the%26nbsp%3B%3CSTRONG%3Eresource%20group%3C%2FSTRONG%3E%26nbsp%3Bthat%20contains%20the%20Azure%20Sentinel%20workspace.%20This%20way%2C%20the%20roles%20will%20apply%20to%20all%20the%20resources%20that%20are%20deployed%20to%20support%20Azure%20Sentinel%2C%20as%20those%20resources%20should%20also%20be%20placed%20in%20that%20same%20resource%20group.%3C%2FEM%3E%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3E%3CEM%3EAnother%20option%20is%20to%20assign%20the%20roles%20directly%20on%20the%20Azure%20Sentinel%26nbsp%3B%3CSTRONG%3Eworkspace%3C%2FSTRONG%3E%26nbsp%3Bitself.%20If%20you%20do%20this%2C%20you%20must%20also%20assign%20the%20same%20roles%20on%20the%20SecurityInsights%26nbsp%3B%3CSTRONG%3Esolution%20resource%3C%2FSTRONG%3E%26nbsp%3Bin%20that%20workspace.%20You%20may%20need%20to%20assign%20them%20on%20other%20resources%20as%20well%2C%20and%20you%20will%20need%20to%20be%20constantly%20managing%20role%20assignments%20on%20resources.%3C%2FEM%3E%3C%2FP%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
MVP

Hi all,

 

What would, for now, be the minimum set of roles/permissions required to get access to Sentinel?

I've played around with granting access as a Security Reader some additional ones (Contributor) on the Workspace, but no joy.

 

What permission are (minimally) required and should we apply them on the Subscription, RG, Workspace or elsewhere? Couldn't find any relevant information so far :)

 

Thanks,

 

Michael

3 Replies

Hi Michael,

 

You will need a subscription contributor permission to onboard. After that, you will need a contributor or reader on the RG, depending on what you want to do. 

 

Connecting to different sources may require additional permissions, which is documented on the specific connectors pages when you connect.

 

~ Ofer

@Ofer_Shezaf 

 

Thanks Ofer, i just tested this in our environment :). I took quite a lot of time figuring this out from the documentation its never mentioned in the Sentinel permissions doc very clearly where to apply the permission.

With your trick it works !!

so yes in my case reader permissions on RG seems to work fine. 

@arshad80 The documentation [https://docs.microsoft.com/en-us/azure/sentinel/roles] is very clear about that by stating:

 

  • For best results, these roles should be assigned on the resource group that contains the Azure Sentinel workspace. This way, the roles will apply to all the resources that are deployed to support Azure Sentinel, as those resources should also be placed in that same resource group.

  • Another option is to assign the roles directly on the Azure Sentinel workspace itself. If you do this, you must also assign the same roles on the SecurityInsights solution resource in that workspace. You may need to assign them on other resources as well, and you will need to be constantly managing role assignments on resources.