Need Help With Azure Onboarding


Hi Team,

I need assistance with Azure onboarding. In my organization a different team manages Azure, so they are the owners. I will only be working on the Sentinel part. We do have the license which includes Sentinel, but I was asked to find out the prerequisites for Sentinel. Based on the documentation, I see that a dedicated workspace is needed & that I also need contributor access for that workspace, but as I am not the admin & currently have no access to Azure, I am just wondering what the best option would be for me to ask the other team members in order to activate Sentinel.
So is the best option to get temporary admin access to Azure so I can create the workspace myself, or, if I have to give instructions to the other team to enable Sentinel, what are the steps I can follow? Any suggestions would be appreciated.

3 Replies

@msef280 You do not necessarily need a dedicated workspace, but it is better to use one to avoid excess charges. If your company already has a Log Analytics workspace that it is using, and you want all the data to be in Azure Sentinel, you can use that.

Otherwise, you need to look at all the regions your company will be using and whether there will be data produced in those regions that needs to go into Azure Sentinel. Take into account the egress charges and determine if it will be better to use one workspace or multiple workspaces. Take a look at this post for more information: Best practices for designing an Azure Sentinel or Azure Security Center Log Analytics workspace - Mi...

Also, keep in mind that even if you get the rights to create Azure Sentinel, you will need to have either Security Administrator or Global Administrator to set up some of the data connectors. A lot of companies will not allow anyone outside of the IT department to have those rights, so you will need to work with someone who has them to get everything set up.

I would also take a look at the Azure Sentinel All-in-one deployment, Azure-Sentinel/Tools/Sentinel-All-In-One at master · Azure/Azure-Sentinel (github.com), as a way to get your Azure Sentinel environment started. You can then add the additional data connectors you need later.

Hi Gary,

Thanks a lot for the response. So if I don't have any access at all to Azure & my other team members are basically managing it, then what would be the best approach from my side? Basically, what I want is to activate Azure Sentinel, but I want to do it by myself.

@msef280: the challenge is that there is no such thing as a Sentinel license. The cost is based on actual use. As a result, we obviously need someone with the right permissions to onboard Sentinel and essentially approve the charges. The same goes for, for example, creating a VM on Azure: it costs, so someone with the right permissions is needed to create it.