Permissions required to grant Sentinel acccess

Highlighted
Occasional Contributor

Hello,

 

I am troubleshooting Sentinel access issues on Azure portal - i can access log analytics workspace but not Sentinel workspace.

 

So far the setup is such:

  • Group "Sentinel Users" to which all Sentinel users belong
  • Dedicated Resource Group "RG_Sentinel"; Sentinel Users have Owner level access.
  • At Subscription level (Sub1), Sentinel Users have "Reader" and "Azure Sentinel Contributor"

The selection for "Azure Sentinel Workspaces" (https://portal.azure.com/#blade/Microsoft_Azure_Security_Insights/WorkspaceSelectorBlade) is empty.

 

But Log Analytics workspace which belongs to the dedicated resource group "RG_Sentinel" and is associated with sentinel is readily visible and I can use it as you'd expect.

 

I've checked that Sentinel Workspace belongs to the Sub1 group and the user I'm testing belongs to "Sentinel Users" . The user is an external user.

4 Replies
Highlighted

@truekonrads  I am not sure about why you don't see the workspace but I have a question as to why you are using an external user like that rather than using Lighthouse?   If I were to hazard a guess I would think there is something about the user being external that is causing issues.

Highlighted

@Gary Busheygood call on Lighthouse, we'll look to transition to this. That said, the person who was adding permissions and had Sub Owner permissions also was an external user.

 

Highlighted

@truekonradshowever, Lighthouse isn't the solution in principle I think, because while Sentinel can collect most data, some things in Microsoft security suite don't blend into Lighthouse - such as Win Def ATP, Azure ATA and others. If you have Senitnel and WD ATP, you still need login on customer tenant.

Highlighted
UPDATE: after a fairly extended period of time - several days; this issue resovled itself without anyone doing anything about it. Very annoying but glad it works