Permissions required to grant Sentinel access


Hello,

I am troubleshooting Sentinel access issues on Azure portal - I can access log analytics workspace but not Sentinel workspace.

So far the setup is such:

  • Group "Sentinel Users" to which all Sentinel users belong
  • Dedicated Resource Group "RG_Sentinel"; Sentinel Users have Owner level access.
  • At Subscription level (Sub1), Sentinel Users have "Reader" and "Azure Sentinel Contributor"

The selection for "Azure Sentinel Workspaces" (https://portal.azure.com/#blade/Microsoft_Azure_Security_Insights/WorkspaceSelectorBlade) is empty.

But Log Analytics workspace which belongs to the dedicated resource group "RG_Sentinel" and is associated with sentinel is readily visible and I can use it as you'd expect.

I've checked that Sentinel Workspace belongs to the Sub1 group and the user I'm testing belongs to "Sentinel Users". The user is an external user.

4 Replies

@truekonrads I am not sure about why you don't see the workspace but I have a question as to why you are using an external user like that rather than using Lighthouse? If I were to hazard a guess I would think there is something about the user being external that is causing issues.

@Gary Bushey good call on Lighthouse, we'll look to transition to this. That said, the person who was adding permissions and had Sub Owner permissions also was an external user.

@truekonrads however, Lighthouse isn't the solution in principle I think, because while Sentinel can collect most data, some things in Microsoft security suite don't blend into Lighthouse - such as Win Def ATP, Azure ATA and others. If you have Sentinel and WD ATP, you still need login on customer tenant.

UPDATE: after a fairly extended period of time - several days; this issue resolved itself without anyone doing anything about it. Very annoying but glad it works