Comments on “Protecting MSSP’s Intellectual Property in Azure Sentinel”

Jeroen Vandeleur:

@Javier Soriano
Thank you for this well-described blog post; it gave us some useful insights and these 2 specific models. An additional question I have is related to our specific organisation. Within our company we have specialized managed detect & respond services; however, we are not a CSP, as we don't offer specific technologies, it is more a service. Within this perspective we typically have to work via the customer and their CSP to get the necessary access. Do you know any approach that would be in line with our setup, where the CSP typically delivers the technology and we as a security company deliver our expertise in security monitoring and incident response? Normally we use external guest accounts and RBAC to achieve this, but maybe you have a better view or idea?

Again thanks for your insights, really appreciated!

Javier Soriano:

Hi @Jeroen Vandeleur, in your case the best approach is to use Azure Lighthouse (https://docs.microsoft.com/en-us/azure/lighthouse/). You could for example publish a managed services offer (https://docs.microsoft.com/en-us/azure/lighthouse/how-to/publish-managed-services-offers) in the Azure Marketplace that would grant you delegated access to the customer's Sentinel environment with whatever roles you need to perform your functions. External guest accounts (B2B) work fine, but Lighthouse has several benefits compared to B2B. First, Lighthouse provides you with cross-tenant visibility without switching context, so you can for example build cross-tenant dashboards or use the multi-workspace incident view (https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-cross-workspace-incident-view-in-public-preview/ba-p/1379796). Lighthouse also allows you to do management at scale; for example, you could build a PS script that updates all your customers in parallel. Take a look at this other post (https://techcommunity.microsoft.com/t5/azure-sentinel/combining-azure-lighthouse-with-sentinel-s-devops-capabilities/ba-p/1210966) for more details on this.

Hope this helps!

Jeroen Vandeleur:

Dear @Javier Soriano,

Thank you for the quick reply. I agree that B2B accounts are not the way to go for this. We will take a look at the Lighthouse option; I thought this was primarily developed for a CSP. However, from our perspective Lighthouse would be the ideal solution to get the required roles & responsibilities for our MDR service. So if we can connect our customer tenants towards our Lighthouse service it would be the ideal solution!

Thank you!

Best Regards,

Jeroen Vandeleur

Javier Soriano:

Yes, Lighthouse is the way to go as it works the same across any licensing model.

A reader:

Thanks for the great info; sharing with my LinkedIn network.

KrishhnaM:

@Javier Soriano, thanks for the info... Can you please elaborate on your statement "If you have developed a workbook that you don’t want your customer to copy, you should store it in your tenant"?

As an MSSP, we have multiple workbooks in our tenant. I want customers to use these workbooks from their Sentinel workspace, and they should also be prevented from copying the code (our Intellectual Property).

Javier Soriano:

Thanks for your comment @KrishhnaM.

The idea is that you build/deploy your workbook in your tenant (MSSP) and query customer workspaces from there. It is true that if you want the customer to see it, you have no easy option as of today. Even if you use reverse Lighthouse granting only the Reader role, the customer would still be able to see the queries underneath. We hope to have a solution for this soon.

I will update the article to reflect this case.

KrishhnaM:

Yes @Javier Soriano, even with the reverse concept (customer with Reader role) the workbook code is visible, and the customer is also able to edit the workbook!!!

Thanks for your reply; kindly let us know once the solution is available to secure analytical rules and workbooks.

Prash915:

Hi @Javier Soriano,

With CSP (indirect reseller) and Azure Lighthouse we have built a Sentinel workspace in the customer estate on our CSP subscription. In spite of Delegated Admin Access, it is interesting to see that we are not allowed to enable the connectors in Sentinel (for example: Microsoft Defender ATP).

Is it a must that only their Global Admin or Security Admin can enable the connector to collect logs, or is there any other best practice?

How will their global admin see this CSP subscription if they are not added under AdminAgents within our partner portal?

Looking for advice on this.

Thanks.

Javier Soriano:

Hi @Prash915, yes, Global Admin/Security Admin permissions are a requirement for some connectors, and there's no workaround for that.

In CSP, you might have Delegated Admin Privileges over the customer tenant and be able to perform this. Whether or not you have this permission depends on how you onboarded that customer into your CSP.

Makes sense?

Prash915:

@Javier Soriano

Thanks for your response. Here is my experience with a recent on-boarding for one of the CSP workspaces.
It was interesting to see that for an indirect-reseller-owned subscription, in spite of having DAP and the user being part of the AOBO group, we couldn't enable a Sentinel connector (example: Microsoft Defender ATP) for the workspace in the customer tenant, though the subscription is owned by us as a CSP (indirect seller) with owner access at the subscription level. The expectation at the Sentinel workspace is that the user must have Global or Security Admin privilege at the workspace tenant to enable connectors like Defender or Office. To assign Global Admin or Security Admin at the customer at the workspace tenant, the user needs to be local to their tenant, which means either we end up creating an additional user at the client tenant to assign Global or Security Admin privilege, or we grant access to their tenant global admin user so that they activate the required connectors.

I do not see DAP fully serving the required ownership for a CSP user who is an indirect seller.

My question is: how do I achieve taking complete ownership, including activation of the required Sentinel connectors, without having a local user at the customer tenant?

Thanks

Javier Soriano:

Hi @Prash915, as far as I know, you don't need to be in the customer tenant to be global or security admin. You can be a B2B guest user and still have the global or security admin role. Did you try this?

Prash915:

@Javier Soriano - Sorry, I meant a local user can be either a B2B guest or a user at the customer tenant. But one has to have a user at the customer tenant to connect on-boarding logs into Sentinel in spite of Azure Lighthouse + CSP, which I see as a downside, as it again increases the dependency.

I remember those good old days without CSP and Lighthouse where MSSPs used to have users in the customer tenant to manage their security. But with Lighthouse I see no changes other than a centralized model of managing multiple customers. With the CSP relation granting DAP, I was expecting AOBO users to have the ability to perform all actions without depending on having a local or B2B user in the customer tenant. I think Microsoft has an opportunity for enhancement of capabilities for users under AOBO, of course with security in mind.

Thanks, it was a good discussion.
Protecting MSSP’s Intellectual Property in Azure Sentinel

Microsoft

Special thank you to @Ofer_Shezaf and @Koby Koren for reviewing this article

In the last few months helping MSSPs adopt and build services around Azure Sentinel, one of the common concerns for them is protecting the Intellectual Property (IP) that they develop.

This IP can take multiple forms: it might be a Workbook that provides additional features and visualizations, a new Analytics Rule that detects a specific attack, or a Playbook that extends Sentinel’s functionality.

But what happens if you deploy that IP into the customer’s Sentinel environment? Well, there are two scenarios depending on how your customer buys Azure: Cloud Solutions Provider (CSP) and Enterprise Agreement (EA). Let’s look at each of them separately.

CSP customers

If you are reselling Azure as a Cloud Solutions Provider (CSP), you are expected to manage the Azure subscription(s) on behalf of the customer. A mechanism called Admin-On-Behalf-Of (AOBO) automatically grants some users from the partner organization Owner access to the customer subscription, and the customer has NO access by default. The users that get this access are the members of the Admin Agents group in the partner’s Azure AD tenant attached to the CSP contract (this tenant might differ from the partner’s main AAD tenant).

It is recommended to use Azure Lighthouse to provide additional users with access to the customer environment. This provides finer granularity, as you can grant users or groups access to a specific scope (resource group or subscription) with one of the available built-in roles. See https://docs.microsoft.com/en-us/azure/lighthouse/concepts/cloud-solution-provider for more details.

As explained above, in this model the customer has no access by default; they will only see the Azure environment if you grant them access explicitly. If the customer needs access to the Azure environment, the recommendation is to grant them access at the resource group level. That way, you can show or hide parts of the environment. For example, you might grant the customer access to several RGs where customer applications are located, but keep the Sentinel environment in a different RG where the customer has no access. With this model, you can still allow customers to see playbooks and workbooks, because these are separate resources and can reside in a separate RG. Also, keep in mind that the customer will only be able to see log data for the resources they have access to (e.g. logs from a VM). If the KQL query in the workbook tries to get data from a resource the customer doesn't have access to, the query will not work. You can find more detailed information about data RBAC options in this article: https://techcommunity.microsoft.com/t5/azure-sentinel/controlling-access-to-azure-sentinel-data-resource-rbac/ba-p/1301463.

In the following picture you can see how this option would work from a permissions point of view:

 

[Figure pic1.png: permissions model for CSP customers]

 

In this picture, the users that are part of the Admin Agents group come from the partner’s CSP tenant (the one associated with their CSP contract). Partner users and groups in the yellow and purple boxes above (the ones using Lighthouse) might come from a different tenant than the partner’s CSP tenant.

 

If your customer needs to access the whole subscription, then move to the next section (EA Customers).  

 

EA customers

If your customer is buying directly from Microsoft, then the customer already has full access to the Azure environment so you won’t be able to hide things that are located in the customer tenant. This is because RBAC permissions are inherited, so if a customer has owner permissions at the subscription level, then they will have that same permission on anything inside it, even the Sentinel environment that you manage on their behalf. So, how can you protect the Intellectual Property that you develop on top of Sentinel?

 

Let’s look at this by type of resource that needs to be protected.

 

Analytics Rules

Analytics rules live within the Sentinel solution, so they cannot be separated from the Sentinel resource and workspace. Even if the customer user has only Sentinel Reader permissions, he/she will be able to see the query in your rule from the Analytics Rule blade within Sentinel. There will be a solution in the future for this.

 

Hunting Queries

Similar to the previous case, hunting queries live inside the Sentinel solution. If you need to hide a specific query from your customer, you can always store the query in your own (MSSP) tenant and run it against the customer workspace using the workspace statement, as shown in the previous section.
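Running a hunting query that stays in the MSSP tenant against delegated customer workspaces, as an added Az PowerShell example that is not part of the original post: the query text lives only on the MSSP side and is executed per customer workspace through the Lighthouse delegation, so nothing is saved into the customer's Sentinel instance. Customer names, workspace GUIDs and the sample query are placeholders.

```powershell
# Added example (not from the original post). Workspace names/IDs and the query are placeholders.

# The MSSP's private hunting query: kept here (e.g. in source control), never stored in the customer workspace.
$HuntingQuery = @'
SigninLogs
| where ResultType != 0
| summarize Failures = count(), Apps = make_set(AppDisplayName) by UserPrincipalName, IPAddress
| where Failures > 20
| order by Failures desc
'@

# Customer workspaces delegated to the MSSP via Lighthouse (placeholder names and workspace GUIDs).
$CustomerWorkspaces = @(
    @{ Customer = 'contoso';  WorkspaceId = '11111111-1111-1111-1111-111111111111' }
    @{ Customer = 'fabrikam'; WorkspaceId = '22222222-2222-2222-2222-222222222222' }
)

function Invoke-HuntAcrossCustomers {
    param([string]$Query, [hashtable[]]$Workspaces)
    foreach ($ws in $Workspaces) {
        try {
            # Runs in the MSSP's signed-in context; the Lighthouse delegation makes the
            # customer workspace queryable without switching into the customer tenant.
            $response = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.WorkspaceId `
                                                          -Query $Query `
                                                          -Timespan (New-TimeSpan -Hours 24)
            foreach ($row in $response.Results) {
                # Tag each hit with the customer so hits from many tenants can be triaged together.
                $row | Add-Member -NotePropertyName Customer -NotePropertyValue $ws.Customer -PassThru
            }
        }
        catch {
            # Typically the delegation lacks Log Analytics Reader / Azure Sentinel Reader on this
            # workspace; surface the failure per customer instead of aborting the whole run.
            Write-Warning "Query failed for $($ws.Customer): $($_.Exception.Message)"
        }
    }
}

# The same hunt as one cross-workspace query from the MSSP's own workspace uses the workspace() statement:
#   union workspace('11111111-...').SigninLogs, workspace('22222222-...').SigninLogs | ...
# Querying each workspace directly needs no MSSP workspace and keeps per-customer errors isolated.
Invoke-HuntAcrossCustomers -Query $HuntingQuery -Workspaces $CustomerWorkspaces |
    Format-Table Customer, UserPrincipalName, IPAddress, Failures -AutoSize
```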

 

Workbooks

If you have developed a workbook that you don’t want your customer to copy, you should store it in your tenant. The good news is that you can modify that workbook to use whatever customer workspaces you want as long as you have access to them via Lighthouse.

 

In this other blog post you have details on how to modify your workbooks to make them multi-tenant.

 

[Figure pic3.png: multi-tenant workbook stored in the MSSP tenant]

 

An additional use case with workbooks is when a customer needs to see the workbook visualizations, but the MSSP wants to keep the workbook code secret. In that case, the recommended approach is to export the workbook to Power BI as explained here.

 

Playbooks

Using Lighthouse, it is straightforward to create analytics rules in the customer’s Sentinel environment and attach a playbook hosted in your own tenant to them. The playbook in this case will get the alert/incident data (and any related customer data) from the customer workspace.

 

[Figure pic5.png: playbook hosted in the MSSP tenant attached to a customer analytics rule]

 

In Summary

In this post we have explained the different options that an MSSP has to protect its intellectual property in an Azure Sentinel environment. Please leave a comment below if you have any questions!

 

 

13 Comments
Senior Member

@Javier Soriano 
thank you for this well-described blog post; it gave us some useful insights and these 2 specific models. An additional question I have is related to our specific organisation. Within our company we have specialized managed detect & respond services; however, we are not a CSP as we don't offer specific technologies, it is more a service. Within this perspective we typically have to work via the customer and their CSP to get the necessary access. Do you know any approach that would be in line with our setup where the CSP typically delivers the technology and we as a security company deliver our expertise in security monitoring and incident response? Normally we use external guest accounts and RBAC to achieve this, but maybe you have a better view or idea?

 

Again thanks for your insights, really appreciated!

Microsoft

Hi @Jeroen Vandeleur , in your case the best approach is to use Azure Lighthouse. You could for example publish a managed services offer in the Azure Marketplace that would grant you delegated access to the customer's Sentinel environment with whatever roles you need to perform your functions. External guest accounts (B2B) work fine, but Lighthouse has several benefits compared to B2B. First, Lighthouse provides you with cross-tenant visibility without switching context, so you can for example build cross-tenant dashboards or use the multi-workspace incident view. Lighthouse also allows you to do management at scale; for example, you could build a PS script that updates all your customers in parallel. Take a look at this other post for more details on this.

 

Hope this helps!

Senior Member

Dear @Javier Soriano , 

 

Thank you for the quick reply. I agree that B2B accounts are not the way to go for this. We will take a look at the Lighthouse option; I thought this was primarily developed for a CSP. However, from our perspective Lighthouse would be the ideal solution to get the required roles & responsibilities for our MDR service. So if we can connect our customer tenants to our Lighthouse service it would be the ideal solution!

 

Thank you ! 

 

Best Regards, 

 

Jeroen Vandeleur 

Microsoft

Yes, Lighthouse is the way to go as it works the same across any licensing model.

Occasional Contributor

Thanks for the great info; sharing with my Linkedin Network

New Contributor

@Javier Soriano, Thanks for the info... Can you please elaborate on your statement "If you have developed a workbook that you don’t want your customer to copy, you should store it in your tenant"

 

As an MSSP, we have multiple workbooks in our tenant. I want customers to use these workbooks from their Sentinel workspace, and they should also be prevented from copying the code (our Intellectual Property).

Microsoft

Thanks for your comment @KrishhnaM . 

 

The idea is that you build/deploy your workbook in your tenant (MSSP) and query customer workspaces from there. It is true that if you want the customer to see it, you have no easy option as of today. Even if you use reverse Lighthouse granting only Reader role, the customer would still be able to see the queries underneath. We hope to have a solution for this soon.

 

I will update the article to reflect this case.

New Contributor

Yes @Javier Soriano , even with the reverse concept (customer with Reader role) the workbook code is visible, and the customer is also able to edit the workbook!!!

 

Thanks for your reply, kindly let us know once the solution is available to secure analytical rule and workbook.

Occasional Contributor

Hi @Javier Soriano,

 

With CSP (indirect reseller) and Azure Lighthouse we have built a Sentinel workspace in the customer estate on our CSP subscription. In spite of Delegated Admin access, it is interesting to see that we are not allowed to enable the connectors in Sentinel (for example: Microsoft Defender ATP).

 

Is it a must that only their Global Admin or Security Admin can enable the connector to collect logs, or is there any other best practice?

 

How will their global admin see this CSP subscription if they are not added under AdminAgents within our partner portal?

 

Looking for advice on this.

 

Thanks. 

 

Microsoft

Hi @Prash915 , yes, Global Admin/Security Admin permissions are a requirement for some connectors, and there's no workaround for that.

 

In CSP, you might have Delegated Admin Privileges over the customer tenant and be able to perform this. Whether or not you have this permission depends on how you onboarded that customer into your CSP.

 

Makes sense?

Occasional Contributor

@Javier Soriano 

 

Thanks for your response. Here is my experience with a recent on-boarding for one of the CSP workspaces.

It was interesting to see that for an indirect-reseller-owned subscription, in spite of having DAP and the user being part of the AOBO group, we couldn't enable a Sentinel connector (example: Microsoft Defender ATP) for the workspace in the customer tenant, though the subscription is owned by us as a CSP (indirect seller) with Owner access at the subscription level. The expectation at the Sentinel workspace is that the user must have Global or Security Admin privilege at the workspace tenant to enable connectors like Defender or Office. To assign Global Admin or Security Admin at the workspace tenant, the user needs to be local to their tenant, which means either we end up creating an additional user at the client tenant to assign Global or Security Admin privilege, or we grant access to their tenant's global admin user so that they activate the required connectors.

 

I do not see DAP fully serving the required ownership for a CSP user who is an indirect seller.

 

My question is: how do I achieve taking complete ownership, including activation of the required Sentinel connectors, without having a local user at the customer tenant?

 

Thanks

 

Microsoft

Hi @Prash915 , as far as I know, you don't need to be in the customer tenant to be global or security admin. You can be a B2B guest user and still have the global or security admin role. Did you try this?

Occasional Contributor

@Javier Soriano - Sorry, I meant a local user can be either a B2B guest or a user at the customer tenant. But one has to have a user at the customer tenant to connect on-boarding logs into Sentinel in spite of Azure Lighthouse + CSP, which I see as a downside as it again increases the dependency.

 

I remember those good old days without CSP and Lighthouse, when MSSPs used to have users in the customer tenant to manage their security. But with Lighthouse I see no changes other than a centralized model for managing multiple customers. With a CSP relationship granting DAP, I was expecting AOBO users to have the ability to perform all actions without depending on having a local or B2B user in the customer tenant. I think Microsoft has an opportunity to enhance the capabilities for users under AOBO, of course with security in mind.

 

Thanks it was a good discussion.