SOLVED

Sentinel RBAC not working for Workbooks


I've recently started testing the 3 built-in Azure Sentinel RBAC roles based on https://docs.microsoft.com/en-us/azure/sentinel/roles

  • Azure Sentinel reader
  • Azure Sentinel responder
  • Azure Sentinel contributor

Based on the matrix in the documentation, "Azure Sentinel contributor" should give the user access to add and view Workbooks. However, testing showed I was able to add and save new workbooks but not view saved workbooks. All other access seems fine; I could run queries and everything.

6 Replies
Best Response confirmed by ehloworldio (Occasional Contributor)
Solution

@ehloworldio Try also adding the Log Analytics Reader (or Contributor) role and try again.


@ehloworldio In spite of assigning the Azure Sentinel Reader role and the Log Analytics Reader role to my guest user from a different tenant, the user is not able to view the workbook. Appreciate your advice.


Hi @ehloworldio,

You can create a custom role to allow users to read Workbooks to avoid the read rights on the whole of Log Analytics.

For example, you can add the read rights on Azure Sentinel and on Workbooks.

When you create the custom role, start with the Azure Sentinel Reader role and add these permissions:

Microsoft.Insights/Components/Read
Microsoft.Insights/Components/Events/Read
Microsoft.Insights/Components/Query/Read

Your user will then have read rights on Azure Sentinel and on saved Workbooks.
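As an added example (not from the post or from Microsoft), here is one way to build that custom role definition: take the built-in role's exported actions, add the three Microsoft.Insights read permissions above, and emit the JSON shape accepted by `az role definition create --role-definition @file.json`. The built-in action list below is a constructed stand-in; in practice export it with `az role definition list --name "Azure Sentinel Reader"`, and the subscription id and role name are placeholders.

```python
import json
from typing import Dict, List

# Constructed stand-in for the output of:
#   az role definition list --name "Azure Sentinel Reader"
# The real export carries more actions; only the structure matters here.
BUILTIN_SENTINEL_READER = {
    "roleName": "Azure Sentinel Reader",
    "permissions": [{
        "actions": [
            "Microsoft.SecurityInsights/*/read",
            "Microsoft.Authorization/*/read",
        ],
        "notActions": [],
    }],
}

# The three extra read permissions from the post above.
WORKBOOK_READ_ACTIONS = [
    "Microsoft.Insights/Components/Read",
    "Microsoft.Insights/Components/Events/Read",
    "Microsoft.Insights/Components/Query/Read",
]


def build_custom_role(builtin: Dict, extra: List[str],
                      subscription_id: str, name: str) -> Dict:
    """Merge the built-in role's actions with `extra` (deduplicated, sorted)
    into a custom role definition scoped to one subscription."""
    actions = set()
    for perm in builtin["permissions"]:
        actions.update(perm["actions"])
    actions.update(extra)
    return {
        "Name": name,
        "IsCustom": True,
        "Description": f"{builtin['roleName']} plus read access to saved workbooks",
        "Actions": sorted(actions),
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def non_read_actions(role: Dict) -> List[str]:
    """Least-privilege check: anything not ending in /read (including a bare
    '*') would make the role more than read-only, so it should come back empty."""
    return [a for a in role["Actions"] if not a.lower().endswith("/read")]


if __name__ == "__main__":
    role = build_custom_role(BUILTIN_SENTINEL_READER, WORKBOOK_READ_ACTIONS,
                             "<subscription-id>", "Sentinel Workbook Reader")
    print(json.dumps(role, indent=2))  # save as role.json for az role definition create
```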


@MS_Clouder - I am using Azure Lighthouse, so I published a shared dashboard into my customer tenant's workspace. I am lost on how to implement RBAC to grant or limit users' access to this dashboard, which lives in the customer tenant.

Appreciate any advice.

Hi Prash,

What dashboard are you talking about? Sentinel dashboard?

Perhaps you'll get a better answer to your question in another topic specialized in Azure Lighthouse, if it's this one.
In my previous post, I talked about the reading rights on Azure Sentinel Workbook.

Let me know if I can help you.
Joris

@MS_Clouder - Thanks for your reply. I am talking about the Azure Dashboards that use graphs pinned from a workbook and some custom graphs that query the Sentinel workspace logs. As an MSSP, when you build these dashboards and push them to a customer tenant's workspace using Azure Lighthouse, we don't get the control to assign RBAC permissions for the dashboard resource that resides in the customer tenant.