Managing Microsoft Sentinel across multiple tenants using Lighthouse
Published Dec 20 2023 09:43 AM
Microsoft


 

Cross-tenant management is a concern for ISVs and for organizations that run more than one Microsoft Entra tenant. An ISV might have multiple tenants for reasons such as:

  • Multiple subsidiaries or business units that operate independently
  • Mergers and acquisitions
  • Multiple clouds to meet regulatory compliance needs
  • Multiple geographical boundaries

This blog describes the use case of an ISV that wants to use Azure Lighthouse to manage Microsoft Sentinel across multiple tenants.

 

Microsoft Sentinel is a scalable, cloud-native SIEM and SOAR solution. It delivers intelligent security analytics and threat intelligence across the enterprise. Learn more here.

Azure Lighthouse allows service providers to perform operations across several Microsoft Entra tenants at once. It enables multi-tenant management with scalability, higher automation, and enhanced governance across resources.

With Azure Lighthouse, users, groups, and service principals in the primary (managing) tenant are granted Azure roles on delegated subscriptions or resource groups in the secondary (customer) tenants. The delegated resources can then be viewed and managed from the primary tenant through the portal, CLI, or APIs, without creating guest accounts in the secondary tenants; the resources themselves stay in the secondary tenant's subscriptions. Learn more here.

 

Architecture

[Architecture diagram: image not reproduced]

 

Getting Started

  • Use this article to onboard Lighthouse for Sentinel as a service provider.
  • Key points to note:
    • Determine which tenant is the primary (managing) tenant, i.e. the one whose users will perform management operations on the other tenants.
    • The access is unidirectional: the service provider can access the delegated resources in the secondary tenants, but the secondary tenants gain no access to the primary tenant.
    • The same setup process is required for every secondary tenant.
  • Follow the principle of least privilege: delegate only the built-in roles the SOC actually needs (for example Microsoft Sentinel Contributor or Microsoft Sentinel Responder, plus Reader), scoped to the subscriptions or resource groups that hold the Sentinel workspaces. Owner cannot be delegated through Lighthouse at all.
  • It is best practice to create a security group in the primary Entra tenant and grant the delegated roles to that group rather than to individual users; membership can then change without redeploying the offer in every secondary tenant. Learn more here.

 

Steps

Lighthouse can be set up with the secondary tenants either from the templates in GitHub - Azure/Azure-Lighthouse-samples: Provide samples for understanding managed service solutions, or directly through the Azure portal. The steps documented here use the Azure portal.

 

1) In the primary tenant, search for My customers (Azure Lighthouse) and click “Create ARM Template”.

[screenshot]

2) Provide the offer details.

[screenshot]

3) The next step is authorization. Apply the least-privilege guidance above: add the security group from the primary tenant and assign it only the roles it needs. The screen looks like this:

[screenshot]

4) Click “View template” and download it. The downloaded template must then be deployed in the secondary tenant; it is the artifact that grants your primary tenant access, so review its authorizations before every deployment.

5) In the secondary tenant, go to Azure Lighthouse -> View service provider offers. Under Service provider offers, click Add offer -> Add via template and upload the template downloaded in step 4. It takes approximately 15 minutes for the delegation to take effect. For any deployment error, use the troubleshooting section of this article.

6) Switch back to the primary tenant, refresh, and click Directory/Subscription to see the newly delegated tenant and subscription.
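The template downloaded in step 4 is what grants your primary tenant access to a customer subscription, so it is worth checking mechanically before it is uploaded to each secondary tenant in step 5. The following is an added example, not code from the original post or from Microsoft's Lighthouse samples. It reads the template's Microsoft.ManagedServices/registrationDefinitions resource, resolves [parameters('...')] and [variables('...')] references to their default values, confirms managedByTenantId is your own primary tenant, and flags grants that Lighthouse rejects (Owner, or User Access Administrator without delegatedRoleDefinitionIds) or that exceed an approved role list. The built-in role definition GUIDs are the real ones; ALLOWED_ROLES is this example's own policy, and the tenant ID, group object ID and sample template (shaped like the portal's output, which keeps managedByTenantId and authorizations in parameters with default values) are constructed placeholders.

```python
"""Least-privilege check for an Azure Lighthouse registration template. Added example, not code
from the original post or from Microsoft's samples; the tenant ID, group ID and template below
are constructed placeholders, and ALLOWED_ROLES is this example's own policy (an assumption)."""
import re

REGISTRATION_DEFINITION = "Microsoft.ManagedServices/registrationDefinitions"
_GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")
# Built-in role definition IDs; these GUIDs are the same in every Azure tenant.
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
USER_ACCESS_ADMIN = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
ROLE_NAMES = {
    OWNER: "Owner",
    USER_ACCESS_ADMIN: "User Access Administrator",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
    "ab8e14d6-4a74-4a29-9ba8-549422addade": "Microsoft Sentinel Contributor",
    "3e150937-b8fe-4cfb-8069-0eaf05ecd056": "Microsoft Sentinel Responder",
    "91c1777a-f3dc-4fae-b103-61d183457e46": "Managed Services Registration assignment Delete Role",
}
# Roles the SOC is approved to hold in customer tenants (example policy; replace with your own).
ALLOWED_ROLES = {"Reader", "Microsoft Sentinel Contributor", "Microsoft Sentinel Responder",
                 "Managed Services Registration assignment Delete Role"}

def _is_guid(value):
    return bool(_GUID.fullmatch(str(value).lower()))

def _resolve(value, template):
    # Follow "[parameters('x')]" or "[variables('x')]" to its default or literal value.
    for kind in ("parameters", "variables"):
        prefix = f"[{kind}('"
        if isinstance(value, str) and value.startswith(prefix) and value.endswith("')]"):
            entry = template.get(kind, {}).get(value[len(prefix):-3])
            return (entry or {}).get("defaultValue") if kind == "parameters" else entry
    return value

def check_lighthouse_template(template, expected_managing_tenant=None):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    definitions = [r for r in template.get("resources", []) if r.get("type") == REGISTRATION_DEFINITION]
    if not definitions:
        return [f"no {REGISTRATION_DEFINITION} resource in template"]
    for definition in definitions:
        props = definition.get("properties", {})
        tenant = str(_resolve(props.get("managedByTenantId"), template)).lower()
        # The tenant named here is the one that gets access: make sure it is really yours.
        if not _is_guid(tenant) or (expected_managing_tenant and tenant != expected_managing_tenant.lower()):
            findings.append(f"managedByTenantId {tenant!r} is not the expected primary tenant")
        for auth in _resolve(props.get("authorizations"), template) or []:
            who = auth.get("principalIdDisplayName") or auth.get("principalId")
            if not _is_guid(auth.get("principalId")):
                findings.append(f"{who}: principalId is not an object ID (unfilled placeholder?)")
            role_id = str(auth.get("roleDefinitionId", "")).lower()
            role = ROLE_NAMES.get(role_id)
            if role is None:
                findings.append(f"{who}: unknown roleDefinitionId {role_id!r}, review before granting")
            elif role_id == OWNER:
                findings.append(f"{who}: Owner cannot be delegated through Lighthouse")
            elif role_id == USER_ACCESS_ADMIN:
                # Lighthouse accepts this only for assigning roles to managed identities, with the
                # assignable roles pinned in delegatedRoleDefinitionIds; those must be approved too.
                delegated = {ROLE_NAMES.get(str(d).lower(), d) for d in auth.get("delegatedRoleDefinitionIds", [])}
                if not delegated or delegated - ALLOWED_ROLES:
                    findings.append(f"{who}: User Access Administrator must be limited to approved delegatedRoleDefinitionIds")
            elif role not in ALLOWED_ROLES:
                findings.append(f"{who}: {role} is broader than the approved Sentinel roles")
    return findings

# Constructed sample data: placeholder IDs, not a real tenant or group.
PRIMARY_TENANT = "11111111-1111-1111-1111-111111111111"
SOC_GROUP = "22222222-2222-2222-2222-222222222222"

def sample_template(authorizations, managing_tenant=PRIMARY_TENANT):
    """Shaped like the portal's step-4 template (its registrationAssignments resource is omitted)."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {"mspOfferName": {"type": "string", "defaultValue": "Contoso Sentinel MSSP"},
                       "managedByTenantId": {"type": "string", "defaultValue": managing_tenant},
                       "authorizations": {"type": "array", "defaultValue": authorizations}},
        "resources": [{"type": REGISTRATION_DEFINITION, "apiVersion": "2019-06-01",
                       "name": "[guid(parameters('mspOfferName'))]",
                       "properties": {"registrationDefinitionName": "[parameters('mspOfferName')]",
                                      "managedByTenantId": "[parameters('managedByTenantId')]",
                                      "authorizations": "[parameters('authorizations')]"}}],
    }

def grant(role_id, display_name="SOC analysts", principal=SOC_GROUP):
    return {"principalId": principal, "principalIdDisplayName": display_name, "roleDefinitionId": role_id}

LEAST_PRIVILEGE = [grant("ab8e14d6-4a74-4a29-9ba8-549422addade"),   # Microsoft Sentinel Contributor
                   grant("acdd72a7-3385-48ef-bd42-f606fba81ae7"),   # Reader
                   grant("91c1777a-f3dc-4fae-b103-61d183457e46")]   # provider can remove its own delegation
OVER_PRIVILEGED = LEAST_PRIVILEGE + [
    grant(OWNER),                                                  # Lighthouse rejects Owner
    grant("b24988ac-6180-42a0-ab88-20f7382dd24c", "SOC admins"),   # Contributor: far broader than needed
    grant(USER_ACCESS_ADMIN, "Automation"),                        # no delegatedRoleDefinitionIds
    grant("acdd72a7-3385-48ef-bd42-f606fba81ae7", "Unfilled", principal="<group-object-id>")]

if __name__ == "__main__":
    for label, auths in (("least privilege", LEAST_PRIVILEGE), ("over-privileged", OVER_PRIVILEGED)):
        print(label, "->", check_lighthouse_template(sample_template(auths), PRIMARY_TENANT) or ["OK"])
```

Run as is to see the two sample verdicts, or load the downloaded file with json.load and pass the resulting dict to check_lighthouse_template together with your primary tenant ID; a non-empty result should block the upload in step 5. The tenant check matters because whoever uploads the template in the secondary tenant is delegating access to whatever tenant ID it names, not necessarily to yours.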

 

Next Steps

Once the delegation is complete, the delegated workspaces appear in Microsoft Sentinel in your primary tenant. The steps in this article - Manage Microsoft Sentinel workspaces at scale - Azure Lighthouse | Microsoft Learn - allow you to do tasks such as:

  • View and Manage incidents across workspaces.
  • Configure playbooks for mitigation.
  • Create cross tenant workbooks.
  • Run Log Analytics and hunting queries across the workspaces.

 

Workspace Manager

Workspace manager is a newer Microsoft Sentinel feature that lets you manage multiple Sentinel workspaces, within one or more Azure tenants, from one central workspace: content such as analytics rules and workbooks is published from the central workspace to its member workspaces, and member workspaces in other tenants are reached through the Lighthouse delegation set up above. Use this link - Manage multiple Microsoft Sentinel workspaces with workspace manager | Microsoft Learn - to enable workspace manager on the central workspace.

 

Last update: Dec 20 2023 09:49 AM