
Azure Sentinel Multi-Tenant in MSP via Lighthouse


Hi All,


We are looking at Azure Sentinel across a Multi-Tenanted model where from the MSP perspective (Master) we could have Read Only (RO) access to monitor multiple instances - however should there be a requirement where there is possibly an Incident - can this then be changed to Read Write (RW) access to be able to assist the customers with triage and incident response in a more direct manner?


Is this possible?

Could this be achieved via PIM or JIT?
JIT would require a VM in the customer's tenancy?


Please feel free to shoot this down with a better or more pragmatic solution if that's the case.

Regards,
Dave Caddick

Best response confirmed by David Caddick

@David Caddick Since you are using Lighthouse, you can create 2 Azure AD groups in your tenant, one that provides read-only rights and the other that provides read/write rights. Then, if you need it, you can add the appropriate user to the read/write group (or just assign a person that would handle all modifications of the incident to that group).


You can also look at Privileged Identity Management (PIM) access to AD groups (currently in preview): Managing privileged Azure AD groups in Privileged Identity Management (PIM) | Microsoft Docs
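As an added example (not code from this thread or from Microsoft), one way to encode the two-group model in the Lighthouse delegation itself: the read-only group as a standing `authorizations` entry and the read/write group as an `eligibleAuthorizations` entry with a just-in-time activation policy (Lighthouse's own PIM-style mechanism, which needs Azure AD Premium P2 in the managing tenant), plus a check that the definition never grants the MSP standing write access. The tenant and group IDs are placeholders; the role GUIDs are the built-in Microsoft Sentinel Reader and Contributor roles, and the 8-hour activation cap is Lighthouse's own limit.

```python
import re

# Built-in Azure role definition GUIDs; these are the same in every tenant.
SENTINEL_READER = "8d289c81-5878-46d4-8554-54e1e3d8b5cb"  # Microsoft Sentinel Reader
SENTINEL_CONTRIBUTOR = "ab8e14d6-4a74-4a29-9ba8-549422addade"  # Microsoft Sentinel Contributor

def build_delegation(managing_tenant_id, ro_group_id, rw_group_id, approver_group_id,
                     max_activation="PT4H"):
    """Properties of a Microsoft.ManagedServices/registrationDefinitions resource:
    the RO group gets a standing assignment, the RW group is only *eligible* (JIT)."""
    return {
        "registrationDefinitionName": "MSP Sentinel monitoring (constructed example)",
        "managedByTenantId": managing_tenant_id,
        # Standing access in the customer tenant: monitoring only.
        "authorizations": [{
            "principalId": ro_group_id,
            "principalIdDisplayName": "Sentinel-RO-Analysts",
            "roleDefinitionId": SENTINEL_READER,
        }],
        # Eligible access: activated per incident, time-boxed, MFA and approval required.
        "eligibleAuthorizations": [{
            "principalId": rw_group_id,
            "principalIdDisplayName": "Sentinel-RW-Responders",
            "roleDefinitionId": SENTINEL_CONTRIBUTOR,
            "justInTimeAccessPolicy": {
                "multiFactorAuthProvider": "Azure",
                "maximumActivationDuration": max_activation,  # ISO 8601 duration, at most PT8H
                "managedByTenantApprovers": [{
                    "principalId": approver_group_id,
                    "principalIdDisplayName": "Sentinel-JIT-Approvers",
                }],
            },
        }],
    }

def policy_violations(props):
    """Findings for anything granting standing write access or unbounded/unauthenticated JIT."""
    findings = []
    for a in props.get("authorizations", []):
        if a["roleDefinitionId"] != SENTINEL_READER:
            findings.append(f"standing non-reader role for {a['principalIdDisplayName']}")
    for e in props.get("eligibleAuthorizations", []):
        jit = e.get("justInTimeAccessPolicy", {})
        if jit.get("multiFactorAuthProvider") != "Azure":
            findings.append(f"JIT activation without MFA for {e['principalIdDisplayName']}")
        m = re.fullmatch(r"PT(\d+)([HM])", jit.get("maximumActivationDuration", ""))
        minutes = int(m.group(1)) * (60 if m.group(2) == "H" else 1) if m else None
        if minutes is None or minutes > 480:
            findings.append(f"activation window missing or over 8h for {e['principalIdDisplayName']}")
    return findings
```

The returned object is what goes under `properties` of the registration definition in the Lighthouse ARM template; running `policy_violations` on it before deployment catches a read/write group that was accidentally made a standing authorization.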