
Bringing data in from other tenants (e.g. O365)


I'm experimenting with connecting data sources into my Sentinel environment. I'm trying to natively connect an O365 (E3) source that I have provisioned through Partner Network licensing. It's under a different tenant and isn't visible under the Sentinel O365 connector config page. I believe that the connector has changed since last year with regard to multi-tenant native connections*. I also have a similar issue with MS Defender ATP trial as a source.

What other solutions have people used for that scenario (multi-tenant Sentinel inputs for MS products)? Webjobs, EventHubs, LogicApps etc or is there a simple option I've missed?

I'm having some good success with other sources and have plans for other, non-native, connectors... (e.g. syslog from my non-Windows OSs and Cisco kit etc).



* 'Azure Sentinel now enables Office 365 single-tenant connection'

4 Replies

@Roblo1 Unless you absolutely need to have all the data in one place I would suggest having another Azure Sentinel instance in the other tenant and using Lighthouse to manage both your Azure Sentinel instances.

Thanks @Gary Bushey. I've been thinking about that as an option too, although wanted to see if it's possible to bring it to my current environment - ideally with a native connector, rather than doing something else to pull it from an API and get it into Sentinel/LA. I'll do some further research on the method you've mentioned combining two instances.

Update for completeness: 

added a presentation on this on the 23rd June, which was useful.