Multiple Subscriptions in Sentinel


Hello all,


Can I set up a central Azure Sentinel to monitor multiple subscriptions?


Or is one Azure Sentinel recommended per subscription?



14 Replies



At this time it's one Azure Sentinel Workspace per Tenant, Azure Sentinel works across subscriptions. Microsoft is in the process of looking into MSP (Managed Service Provider ) solutions but nothing has been publicly released at this time. Please feel free to reach out if you have any more questions.

@Chris Boehm  Does it work across multiple subscriptions? Maybe I don't understand what you mean by that but I would like to bring in MCAS data from multiple tenants and that doesn't seem to be possible.

@Andrea Fisher 

We don't have multi-tenant support at this point. If all subs are on the same tenant, than it should work.

@Chris Boehm is there any beta program an MSP could take part in to assist in trialing features :) Any idea of when something public may be released? For now if we set up a Azure tenant for the customer will there be a migration tool to bring into multi-tenant when that option is available?



@Jarrod Winsor 


We'll most likely make the announcement within this communities page for the preview functionality, you're already looking in the best location at this time :)


I don't have an answer at this time on the migration path if it'll just be a connection between workspaces with the key or if it'll be a different interface to integrate them. I'm sure we'll announce the details whenever they've been established.


Great question!



@Chris Boehm is there any further update on multi tenant support for Sentinel?

@Rob Ellis 


Development is already in process; if you haven't looked into it we're using Azure Lighthouse for the MSSP solution: 

@Chris Boehm thanks - I saw Lighthouse mentioned recently - I did wonder if it was related, so good to know.

Could you elaborate on "across subscription"?
Azure Sentinel is using Log Analytics within one tenant with one to multiple subscriptions. If you have multiple subscriptions they can interact with each other with RBAC permissions of data when pulling into a sentinel workspace. If you're wanting to know how to do “cross-tenant” data monitoring you’re required to use the MSSP solution “Azure Lighthouse” with Azure Sentinel.

Is there a specific question to subscriptions that’s not clear in our documentation that we can improve upon?

@Chris BoehmIs there an aggregation capability to provide a "single pane of glass" for all CSP tenants? From the documentation, it appears that the CSP can gain delegated access to each individual tenant for Log Analytics and ASC.  This article mentions "cross-tenant visibility" for ASC, but does not show what the user experience is like. It would be nice to see a screen-shot showing multiple subscriptions from multiple Azure AD tenants in a centralized view in Sentinel and ASC.



We recently announced a central incident management screen which is in private preview. You can read more about working with multiple workspaces, optionally across tenants, in our archtecture webinar (MP4YouTube) and the (updated) presentation. You may also want to register for the MSSP and distributed organization webinar on April 20th here.

@Ofer, I know this thread is almost a year old but I have a similar situation with multiple subscriptions but would like to use a single workspace for Sentinel. I know lighthouse is required for multi tenant but my situation is just a single tenant with multiple subscriptions and would like to use one workspace. How do I go about having this work?