Jul 16 2020 11:28 PM
Hello,
I am troubleshooting Sentinel access issues on the Azure portal - I can access the Log Analytics workspace but not the Sentinel workspace.
So far the setup is such:
The selection for "Azure Sentinel Workspaces" (https://portal.azure.com/#blade/Microsoft_Azure_Security_Insights/WorkspaceSelectorBlade) is empty.
But Log Analytics workspace which belongs to the dedicated resource group "RG_Sentinel" and is associated with sentinel is readily visible and I can use it as you'd expect.
I've checked that Sentinel Workspace belongs to the Sub1 group and the user I'm testing belongs to "Sentinel Users". The user is an external user.
Jul 17 2020 04:06 AM
@truekonrads I am not sure about why you don't see the workspace but I have a question as to why you are using an external user like that rather than using Lighthouse? If I were to hazard a guess I would think there is something about the user being external that is causing issues.
Jul 18 2020 02:45 AM
@Gary Bushey good call on Lighthouse, we'll look to transition to this. That said, the person who was adding permissions and had Sub Owner permissions also was an external user.
Jul 18 2020 03:42 AM
@truekonrads However, Lighthouse isn't the solution in principle I think, because while Sentinel can collect most data, some things in the Microsoft security suite don't blend into Lighthouse - such as Win Def ATP, Azure ATA and others. If you have Sentinel and WD ATP, you still need a login on the customer tenant.
Jul 25 2020 09:24 PM
Nov 17 2022 11:31 AM
@truekonrads what did you end up doing?