Unable to connect Azure Devops Repo to customer Sentinel


Hello all!  I'm trying to set up the new Microsoft Sentinel Repos in an MSSP environment.  I have a DevOps repo in my tenant, and Lighthouse access to a test 'customer' tenant.  I've tried all of the following, and am stuck:

 

- First I tried signing in to MSSP tenant, using Lighthouse, open the customer Sentinel; open Repos and try to make the connection.  I can see my Devops org, project, and repo.  However, when I hit Create, I get an error saying my account doesn't have roleAssignment/write action over the (remote) Sentinel tenant.  My understanding is this is because I need Owner rights to the customer tenant/Resource Group/ with Sentinel (which I can't do with Lighthouse).

 

- Second, I tried signing in as an owner in the customer tenant and making the connection.  When I click 'Authorize' it doesn't allow me to input alternate credentials, it just uses the current account.  I then can't see the MSSP tenant's DevOps org.  I tried using the option to manually enter the repo URL; I click Connect and get this error: "Error while performing Azure DevOps repository fetch. Details: [TF400813: The user [redacted tenant admin] is not authorized to access this resource". I did make sure to use the correct URL format (as noted by @Larssen92 here).

 

- Finally, I retried the first method above, but first added my MSSP account as a guest in the customer account, and gave it Owner rights on the Resource Group that Sentinel is in.  But that gave the same error as before.

 

I think I've read through all of the documentation but can't figure out what I'm doing wrong.  Any help is greatly appreciated!

10 Replies

I think I figured it out. Here's what I did that worked (basically the first and third options above with a few extra steps).

1. In the customer tenant:
    a. Add my MSSP account as a guest in the customer tenant
    b. Grant 'Owner' rights to the new guest account on the resource group containing Sentinel
2. Accept the invite email sent to my MSSP account
3. In the MSSP Tenant
    a. Sign in to MSSP tenant with Lighthouse access to the customer tenant
    b. Switch Directories and select the customer tenant directory
    c. Navigate to Sentinel, then add the repo (using the repo URL)

 

That worked!!

 

Would love to see the option to enter alternate credentials on the Authorize button.  Is that possible?


 

Thanks for posting this. I came across the same issue but unfortunately couldn't get around it by Switching tenancies as per your reply. I ended up using GitHub which appears to work.

Hi @gsk256 @tomsolari_kmt

To solve your Lighthouse woes :)

Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. Role definition ID: 8e3af657-a8ff-443c-a75c-2fe8c4bcb635

Hey @bradleyfell
Are you saying I can grant Owner rights via RBAC? I didn't see that option in the template builder for Lighthouse. Do I need to scope the role to a Resource Group instead of a subscription?

Correct, it should look something like this:

{
  "principalId": "",
  "roleDefinitionId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "principalIdDisplayName": "[Your Naming Convention]"
},


Update: Owner role is not supported with Lighthouse.

Update:
Just tried to test this for myself, I was largely mistaken -

That stinks...

Bump, anyone have a solution?
Microsoft working on this?
Workaround for now is to use GitHub.

@bradleyfell, we're trying to connect a GitHub repo to a Sentinel instance from an MSSP subscription into an onboarded 'customer' subscription, but coming across the same permission problem. Is there a specific permission we need to delegate in order to make this work, without having to go through the b2b invite/owner role assignment at the rg level? Any clues greatly appreciated.

You need to do it from an account inside the customer tenant with the proper permissions.
During onboarding it's best to have a specific account with the required permissions for the entire duration of onboarding just to avoid any headaches, and have a smooth deployment.

Currently, Sentinel Repository supports ADO multi-tenancy configuration through a guest account.

 

These are the instructions for setting up Tenant B Sentinel to import content from Tenant A ADO.

 

Steps:

1. ADO preparation: make sure there is a user account
    a. userA@TenantA can be used in Tenant A. userA should have project admin permission on ADO.
    b. Get the repo link and branch name ready; they will be used later to set up the connection.  Repo: https://dev.azure.com/sentinel-eco-devs/Sentinel-ContentAsCode/_git/sentinel-content-2    Branch: main
    c. Go to https://dev.azure.com and make sure you are signed out of all the vsms instances.
2. Create the guest account and grant the permissions: log into Tenant B using Tenant B admin credentials
    a. Invite userA@TenantA as a guest account.
    b. Go to the resource group where the Sentinel instance is hosted and grant userA@TenantA the Owner and Sentinel Contributor permissions on the resource group.
3. Set up the repo connection:
    a. Open a private browser session.
    b. Log in to https://portal.azure.com using the userA@TenantA credentials. Make sure to switch the directory to Tenant B.
    c. Go to the Sentinel instance of Tenant B, go to the Repositories blade and set up the connection.
    d. When the authorize window pops up, make sure to enter the userA@TenantA credentials and authorize the Sentinel app as guided.
    e. Click the "Click here" hyperlink and enter the repository URL and branch name from step
    f. You should be able to create the connection.
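Step 2 of the procedure above (invite the Tenant A user as a guest and grant it Owner plus Microsoft Sentinel Contributor on the resource group hosting Sentinel) can be scripted instead of clicked through. The block below is an added example written for this thread; it is not code from the original post or from Microsoft. It assumes the Microsoft.Graph and Az PowerShell modules are installed, that the caller is a Tenant B administrator, and uses placeholder values for the tenant ID, the guest UPN and the resource group name.

```powershell
# Added example: automate the guest invitation and RG-scoped role grants from step 2.
# Placeholder values (assumptions, not values from the thread):
$tenantB       = "00000000-0000-0000-0000-000000000000"   # Tenant B (customer) tenant ID
$guestUpn      = "userA@tenantA.onmicrosoft.com"          # ADO project admin living in Tenant A
$resourceGroup = "rg-sentinel"                            # resource group hosting the Sentinel workspace

# 1. Invite userA@TenantA as a B2B guest in Tenant B (requires the User.Invite.All scope).
Connect-MgGraph -TenantId $tenantB -Scopes "User.Invite.All"
$invite = New-MgInvitation -InvitedUserEmailAddress $guestUpn `
                           -InviteRedirectUrl "https://portal.azure.com" `
                           -SendInvitationMessage
$guestObjectId = $invite.InvitedUser.Id     # object ID of the new guest user in Tenant B

# 2. Grant Owner and Microsoft Sentinel Contributor, scoped to the resource group only.
#    Owner is what supplies Microsoft.Authorization/roleAssignments/write, the action
#    the repo connection failed on in the first post; keep it at RG scope, not subscription.
Connect-AzAccount -Tenant $tenantB
foreach ($role in @("Owner", "Microsoft Sentinel Contributor")) {
    New-AzRoleAssignment -ObjectId $guestObjectId `
                         -RoleDefinitionName $role `
                         -ResourceGroupName $resourceGroup
}

# 3. Verify both assignments are present for the guest at resource group scope.
Get-AzRoleAssignment -ObjectId $guestObjectId -ResourceGroupName $resourceGroup |
    Select-Object RoleDefinitionName, Scope
```

The guest must still accept the invitation email (step 2 of the earlier working recipe) before signing into Tenant B, and a freshly created guest object can take a short while to replicate; if New-AzRoleAssignment reports that the principal does not exist, wait briefly and rerun the loop. After the repository connection is established, review whether the guest still needs Owner on the resource group or whether Microsoft Sentinel Contributor alone covers the ongoing content deployments.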