Jan 26 2022 02:09 PM
Hello all! I'm trying to set up the new Microsoft Sentinel Repos in an MSSP environment. I have a DevOps repo in my tenant, and Lighthouse access to a test 'customer' tenant. I've tried all of the following, and am stuck:
- First I tried signing in to the MSSP tenant, using Lighthouse, opening the customer Sentinel, then opening Repos and trying to make the connection. I can see my DevOps org, project, and repo. However, when I hit Create, I get an error saying my account doesn't have the roleAssignment/write action over the (remote) Sentinel tenant. My understanding is this is because I need Owner rights to the customer tenant/Resource Group with Sentinel (which I can't do with Lighthouse).
- Second, I tried signing in as an owner in the customer tenant and making the connection. When I click 'Authorize' it doesn't allow me to input alternate credentials; it just uses the current account. I then can't see the MSSP tenant's DevOps org. I tried using the option to manually enter the repo URL; I click Connect and get this error: "Error while performing Azure DevOps repository fetch. Details: [TF400813: The user [redacted tenant admin] is not authorized to access this resource]". I did make sure to use the correct URL format (as noted by @Larssen92 here).
- Finally, I retried the first method above, but first added my MSSP account as a guest in the customer account, and gave it Owner rights on the Resource Group that Sentinel is in. But that gave the same error as before.
I think I've read through all of the documentation but can't figure out what I'm doing wrong. Any help is greatly appreciated!
Jan 26 2022 02:27 PM
I think I figured it out. Here's what I did that worked (basically the first and third options above with a few extra steps):
1. In the customer tenant:
a. Add my MSSP account as a guest in the customer tenant
b. Grant 'Owner' rights to the new guest account on the resource group containing Sentinel
2. Accept the invite email sent to my MSSP account
3. In the MSSP tenant:
a. Sign in to MSSP tenant with Lighthouse access to the customer tenant
b. Switch Directories and select the customer tenant directory
c. Navigate to Sentinel, then add the repo (using the repo URL)
That worked!!
Would love to see the option to enter alternate credentials on the Authorize button. Is that possible?
Jan 26 2022 11:22 PM
Jan 29 2022 04:59 PM - edited Jan 29 2022 05:00 PM
Hi @gsk256, @tomsolari_kmt
To solve your Lighthouse woes :)
Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. Role definition ID: 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
Jan 31 2022 06:02 AM
Jan 31 2022 09:30 AM - edited Feb 01 2022 04:27 AM
Correct, it should look something like this:
{
"principalId": "",
"roleDefinitionId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
"principalIdDisplayName": "[Your Naming Convention]"
},
Update: Owner role is not supported with Lighthouse
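As an added example (not code from any poster in this thread), a small check over a Lighthouse `authorizations` array of the shape shown above. It flags entries whose principalId is still empty and entries that request the Owner role, which the update above says Lighthouse does not support; the sample input and the second role ID are constructed placeholders.

```python
import json
import re
from typing import Dict, List

# Owner role definition ID as quoted in the thread; a Lighthouse delegation cannot use it.
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def check_authorizations(authorizations: List[Dict[str, str]]) -> List[str]:
    """Return findings for a Lighthouse 'authorizations' array.

    An empty list means no entry is known to block onboarding for one of
    the reasons discussed in the thread (empty principal, Owner role).
    """
    findings: List[str] = []
    for i, auth in enumerate(authorizations):
        name = auth.get("principalIdDisplayName") or f"entry {i}"
        principal = auth.get("principalId", "")
        role = auth.get("roleDefinitionId", "")
        if not GUID_RE.match(principal):
            findings.append(f"{name}: principalId is missing or not a GUID")
        if not GUID_RE.match(role):
            findings.append(f"{name}: roleDefinitionId is missing or not a GUID")
        elif role.lower() == OWNER_ROLE_ID:
            findings.append(f"{name}: Owner role is not supported by Lighthouse delegation")
    return findings


# Constructed sample: the first entry mirrors the fragment in the thread (empty
# principalId, Owner role); the second uses placeholder GUIDs, not real IDs.
SAMPLE = json.loads("""[
  {"principalId": "", "roleDefinitionId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
   "principalIdDisplayName": "[Your Naming Convention]"},
  {"principalId": "11111111-2222-3333-4444-555555555555",
   "roleDefinitionId": "00000000-0000-0000-0000-000000000001",
   "principalIdDisplayName": "MSSP Sentinel group (placeholder)"}
]""")

if __name__ == "__main__":
    for finding in check_authorizations(SAMPLE):
        print(finding)
```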
Feb 01 2022 04:26 AM
Feb 06 2022 12:01 PM
Feb 22 2022 10:13 PM - edited Feb 22 2022 10:14 PM
@bradleyfell, we're trying to connect a GitHub repo to a Sentinel instance from an MSSP subscription into an onboarded 'customer' subscription, but coming across the same permission problem. Is there a specific permission we need to delegate in order to make this work, without having to go through the b2b invite/owner role assignment at the rg level? Any clues greatly appreciated.
Aug 05 2022 06:09 AM
Jun 15 2023 12:40 PM
Currently, Sentinel Repository supports ADO multi-tenancy configuration through a guest account.
These are the instructions on how to set up Tenant B Sentinel to import content from Tenant A ADO.
Steps: