Microsoft Sentinel – Using Azure Lighthouse

Last Updated: 03/12/2024

Lighthouse is a very useful feature within Azure. It allows businesses such as MSPs/MSSPs to manage customers' Azure subscriptions and resources. Whilst aimed at MSPs, Lighthouse can also be deployed internally by customers to help manage multiple tenants of their own.

In the context of Microsoft Sentinel, Lighthouse allows us to centrally view security incidents across multiple Sentinel instances that sit in different tenants. Depending on configuration, you can also combine Sentinel Workspace Manager with Lighthouse to deploy content out to connected instances.

Configuring Azure Lighthouse

There are two methods of onboarding tenants into Azure Lighthouse. This post focuses on the manual ARM template method. The other option is to create an Azure Marketplace offering, but that is aimed more at MSPs/MSSPs than at businesses wanting to centralise Sentinel.

Throughout the guide, I will use the following terminology:

  • Parent Tenant – This is the tenant that will do the actual managing. For example: an MSSP, or your primary Entra ID Tenant.
  • Child Tenant – This is the tenant that will be managed. For example: a customer, or an additional Entra ID Tenant.

Parent Tenant Configuration

Create the ARM Template for Azure Lighthouse

On the Parent Tenant, log into the Azure Portal and navigate to “My Customers”.

Azure Portal My Customers

Under “Get Started”, select “Create ARM Template”.

Lighthouse ARM Template

You will now be taken to the ARM Template wizard. Give your ARM template a name; this is what will show up within the Child Tenant later. Click on “Add Authorisation” to be taken to another screen.

Azure Lighthouse Create ARM Template

Populate the user or group in the Parent Tenant that you want to grant authorisation to (i.e. the users in the Parent Tenant who will be doing the managing of the Child Tenant). Then select the role you require from the Child Tenant.

For Microsoft Sentinel, I am granting the ‘Reader’ and the ‘Microsoft Sentinel Contributor’ roles. You will need to do separate authorisations for each role.

Note: Microsoft 365 Groups are not supported. Use Security Groups.

Note: Ensure no user has the “Owner” role assigned for any subscription.

Note: It’s recommended to also include the “Managed Services Registration Assignment Delete Role”; this allows the parent to remove the delegation itself if needed. This is more relevant for MSPs/MSSPs.

Azure Lighthouse ARM Template

Once you have added your authorisations, click on “View Template”, then Download.

This file is what you will upload to the child tenant.

To explain this further: what we are effectively doing is defining which users in the parent tenant will hold which roles in the child tenant. This produces a template, which the child tenant applies in order to assign us those permissions.
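As an added example (not the post's own template), the delegation described above expressed as the ARM JSON the wizard generates, built in Python so that the three notes above (no Owner, separate authorisation per role, include the delete role) can be checked before upload. The role definition IDs are Azure's built-in ones; the tenant and principal GUIDs used in testing are constructed placeholders.

```python
# Added example (not the post's template): build an Azure Lighthouse delegation
# template and check it for the pitfalls the post notes. GUIDs in tests are constructed.
# Built-in Azure role definition IDs for the roles discussed. Verify in your own
# tenant with: az role definition list --name "<role name>" --query [].name
ROLES = {
    "Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "Microsoft Sentinel Contributor": "ab8e14d6-4a74-4a29-9ba8-549422addade",
    "Managed Services Registration assignment Delete Role": "91c1777a-f3dc-4fae-b103-61d183457e46",
    "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
}
DEF_TYPE = "Microsoft.ManagedServices/registrationDefinitions"

def build_template(offer_name, parent_tenant_id, authorizations):
    """Subscription-scope ARM template Lighthouse expects. authorizations holds
    (principal object id, display name, role name) tuples, one tuple per role,
    each principal being a user or security group in the parent tenant."""
    auths = [{"principalId": pid, "principalIdDisplayName": name,
              "roleDefinitionId": ROLES[role]} for pid, name, role in authorizations]
    reg_id = "[resourceId('%s', guid('%s'))]" % (DEF_TYPE, offer_name)
    return {
        "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [
            {"type": DEF_TYPE, "apiVersion": "2019-06-01",
             "name": "[guid('%s')]" % offer_name,
             "properties": {"registrationDefinitionName": offer_name,
                            "managedByTenantId": parent_tenant_id,
                            "authorizations": auths}},
            {"type": "Microsoft.ManagedServices/registrationAssignments",
             "apiVersion": "2019-06-01",
             "name": "[guid('%s')]" % offer_name,
             "dependsOn": [reg_id],
             "properties": {"registrationDefinitionId": reg_id}},
        ],
    }

def check_template(template):
    """Return findings: an Owner delegation (not permitted) or a missing delete
    role (parent could not remove the delegation itself). Empty list means OK."""
    findings = []
    for res in template["resources"]:
        if res["type"] != DEF_TYPE:
            continue
        role_ids = {a["roleDefinitionId"] for a in res["properties"]["authorizations"]}
        if ROLES["Owner"] in role_ids:
            findings.append("Owner role is delegated; remove this authorisation")
        if ROLES["Managed Services Registration assignment Delete Role"] not in role_ids:
            findings.append("no Registration Assignment Delete Role; parent cannot remove delegation")
    return findings
```

Write `json.dumps(build_template(...), indent=2)` to a file and that file is what gets uploaded via “Add via template” in the child tenant.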

Child Tenant Configuration

Ensure Resource Providers are Registered against the Subscription(s)

  1. Select Subscriptions from the Azure portal, and then select a relevant subscription from the menu.
  2. From the navigation menu on the subscription screen, under Settings, select Resource providers.
  3. From the subscription name | Resource providers screen, search for and select Microsoft.OperationalInsights and Microsoft.SecurityInsights, and check the Status column. If the provider’s status is NotRegistered, select Register.

Azure Resource Providers Subscription

Load the ARM template into the child tenant

In the child tenant, navigate to “Service Providers”.

Azure Service Providers Lighthouse

Under “Service provider offers”, select “Add Offer”, then “Add via template”.

Azure Service Providers Lighthouse add offer

A separate dialog window will appear on the right where you can drag and drop the ARM template. This is the ARM template created and downloaded from the parent tenant.

Leave “I have a separate parameter file” unchecked and upload.

Azure Service Providers Lighthouse ARM Template

On the next screen, select the Subscription and the Region.

Click on “Review + Create”.

Azure Lighthouse deployment ARM template

This will then deploy the ARM template, which effectively grants access to the parent tenant. The template simply states what permissions are needed and who to grant them to.

On the parent tenant, check the Delegations in ‘My Customers’ to validate the configuration has occurred.

Azure My Customers Delegations

Note: There can be a time delay before the parent tenant sees the customer appear in ‘My Customers’. A hard refresh, or logging out and back in, is recommended.

Once you see the delegations, the configuration is complete. You will now be able to manage all child tenants via the parent tenant Azure portal.

Management via Azure Lighthouse

Adjust the Azure Global Filter

On the parent tenant, within the Azure Portal, select the Settings Wheel on the top left to configure which directory & subscription you want to manage.

Adjust your filter to include the new directory (the child tenant). This will allow you to view, access and configure resources in the Azure tenant, based on what you have permissions to.

Publishing Content via Microsoft Sentinel Workspace Manager

You can use a function in Microsoft Sentinel called ‘Workspace Manager’ to publish content to other Sentinel instances. Those Sentinel instances can include any managed with Lighthouse. This gives us the ability to deploy Sentinel content from one tenant to another.

On the parent tenant Sentinel instance, you will need to enable Workspace manager.

Navigate to your Sentinel instance, then Settings, followed by Settings again. Scroll down to find the Workspace manager configuration options.

Enable the workspace as a central workspace.

Next, navigate to Workspace manager from the main blade.

Azure Microsoft Sentinel Workspace Manager

You will then need to create a group and add your Sentinel instances.

Note: Only groups can publish content, so at least one group is required for this.

When creating the group, specify the workspaces you want as part of the group. Then you can select the content you want to publish out.

Azure Microsoft Sentinel Workspace Manager Publish Content

You can then save and publish this content to the selected Sentinel workspaces.

This method allows you to create and maintain all the objects in the central Sentinel instance and publish these down centrally.

Note: The groups located in Workspace Manager are only used for the publishing of content. These groups cannot be used for grouping Sentinel instances to view alerts & incidents. Therefore, group creation should be defined around the content you wish to push down to managed instances.

Centralised Visibility of Incidents across Tenants

On the parent tenant’s Azure Portal, navigate to the Sentinel service page. You should see a list of all the Sentinel instances you have access to, including those managed via Lighthouse.

Select the instances that you want to see incidents for and click ‘View Incidents’.

Microsoft Azure Sentinel view all incidents

This will provide a consolidated view of all incidents across the selected workspaces.

Microsoft Azure Sentinel Incidents Lighthouse

As you can see from the above, I now have a consolidated view of all incidents across workspaces in different tenants. Selecting any of these will jump into that Sentinel instance.

This is crucial for getting a central view of incidents across your environment, or, if you are an MSSP, a great way of monitoring threats for your customers.

Wrap Up

Hopefully this guide has helped in understanding how to set up Azure Lighthouse and what the benefits are when using it for Sentinel. Both customers and MSPs/MSSPs can take advantage of this functionality and use it for more complex Microsoft Sentinel designs. Check out my previous post that looks at different tips for planning a Microsoft Sentinel deployment.
