How would a SaaS vendor integrate their service with Azure Sentinel, i.e. where the customer doesn't run/host any component of it?
Initially, I thought that they would be able to use the Azure Monitor HTTP Data Collector API, but now I'm not so sure this would be appropriate. I believe the documentation (e.g. https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/ReadMe.md#rest-api-connectors) assumes the customer is hosting the application/device. If the SaaS vendor makes the API calls on behalf of the customer, then they would require the primary or secondary key for the customer's Sentinel workspace. This doesn't seem like a good idea, as it could give the SaaS vendor access to other data.
What is the best approach for integration in this case? Is it to create a connector which Microsoft hosts? To suggest the customer has a workspace dedicated to data for the service? Is there something similar to AWS IAM which I've missed? (Shared access signature tokens seem close, but it doesn't look like they can be used with Sentinel.)
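The request signing used by the HTTP Data Collector API mentioned in the question, as an added example that is not part of the original post: it builds (without sending) one ingestion request, showing that the workspace shared key is the only credential involved and that the signed string does not cover the `Log-Type` table name. The workspace ID, key, table names and the `build_request` helper are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from email.utils import formatdate

# Constructed sample values; not a real workspace ID or key.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"constructed-sample-workspace-key").decode()


def string_to_sign(body: bytes, rfc1123_date: str) -> str:
    """Canonical string the Data Collector API expects to be signed."""
    return "\n".join([
        "POST",
        str(len(body)),
        "application/json",
        f"x-ms-date:{rfc1123_date}",
        "/api/logs",
    ])


def build_request(workspace_id, shared_key, log_type, records, rfc1123_date=None):
    """Return (url, headers, body) for one ingestion POST; nothing is sent."""
    rfc1123_date = rfc1123_date or formatdate(usegmt=True)
    body = json.dumps(records).encode("utf-8")
    digest = hmac.new(
        base64.b64decode(shared_key),
        string_to_sign(body, rfc1123_date).encode("utf-8"),
        hashlib.sha256,
    ).digest()
    signature = base64.b64encode(digest).decode()
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"SharedKey {workspace_id}:{signature}",
        "Log-Type": log_type,  # custom table name; not part of the signed string
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body


if __name__ == "__main__":
    sample = [{"event": "login", "user": "alice"}]  # constructed record
    url, headers, _ = build_request(WORKSPACE_ID, SHARED_KEY, "VendorAudit", sample)
    print(url)
    print(headers["Authorization"])
```

Because the same key signs a request for any `Log-Type`, a key handed to a vendor is not limited to that vendor's table for ingestion.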