question

GarrettMiller-1284 avatar image
0 Votes"
GarrettMiller-1284 asked Monalla-MSFT commented

One user in org can see Customer relationship in Lighthouse, another can't?

Hi everyone,

My organization is an MSSP and has a customer relationship with another tenant. We've used an ARM Template to create a service offering for our customer to upload to their Azure subscription. Another user and I in our org were configured with the same exact access, but he's able to see it in our Lighthouse My Customers tab (https://portal.azure.com/#blade/Microsoft_Azure_CustomerHub/MyCustomersBladeV2/overview), and I'm not.

We both have the required "Reader" and other access. Do you know why this would be the case?

Thanks!

175565-screen-shot-2022-02-17-at-95234-pm.png


azure-lighthouse
screen-shot-2022-02-17-at-95234-pm.png (527.3 KiB)
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

4 Answers

Monalla-MSFT avatar image
0 Votes"
Monalla-MSFT answered GarrettMiller-1284 commented

@GarrettMiller-1284 - Welcome to Microsoft Q&A and thanks for reaching out.

Apologies for the inconvenience caused.

A user in the managing tenant should be able to see the customer information as long as the customer are granted the Reader role in when that customer was onboarded to Azure Lighthouse.

For more information on how you can view and manage delegations, please take a look at this document: view-manage-customers

If you are still facing the same issue, please let me know so we can work on raising a support ticket.

Hope this helps.


If the above response was helpful, please feel free to "Accept as Answer" and "Upvote" the same so it can be beneficial to the community.



· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

GarrettMiller-1284 avatar image GarrettMiller-1284 ·

Hi Monalla,

Unfortunately I do have the reader permission assigned, yet I'm still not able to see anything. Are you able to help?

Thank you,
-Garrett

0 Votes 0 ·
AndrewBlumhardt-1137 avatar image
0 Votes"
AndrewBlumhardt-1137 answered GarrettMiller-1284 commented

Do you have Reader at the tenant level? To the root subscription. You might also try global security reader. https://docs.microsoft.com/en-us/azure/defender-for-cloud/tenant-wide-permissions-management

· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

GarrettMiller-1284 avatar image GarrettMiller-1284 ·

I do, I have Reader, as well as Security Admin and Microsoft Sentinel Responder, which I believe should both be higher than Global Security Reader.

0 Votes 0 ·
AndrewBlumhardt-1137 avatar image
0 Votes"
AndrewBlumhardt-1137 answered GarrettMiller-1284 commented

I found another related article that mentions "Monitoring Reader"

https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/lighthouse-security-baseline#pa-1-protect-and-limit-highly-privileged-users

If not your best best is to open a support case.

· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

GarrettMiller-1284 avatar image GarrettMiller-1284 ·

Yep, we did - and they were able to get us to a resolution. I'll provide details below.

0 Votes 0 ·
GarrettMiller-1284 avatar image
0 Votes"
GarrettMiller-1284 answered Monalla-MSFT commented

So the problem here was found by Microsoft Support, and was twofold:

First, I had to go into the "Directories + subscriptions" area in our Azure subscription, and indeed our client was visible was not checked. Checking this made the customer visible in the "My Customers" view, but we were not yet able to see client data.

177327-image.png

Second - Eventually we had to "re-register" the Resource Providers Microsoft.SecurityInsights, Microsoft.OperationalInsights and Microsoft.Insights in both the client tenant and our tenant. After doing this, we were able to see client data flowing in.

177364-image.png

Thanks all for the help!


image.png (31.7 KiB)
image.png (37.1 KiB)
· 5
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Monalla-MSFT avatar image Monalla-MSFT ·

@GarrettMiller-1284 - Glad the issue was resolved for you. Please reach out back to us if you have any questions.

Do you mind accepting the above answer that you answered for the benefit of community?

0 Votes 0 ·
GarrettMiller-1284 avatar image GarrettMiller-1284 Monalla-MSFT ·

Hi Monalla, I think I did above - is there a way to mark it as an accepted answer?

0 Votes 0 ·
Monalla-MSFT avatar image Monalla-MSFT GarrettMiller-1284 ·

@GarrettMiller-1284 - Yes, you can click on Accept as Answer under the setting section right beside your answer that you have posted?

0 Votes 0 ·
Show more comments