Work with multiple tenants in Azure Sentinel

If you’re a managed security service provider (MSSP) using Azure Lighthouse to manage your customers’ security operations centers (SOCs), you can manage your customers’ Azure Sentinel resources from your own Azure tenant, without connecting directly to each customer’s tenant.

Prerequisites

  • Onboard Azure Lighthouse
  • Your tenant must be registered to the Azure Sentinel resource provider on at least one subscription. If Azure Sentinel is already registered in your tenant, you are ready to get started. If not, in the Azure portal, select Subscriptions, then Resource providers, search for Microsoft.SecurityInsights, and select Register.

How to access Azure Sentinel from other tenants

  1. Under Directory + subscription, select the delegated directories, and the subscriptions where your customer’s Azure Sentinel workspaces are located.


  2. Open Azure Sentinel. You will see all the workspaces in the selected subscriptions, and you’ll be able to work with them seamlessly, like any workspace in your own tenant.
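The prerequisite check and the delegated-subscription selection described above can also be verified from the Azure CLI. The script below is an added example, not part of the original article. It assumes you are signed in to the MSSP tenant with `az login`, that the provider namespace as the CLI takes it is `Microsoft.SecurityInsights`, and that delegated subscriptions are the ones whose `homeTenantId` differs from `tenantId` in `az account list` output.

```shell
#!/bin/sh
# Added example: pre-flight check before opening customer workspaces from the MSSP tenant.
NS="Microsoft.SecurityInsights"   # Azure Sentinel resource provider namespace

# Subscriptions that belong to the signed-in tenant itself.
own_subscriptions() {
  az account list --query "[?homeTenantId == tenantId].id" -o tsv
}

# Subscriptions delegated through Azure Lighthouse (assumption: their home
# tenant differs from the tenant you signed in to).
delegated_subscriptions() {
  az account list --query "[?homeTenantId != tenantId].[id, homeTenantId, name]" -o tsv
}

# Prints the first own subscription where the provider is Registered.
# Returns 1 when no subscription in the tenant has it registered.
registered_subscription() {
  for sub in $(own_subscriptions); do
    state=$(az provider show --namespace "$NS" --subscription "$sub" \
              --query registrationState -o tsv)
    if [ "$state" = "Registered" ]; then
      echo "$sub"
      return 0
    fi
  done
  return 1
}

main() {
  if sub=$(registered_subscription); then
    echo "OK: $NS is registered on subscription $sub"
  else
    echo "MISSING: run 'az provider register --namespace $NS --subscription <id>'"
    return 1
  fi
  echo "Delegated subscriptions (id, customer tenant, name):"
  delegated_subscriptions
}

# Run only when asked, so the functions can be sourced without Azure access.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `--run`. An empty delegated list means no customer subscription is visible to the account you signed in with.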

Note

You cannot deploy connectors in Azure Sentinel from within a managed workspace. To deploy a connector, you must sign in directly to the tenant on which you want to deploy the connector and authenticate there with the required permissions.

Next steps

In this document, you learned how to manage multiple Azure Sentinel tenants seamlessly. To learn more about Azure Sentinel, see the following articles: