Manage Microsoft Sentinel workspaces at scale

Azure Lighthouse allows service providers to perform operations at scale across several Microsoft Entra tenants at once, making management tasks more efficient.

Microsoft Sentinel delivers security analytics and threat intelligence, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. With Azure Lighthouse, you can manage multiple Microsoft Sentinel workspaces across tenants at scale. This enables scenarios such as running queries across multiple workspaces, or creating workbooks to visualize and monitor data from your connected data sources to gain insights. IP such as queries and playbooks remain in your managing tenant, but can be used to perform security management in the customer tenants.

This topic provides an overview of how Azure Lighthouse lets you use Microsoft Sentinel in a scalable way for cross-tenant visibility and managed security services.

Tip

Though we refer to service providers and customers in this topic, this guidance also applies to enterprises using Azure Lighthouse to manage multiple tenants.

Note

You can manage delegated resources that are located in different regions. However, you can't delegate resources across a national cloud and the Azure public cloud, or across two separate national clouds.

Architectural considerations

For a managed security service provider (MSSP) who wants to build a Security-as-a-Service offering using Microsoft Sentinel, a single security operations center (SOC) may be needed to centrally monitor, manage, and configure multiple Microsoft Sentinel workspaces deployed within individual customer tenants. Similarly, enterprises with multiple Microsoft Entra tenants may want to centrally manage multiple Microsoft Sentinel workspaces deployed across their tenants.

This model of centralized management has the following advantages:

  • Ownership of data remains with each managed tenant.
  • Supports requirements to store data within geographical boundaries.
  • Ensures data isolation, since data for multiple customers isn't stored in the same workspace.
  • Prevents data exfiltration from the managed tenants, helping to ensure data compliance.
  • Related costs are charged to each managed tenant, rather than to the managing tenant.
  • Data from all data sources and data connectors that are integrated with Microsoft Sentinel (such as Microsoft Entra Activity Logs, Office 365 logs, or Microsoft Threat Protection alerts) remains within each customer tenant.
  • Reduces network latency.
  • Easy to add or remove new subsidiaries or customers.
  • Able to use a multi-workspace view when working through Azure Lighthouse.
  • To protect your intellectual property, you can use playbooks and workbooks to work across tenants without sharing code directly with customers. Only analytic and hunting rules will need to be saved directly in each customer's tenant.

Important

If workspaces are only created in customer tenants, the Microsoft.SecurityInsights and Microsoft.OperationalInsights resource providers must also be registered on a subscription in the managing tenant.

An alternate deployment model is to create one Microsoft Sentinel workspace in the managing tenant. In this model, Azure Lighthouse enables log collection from data sources across managed tenants. However, there are some data sources that can't be connected across tenants, such as Microsoft Defender XDR. Because of this limitation, this model isn't suitable for many service provider scenarios.

Granular Azure role-based access control (Azure RBAC)

Each customer subscription that an MSSP will manage must be onboarded to Azure Lighthouse. This allows designated users in the managing tenant to access and perform management operations on Microsoft Sentinel workspaces deployed in customer tenants.

When creating your authorizations, you can assign Microsoft Sentinel built-in roles to users, groups, or service principals in your managing tenant. Common roles include:

You may also want to assign other built-in roles to perform additional functions. For information about specific roles that can be used with Microsoft Sentinel, see Roles and permissions in Microsoft Sentinel.

After you onboard your customers, designated users can log into your managing tenant and directly access the customer's Microsoft Sentinel workspace with the roles that were assigned.

View and manage incidents across workspaces

If you work with Microsoft Sentinel resources for multiple customers, you can view and manage incidents in multiple workspaces across different tenants at once. For more information, see Work with incidents in many workspaces at once and Extend Microsoft Sentinel across workspaces and tenants.

Note

Be sure that the users in your managing tenant have been assigned both read and write permissions on all of the managed workspaces. If a user only has read permissions on some workspaces, warning messages may appear when selecting incidents in those workspaces, and the user won't be able to modify those incidents or any others selected along with them (even if the user has write permissions for the others).

Configure playbooks for mitigation

Playbooks can be used for automatic mitigation when an alert is triggered. These playbooks can be run manually, or they can run automatically when specific alerts are triggered. The playbooks can be deployed either in the managing tenant or the customer tenant, with the response procedures configured based on which tenant's users should take action in response to a security threat.

Create cross-tenant workbooks

Azure Monitor workbooks in Microsoft Sentinel help you visualize and monitor data from your connected data sources to gain insights. You can use the built-in workbook templates in Microsoft Sentinel, or create custom workbooks for your scenarios.

You can deploy workbooks in your managing tenant and create at-scale dashboards to monitor and query data across customer tenants. For more information, see Cross-workspace workbooks.

You can also deploy workbooks directly in an individual managed tenant for scenarios specific to that customer.

Run Log Analytics and hunting queries across Microsoft Sentinel workspaces

Create and save Log Analytics queries for threat detection centrally in the managing tenant, including hunting queries. These queries can be run across all of your customers' Microsoft Sentinel workspaces by using the Union operator and the workspace() expression.

For more information, see Query multiple workspace.

Use automation for cross-workspace management

You can use automation to manage multiple Microsoft Sentinel workspaces and configure hunting queries, playbooks, and workbooks. For more information, see Manage multiple workspaces using automation.

Monitor security of Office 365 environments

Use Azure Lighthouse with Microsoft Sentinel to monitor the security of Office 365 environments across tenants. First, enable out-of-the-box Office 365 data connectors in the managed tenant. Information about user and admin activities in Exchange and SharePoint (including OneDrive) can then be ingested to a Microsoft Sentinel workspace within the managed tenant. This information includes details about actions such as file downloads, access requests sent, changes to group events, and mailbox operations, along with details about the users who performed those actions. Office 365 DLP alerts are also supported as part of the built-in Office 365 connector.

The Microsoft Defender for Cloud Apps connector lets you stream alerts and Cloud Discovery logs into Microsoft Sentinel. This connector offers visibility into cloud apps, provides sophisticated analytics to identify and combat cyberthreats, and helps you control how data travels. Activity logs for Defender for Cloud Apps can be consumed using the Common Event Format (CEF).

After setting up Office 365 data connectors, you can use cross-tenant Microsoft Sentinel capabilities such as viewing and analyzing the data in workbooks, using queries to create custom alerts, and configuring playbooks to respond to threats.

Protect intellectual property

When working with customers, you might want to protect intellectual property developed in Microsoft Sentinel, such as Microsoft Sentinel analytics rules, hunting queries, playbooks, and workbooks. There are different methods you can use to ensure that customers don't have complete access to the code used in these resources.

For more information, see Protecting MSSP intellectual property in Microsoft Sentinel.

Next steps