Monitor Sentinel environment.
We are entering into an arrangement with a vendor who is supposed to monitor our Sentinel environment for us. They wanted to use Azure Lighthouse to enable access to our tenant, but we want to do this in the least privileged way - we only want to give them what they need to get into Sentinel.
We received a JSON file and parameter file from them which appear to grant Sentinel Reader and Sentinel Contributor to two different groups in their environment. We ran the template and granted those permissions to those groups at the resource group where our Sentinel resources reside. They are stating that they can see the resources, but that they cannot "get into" Sentinel. I have asked repeatedly what this means and they do not provide enough detail to be useful. I am unfamiliar with the Lighthouse experience - I have never managed another tenant using it - so I do not know what they are expecting. What I would like to know is whether they should be able to access Sentinel in this scenario, or if additional permissions are required.