Prerequisites to deploy Microsoft Sentinel

Before deploying Microsoft Sentinel, make sure that your Azure tenant meets the requirements listed in this article. This article is part of the Deployment guide for Microsoft Sentinel.

Prerequisites

  • A Microsoft Entra ID license and tenant, or an individual account with a valid payment method, are required to access Azure and deploy resources.

  • An Azure subscription to track resource creation and billing.

  • Assign relevant permissions to your subscription. For new subscriptions, designate an owner/contributor.

    • To maintain least-privileged access, assign roles at the resource group level.
    • For more control over permissions and access, set up custom roles. For more information, see Role-based access control (RBAC).
    • For extra separation between users and security users, consider resource-context or table-level RBAC.

    For more information about other roles and permissions supported for Microsoft Sentinel, see Permissions in Microsoft Sentinel.

  • A Log Analytics workspace is required to house the data that Microsoft Sentinel ingests and analyzes for detections, analytics, and other features. For more information, see Microsoft Sentinel workspace architecture best practices.

  • The Log Analytics workspace must not have a resource lock applied, and the workspace pricing tier must be Pay-as-You-Go or a commitment tier. Log Analytics legacy pricing tiers and resource locks aren't supported when enabling Microsoft Sentinel. For more information about pricing tiers, see Simplified pricing tiers for Microsoft Sentinel.

  • To reduce complexity, we recommend a dedicated resource group for your Microsoft Sentinel workspace. This resource group should only contain the resources that Microsoft Sentinel uses, including the Log Analytics workspace, any playbooks, workbooks, and so on.

    A dedicated resource group allows for permissions to be assigned once, at the resource group level, with permissions automatically applied to dependent resources. With a dedicated resource group, access management of Microsoft Sentinel is efficient and less prone to improper permissions. Reducing permission complexity ensures users and service principals have the permissions required to complete actions and makes it easier to keep less privileged roles from accessing inappropriate resources.

    Implement extra resource groups to control access by tiers. Use the extra resource groups to house resources only accessible by groups with higher permissions. Use multiple tiers to separate access between resource groups even more granularly.
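
A pre-deployment check for three of the prerequisites above (supported pricing tier, no resource lock on the workspace, roles assigned at resource group level), as an added example that is not part of the original article or Microsoft's own code. It assumes the inputs are the JSON objects returned by az monitor log-analytics workspace show, az lock list, and az role assignment list; the sample data, resource names, and the mapping of tiers to SKU strings are constructed for illustration.

```python
import re

# SKU strings this example maps to Pay-as-You-Go and commitment tiers
# (an assumption of the example; the article names the tiers, not the strings).
SUPPORTED_SKUS = {"pergb2018", "capacityreservation"}
LOCK_SUFFIX = re.compile(r"/providers/Microsoft\.Authorization/locks/[^/]+$", re.I)
RG_SCOPE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+", re.I)

def preflight(workspace, locks, role_assignments):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    ws_id = workspace["id"].lower()
    sku = workspace.get("sku", {}).get("name", "")
    if sku.lower() not in SUPPORTED_SKUS:
        findings.append(f"pricing tier '{sku}' is not Pay-as-You-Go or a commitment tier")
    for lock in locks:
        # The locked scope is the lock id minus its own suffix. Locks on the
        # subscription or resource group are inherited by the workspace.
        scope = LOCK_SUFFIX.sub("", lock["id"]).lower()
        if ws_id == scope or ws_id.startswith(scope + "/"):
            findings.append(f"lock '{lock['name']}' ({lock['level']}) applies to the workspace")
    for ra in role_assignments:
        # Anything not at or below a resource group is broader than recommended.
        if not RG_SCOPE.match(ra["scope"]):
            findings.append(f"role '{ra['roleDefinitionName']}' for {ra['principalName']} "
                            f"is assigned above resource group level ({ra['scope']})")
    return findings

# Constructed sample input (placeholder subscription ID and resource names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-sentinel"
WS = RG + "/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"
SAMPLE_WORKSPACE = {"id": WS, "sku": {"name": "PerNode"}}
SAMPLE_LOCKS = [
    {"id": RG + "/providers/Microsoft.Authorization/locks/no-delete",
     "name": "no-delete", "level": "CanNotDelete"},
    {"id": SUB + "/resourceGroups/rg-other/providers/Microsoft.Authorization/locks/ro",
     "name": "ro", "level": "ReadOnly"},
]
SAMPLE_ROLES = [
    {"scope": SUB, "roleDefinitionName": "Microsoft Sentinel Contributor",
     "principalName": "analyst@example.com"},
    {"scope": RG, "roleDefinitionName": "Microsoft Sentinel Reader",
     "principalName": "viewer@example.com"},
]

if __name__ == "__main__":
    for finding in preflight(SAMPLE_WORKSPACE, SAMPLE_LOCKS, SAMPLE_ROLES):
        print("FAIL:", finding)
```

The lock check also catches locks set on the parent resource group or subscription, which the workspace inherits even though they do not appear on the workspace resource itself.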

Next steps

In this article, you reviewed the prerequisites that help you plan and prepare before deploying Microsoft Sentinel.