Sentinel SIEM

Phumlani Zwane 60 Reputation points
2026-05-26T12:54:48.11+00:00

How can I achieve multi-tenancy in Microsoft Sentinel without them having Sentinel that I can access via Lighthouse? Is there a different method?

If a client wants me to monitor only their third-party EDR and I already onboarded the same third party on my tenant, can I reuse that data connector? Or will I need to create a separate workspace for them? In terms of cost?

Microsoft Security | Microsoft Sentinel

Answer accepted by question author

Rukmini 41,725 Reputation points Microsoft External Staff Moderator
2026-05-26T13:08:14.5766667+00:00

Hello Phumlani Zwane

You can’t achieve true multi-tenant Microsoft Sentinel ingestion without separate workspaces.

  • Data connectors cannot be shared among tenants or clients since Sentinel is workspace-bound.
  • Microsoft Lighthouse does not offer shared ingestion; it only offers cross-tenant management.
  • You still require a distinct Log Analytics workspace for each client even if they refuse to provide Lighthouse access.
  • Each workspace must have a separate deployment of the same third-party EDR connector (it cannot spread out data to several tenants).

Cost impact: each workspace is billed separately based on ingestion and retention, so there is no shared-cost model for connectors.

Hence, best practice is:

1 customer = 1 workspace = 1 Sentinel instance (recommended MSSP model)

Let me know if you have any further queries; feel free to reach out!

Hello @Phumlani Zwane

If the resolution was helpful, kindly take a moment to click on Yes for "Was this answer helpful". And, if you have any further query, do let us know.

1 person found this answer helpful.

Answer accepted by question author

AI answer

2026-05-26T12:55:05.5333333+00:00

Multi-tenancy in Microsoft Sentinel is achieved by using multiple workspaces, typically one per customer tenant, and then managing them centrally. Reusing a single connector and workspace for multiple customers is not supported when data must stay in each customer’s tenant and be logically isolated.

  1. Multi-tenancy without customers having Sentinel already

To monitor multiple customers (or multiple Entra tenants) centrally:

  • Create at least one Log Analytics workspace enabled for Microsoft Sentinel in each customer’s Microsoft Entra tenant when you need tenant-level or diagnostic-based data connectors (for example, Microsoft Entra ID, Office 365, Azure Activity, Azure Firewall). These connectors only work within their own tenant.
  • Use Azure Lighthouse to centrally manage all those Sentinel workspaces from the managing/MSSP tenant. After onboarding with Azure Lighthouse, use the Directory + subscription selector to see and operate on all customer workspaces from a single pane of glass.
  • This model keeps ownership and storage of data in each customer tenant, supports data residency and compliance, and allows flexible role assignment between local and central SOCs.

This is the recommended multi-tenant architecture for MSSPs and for organizations with multiple tenants; there is no alternative “single-tenant” Sentinel setup that still provides proper isolation and compliance for multiple customers.

  2. Reusing a third‑party EDR connector vs. separate workspace

If a client wants monitoring only for a third‑party EDR:

  • The recommended pattern is still a separate Sentinel workspace per customer tenant. Each customer’s EDR data should be ingested into that customer’s own workspace, then managed centrally via Azure Lighthouse.
  • Partner/third‑party data connectors are often API/agent based and not tied to a specific tenant in the same way as service‑to‑service connectors, but for MSSP and multi‑tenant scenarios the guidance is to avoid mixing multiple customers’ data in a single workspace.
  • Centralizing multiple customers’ EDR logs into one MSSP workspace would:
    • Break data ownership and isolation (all customers’ data in one workspace).
    • Complicate compliance and data residency.
    • Make per‑customer billing and cost attribution harder.

Cost considerations:

  • With one workspace per customer, each customer pays for its own ingestion and retention in its own subscription/tenant. This aligns with the documented advantages: data ownership, isolation, compliance, and per‑tenant billing.
  • A single shared workspace might look cheaper to operate, but it is not the recommended architecture for MSSPs and is explicitly called out as an alternate model with important limitations (for example, some data sources like Microsoft Defender XDR cannot be connected across tenants).

Therefore:

  • Multi‑tenancy is achieved by multiple Sentinel workspaces (one per tenant/customer) plus Azure Lighthouse for central management.
  • The third‑party EDR connector should be configured per customer workspace; do not reuse a single connector/workspace to host multiple customers’ data if proper multi‑tenant isolation and compliance are required.


1 person found this answer helpful.
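
The "one workspace per customer, managed centrally" model described in the answers above can be queried from the managing tenant with a cross-workspace KQL query. This is an added example, not part of either answer; the workspace names and customer labels are hypothetical placeholders, and it assumes each workspace has already been delegated through Azure Lighthouse.

```kql
// Added example: open-incident summary across per-customer Sentinel workspaces.
// "contoso-sentinel-ws" and "fabrikam-sentinel-ws" are hypothetical workspace
// names; replace them with workspaces delegated to you via Azure Lighthouse.
let lookback = 7d;
union
    // workspace() needs a literal identifier, so each customer gets its own leg.
    (workspace("contoso-sentinel-ws").SecurityIncident
        | extend Customer = "Contoso"),
    (workspace("fabrikam-sentinel-ws").SecurityIncident
        | extend Customer = "Fabrikam")
| where TimeGenerated > ago(lookback)
// SecurityIncident records one row per incident update;
// keep only the most recent state of each incident per customer.
| summarize arg_max(TimeGenerated, *) by Customer, IncidentNumber
| where Status != "Closed"
// Per-customer view: the label keeps results attributable to one tenant.
| summarize OpenIncidents = count(), Newest = max(TimeGenerated)
    by Customer, Severity
| order by Customer asc, Severity asc
```

The query reads each customer's data in place, so ingestion and retention remain billed to each workspace separately.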
