Invite external users to access and contribute to Azure Sentinel

Ali Ahmed Dar 20

We are taking services from an external service provider and we want to invite the members of their organization to access Azure portal (Sentinel) without having to manage their onboarding/offboarding processes. The flow that we have in their mind is that we want to create a group in our Azure AD that we want to be synced with the users in a certain email group in the service provider's outlook domain. We have tried to Configure cross-tenant synchronization but failed since it requires both organizations to have a P1 subscription which the service provider does not own.

How can we do this ?

Accepted answer

Clive Watson 5,951 Reputation points MVP

2023-10-05T16:09:19.6966667+00:00

Many Service Providers will prefer to use Azure Lighthouse for remote Microsoft Sentinel access.

https://learn.microsoft.com/en-us/azure/lighthouse/how-to/manage-sentinel-workspaces

This is free and reasonably easy to configure and Control, have you considered this, if not please reply and we can answer another way?

https://learn.microsoft.com/en-us/azure/lighthouse/overview#benefits
Please sign in to rate this answer.
Ali Ahmed Dar 20 Reputation points

2023-10-06T14:44:42.7833333+00:00

@Clive Watson This seems to be a very good solution, I have not tried it yet but I think I will be giving it a go

I have a couple of questions if you can answer

What are the accountability aspects wrt the customer? Can customer see which user (from Service Provider tenant) accessed what and performed what actions in the Customer Tenant?

Does this setup need any specific type of subscription? Are there are cost limitations ? (The service provider has only free setup yet)

How to backup the configurations ? the ARM template would be enough ?
Sign in to comment

2 additional answers

Ali Ahmed Dar 20 Reputation points

2023-10-06T11:03:21.78+00:00
This seems to be a very good solution, I have not tried it yet but I think I will be giving it a go

I have a couple of questions if you can answer

What are the accountability aspects wrt the customer? Can customer see which user (from Service Provider tenant) accessed what and performed what actions in the Customer Tenant?

Does this setup need any specific type of subscription? Are there are cost limitations ? (The service provider has only free setup yet)

How to backup the configurations ? the ARM template would be enough ?
Please sign in to rate this answer.
Clive Watson 5,951 Reputation points MVP

2023-10-06T14:34:40.04+00:00

Hi, I'm glad this helps, it really is a great solution, giving you the control and allowing a Service Provider specific access.

https://learn.microsoft.com/en-us/azure/lighthouse/how-to/view-service-provider-activity and https://learn.microsoft.com/en-gb/azure/lighthouse/how-to/view-manage-service-providers

This is free for you and the Service Provider https://azure.microsoft.com/en-us/pricing/details/azure-lighthouse/#pricing and https://learn.microsoft.com/en-gb/azure/lighthouse/how-to/onboard-customer#deploy-the-azure-resource-manager-template

In the unlikely event, you can re-apply the ARM template in conjunction with your service provider who should walk you through this

There are some demos and presentations at the bottom of this page: https://azure.microsoft.com/en-us/products/azure-lighthouse/#layout-container-uid96b9

Ali Ahmed Dar 20 Reputation points

2023-10-06T15:35:18.3966667+00:00

Hi @Clive Watson you have been very helpful. Just 1 more thing:

In case we set this up and assign permissions through azure groups, would we be able to see the group members that are added to that group in the service provider's azure ? Asking because I want to know how many users are working through this setup from the Service Provider's AD, how to do that ?

As for accountability, would the logs be generated in our Azure Activity logs table ? And if so, will we be able to see activity by the service provider's AD Users individually or as a single entity like a group ?

Clive Watson 5,951 Reputation points MVP

2023-10-06T16:01:46.9233333+00:00

Hello, Yes it will be logged in your Workspace - as the activity occurs within your Tenant.

Therefore you can use those details to answer Question 1 (I'm not familiar with what a customer sees in their portal, only the provider side)

So you could report on how many users you have seen in the past 30days (each day). You can see (I hope), on 5th Oct two users from the Service Provider were seen in the Activity logs

Showing this as a graph, shows 1-6 individuals accessing the customers environment every day (each colour block is a distinct user)

Clive Watson 5,951 Reputation points MVP

2023-10-06T16:18:08.78+00:00

I did two posts on viewing the settings using the Microsoft Resource Graph as well, see here https://www.linkedin.com/feed/update/urn:li:linkedInArticle:7029171637635686400/ and https://www.linkedin.com/feed/update/urn:li:linkedInArticle:7029532756401352706/

We provide our customers a link to a Workbook report, that shows which Groups Users are defined with Permissions, your provider might do the same or document the setup for you?

Ali Ahmed Dar 20 Reputation points

2023-10-06T16:18:56.0966667+00:00

sorry i am a bit confused about

Therefore you can use those details to answer Question 1 (I'm not familiar with what a customer sees in their portal, only the provider side)

The service provider has been granted access to a Customer's tenant resources. So the customer (I) should be able to see what the service provider has been doing in my tenant, right ? Because they are accessing and managing my tenant. Is that so ?

Ali Ahmed Dar 20 Reputation points

2023-10-06T16:35:30.76+00:00

@Clive Watson the customer who is allowing would be able to see what the service provider is doing in the customer's tenant, right ?

Ali Ahmed Dar 20 Reputation points

2023-10-06T16:46:42.5333333+00:00

i a

i am assuming these pictures are from a Customer's tenant (which is the target)

Clive Watson 5,951 Reputation points MVP

2023-10-08T21:48:06.15+00:00

The customer who is allowing would be able to see what the service provider is doing in the customer's tenant, right ? Yes, that is right

And yes, those graphs are from the customer side. They are just examples of the type of report you might want and data you can show.

Ali Ahmed Dar 20 Reputation points

2023-10-16T09:52:27.6033333+00:00

Thank you so much @Clive Watson sorry for the delayed reply I was not working last week. I will start implementing Lighthouse this week. The information you provided was very helpful, Thanks!

Ali Ahmed Dar 20 Reputation points

2023-10-20T10:44:21.6933333+00:00

Hi @Clive Watson during deployment today:

I created a user group in the service provider's tenant

I created a template and deployed through ARM as given here https://github.com/Azure/Azure-Lighthouse-samples

But I am getting the following error:

The managed services template deployment file contains invalid values. Please see details. (Code: InvalidManagedServicesTemplateDeployment) The resource contains invalid principal object identifiers. Please see details Only user, security group, or service principals are allowed. (Code: InvalidPrincipalId)
Sign in to comment
Ali Ahmed Dar 20 Reputation points

2023-10-23T17:21:28.98+00:00

I was able to solve it by assigning access to Security Insights. I have another query:

Another thing that I want to ask is that the customer wants to have an insight into the auth logs of the group that is able to access their resources. For example, the customer wants to know which member of the group logged in to the Service Provider's Azure. And the customer wants to set up a detection to get an alert when there is a brute force attempt or any other incident against any other user in the SP's group.

How is it possible for the SP to forward auth/signin logs to the Customer's log analytics workspace ?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Invite external users to access and contribute to Azure Sentinel

2 additional answers