Invite external users to access and contribute to Azure Sentinel

Ali Ahmed Dar 20 Reputation points
2023-10-05T15:26:04.6433333+00:00

We are taking services from an external service provider and we want to invite the members of their organization to access the Azure portal (Sentinel) without having to manage their onboarding/offboarding processes. The flow that we have in mind is that we want to create a group in our Azure AD that is synced with the users in a certain email group in the service provider's Outlook domain. We have tried to configure cross-tenant synchronization but failed, since it requires both organizations to have a P1 subscription, which the service provider does not own.

How can we do this?

Tags: Azure, Microsoft Sentinel, Microsoft Entra ID

Accepted answer
  1. Clive Watson 5,951 Reputation points MVP
    2023-10-05T16:09:19.6966667+00:00

    Many Service Providers will prefer to use Azure Lighthouse for remote Microsoft Sentinel access.

    https://learn.microsoft.com/en-us/azure/lighthouse/how-to/manage-sentinel-workspaces

    This is free and reasonably easy to configure and control. Have you considered this? If not, please reply and we can answer another way.

    https://learn.microsoft.com/en-us/azure/lighthouse/overview#benefits


2 additional answers

  1. Ali Ahmed Dar 20 Reputation points
    2023-10-06T11:03:21.78+00:00

    This seems to be a very good solution. I have not tried it yet, but I think I will be giving it a go.

    I have a couple of questions, if you can answer them:

    1. What are the accountability aspects with respect to the customer? Can the customer see which user (from the Service Provider tenant) accessed what and performed what actions in the Customer tenant?
    2. Does this setup need any specific type of subscription? Are there any cost limitations? (The service provider only has a free setup yet.)
    3. How do we back up the configuration? Would the ARM template be enough?

  2. Ali Ahmed Dar 20 Reputation points
    2023-10-23T17:21:28.98+00:00

    I was able to solve it by assigning access to Security Insights. I have another query:

    Another thing that I want to ask is that the customer wants to have insight into the auth logs of the group that is able to access their resources. For example, the customer wants to know which member of the group logged in to the Service Provider's Azure. And the customer wants to set up a detection to get an alert when there is a brute-force attempt or any other incident against any other user in the SP's group.

    How is it possible for the SP to forward auth/sign-in logs to the Customer's Log Analytics workspace?
