Prerequisites to deploy Microsoft Sentinel

Before deploying Microsoft Sentinel, make sure that your Azure tenant meets the requirements listed in this article. This article is part of the Deployment guide for Microsoft Sentinel.

Prerequisites

  • A Microsoft Entra ID license and tenant, or an individual account with a valid payment method, are required to access Azure and deploy resources.

  • After you have a tenant, you must have an Azure subscription to track resource creation and billing.

  • After you have a subscription, you'll need the relevant permissions to begin using your subscription. If you're using a new subscription, an admin or higher from the Microsoft Entra tenant should be designated as the owner/contributor for the subscription.

    • To maintain the least privileged access available, assign roles at the level of the resource group.
    • For more control over permissions and access, set up custom roles. For more information, see Role-based access control.
    • For extra separation between users and security users, you might want to use resource-context or table-level RBAC.

    For more information about other roles and permissions supported for Microsoft Sentinel, see Permissions in Microsoft Sentinel.

  • A Log Analytics workspace is required to house all of the data that Microsoft Sentinel will be ingesting and using for its detections, analytics, and other features. For more information, see Microsoft Sentinel workspace architecture best practices. Microsoft Sentinel doesn't support Log Analytics workspaces with a resource lock applied.

  • We recommend that when you set up your Microsoft Sentinel workspace, you create a resource group that's dedicated to Microsoft Sentinel and the resources that Microsoft Sentinel uses, including the Log Analytics workspace, any playbooks, workbooks, and so on.

    A dedicated resource group allows for permissions to be assigned once, at the resource group level, with permissions automatically applied to any relevant resources. Managing access via a resource group helps to ensure that you're using Microsoft Sentinel efficiently without potentially issuing improper permissions. Without a resource group for Microsoft Sentinel, where resources are scattered among multiple resource groups, a user or service principal might find themselves unable to perform a required action or view data due to insufficient permissions.

    To control access to resources by tier, use extra resource groups to house the resources that should be accessed only by those groups. Using multiple tiers of resource groups enables you to separate access between those tiers.
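
A preflight check for two of the prerequisites above: the Log Analytics workspace must have no resource lock (Azure locks set on a parent scope are inherited), and roles should be assigned at the resource group level. This is an added example, not Microsoft's code; the resource names, IDs and sample records are constructed, and the field names are assumed to match the JSON from `az lock list` and `az role assignment list --all`.

```python
# Constructed sample data. Field names are assumed to match the JSON from
# `az lock list` and `az role assignment list --all`; all IDs are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-sentinel"
WORKSPACE = RG + "/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"
LOCK_MARKER = "/providers/microsoft.authorization/locks/"

SAMPLE_LOCKS = [
    {"name": "keep-logs", "level": "CanNotDelete",
     "id": RG + "/providers/Microsoft.Authorization/locks/keep-logs"},
    {"name": "app-freeze", "level": "ReadOnly",
     "id": SUB + "/resourceGroups/rg-app/providers/Microsoft.Authorization/locks/app-freeze"},
]
SAMPLE_ASSIGNMENTS = [
    {"principalName": "soc-analysts", "roleDefinitionName": "Microsoft Sentinel Reader", "scope": RG},
    {"principalName": "secops-eng", "roleDefinitionName": "Microsoft Sentinel Contributor", "scope": SUB},
    {"principalName": "app-team", "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
]

def is_within(scope, resource_id):
    """True if resource_id is the scope itself or sits below it (IDs are case-insensitive)."""
    s, r = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")

def locks_affecting(workspace_id, locks):
    """Locks set on the workspace or inherited from its resource group or subscription."""
    hits = []
    for lock in locks:
        cut = lock["id"].lower().rfind(LOCK_MARKER)
        if cut != -1 and is_within(lock["id"][:cut], workspace_id):
            hits.append(lock)
    return hits

def broad_assignments(rg_id, assignments):
    """Assignments that reach the resource group from a wider scope, such as the
    subscription. Management-group scopes are not resolved here."""
    return [a for a in assignments
            if is_within(a["scope"], rg_id) and not is_within(rg_id, a["scope"])]

def preflight(workspace_id, rg_id, locks, assignments):
    """Collect findings for both checks; empty lists mean the prerequisite is met."""
    return {"locks": locks_affecting(workspace_id, locks),
            "broad_roles": broad_assignments(rg_id, assignments)}

if __name__ == "__main__":
    report = preflight(WORKSPACE, RG, SAMPLE_LOCKS, SAMPLE_ASSIGNMENTS)
    for lock in report["locks"]:
        print(f"LOCK  {lock['name']} ({lock['level']}) applies to the workspace")
    for a in report["broad_roles"]:
        print(f"ROLE  {a['principalName']}: {a['roleDefinitionName']} at {a['scope']}")
```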

Next steps

In this article, you reviewed the prerequisites that help you plan and prepare before deploying Microsoft Sentinel.