

You can manage delegated resources that are located in different regions. However, you can't delegate resources across a national cloud and the Azure public cloud, or across two separate national clouds.

Architectural considerations

For a managed security service provider (MSSP) who wants to build a Security-as-a-Service offering using Microsoft Sentinel, a single security operations center (SOC) may be needed to centrally monitor, manage, and configure multiple Microsoft Sentinel workspaces deployed within individual customer tenants. Similarly, enterprises with multiple Azure AD tenants may want to centrally manage multiple Microsoft Sentinel workspaces deployed across their tenants.

This model of centralized management has the following advantages:

- Ownership of data remains with each managed tenant.
- Supports requirements to store data within geographical boundaries.
- Ensures data isolation, since data for multiple customers isn't stored in the same workspace.
- Prevents data exfiltration from the managed tenants, helping to ensure data compliance.
- Related costs are charged to each managed tenant, rather than to the managing tenant.
- Data from all data sources and data connectors that are integrated with Microsoft Sentinel (such as Azure AD Activity Logs, Office 365 logs, or Microsoft Threat Protection alerts) will remain within each customer tenant.
- Easy to add or remove new subsidiaries or customers.
- Able to use a multi-workspace view when working through Azure Lighthouse.
- To protect your intellectual property, you can use playbooks and workbooks to work across tenants without sharing code directly with customers. Only analytic and hunting rules will need to be saved directly in each customer's tenant.

If workspaces are only created in customer tenants, the Microsoft.SecurityInsights and Microsoft.OperationalInsights resource providers must also be registered on a subscription in the managing tenant.

An alternate deployment model is to create one Microsoft Sentinel workspace in the managing tenant. In this model, Azure Lighthouse enables log collection from data sources across managed tenants. However, there are some data sources that can't be connected across tenants, such as Microsoft 365 Defender. Because of this limitation, this model isn't suitable for many service provider scenarios.

Granular Azure role-based access control (Azure RBAC)

Each customer subscription that an MSSP will manage must be onboarded to Azure Lighthouse. This allows designated users in the managing tenant to access and perform management operations on Microsoft Sentinel workspaces deployed in customer tenants.

When creating your authorizations, you can assign the Microsoft Sentinel built-in roles to users, groups, or service principals in your managing tenant. You may also want to assign additional built-in roles to perform additional functions. For information about specific roles that can be used with Microsoft Sentinel, see Roles and permissions in Microsoft Sentinel.

Once you've onboarded your customers, designated users can log into your managing tenant and directly access the customer's Microsoft Sentinel workspace with the roles that were assigned.

View and manage incidents across workspaces

If you work with Microsoft Sentinel resources for multiple customers, you can view and manage incidents in multiple workspaces across different tenants at once. For more information, see Work with incidents in many workspaces at once and Extend Microsoft Sentinel across workspaces and tenants.

Be sure that the users in your managing tenant have been assigned both read and write permissions on all of the managed workspaces. If a user only has read permissions on some workspaces, warning messages may appear when selecting incidents in those workspaces, and the user won't be able to modify those incidents or any others selected along with them (even if the user has write permissions for the others).
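The PowerShell script below is an added example and is not code from the Microsoft documentation or from Microsoft. It covers two steps described above: it expresses the granular Azure RBAC authorizations (Microsoft Sentinel built-in roles assigned to groups in the managing tenant) as a parameter file for the standard Azure Lighthouse subscription onboarding template, and after onboarding it audits the requirement that incident handlers hold both read and write permissions on every managed workspace, reporting any delegated workspace where the responder group has only a read-capable role. The tenant ID and the three group object IDs are placeholders; the group names and offer text are made up for the example; and the `Authorization`, `PrincipalId` and `RoleDefinitionId` property names on the output of `Get-AzManagedServicesDefinition` are assumed to match the Az.ManagedServices 3.x module. Role definition IDs are resolved by name with `Get-AzRoleDefinition` rather than hard-coded.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Az.ManagedServices, Az.OperationalInsights
# Added example (not from the Microsoft docs page). Run from a session signed in to
# the managing tenant. Placeholders: <managing-tenant-id> and the group object IDs.

# --- 1. Least-privilege authorizations for the Lighthouse onboarding template ----
# Map each managing-tenant group to the narrowest Microsoft Sentinel built-in role
# that covers its work. Group names and object IDs are constructed placeholders.
$soc = @{
  'SOC Tier 1 (triage)'     = @{ ObjectId = '<tier1-group-object-id>'; Role = 'Microsoft Sentinel Reader' }
  'SOC Tier 2 (responders)' = @{ ObjectId = '<tier2-group-object-id>'; Role = 'Microsoft Sentinel Responder' }
  'SOC Engineering'         = @{ ObjectId = '<eng-group-object-id>';   Role = 'Microsoft Sentinel Contributor' }
}

# Resolve role definition GUIDs by name so no IDs are hard-coded in the script.
$authorizations = foreach ($name in $soc.Keys) {
  $roleId = (Get-AzRoleDefinition -Name $soc[$name].Role).Id
  [ordered]@{
    principalId            = $soc[$name].ObjectId
    principalIdDisplayName = $name
    roleDefinitionId       = $roleId
  }
}

# Parameter file for the standard Azure Lighthouse subscription onboarding template
# (mspOfferName, mspOfferDescription, managedByTenantId, authorizations).
$parameters = [ordered]@{
  '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#'
  contentVersion = '1.0.0.0'
  parameters     = [ordered]@{
    mspOfferName        = @{ value = 'Example MSSP - Microsoft Sentinel' }
    mspOfferDescription = @{ value = 'Centralized SOC monitoring through Azure Lighthouse' }
    managedByTenantId   = @{ value = '<managing-tenant-id>' }
    authorizations      = @{ value = @($authorizations) }
  }
}
$parameters | ConvertTo-Json -Depth 6 | Set-Content -Path .\sentinel-lighthouse.parameters.json

# --- 2. Post-onboarding audit: responders need read AND write on every workspace --
# Responder and Contributor can modify incidents; Reader alone produces the
# read-only warnings described in the incidents section.
$writeRoles = 'Microsoft Sentinel Responder', 'Microsoft Sentinel Contributor' |
  ForEach-Object { (Get-AzRoleDefinition -Name $_).Id }
$responderGroup = $soc['SOC Tier 2 (responders)'].ObjectId

$findings = foreach ($sub in Get-AzSubscription) {
  # Delegated customer subscriptions appear in the managing tenant's subscription list.
  $null = Set-AzContext -SubscriptionId $sub.Id

  # Assumption: Az.ManagedServices 3.x exposes the registration definition's
  # authorizations as .Authorization with PrincipalId / RoleDefinitionId members.
  $grantedRoles = (Get-AzManagedServicesDefinition).Authorization |
    Where-Object { $_.PrincipalId -eq $responderGroup } |
    ForEach-Object { $_.RoleDefinitionId }

  # Every Log Analytics workspace visible in the delegated scope is checked; the
  # Lighthouse authorization applies uniformly to all of them.
  foreach ($ws in Get-AzOperationalInsightsWorkspace) {
    [pscustomobject]@{
      Subscription = $sub.Name
      Workspace    = $ws.Name
      CanModify    = [bool]($grantedRoles | Where-Object { $writeRoles -contains $_ })
    }
  }
}

# Workspaces where the responder group could only read incidents.
$findings | Where-Object { -not $_.CanModify } | Format-Table -AutoSize
```

The parameter file is deployed once per customer subscription (the customer tenant performs the deployment), which is what onboards that subscription to Azure Lighthouse; the audit in step 2 is meant to be re-run whenever a new customer is added or an authorization changes, since a single read-only workspace is enough to block bulk incident updates across all the workspaces selected together with it.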
