joelst/AzLighthouse

MSSP SOC Azure Lighthouse Onboarding

Managing Microsoft Sentinel at scale with Lighthouse for distributed IT teams. This process is specifically meant for organizations that are using Lighthouse to manage tenants where different IT organizations control each tenant. It is also for when the SOC will have a separate subscription for its services that will be billed back to them.

1. Create SOC subscription in tenant.

Follow the steps to create a subscription in the customer tenant.

2. Onboard customer tenant into Lighthouse.

A user in the customer tenant with the correct permissions can use the following link to onboard:

3. Customer creates user assigned identity

The following steps require the customer to create identities that allow the SOC to perform automation tasks.

Create User Managed Identity and assign permissions

These tasks can be completed in the Azure Portal using Cloud Shell. Open the Cloud Shell and verify that PowerShell (not Bash) is the selected shell type.

```powershell
# Replace MsspName with the name of the MSSP
$umiName = "MsspName-SOC-UMI"
# Default resource group for managed identities
$rg = "soc-identities"
$azRegion = "eastus" # this should match your deployment region and should only be: eastus, eastus2, westus2, australiacentral, brazilsouth, southeastasia
$graphAppId = "00000003-0000-0000-c000-000000000000" # Microsoft Graph's application ID. Don't change this.
# Graph API application permissions to grant the identity
$addPermissions = @(
  "Application.ReadWrite.OwnedBy"
)
$SubscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$($SubscriptionId)"
$azureRoleId = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" # This is Owner but can be set to whatever is needed.
# Create resource group if needed.
if (-not (Get-AzResourceGroup -Name $rg -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $rg -Location $azRegion
}

# Create user managed identity and look up its service principal
# (allow a few seconds for the identity to appear in Entra ID if the lookup returns nothing)
$null = New-AzUserAssignedIdentity -Name $umiName -ResourceGroupName $rg -Location $azRegion
$umi = Get-AzADServicePrincipal -DisplayName $umiName
# Resolve the Graph app roles (application permissions) listed above by name
$graphSP = Get-AzADServicePrincipal -ApplicationId $graphAppId
$appRoles = $graphSP.AppRole | Where-Object { ($_.Value -in $addPermissions) -and ($_.AllowedMemberType -contains "Application") }

# The app role assignment below uses the AzureAD module
Connect-AzureAD
# If Connect-AzureAD does not work, run 'Connect-AzureAD -TenantId <CustomerTenantId>'

# Grant the identity the Graph permissions, which allow it to create service principals that it owns
$appRoles | ForEach-Object { New-AzureADServiceAppRoleAssignment -ObjectId $umi.Id -PrincipalId $umi.Id -ResourceId $graphSP.Id -Id $_.Id }

# Assign the user assigned identity the Owner role (or the role chosen above) on the subscription
New-AzRoleAssignment -RoleDefinitionId $azureRoleId -ObjectId $umi.Id -Scope $scope
```

4. MSSP creates Service Principal / App Registration and assigns permissions

The customer should complete the following tasks from their tenant.

Automated Process (Preferred)

Click the button below to automatically create the service principal using the UMI created earlier.

Manual process (If the automated process doesn't work)

Manual Option 1: Using the Azure portal

Sign in to the Azure portal and complete these high-level steps.

  1. Create a Service Principal in the customer tenant.
  2. Assign the Service Principal the Monitoring Metrics Publisher role (3913510d-42f4-4e42-8a64-420c390055eb) for the entire subscription.
  3. Create credentials for the SP and securely supply them to the MSSP.

Manual Option 2: Using the Azure Cloud Shell

These tasks can also be completed in the Azure Portal using Cloud Shell. Open the Cloud Shell, and verify that PowerShell (not Bash) is selected. Then run the following script:

```powershell
# Name of the service principal
$servicePrincipalName = "MsspNameSOC-Sentinel-LogIngest"
$subscriptionId = (Get-AzContext).Subscription.Id
# Create the service principal (this also creates the app registration)
$sp = New-AzADServicePrincipal -DisplayName $servicePrincipalName
$scope = "/subscriptions/$($subscriptionId)"
# Monitoring Metrics Publisher on the entire subscription
New-AzRoleAssignment -RoleDefinitionId "3913510d-42f4-4e42-8a64-420c390055eb" -ObjectId $sp.Id -Scope $scope
# Create a client secret for the SP; the secret value is only shown in this output, so record it and supply it to the MSSP securely
New-AzADServicePrincipalCredential -ObjectId $sp.Id
```
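To confirm what the two identities from steps 3 and 4 actually hold before handing anything to the MSSP, the following added verification script (not part of the original repository) lists each principal's Azure RBAC assignments and Microsoft Graph application permissions and flags any grant the onboarding steps did not call for. It assumes the Az and AzureAD modules are connected to the customer tenant as in the scripts above, that the display names match the placeholders used there, and that the `$expected` table is adjusted if a role other than Owner was chosen for `$azureRoleId`.

```powershell
# Added verification script, not from the original README. Assumes Connect-AzAccount and
# Connect-AzureAD have been run against the customer tenant, as in the steps above.
$umiName = "MsspName-SOC-UMI"                        # same placeholders as steps 3 and 4
$spName  = "MsspNameSOC-Sentinel-LogIngest"
$graphAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph
$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"

# What each principal should hold after onboarding; change "Owner" if $azureRoleId was changed
$expected = @{
    $umiName = @{ Roles = @("Owner"); GraphRoles = @("Application.ReadWrite.OwnedBy") }
    $spName  = @{ Roles = @("Monitoring Metrics Publisher"); GraphRoles = @() }
}

# Map Graph app role ids to names, and pull every app role assignment where Graph is the resource
$graphSp = Get-AzADServicePrincipal -ApplicationId $graphAppId
$graphRoleName = @{}
foreach ($r in $graphSp.AppRole) { $graphRoleName[[string]$r.Id] = $r.Value }
$graphGrants = Get-AzureADServiceAppRoleAssignment -ObjectId $graphSp.Id -All $true

$findings = foreach ($name in $expected.Keys) {
    $principal = Get-AzADServicePrincipal -DisplayName $name
    if (-not $principal) { Write-Warning "$name not found in this tenant"; continue }

    # Azure RBAC: every role the principal holds in the current subscription, including inherited ones
    # (a role or scope other than the one the steps assign is flagged)
    foreach ($a in Get-AzRoleAssignment -ObjectId $principal.Id) {
        [pscustomobject]@{
            Principal = $name; Kind = "RBAC"; Grant = $a.RoleDefinitionName; Scope = $a.Scope
            Status = if ($a.RoleDefinitionName -in $expected[$name].Roles -and $a.Scope -eq $scope) { "ok" } else { "REVIEW" }
        }
    }
    # Graph application permissions granted to the principal
    foreach ($g in $graphGrants | Where-Object PrincipalId -eq $principal.Id) {
        $role = $graphRoleName[[string]$g.Id]
        if (-not $role) { $role = $g.Id }
        [pscustomobject]@{
            Principal = $name; Kind = "Graph"; Grant = $role; Scope = "tenant"
            Status = if ($role -in $expected[$name].GraphRoles) { "ok" } else { "REVIEW" }
        }
    }
}
# Anything marked REVIEW is a grant the onboarding steps did not call for
$findings | Format-Table -AutoSize
```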

5. Deploy Sentinel using template.

If you would like the standard connectors to be connected, the customer must be signed in as a Global Admin. Otherwise the SOC can complete the basic deployment and then work with the customer to complete the configuration steps.