Philippe Zenhaeusern and Javier Soriano co-author this blog post.
This blog post serves as a guideline for implementing Sentinel as Code. You may need to update the scripts for your env...
First off, this is an amazing project and really good content here!
However, I am having issues understanding how we can manage the service principal in a multi-tenant scenario. I have created the service principal and used admin consent to have it created on my client's tenant; however, when trying to create the service connection it says "failed to read subscription". This makes sense, as there is no "Subscription read" permission for the app. If I go into my client's subscription (CLI or GUI) and add the app to the Sentinel Contributor role, everything works fine; however, this is a random manual step amongst all the automation and I want to make it streamlined.
I understand you should be able to leverage Lighthouse, and I did deploy Lighthouse successfully, where I used the App ID to set the Sentinel Contributor role; however, it still does not work for some reason. I am unable to create the service connection if permissions are granted through Lighthouse. I see the permissions, but it does not work.
Is this the same with everyone else? Are you granting permissions manually to the service principal?
Updating as I've figured it out. I realized I was trying to sign into the client's tenant when creating the Azure DevOps service connection, rather than setting my managed service tenant and the client's subscription! After first delegating permissions to my service principal via Lighthouse, then configuring the Azure DevOps service connection with the client subscription and the tenant where the service principal was originally created, I am able to execute automation through my tenant to the client (the same way I am accessing client resources through Lighthouse via the Azure Portal).
Alternatively, you can simply add the application created on the client tenant (it has a different object ID) and give it permissions manually on the client side; however, this is not what I want.
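The working setup described in the thread (delegate the pipeline's service principal into the customer subscription with Azure Lighthouse, then point the Azure DevOps service connection at the managing tenant plus the customer subscription) as an added PowerShell example. This is not code from the original post or from the Sentinel-as-Code project. All GUIDs below are placeholders; it assumes the Az.Resources, Az.Accounts and Az.ManagedServices modules, and it assumes that `$spObjectId` is the object ID of the service principal as it exists in the managing tenant, since Lighthouse authorizations are keyed on that object ID rather than on the application (client) ID.

```powershell
# Added example, not part of the original post or of the Sentinel-as-Code project.
# Replace every placeholder GUID before use.
$managingTenantId    = '00000000-0000-0000-0000-000000000000'  # placeholder: tenant that owns the SP
$clientSubscription  = '11111111-1111-1111-1111-111111111111'  # placeholder: customer subscription
$spObjectId          = '22222222-2222-2222-2222-222222222222'  # placeholder: SP object ID in managing tenant
$spApplicationId     = '33333333-3333-3333-3333-333333333333'  # placeholder: SP application (client) ID
$sentinelContributor = 'ab8e14d6-4a8e-4400-af03-6b6e94a6a5f2'  # built-in "Microsoft Sentinel Contributor"

# 1. Lighthouse delegation: a registrationDefinition that names the managing tenant and the
#    authorizations it receives, plus a registrationAssignment that binds it to this subscription.
$template = @{
  '$schema'      = 'https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#'
  contentVersion = '1.0.0.0'
  variables      = @{
    definitionName = "[guid('sentinel-as-code-definition')]"
    assignmentName = "[guid('sentinel-as-code-assignment')]"
  }
  resources      = @(
    @{
      type       = 'Microsoft.ManagedServices/registrationDefinitions'
      apiVersion = '2019-09-01'
      name       = "[variables('definitionName')]"
      properties = @{
        registrationDefinitionName = 'Sentinel as Code pipeline'
        description                = 'Delegates Sentinel management to the MSSP pipeline identity'
        managedByTenantId          = $managingTenantId
        authorizations             = @(
          @{
            principalId            = $spObjectId          # object ID, not application ID
            principalIdDisplayName = 'sentinel-as-code pipeline SP'
            roleDefinitionId       = $sentinelContributor
          }
        )
      }
    },
    @{
      type       = 'Microsoft.ManagedServices/registrationAssignments'
      apiVersion = '2019-09-01'
      name       = "[variables('assignmentName')]"
      dependsOn  = @("[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('definitionName'))]")
      properties = @{
        registrationDefinitionId = "[resourceId('Microsoft.ManagedServices/registrationDefinitions', variables('definitionName'))]"
      }
    }
  )
}
$templateFile = Join-Path ([System.IO.Path]::GetTempPath()) 'lighthouse-sentinel.json'
$template | ConvertTo-Json -Depth 12 | Set-Content -Path $templateFile

# Deploy while signed in to the CUSTOMER tenant as an Owner of the subscription being delegated.
Set-AzContext -Subscription $clientSubscription | Out-Null
New-AzSubscriptionDeployment -Name 'lighthouse-sentinel' -Location 'westeurope' -TemplateFile $templateFile

# 2. Check the delegation from the customer side: the assignment should list the managing tenant
#    and the Sentinel Contributor authorization for the SP object ID.
Get-AzManagedServicesAssignment -Scope "/subscriptions/$clientSubscription" -ExpandRegistrationDefinition |
  ForEach-Object { $_.RegistrationDefinition.Properties.Authorizations }

# 3. Reproduce what the Azure DevOps service connection does: authenticate the SP against the
#    MANAGING tenant and read the CUSTOMER subscription. If this works, the service connection
#    configured with the same tenant/subscription pair works too; signing into the customer tenant
#    instead is what yields "failed to read subscription".
$cred = Get-Credential -UserName $spApplicationId -Message 'Service principal client secret'
Connect-AzAccount -ServicePrincipal -Tenant $managingTenantId -Credential $cred | Out-Null
Get-AzSubscription -SubscriptionId $clientSubscription | Select-Object Name, Id, TenantId
```

Step 3 is the useful regression check: it fails in exactly the way the thread describes when the subscription is not delegated yet, or when the wrong tenant is used, and it passes without any manual role assignment on the customer side once the Lighthouse assignment is in place. Keep the service connection's tenant ID set to the managing tenant; the delegated subscription is visible there through Lighthouse.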