Hello all, Can I set up a central Azure Sentinel to monitor multiple subscriptions? Or is one Azure Sentinel recommended per subscription?BestChristian

christian-knipping At this time it's one Azure Sentinel Workspace per Tenant, Azure Sentinel works across subscriptions. Microsoft is in the process of looking into MSP (Managed Service Provider ) solutions but nothing has been publicly released at this time. Please feel free to reach out if you have any more questions.

Chris Boehm is there any beta program an MSP could take part in to assist in trialing features :) Any idea of when something public may be released? For now if we set up a Azure tenant for the customer will there be a migration tool to bring into multi-tenant when that option is available?

Chris BoehmIs there an aggregation capability to provide a "single pane of glass" for all CSP tenants? From the documentation, it appears that the CSP can gain delegated access to each individual tenant for Log Analytics and ASC. This article mentions "cross-tenant visibility" for ASC, but does not show what the user experience is like. It would be nice to see a screen-shot showing multiple subscriptions from multiple Azure AD tenants in a centralized view in Sentinel and ASC.

If you need to get Activity Logs from the subscriptions, you can use the "Azure Activity" data connector. This works by adding a policy with the relevant subscriptions in a scope. Most likely you want your scope to be a management group consisting of all your subscriptiosn.

christian-knipping CC: Chris Boehm and Shalini Pasupneti

Multiple Subscriptions in Sentinel | Microsoft Community Hub

Chris Boehm
Microsoft
Mar 28, 2019
christian-knipping

At this time it's one Azure Sentinel Workspace per Tenant, Azure Sentinel works across subscriptions. Microsoft is in the process of looking into MSP (Managed Service Provider ) solutions but nothing has been publicly released at this time. Please feel free to reach out if you have any more questions.
- Thuan Ng
  Brass Contributor
  Aug 13, 2019
  Could you elaborate on "across subscription"?
  - Chris Boehm
    Microsoft
    Aug 14, 2019
    Azure Sentinel is using Log Analytics within one tenant with one to multiple subscriptions. If you have multiple subscriptions they can interact with each other with RBAC permissions of data when pulling into a sentinel workspace. If you're wanting to know how to do “cross-tenant” data monitoring you’re required to use the MSSP solution “Azure Lighthouse” with Azure Sentinel.
    
    Is there a specific question to subscriptions that’s not clear in our documentation that we can improve upon?
- Jarrod Winsor
  Copper Contributor
  Apr 25, 2019
  Chris Boehm is there any beta program an MSP could take part in to assist in trialing features :) Any idea of when something public may be released? For now if we set up a Azure tenant for the customer will there be a migration tool to bring into multi-tenant when that option is available?
  - Chris Boehm
    Microsoft
    Apr 25, 2019
    Jarrod Winsor
    
    We'll most likely make the announcement within this communities page for the preview functionality, you're already looking in the best location at this time :)
    
    I don't have an answer at this time on the migration path if it'll just be a connection between workspaces with the key or if it'll be a different interface to integrate them. I'm sure we'll announce the details whenever they've been established.
    
    Great question!
    
    Thanks,
- AndreaFisher
  Microsoft
  Apr 01, 2019
  Chris Boehm Does it work across multiple subscriptions? Maybe I don't understand what you mean by that but I would like to bring in MCAS data from multiple tenants and that doesn't seem to be possible.
  - Chris Boehm
    Microsoft
    Apr 01, 2019
    AndreaFisher
    
    We don't have multi-tenant support at this point. If all subs are on the same tenant, than it should work.
Ryan Heffernan
Microsoft
Mar 28, 2019
christian-knipping

CC: Chris Boehm and Shalini Pasupneti

Forum Discussion

Multiple Subscriptions in Sentinel

Share

Resources