Azure Lighthouse on AzureTracks.com
Andrew Posted on 7:12 am

Azure Lighthouse & Sentinel at Scale

In this post we begin to explore multitenant management with scalability, higher automation, and enhanced governance across resources. I think an Azure Lighthouse walk-through is long overdue here, so let’s get ready to talk about how to scale operations, or a SOC, to manage multiple tenants and enhance governance, all delivered using native Azure tooling!

A customer can retain control over who has access to their tenant, which resources they have access to, and what actions can be taken, all without having to deal with complex permissions or managing individual accounts. When you work with a trusted partner, you are able to trust a security group of that partner’s accounts to do a certain job within your tenant. This is essentially what Azure Lighthouse allows a source and a destination tenant to do together. There is a lot more to it, so let’s dive in!

How Does Lighthouse Work?

Azure Lighthouse enables multi-tenant management with scalability, higher automation, and enhanced governance across resources. With Lighthouse, a SOC team can deliver services using comprehensive and robust tooling built right into the Azure platform.

A provider tenant reaches out to destination (customer) tenants, allowing streamlined management of their resources. In the case of how we would use this with Microsoft Sentinel, the delegated scope could be a single subscription or even a single resource group:

Image: Microsoft Learn Docs

The customer retains control over who has access to the tenant, what resources can be accessed, and what actions can be taken in their tenant. This is often used in two scenarios:
1. Enterprise organizations managing resources across multiple tenants, such as a SOC team, or
2. An MSP or MSSP (Managed Security Service Provider) that manages multiple customer tenants.

The typical management scenarios I would see in the wild are:

  1. A Microsoft Entra ID B2B relationship has been established and the source tenant has B2B accounts in the customer tenant. This can be tricky in some ways, as the rights need to be managed very closely by the customer to ensure that everything stays configured as intended.
  2. A customer may create accounts in their own environment for the partner staff. This is really more work for the customer, but has the same granular management requirements as the first point above.
  3. An Azure Lighthouse delegated permissions package is deployed and the permissions to customer resources are managed via the Service Providers dashboard. If the partner follows best practices (of course, right!), the partner (provider) defines a security group and manages its membership, while the customer manages the permissions granted to that group in their own tenant through this package. It sounds like it might be some extra work, but it is not! Once the Lighthouse delegation package is deployed (JSON is my favourite method because it is simple to understand and explain to everyone!), the permissions are set and auditing takes care of the rest.

A customer can use the Service Providers dashboard to manage the package or revoke that package.

Control is enforced the same way we are all used to in Azure: Role-Based Access Control (RBAC). A customer is able to grant just enough access. The customer is always in control of:

  • Who
  • What
  • Administrative Rights

RBAC via Azure Lighthouse allows the service provider to work autonomously while keeping your systems secure.

Security by Design

Security and compliance are by design with Azure Lighthouse.

Logging works the same as you would expect. Actions taken inside the provider tenant are logged there. Actions taken in the customer tenant are logged in the customer tenant.

What is logged exactly?

  • Identity
  • Timestamps
  • Resources
  • Actions Taken
  • PIM Activity (Privileged Identity Management)

Overview

What does Lighthouse bring to both sides?

  1. Designed to enable enterprise-scale management
  2. Cross-tenant management
  3. Deployment automation
  4. Single portal for SOC Teams to access Microsoft Sentinel and Log Analytics Workspaces
  5. Ability to deliver well-architected services across all managed environments
  6. There is no additional cost to use Azure Lighthouse (Q1 2024)

Summary

Join me for the next post where we jump into an Azure Lighthouse deep dive! We will explore more of the technical details and come to understand what the permissions management is all about!