
Getting access to client Sentinel instances

This article describes how an MSP can get access to a client's Microsoft Sentinel instance via Azure Lighthouse.

Instructions for the MSP

The MSP needs to gather its own tenant ID and security group object ID to populate the template before sending it to the end customer.

Step 1: Gather your IDs

  1. Tenant ID: Go to Microsoft Entra ID (formerly Azure AD) > Overview. Copy the Tenant ID.

  2. Security Group ID: It is best practice to assign access to a Security Group, not an individual user.

    • Create a group (e.g., "Sentinel Analysts").

    • Go to Groups > Search for your group > Copy the Object ID (this is your principalId).

  3. Sign in to the Attic partner portal
    1. Go to the client you need access to
    2. Select Settings
    3. Search for "resource_group"
    4. Copy the resource group name (this is your resourceGroupName)

Step 2: Prepare the files

  1. Save the JSON Template below as sentinel-lighthouse.json.

  2. Save the Parameters File below as sentinel-lighthouse.parameters.json.

  3. Crucial: Open the parameters file and replace REPLACE_WITH_MSP_TENANT_ID, both occurrences of REPLACE_WITH_MSP_GROUP_ID and REPLACE_WITH_CUSTOMER_EXISTING_RG_NAME with the values gathered in Step 1.


2. The ARM Template Files

The Template (sentinel-lighthouse.json)

This template is standard and does not need to be edited.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspOfferName": { "type": "string", "defaultValue": "MSP Sentinel Access" },
    "mspOfferDescription": { "type": "string", "defaultValue": "Lighthouse connection for Sentinel Monitoring" },
    "resourceGroupName": { "type": "string" },
    "resourceGroupLocation": { "type": "string", "defaultValue": "westeurope" },
    "managedByTenantId": { "type": "string" },
    "authorizations": { "type": "array" }
  },
  "variables": {
    "mspRegistrationName": "[guid(parameters('mspOfferName'))]",
    "mspAssignmentName": "[guid(parameters('mspOfferName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2020-02-01-preview",
      "name": "[variables('mspRegistrationName')]",
      "properties": {
        "registrationDefinitionName": "[parameters('mspOfferName')]",
        "description": "[parameters('mspOfferDescription')]",
        "managedByTenantId": "[parameters('managedByTenantId')]",
        "authorizations": "[parameters('authorizations')]"
      }
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2021-04-01",
      "name": "lighthouseAssignmentToResourceGroup",
      "resourceGroup": "[parameters('resourceGroupName')]",
      "dependsOn": [
        "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.ManagedServices/registrationAssignments",
              "apiVersion": "2020-02-01-preview",
              "name": "[variables('mspAssignmentName')]",
              "properties": {
                "registrationDefinitionId": "[subscriptionResourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
              }
            }
          ]
        }
      }
    }
  ]
}

The Parameters (sentinel-lighthouse.parameters.json)

Edit the REPLACE_WITH_ placeholder values before sending.


{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/subscriptionDeploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspOfferName": { "value": "MSP Sentinel Monitoring Access" },
    "managedByTenantId": { "value": "REPLACE_WITH_MSP_TENANT_ID" },
    "resourceGroupName": { "value": "REPLACE_WITH_CUSTOMER_EXISTING_RG_NAME" },
    "authorizations": {
      "value": [
        {
          "principalId": "REPLACE_WITH_MSP_GROUP_ID",
          "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
          "principalIdDisplayName": "Reader"
        },
        {
          "principalId": "REPLACE_WITH_MSP_GROUP_ID",
          "roleDefinitionId": "8d289c81-5878-46d4-8554-54e1e3d8b5cb",
          "principalIdDisplayName": "Microsoft Sentinel Reader"
        }
      ]
    }
  }
}

Roles included: Reader (on the resource group) and Microsoft Sentinel Reader (for logs and incidents). Both are read-only built-in roles; the roleDefinitionId values are the Azure built-in role IDs, so check them against the role names before sending the file.
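The step that goes wrong most often in practice is the parameters file: a placeholder left in, or a role ID that grants more than the offer promises. The following pre-flight check is an added example written for this article, not part of the original or of any Microsoft tooling. It assumes the parameters file shape shown above, the well-known Azure built-in role IDs for Reader, Microsoft Sentinel Reader and Contributor, and constructed sample GUIDs; the file path argument and the function names are the example's own.

```python
"""Pre-flight check for sentinel-lighthouse.parameters.json.

Added example, not part of the original article: run it on the parameters
file before sending it to the customer. It confirms that every
REPLACE_WITH_* placeholder was filled in, that tenant and principal IDs are
GUIDs, and that each authorization requests only a role on a read-only
allow-list, so the offer cannot silently grant more than the article promises.
"""
import json
import re
import sys
from pathlib import Path

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

# Azure built-in role definition IDs (well-known values, not page-specific).
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
SENTINEL_READER = "8d289c81-5878-46d4-8554-54e1e3d8b5cb"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"

# Roles the offer may request. Anything else is rejected, whatever its display name says.
ALLOWED_ROLES = {READER: "Reader", SENTINEL_READER: "Microsoft Sentinel Reader"}
# Named so the report says "Contributor" rather than just "unknown role".
KNOWN_WRITE_ROLES = {CONTRIBUTOR: "Contributor"}

PLACEHOLDER = "REPLACE_WITH_"


def check_parameters(doc: dict) -> list:
    """Return a list of problems; an empty list means the file is ready to send."""
    problems = []
    params = doc.get("parameters", {})

    def value(name):
        return params.get(name, {}).get("value")

    for name in ("managedByTenantId", "resourceGroupName", "authorizations"):
        if value(name) is None:
            problems.append(f"missing parameter: {name}")

    tenant = value("managedByTenantId")
    if isinstance(tenant, str):
        if tenant.startswith(PLACEHOLDER):
            problems.append("managedByTenantId still contains a placeholder")
        elif not GUID_RE.match(tenant):
            problems.append("managedByTenantId is not a GUID")

    rg = value("resourceGroupName")
    if isinstance(rg, str) and rg.startswith(PLACEHOLDER):
        problems.append("resourceGroupName still contains a placeholder")

    for i, auth in enumerate(value("authorizations") or []):
        label = auth.get("principalIdDisplayName", f"authorization[{i}]")
        pid = auth.get("principalId", "")
        role = auth.get("roleDefinitionId", "").lower()
        if pid.startswith(PLACEHOLDER):
            problems.append(f"{label}: principalId still contains a placeholder")
        elif not GUID_RE.match(pid):
            problems.append(f"{label}: principalId is not a GUID")
        if role not in ALLOWED_ROLES:
            name = KNOWN_WRITE_ROLES.get(role, "unknown role")
            problems.append(
                f"{label}: roleDefinitionId {role} ({name}) is not on the read-only allow-list"
            )
    return problems


def check_file(path: str) -> list:
    """Load a parameters file from disk and check it."""
    return check_parameters(json.loads(Path(path).read_text(encoding="utf-8")))


def _auth(principal: str, role: str, label: str) -> dict:
    return {"principalId": principal, "roleDefinitionId": role, "principalIdDisplayName": label}


# Constructed sample: placeholders untouched, and the Contributor role
# slipped in under a reader-sounding display name.
SAMPLE_UNFILLED = {
    "parameters": {
        "managedByTenantId": {"value": "REPLACE_WITH_MSP_TENANT_ID"},
        "resourceGroupName": {"value": "REPLACE_WITH_CUSTOMER_EXISTING_RG_NAME"},
        "authorizations": {"value": [
            _auth("REPLACE_WITH_MSP_GROUP_ID", READER, "Sentinel Reader"),
            _auth("REPLACE_WITH_MSP_GROUP_ID", CONTRIBUTOR, "Sentinel Writer"),
        ]},
    }
}

# Constructed sample with made-up GUIDs: what a correctly filled file looks like.
SAMPLE_READY = {
    "parameters": {
        "managedByTenantId": {"value": "11111111-2222-3333-4444-555555555555"},
        "resourceGroupName": {"value": "rg-sentinel-prod"},
        "authorizations": {"value": [
            _auth("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", READER, "Reader"),
            _auth("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", SENTINEL_READER, "Microsoft Sentinel Reader"),
        ]},
    }
}

if __name__ == "__main__":
    found = check_file(sys.argv[1]) if len(sys.argv) > 1 else check_parameters(SAMPLE_UNFILLED)
    for p in found:
        print("PROBLEM:", p)
    print("ready to send" if not found else f"{len(found)} problem(s), do not send")
    sys.exit(1 if found else 0)
```

Run it as `python check_params.py sentinel-lighthouse.parameters.json` (the script name is the example's own); with no argument it checks the constructed unfilled sample and reports every placeholder plus the Contributor entry. The allow-list is deliberately keyed on role IDs rather than display names, because principalIdDisplayName is free text and is what a reviewer's eye lands on.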

3. Clear Instructions for the MSP to send to the End-Client

Subject: Access Request for Sentinel Environment

To allow our team to monitor your Sentinel environment securely, please apply the following template. This grants us read-only access restricted to the specific Resource Group containing your Sentinel instance.

Steps to Apply:

  1. Log in to the Azure Portal.
  2. Search for "Deploy a custom template" in the top search bar.
  3. Select Build your own template in the editor.
  4. Copy the contents of sentinel-lighthouse.json into the window and click Save.
  5. Select Edit parameters and copy the contents of sentinel-lighthouse.parameters.json into the window. Click Save.
  6. Subscription: Select the subscription where Sentinel is located.
  7. Region: Select the same region as your Sentinel instance (e.g., West Europe).
  8. Note: You may see a "Resource Group" box at the top of the form. You can leave it at its default. The template automatically targets the Resource Group name we provided in the parameters file.
  9. Click Review + create, then Create.

Once completed, our team will have the visibility needed to start monitoring.

How the MSP Works After This

Once the client runs the template, the MSP users (in the specified Group) just need to:

  1. Go to the "Directory + Subscription" filter in the top-right toolbar.

  2. Check the box for the customer's directory.

  3. Go to the Microsoft Sentinel blade. The customer's workspace will now be listed alongside your own.