How Attic Security Accesses Your Sentinel Environment
What is Azure Lighthouse?
Azure Lighthouse is a Microsoft technology that allows a service provider to securely manage resources in a customer's Azure tenant without needing a separate account or credentials in that tenant. It provides delegated access with full transparency -- you can see exactly what permissions have been granted and revoke them at any time.
Attic Security uses Azure Lighthouse to access and manage your Microsoft Sentinel workspace.
How It Works
During onboarding, you are asked to deploy an ARM (Azure Resource Manager) template to your Azure subscription. This template sets up the Lighthouse delegation by:
- Creating a dedicated resource group in your subscription (e.g., attic-yourdomain-sentinel-rg). This is the resource group where your Sentinel workspace will live.
- Registering a Lighthouse delegation scoped to that resource group only. Attic Security does not receive access to your entire subscription -- only to the specific resource group containing Sentinel.
- Assigning roles to Attic Security's tenant, allowing us to manage your Sentinel environment.
What Roles Are Granted?
The Lighthouse delegation grants three specific roles, each scoped to the Sentinel resource group only:
| Role | Azure Role | Purpose |
|---|---|---|
| SentinelWriter | Contributor | Create and manage the Sentinel workspace, configure data sources, deploy analytics rules, and manage incidents |
| SentinelReaders | Reader | Read Sentinel data for monitoring, alerting, and reporting |
| SentinelOffboarders | Managed Services Registration Assignment Delete | Remove the Lighthouse delegation when offboarding |
These roles follow the principle of least privilege: we only have the permissions necessary to operate Sentinel on your behalf, and nothing more.
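As an added example (not Attic Security's template or tooling), the following Python check takes the authorizations and assignment scope from a Lighthouse delegation and flags anything beyond the three resource-group-scoped roles listed above, so you can audit a template before deploying it. The role GUIDs are Azure's well-known built-in role definition IDs; the subscription, principal and resource group values in the sample are constructed placeholders.

```python
"""Audit a Lighthouse delegation against the expected least-privilege roles."""
import re

# Well-known built-in Azure role definition GUIDs for the three roles on this page.
ROLE_NAMES = {
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
    "91c1777a-f3dc-4fae-b103-61d183457e46": "Managed Services Registration Assignment Delete Role",
}
EXPECTED = set(ROLE_NAMES)
# A delegation scoped to one resource group has exactly this shape; anything shorter is subscription-wide.
RG_SCOPE = re.compile(r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+$", re.IGNORECASE)


def audit_delegation(authorizations, assignment_scope):
    """Return a list of findings; an empty list means scope and roles match the page."""
    findings = []
    if not RG_SCOPE.match(assignment_scope):
        findings.append(f"scope is not a single resource group: {assignment_scope}")
    granted = set()
    for auth in authorizations:
        role_id = auth["roleDefinitionId"].lower()
        granted.add(role_id)
        if role_id not in EXPECTED:
            who = auth.get("principalIdDisplayName", auth["principalId"])
            findings.append(f"unexpected role {role_id} granted to {who}")
    for role_id in sorted(EXPECTED - granted):
        findings.append(f"expected role missing: {ROLE_NAMES[role_id]}")
    return findings


# Constructed sample values (placeholder GUIDs, not a real tenant, principal or subscription).
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
GOOD_SCOPE = SUB + "/resourceGroups/attic-yourdomain-sentinel-rg"
GOOD_AUTHORIZATIONS = [
    {"principalId": "00000000-0000-0000-0000-000000000001", "principalIdDisplayName": "SentinelWriter",
     "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"},
    {"principalId": "00000000-0000-0000-0000-000000000002", "principalIdDisplayName": "SentinelReaders",
     "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"},
    {"principalId": "00000000-0000-0000-0000-000000000003", "principalIdDisplayName": "SentinelOffboarders",
     "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46"},
]
# Over-broad variant: Owner (8e3af657-...) added and the assignment made at subscription scope.
BAD_AUTHORIZATIONS = GOOD_AUTHORIZATIONS + [
    {"principalId": "00000000-0000-0000-0000-000000000004", "principalIdDisplayName": "Extra",
     "roleDefinitionId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"},
]

if __name__ == "__main__":
    print(audit_delegation(GOOD_AUTHORIZATIONS, GOOD_SCOPE))
    print(audit_delegation(BAD_AUTHORIZATIONS, SUB))
```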
What Can Attic Security Access?
With this delegation, Attic Security can:
- Create and configure the Log Analytics Workspace and Sentinel
- Configure data sources and data connectors
- Deploy and manage analytics rules (detections)
- Read and manage security incidents and alerts
- Remove the delegation when no longer needed
Attic Security cannot:
- Access resources outside the Sentinel resource group
- Access other subscriptions in your tenant
- Manage users, groups, or other Azure AD/Entra ID resources
- Modify Azure policies or management groups
- Access your data outside of what is ingested into Sentinel
Visibility and Control
You retain full control over the delegation at all times:
- View the delegation: In the Azure portal, navigate to Service Providers to see the active Lighthouse delegation from Attic Security.
- See granted permissions: The roles and their scope are fully visible in the Service Providers blade.
- Revoke access: You can remove the Lighthouse delegation at any time by deleting the service provider offer in the Azure portal. This immediately revokes all access.
Deploying the Lighthouse Template
The ARM template is deployed automatically during the Attic Security onboarding process. When you click the onboarding button, you are redirected to the Azure portal where you can review and confirm the template deployment. No manual configuration is required -- the template contains all necessary parameters pre-filled for your environment.