Microsoft Azure Lighthouse: Deploying Microsoft Sentinel Across Multi-Tenant Environments.

Introduction.

Security teams within Managed Security Service Providers (MSSPs) or multi-brand organisations often require visibility into several isolated Microsoft Sentinel instances. Without centralisation, analysts must switch between portals or accounts—inefficient, error-prone, and lacking holistic visibility.

Azure Lighthouse solves this through Azure delegated resource management: the customer registers an offer that projects one or more of its subscriptions or resource groups into the provider's tenant via Azure Resource Manager (ARM), granting specific Azure RBAC roles to specific users, groups or service principals in the provider's tenant. A single security operations team can then manage incidents, hunting, workbooks and automation across all delegated tenants from its own tenant.


The Need for Multi-Tenant Management.

Security operations teams often face challenges when managing multiple isolated Sentinel deployments. Without a centralised approach, analysts must log into separate portals or switch accounts, reducing efficiency and increasing the risk of misconfigurations or oversight.

Azure Lighthouse addresses this by enabling secure, delegated access to customer tenants. With proper configuration, it allows central SOC teams to investigate incidents, run queries, and manage Sentinel workspaces without guest (B2B) accounts in each customer tenant and without switching identities; analysts sign in to the provider tenant once and the delegated scopes appear alongside their own.


Key Benefits of Azure Lighthouse Integration.

Using Azure Lighthouse with Microsoft Sentinel provides several operational advantages: centralised security monitoring, access control using standard Azure RBAC roles assigned to groups in the provider's tenant, streamlined analyst workflows, and consistent deployment of processes and automation. Analysts can interact with delegated Sentinel workspaces as if they were part of their own tenant (in the portal, Azure PowerShell and the Azure CLI), reducing friction and increasing responsiveness to threats.


Deployment Steps:

TO BE CONTINUED.


Use Case: Multi-Tenant SOC Operations.

With Lighthouse in place, a central SOC team can monitor multiple environments simultaneously. Analysts can triage incidents, investigate threats using Kusto Query Language (KQL), including cross-workspace queries that use the workspace() expression to hunt across several customer workspaces in a single query, and trigger Logic App playbooks to respond to alerts.

Although each Sentinel workspace operates independently in terms of data and analytics rules, centralised access simplifies day-to-day security operations and governance.


Limitations and Considerations.

There are some limitations to be aware of. Data ingestion and retention remain within the customer tenant and are billed to the customer's subscription; Lighthouse delegates management, it does not move or copy data. Analytics rules and hunting queries must be deployed individually per workspace; there is no global rule propagation across workspaces.

Workbooks, playbooks, and custom connectors are likewise isolated per workspace and must be deployed manually or through a DevOps pipeline (for example, Sentinel's repository-based content deployment). Role scoping should always follow the principle of least privilege: Lighthouse only delegates Azure built-in roles (Owner cannot be delegated, and custom roles are not supported), so grant Microsoft Sentinel Reader or Responder to analyst groups and reserve Microsoft Sentinel Contributor and Logic App Contributor for the engineers who maintain rules and playbooks. Every action the provider performs is recorded in the customer's Azure Activity log, which gives the customer an audit trail of delegated activity.
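The following PowerShell script is an added example, not code from the original article or from Microsoft. It shows the two halves of the workflow described above: the customer side onboards a subscription to Azure Lighthouse with least-privilege Sentinel roles through an inline subscription-scope ARM template, and the provider side then enumerates the delegated subscriptions and runs the same incident-triage KQL against every delegated Sentinel workspace without moving any data. All tenant IDs, group object IDs, the offer name, the region and the output file name are placeholder assumptions; the role definition IDs are the Azure built-in role GUIDs and should be checked against Microsoft's built-in roles reference before use. The script assumes the Az.Accounts, Az.Resources and Az.OperationalInsights modules.

```powershell
# Added example (not from the original article). Requires Az.Accounts, Az.Resources,
# Az.OperationalInsights. All IDs and names below are placeholder assumptions.

# ---- Part 1: run in the CUSTOMER tenant by a subscription Owner ----
$mspTenantId       = '11111111-1111-1111-1111-111111111111'  # MSSP (managing) tenant
$socAnalystsGroup  = '22222222-2222-2222-2222-222222222222'  # Entra group object ID in MSSP tenant
$socEngineersGroup = '33333333-3333-3333-3333-333333333333'  # Entra group object ID in MSSP tenant
$offerName         = 'Contoso MSSP - Sentinel Management'

# Azure built-in role definition IDs (verify against the built-in roles reference).
$roles = @{
    Reader              = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
    SentinelResponder   = '3e150937-b8fe-4cfb-8069-0eaf05ecd056'
    SentinelContributor = 'ab8e14d6-4a8e-4a5c-ab79-7be0fb30dd60'
    LogicAppContributor = '87a39d53-fc1b-424a-814c-f7e04687dc9e'
}

# Least privilege: analysts can browse, query and work incidents but not edit rules;
# engineers can manage rules and playbooks. No Owner, no User Access Administrator.
$authorizations = @(
    @{ principalId = $socAnalystsGroup;  principalIdDisplayName = 'SOC Analysts';  roleDefinitionId = $roles.Reader }
    @{ principalId = $socAnalystsGroup;  principalIdDisplayName = 'SOC Analysts';  roleDefinitionId = $roles.SentinelResponder }
    @{ principalId = $socEngineersGroup; principalIdDisplayName = 'SOC Engineers'; roleDefinitionId = $roles.SentinelContributor }
    @{ principalId = $socEngineersGroup; principalIdDisplayName = 'SOC Engineers'; roleDefinitionId = $roles.LogicAppContributor }
)

# Subscription-scope ARM template: the registrationDefinition states what the MSSP may
# do; the registrationAssignment applies it to this subscription.
$defId = "[resourceId('Microsoft.ManagedServices/registrationDefinitions', guid('$offerName'))]"
$template = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    resources      = @(
        @{
            type       = 'Microsoft.ManagedServices/registrationDefinitions'
            apiVersion = '2020-02-01-preview'
            name       = "[guid('$offerName')]"
            properties = @{
                registrationDefinitionName = $offerName
                description                = 'Delegated Sentinel operations for the central SOC'
                managedByTenantId          = $mspTenantId
                authorizations             = $authorizations
            }
        }
        @{
            type       = 'Microsoft.ManagedServices/registrationAssignments'
            apiVersion = '2020-02-01-preview'
            name       = "[guid('$offerName')]"
            dependsOn  = @($defId)
            properties = @{ registrationDefinitionId = $defId }
        }
    )
}
$template | ConvertTo-Json -Depth 10 | Set-Content -Path './lighthouse-sentinel.json'
New-AzSubscriptionDeployment -Name 'lighthouse-sentinel' -Location 'uksouth' `
    -TemplateFile './lighthouse-sentinel.json'

# ---- Part 2: run in the MSSP tenant as a member of the SOC Analysts group ----
Connect-AzAccount -TenantId $mspTenantId | Out-Null

# Delegated subscriptions are those whose home tenant is not the MSSP tenant.
$delegated = Get-AzSubscription | Where-Object { $_.HomeTenantId -ne $mspTenantId }

# Latest state of each incident opened in the last 24h that nobody has picked up yet.
$kql = @'
SecurityIncident
| where TimeGenerated > ago(24h)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status == "New" and Severity in ("High", "Medium")
| project IncidentNumber, Title, Severity, CreatedTime
'@

# Data stays in each customer workspace, so the query is run per workspace and only
# the result rows are collected centrally.
$incidents = foreach ($sub in $delegated) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    foreach ($ws in Get-AzOperationalInsightsWorkspace) {
        try {
            $r = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql `
                    -Timespan (New-TimeSpan -Hours 24) -ErrorAction Stop
        } catch {
            # Workspace without Sentinel (no SecurityIncident table) or no query rights.
            Write-Warning "Skipping $($ws.Name) in $($sub.Name): $($_.Exception.Message)"
            continue
        }
        foreach ($row in $r.Results) {
            [pscustomobject]@{
                Customer  = $sub.Name
                Workspace = $ws.Name
                Incident  = $row.IncidentNumber
                Severity  = $row.Severity
                Title     = $row.Title
            }
        }
    }
}
$incidents | Sort-Object Severity, Customer | Format-Table -AutoSize
```

Part 1 must be run by someone holding Owner on the customer subscription, because creating the registration assignment writes role assignments. Part 2 works with nothing more than the Reader and Microsoft Sentinel Responder roles delegated above, since Responder includes the workspace query permission; if the analyst group is missing Reader, the delegated subscription will not be returned by Get-AzSubscription and the loop silently covers fewer customers, so a sanity check comparing the count of delegated subscriptions against the number of onboarded customers is worth adding to any scheduled version of this script.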


Conclusion.

Deploying Microsoft Sentinel in multi-tenant environments can introduce significant operational complexity if access is not centralised properly. Azure Lighthouse provides a scalable, secure, and auditable method for centralising access to Microsoft Sentinel workspaces across tenant boundaries: roles are scoped per delegation, customers can revoke the delegation at any time, and the provider's actions are visible in the customer's Activity log.

For MSSPs and enterprise security teams, this integration enables streamlined investigations, consistent automation, and enhanced visibility without compromising on control or security.


If you require a downloadable version of the ARM templates or diagrams to support this article, please get in touch or refer to Microsoft’s Azure Lighthouse documentation.

Written by

Ciaran Doherty, AfCIIS, MBCS