Using a Lighthouse Service Principal within Azure DevOps

Within our SOC, Cloud Control, we heavily rely on Azure Sentinel to monitor the environments of our customers. To easily manage multiple Azure Sentinel environments, Lighthouse can be enabled so that Sentinel is managed from our own tenant, The Collective.

To streamline the deployment of Analytics Rules, Workbooks, Playbooks… we use Azure DevOps to easily manage our customers without having to create all the rules manually. Normally, you would create a new Service Principal per customer and assign it rights to the resource group in which Azure Sentinel is deployed, but we can also configure DevOps to use a Service Principal from Lighthouse.

Lighthouse onboarding

The first step in the process is to onboard your customers to Azure Lighthouse. For a general introduction into onboarding a customer onto Azure Lighthouse, check out the Microsoft documentation.

Before we onboard our customer, we need to define which Service Principals and user groups we are going to use.

  • For the service principal you can use a new or existing one. If you are creating a new one, just create a blank app registration and generate a secret for it.
  • The group should contain the security operators who are going to manage the environments of your customers. If you want, you can create multiple groups, for example:
    • ‘Helpdesk’, who are Azure Sentinel operators and can ‘drive’ Azure Sentinel on a day-to-day basis (investigate incidents, etc.)
    • ‘Architects’, who are Contributors and have the ability to add items to Azure Sentinel

Inside your parameters file, add the following authorization:

```json
{
  "principalId": "81f35717f-506f-f5daf-fdsa5-dgf5p144315d",
  "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "principalIdDisplayName": "<SPN>"
}
```

Here, Principal ID should be the Object ID of your Service Principal (the enterprise application, not your app registration!). The Role Definition ID is the ID of the role you want to assign your Service Principal. As we manage Azure Sentinel and push out Workbooks/Playbooks, our SPN has Contributor permissions on the resource group in which Azure Sentinel resides.
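The following PowerShell script is an added example, not code from the original post. Run from the managing tenant, it looks up the SPN's Object ID (rather than the Application ID) and the role definition IDs by name, so no GUID is typed by hand, and writes a parameters file in the layout used by Microsoft's rgDelegatedResourceManagement template. The application ID, group name, offer name and customer resource group are placeholders.

```powershell
# Added example: build the Lighthouse parameters file from the managing tenant.
Connect-AzAccount | Out-Null   # sign in to the managing tenant, where the SPN and groups live

$appId        = '00000000-0000-0000-0000-000000000000'   # placeholder: Application (client) ID of the SPN
$operatorsGrp = 'SOC-Helpdesk'                            # placeholder: group of day-to-day operators
$customerRg   = 'rg-customer-sentinel'                    # placeholder: customer RG that holds Sentinel

# The parameters file needs the Object ID of the service principal, not the app registration's Application ID.
$spn   = Get-AzADServicePrincipal -ApplicationId $appId
$group = Get-AzADGroup -DisplayName $operatorsGrp

# Resolve role definition IDs by name instead of hard-coding GUIDs.
$contributor = (Get-AzRoleDefinition -Name 'Contributor').Id
$responder   = (Get-AzRoleDefinition | Where-Object Name -like '*Sentinel Responder').Id

$authorizations = @(
  @{ principalId = $spn.Id;   roleDefinitionId = $contributor; principalIdDisplayName = $spn.DisplayName }
  @{ principalId = $group.Id; roleDefinitionId = $responder;   principalIdDisplayName = $group.DisplayName }
)

# Lighthouse does not allow delegating Owner; fail early rather than at deployment time.
$owner = (Get-AzRoleDefinition -Name 'Owner').Id
if ($authorizations.roleDefinitionId -contains $owner) { throw 'Owner cannot be delegated through Lighthouse' }

$parameters = @{
  '$schema'      = 'https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#'
  contentVersion = '1.0.0.0'
  parameters     = @{
    mspOfferName        = @{ value = 'Cloud Control - Sentinel management' }   # placeholder
    mspOfferDescription = @{ value = 'Managed Azure Sentinel' }                 # placeholder
    managedByTenantId   = @{ value = (Get-AzContext).Tenant.Id }              # your own tenant
    rgName              = @{ value = $customerRg }
    authorizations      = @{ value = $authorizations }
  }
}
$parameters | ConvertTo-Json -Depth 10 | Set-Content 'C:\temp\rgDelegatedResourceManagement.parameters.json'
```

The resulting file is the one handed to the customer for the New-AzDeployment step, which runs in the customer's tenant.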

To onboard the tenant, connect through PowerShell with the ‘Connect-AzAccount’ command and execute the following command:

```powershell
New-AzDeployment -Name "OnboardSentinel" -Location WestEurope -TemplateFile "C:\temp\rgDelegatedResourceManagement.json" -TemplateParameterFile "C:\temp\rgDelegatedResourceManagement.parameters.json"
```

If all is well, you will receive a confirmation that the deployment was successful and the customer’s Azure Sentinel workspace will show up in your own (managing) tenant, as illustrated in the image below:

Azure DevOps Configuration

Once the customer has been onboarded onto Lighthouse, getting the Azure DevOps pipeline working is pretty straightforward. If you are new to managing Azure Sentinel through DevOps, there is a great blog post on the Tech Community on how to get started.

To deploy Workbooks, Analytics rules and Playbooks, we need both a Service Connection and Variable group. Let’s start off with configuring the Service Connection. To do so, navigate to Project Settings and then Service Connections. Choose Azure Resource Manager as the service type.

Then, select Service Principal (manual) as the authentication method, since our Service Principal was already created.

In the configuration window, set the following options:

  • Subscription Id: The ID of the subscription where the Sentinel of the customer resides
  • Subscription Name: Name of the subscription from your customer
  • Service Principal ID: The Application ID of your service principal (not the Object ID used in the JSON file!)
  • Service Principal Key: The client secret from your app registration (it’s recommended to create a new secret per connection)
  • Tenant ID: The tenant ID of the managing tenant (your own).

Verify the connection and then save it. Note that it can take a while before the permissions have fully propagated after the onboarding into Azure Lighthouse.

Next, it’s time to create the Variable Group. Navigate to Pipelines > Library and click on ‘Variable Group’.

Configure the following variables:

  • ClientId: Application ID of the Service Principal
  • ClientSecret: Secret from your service principal
  • ResourceGroup: ResourceGroup from your customer where Sentinel resides
  • SubscriptionId: SubscriptionId from your customer
  • TenantId: Tenant ID of the managing tenant.

After this step, you are ready to use the Service Connection and Variable Group in your pipeline. Set up the Variable Group (1) and the Service Connection (2) as depicted in the image below:
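As an added example (not the post's or the Tech Community blog's code), this is a script a PowerShell task can run with the variable group values passed as arguments. It signs in as the Lighthouse SPN against the managing tenant, selects the delegated customer subscription, checks that the delegation is visible before deploying, and validates the template first. The template file name is a placeholder.

```powershell
# Added example: deploy Sentinel content through the Lighthouse SPN from a pipeline step.
param(
  [Parameter(Mandatory)] [string] $ClientId,        # $(ClientId) from the variable group
  [Parameter(Mandatory)] [string] $ClientSecret,    # $(ClientSecret); mark it as secret in the group
  [Parameter(Mandatory)] [string] $TenantId,        # $(TenantId): the managing tenant, not the customer's
  [Parameter(Mandatory)] [string] $SubscriptionId,  # $(SubscriptionId): the customer's subscription
  [Parameter(Mandatory)] [string] $ResourceGroup,   # $(ResourceGroup): where the customer's Sentinel resides
  [string] $TemplateFile = 'analytics-rule.json'    # placeholder ARM template with Sentinel content
)

# Authenticate as the SPN in our own tenant; Lighthouse makes the customer's resources visible from there.
$secret = ConvertTo-SecureString $ClientSecret -AsPlainText -Force
$cred   = [pscredential]::new($ClientId, $secret)
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $TenantId | Out-Null

# Delegated subscriptions appear next to the managing tenant's own, so select the customer's explicitly.
Set-AzContext -Subscription $SubscriptionId | Out-Null

# Permissions can take a while to propagate after onboarding; give a clear error instead of a cryptic 403.
$rg = Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue
if (-not $rg) {
  throw "Resource group '$ResourceGroup' is not visible through Lighthouse yet; the delegation may still be propagating"
}

# Validate before writing anything to the customer's workspace: catches template errors and missing rights.
$problems = Test-AzResourceGroupDeployment -ResourceGroupName $ResourceGroup -TemplateFile $TemplateFile
if ($problems) { throw ($problems.Message -join "`n") }

# Incremental mode only: Complete mode would remove everything else in the customer's resource group.
New-AzResourceGroupDeployment -Name "sentinel-content-$(Get-Date -Format yyyyMMddHHmm)" `
  -ResourceGroupName $ResourceGroup -TemplateFile $TemplateFile -Mode Incremental
```

Call it from a PowerShell task with `-ClientSecret $(ClientSecret)` and the other variables as arguments, since secret variables are not exposed as environment variables automatically.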

That’s it! You can now run your pipelines with ease, without having to manage a (separate) service principal in the tenant of each customer. If you want to streamline this process even further, you can publish your offer to the Azure Marketplace.

Interested in offloading the management and configuration of Azure Sentinel to us? Reach out to us via email, social media, or contact us through the website and we’ll get in touch in no time!
