This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 52%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
We're trying out lighthouse + sentinel as a way to get a first look at a threat landscape of an adjacent tenant in the organization, and we've got it all set up to the point where I can see the subscription of the other tenant that has the sentinel workspace, but I can't get the sentinel workspace to populate. Any ideas? The two sentinel instances are in different areas (both US) and we can't seem to find the security group that was supposed to be created on the Customer side. Could either of those be causing this? Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hey @MarileeTurscak!
Yes! We can see the other subscription in that dropdown, but not the sentinel workspace that exists there.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 72%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDJ%3C/text%3E%3C/svg%3E)
Ideally it should come. We are able to see the Sentinel from two different subscriptions and used light house. I dont think it has anything to do with Location.
However, check this new feature
https://video2.skills-academy.com/en-us/azure/sentinel/multiple-workspace-view
That drop-down will show the Subscription, not the workspace. When you open Microsoft Sentinel, you should see the workspace listed (as per the link above)
I think I'm deciding we attached Lighthouse at the wrong level in the hierarchy. I know where I should be able to find the other workspace, and it stubbornly believes there is no Sentinel instance living under that workspace. Case in point, I can query the Logs and Tables of Tenant B from Tenant A's Sentinel Logs queries (using the workspace() function), but if I try to create alerts based on those queries, it errors out and tells me that Tenant B must have a Sentinel instance in order to create the alert. So either 1) it's attached at the wrong level, 2) there's a permissions issue, 3) something completely different that would likely scare me.
I appreciate the response, hope Monday is treating you alright!
You cannot activate connectors using Lighthouse accounts. You need a local tenant account.
“You will not be able to deploy connectors in Microsoft Sentinel from within a managed workspace. To deploy a connector, you must directly sign into the tenant on which you want to deploy a connector, and authenticate there with the required permissions.”
https://video2.skills-academy.com/en-us/azure/sentinel/multiple-tenants-service-providers
