{"id":51444757,"url":"https://github.com/x3nc0n/sentinel-lighthouse-accelerator","last_synced_at":"2026-07-05T15:00:58.078Z","repository":{"id":368875459,"uuid":"1287284189","full_name":"x3nc0n/sentinel-lighthouse-accelerator","owner":"x3nc0n","description":"One-click Azure Lighthouse accelerator for multi-tenant Microsoft Sentinel: 3 operator tiers + Tier 3 just-in-time (PIM) elevation, scoped to your Sentinel resource group.","archived":false,"fork":false,"pushed_at":"2026-07-02T15:05:06.000Z","size":34,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-07-02T16:34:52.332Z","etag":null,"topics":["arm-template","azure","azure-lighthouse","bicep","microsoft-sentinel","mssp","multi-tenant","security"],"latest_commit_sha":null,"homepage":null,"language":"Bicep","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/x3nc0n.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-07-02T14:44:51.000Z","updated_at":"2026-07-02T15:07:49.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/x3nc0n/sentinel-lighthouse-accelerator","commit_stats":null,"previous_names":["x3nc0n/sentinel-lighthouse-accelerator"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/x3nc0n/sentinel-lighthouse-accelerator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x3nc0n%2Fsentinel-lighthouse-accelerator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x3nc0n%2Fsentinel-lighthouse-accelerator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x3nc0n%2Fsentinel-lighthouse-accelerator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x3nc0n%2Fsentinel-lighthouse-accelerator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/x3nc0n","download_url":"https://codeload.github.com/x3nc0n/sentinel-lighthouse-accelerator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x3nc0n%2Fsentinel-lighthouse-accelerator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35158308,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-05T02:00:06.290Z","response_time":100,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arm-template","azure","azure-lighthouse","bicep","microsoft-sentinel","mssp","multi-tenant","security"],"created_at":"2026-07-05T15:00:56.803Z","updated_at":"2026-07-05T15:00:58.024Z","avatar_url":"https://github.com/x3nc0n.png","language":"Bicep","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Microsoft Sentinel — Multi-Tenant Lighthouse Accelerator\n\nDelegate **one resource group** (your Microsoft Sentinel RG) to a service provider / MSSP tenant using\n[Azure Lighthouse](https://learn.microsoft.com/azure/lighthouse/), with a **three-tier operator model**\nand **just-in-time (PIM) elevation** for Tier 3 — deployable with a single click.\n\nThis is a focused accelerator: it does one thing well. Unlike the general\n[Azure Lighthouse samples](https://github.com/Azure/Azure-Lighthouse-samples), you **don't** have to\nhand-craft a big `authorizations` JSON array. You just provide **three group object IDs** and go.\n\n[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fx3nc0n%2Fsentinel-lighthouse-accelerator%2Fmain%2Fazuredeploy.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2Fx3nc0n%2Fsentinel-lighthouse-accelerator%2Fmain%2FcreateUiDefinition.json)\n[![Visualize](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/visualizebutton.svg?sanitize=true)](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2Fx3nc0n%2Fsentinel-lighthouse-accelerator%2Fmain%2Fazuredeploy.json)\n\n\u003e The **Deploy to Azure** button above opens a guided form (subscription + resource group pickers,\n\u003e three group-ID fields, PIM options). Prefer the raw template with no form? Use\n\u003e [this link](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fx3nc0n%2Fsentinel-lighthouse-accelerator%2Fmain%2Fazuredeploy.json).\n\n---\n\n## What it grants\n\n| Tier | Standing access (always on) | Just-in-time (PIM) |\n|------|-----------------------------|--------------------|\n| **Tier 1** | Sentinel Responder · Sentinel Playbook Operator · Reader | — |\n| **Tier 2** | Sentinel Responder · Sentinel Playbook Operator · Reader | — |\n| **Tier 3** | Sentinel Responder · Sentinel Playbook Operator · Reader · *Delegation Delete Role* † | **Sentinel Contributor** · **Logic App Contributor** (time-bound, MFA) |\n\nAll three tiers share the same **standing** roles. Only **Tier 3** can elevate on demand to the two\nbroader roles, which expire automatically after the configured duration (default 8 hours, MFA required).\n† Tier 3 also holds a delete-only **offboarding safeguard** (Managed Services Registration assignment\nDelete Role) — no data access, provider-side removal only. See [Ending the delegation](#ending-the-delegation-offboarding).\n\n### Built-in roles used\n\n| Role | GUID | Where |\n|------|------|-------|\n| Microsoft Sentinel Responder | `3e150937-b8fe-4cfb-8069-0eaf05ecd056` | Standing (all tiers) |\n| Microsoft Sentinel Playbook Operator | `51d6186e-6489-4900-b93f-92e23144cca5` | Standing (all tiers) |\n| Reader | `acdd72a7-3385-48ef-bd42-f606fba81ae7` | Standing (all tiers) |\n| Microsoft Sentinel Contributor | `ab8e14d6-4a74-4a29-9ba8-549422addade` | Eligible / PIM (Tier 3) |\n| Logic App Contributor | `87a39d53-fc1b-424a-814c-f7e04687dc9e` | Eligible / PIM (Tier 3) |\n| Managed Services Registration assignment Delete Role | `91c1777a-f3dc-4fae-b103-61d183457e46` | Standing (Tier 3) — offboarding safeguard, no data access |\n\nEvery standing role is free of `Microsoft.Authorization/*/write`, which is required for standing\nLighthouse delegation. Broader access is delivered through the **eligible (PIM)** path instead.\n\n### Alignment with Microsoft's recommended role assignments\n\nThe tier model is a direct implementation of Microsoft's\n[recommended role assignments for Microsoft Sentinel users](https://learn.microsoft.com/en-us/azure/sentinel/roles#recommended-role-assignments-for-microsoft-sentinel-users)\n— analysts get standing access, engineers get elevated access (here, just-in-time):\n\n| Microsoft-recommended user type | Recommended roles (at the Sentinel RG) | This accelerator |\n|---------------------------------|----------------------------------------|------------------|\n| **Security analysts** | Microsoft Sentinel Responder · Microsoft Sentinel Playbook Operator | **Tier 1 \u0026 Tier 2** — standing (plus Reader for resource visibility) |\n| **Security engineers** | Microsoft Sentinel Contributor · Logic App Contributor | **Tier 3** — **just-in-time (PIM)**: the same broader access, but time-bound and MFA-gated instead of standing |\n| **Service principal** | Microsoft Sentinel Contributor | Out of scope — grant separately to any automation service principal |\n\n\u003e Microsoft recommends assigning these roles at the **resource group** that contains the Sentinel\n\u003e workspace, so Logic Apps and playbooks in the same RG are covered by one set of assignments. This\n\u003e accelerator delegates exactly that scope.\n\n---\n\n## Who deploys this, and where\n\n\u003e **Direction matters — this is the #1 Lighthouse mistake.**\n\u003e The template is deployed by an admin of the **customer** tenant (the tenant that *owns* the Sentinel\n\u003e resource group), and it grants access to the **provider** (MSSP) tenant.\n\u003e The `managedByTenantId` parameter is the **provider** tenant — *not* your own.\n\n| You are… | You provide… |\n|----------|--------------|\n| The **customer** (owns the Sentinel RG) | Deploy this template into your Sentinel resource group. |\n| The **provider** / MSSP | Give the customer your **tenant ID** and the **object IDs** of your three tier groups. |\n\n### Prerequisites\n\n- **Deployer** (customer admin) needs **Owner** on the target resource group (to write\n  `Microsoft.ManagedServices/registrationDefinitions` and `registrationAssignments`).\n- The three provider groups must be **security groups** (not Microsoft 365 groups) in the provider tenant.\n- The provider tenant ID and the three group object IDs.\n\n---\n\n## Parameters\n\n| Parameter | Required | Default | Description |\n|-----------|:--------:|---------|-------------|\n| `managedByTenantId` | ✅ | — | Provider (MSSP) tenant GUID. |\n| `rgName` | ✅ | — | Name of the existing Sentinel resource group to delegate. |\n| `tier1GroupId` / `tier2GroupId` / `tier3GroupId` | ✅ | — | Object IDs of the three provider security groups. |\n| `tier1GroupName` / `tier2GroupName` / `tier3GroupName` | | `MSSP Tier N Operators` | Friendly names shown in the portal. |\n| `mspOfferName` | | `Microsoft Sentinel Multi-Tenant Accelerator` | Offer name in the *Service providers* blade. |\n| `mspOfferDescription` | | *(see template)* | Offer description. |\n| `standingRoleDefinitionIds` | | Responder, Playbook Operator, Reader | Standing roles for **all** tiers. Override to customize. |\n| `tier3EligibleRoleDefinitionIds` | | Sentinel Contributor, Logic App Contributor | Tier 3 PIM roles. |\n| `pimMaxActivationDuration` | | `PT8H` | ISO-8601 max activation time for Tier 3. |\n| `pimRequireMfa` | | `true` | Require Azure MFA for Tier 3 activation. |\n\n\u003e Tier 3 is always also granted the *Managed Services Registration assignment Delete Role* as an\n\u003e offboarding safeguard — see [Ending the delegation](#ending-the-delegation-offboarding).\n\n---\n\n## Ending the delegation (offboarding)\n\nEither side can remove the delegation at any time:\n\n- **Customer** — in the Azure portal: **Service providers → Service provider offers → Delegations**,\n  select the offer, and delete it. Or via CLI:\n  ```bash\n  az managedservices assignment delete --assignment \u003cassignmentId\u003e --scope /subscriptions/\u003csubId\u003e/resourceGroups/\u003crgName\u003e\n  ```\n- **Provider** — Tier 3 operators hold the built-in\n  **Managed Services Registration assignment Delete Role**, so they can delete the\n  `registrationAssignment` from the customer scope even if the customer never offboards it. This is a\n  break-glass for MSSP relationships that end without the customer completing offboarding. The role\n  grants **no** access to customer data or resources — only the ability to remove the delegation.\n\n\u003e Deleting the **assignment** revokes all delegated access to the resource group. The\n\u003e **registration definition** (the offer) can remain for reuse, or be deleted separately.\n\n---\n\n## Deploy from the CLI\n\nRun as a **customer-tenant admin**, signed in to the tenant that owns the Sentinel RG.\nThis is a **subscription-scoped** deployment (`az deployment sub create`); only the resource group\nnamed in `rgName` is delegated.\n\n### Bicep\n\n```bash\naz deployment sub create \\\n  --location eastus \\\n  --template-file main.bicep \\\n  --parameters \\\n      rgName=\u003cyour-sentinel-rg\u003e \\\n      managedByTenantId=\u003cprovider-tenant-guid\u003e \\\n      tier1GroupId=\u003ctier1-group-object-id\u003e \\\n      tier2GroupId=\u003ctier2-group-object-id\u003e \\\n      tier3GroupId=\u003ctier3-group-object-id\u003e\n```\n\n### ARM / JSON\n\n```bash\naz deployment sub create \\\n  --location eastus \\\n  --template-file azuredeploy.json \\\n  --parameters azuredeploy.parameters.json\n```\n\n\u003e `--location` only sets the deployment metadata region — Lighthouse resources are not placed there.\n\u003e Edit `azuredeploy.parameters.json` first — replace the placeholder GUIDs and `rgName` with the\n\u003e provider tenant ID, your three group object IDs, and your Sentinel resource group name.\n\n---\n\n## Verify the delegation\n\n```bash\n# From the customer tenant — list registration assignments on the resource group\naz rest --method GET \\\n  --url \"https://management.azure.com/subscriptions/\u003csub-id\u003e/resourceGroups/\u003cyour-sentinel-rg\u003e/providers/Microsoft.ManagedServices/registrationAssignments?api-version=2022-10-01\u0026\\$expand=registrationDefinition\"\n```\n\nOr in the portal: open the resource group → **Access control (IAM)** → or search **Service providers**.\nProvider-side operators will see the delegated RG under **My customers** in the Azure portal, and can\nactivate their Tier 3 eligible roles from **Azure Lighthouse → My customers → (RG) → activate**.\n\n---\n\n## Remove the delegation\n\n```bash\n# Get the assignment name, then delete it\nASSIGNMENT=$(az rest --method GET \\\n  --url \"https://management.azure.com/subscriptions/\u003csub-id\u003e/resourceGroups/\u003cyour-sentinel-rg\u003e/providers/Microsoft.ManagedServices/registrationAssignments?api-version=2022-10-01\" \\\n  --query \"value[0].name\" -o tsv)\n\naz rest --method DELETE \\\n  --url \"https://management.azure.com/subscriptions/\u003csub-id\u003e/resourceGroups/\u003cyour-sentinel-rg\u003e/providers/Microsoft.ManagedServices/registrationAssignments/${ASSIGNMENT}?api-version=2022-10-01\"\n```\n\n---\n\n## Files\n\n| File | Purpose |\n|------|---------|\n| `main.bicep` | Source of truth — subscription-scoped Lighthouse delegation (definition + RG assignment). |\n| `assignment.bicep` | Nested module — creates the registration assignment in the target resource group. |\n| `azuredeploy.json` | Compiled ARM template used by the **Deploy to Azure** button. |\n| `azuredeploy.parameters.json` | Sample parameters (placeholder GUIDs — edit before CLI deploy). |\n| `createUiDefinition.json` | Portal form for the guided **Deploy to Azure** experience. |\n| `LICENSE` | MIT. |\n\n---\n\n## References\n\n- [Azure Lighthouse documentation](https://learn.microsoft.com/azure/lighthouse/)\n- [Onboard a resource group to Azure Lighthouse](https://learn.microsoft.com/azure/lighthouse/how-to/onboard-customer)\n- [Eligible authorizations (JIT / PIM) in Lighthouse](https://learn.microsoft.com/azure/lighthouse/how-to/create-eligible-authorizations)\n- [Microsoft Sentinel roles and permissions](https://learn.microsoft.com/azure/sentinel/roles)\n- [Azure Lighthouse samples](https://github.com/Azure/Azure-Lighthouse-samples)\n\n---\n\n*Community accelerator — not an official Microsoft product. Provided as-is under the MIT License.*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fx3nc0n%2Fsentinel-lighthouse-accelerator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fx3nc0n%2Fsentinel-lighthouse-accelerator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fx3nc0n%2Fsentinel-lighthouse-accelerator/lists"}