Allow service provider Azure AD Security Group (already used by Azure Lighthouse) to be nested in customer tenant security groups
Scenario: Many Azure Sentinel incidents arise from data connectors to Microsoft security services like Defender for Endpoint. Properly investigating such an incident requires the SOC analyst to pivot to the customer tenant’s Microsoft Defender Security Center portal (https://securitycenter.microsoft.com). Remediation actions such as isolating a computer then require a pivot to Microsoft Endpoint Manager (MEM) admin center (https://endpoint.microsoft.com).
Background: With Azure Lighthouse, MSSP service providers can access Azure Sentinel workspaces using ARM-based delegations. A security group in the service provider’s Azure AD tenant is trusted by customer Azure ARM-based resources like Azure Sentinel for access generally at the Contributor role level.
Problem: Defender and MEM are not ARM resources and cannot participate in ARM-based delegations the way Azure RM resources do. So the existing security group in the service provider's tenant is useless for gaining access to customer Defender and MEM portals.
Workaround:
(1) The service provider must create guest user accounts in each customer tenant that match the membership of the service provider tenant security group.
(2) The guest user accounts are then added to a new security group in the customer tenant that mirrors the function of the service provider security group.
(3) The customer tenant Azure AD security group is then associated with the Intune Administrator Azure AD role and the User Administrator Azure AD role.
(4) Finally, the customer Azure AD security group is specified at Microsoft Defender Security Center -> Settings -> Roles in a new custom role, Microsoft Defender for Endpoint Administrator (external), that has all the permissions of the built-in Defender administrator role.
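The following is an added example of automating steps (1) to (3) of that workaround with the Microsoft Graph PowerShell SDK; it is not part of the original request. Tenant IDs, group names and the redirect URL are placeholders, and the mirror group is assumed to already exist in the customer tenant and to have been created as role-assignable.

```powershell
# Added example: mirror the service provider group's members into a customer
# tenant as guests, add them to the mirror group, and assign the two roles.
# Tenant IDs and group names below are placeholders (assumed, not from the page).
$ProviderTenantId  = '<provider-tenant-id>'
$CustomerTenantId  = '<customer-tenant-id>'
$ProviderGroupName = 'MSSP-Sentinel-Analysts'      # group already used by Lighthouse
$CustomerGroupName = 'MSSP-Sentinel-Analysts-EXT'  # mirror group in the customer tenant

# Step 1a: read the provider group's membership as user principal names.
Connect-MgGraph -TenantId $ProviderTenantId -Scopes 'GroupMember.Read.All','User.Read.All'
$providerGroup = Get-MgGroup -Filter "displayName eq '$ProviderGroupName'"
$analystUpns = Get-MgGroupMember -GroupId $providerGroup.Id -All |
    ForEach-Object { (Get-MgUser -UserId $_.Id).UserPrincipalName }
Disconnect-MgGraph

# Step 1b/2: in the customer tenant, invite guests that are missing and add
# every guest to the mirror group (idempotent: existing guests are reused).
Connect-MgGraph -TenantId $CustomerTenantId -Scopes 'User.Invite.All','User.Read.All',
    'GroupMember.ReadWrite.All','RoleManagement.ReadWrite.Directory'
$customerGroup = Get-MgGroup -Filter "displayName eq '$CustomerGroupName'"
$existingIds = Get-MgGroupMember -GroupId $customerGroup.Id -All | ForEach-Object { $_.Id }
foreach ($upn in $analystUpns) {
    # A guest object keeps the invited address in its 'mail' attribute.
    $guest = Get-MgUser -Filter "mail eq '$upn' and userType eq 'Guest'"
    if (-not $guest) {
        $invitation = New-MgInvitation -InvitedUserEmailAddress $upn `
            -InviteRedirectUrl 'https://securitycenter.microsoft.com' -SendInvitationMessage:$true
        $guestId = $invitation.InvitedUser.Id
    } else {
        $guestId = $guest.Id
    }
    if ($existingIds -notcontains $guestId) {
        New-MgGroupMember -GroupId $customerGroup.Id -DirectoryObjectId $guestId
    }
}

# Step 3: assign the Intune Administrator and User Administrator roles to the
# mirror group (the group must have been created with isAssignableToRole = true).
foreach ($roleName in 'Intune Administrator','User Administrator') {
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $customerGroup.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId '/'
}
# Step 4 (the Defender for Endpoint custom role under Settings -> Roles) is
# still granted in the Defender portal and is not automated here.
```

Re-running the script after the provider group changes adds new analysts; removing departed analysts from the mirror group and deleting their guest accounts still has to be handled separately.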
Desired solution: Allow the service provider tenant Azure AD Security Group (already used by Azure Lighthouse) to be nested in the described customer tenant Azure AD Security Group (with permissions to access Defender and MEM).