Cybercrime reporting poll


I’ve created an anonymous public poll asking the question:

Are you reporting cybercrime incidents, like ransomware, to government or police authorities?

which is here:

as the results rolling you can see the summary here:

I’m interested to see what people are doing when it comes to reporting incidents to authorities?

Using Azure Sentinel with Azure Lighthouse

A recent article:

Configure Azure Lighthouse

detailed how to get Azure Lighthouse working across different tenants (a ‘master’ and multiple ‘clients’). It is now time to look at how to use that capability inside the ‘master’ tenant with Azure Sentinel.


Log into your ‘master’ Azure tenant. Select the user in the top right and from the menu that is displayed select Switch directory.


You’ll typically see only the current ‘master’ tenant listed in Current + delegated directories. Select the pull down arrow on the left of the Current + delegated directories option as shown.


You should now see all the ‘client’ tenants you connected with Azure Lighthouse now appear. However, you’ll will notice they are currently not selected.


Ensure that all the directories are selected.


With All directories now selected in Current + delegated directories, clock on the pull down arrow on the right of Subscription as shown above.


Again, you will probably see that the subscriptions in the ‘client’ tenants are not selected.


Ensure these are all selected and the Subscription option displays All subscriptions as shown above.


With all the ‘client’ tenant selections now complete it means they will be displayed just like any other in the ‘master’ tenant. Navigate to Azure Sentinel in the ‘master’ tenant and look at the list of workspaces that are displayed. If you don’t see ‘client’ Sentinel workspaces, select the Subscription filter at the top of the page and ensure it is set to All as shown.


With all the workspaces selected, click the View incidents button from the menu along the top as shown above.


You should now see a list of all the incidents across all the tenants. You can see this by looking at the Directory column as shown in the output. You can, of course, view at individual Sentinel workspaces if you want by just clicking on them in the previous screen. This provides the same experience as if you viewed the results inside that ‘client’ tenant but you are doing that now inside the ‘master’ tenant.

This process now provides you a single pane of glass across all your Azure Sentinel environments. Depending on the permissions you have configured in the ‘client’ tenants, you get much the same capability across other Azure resources in the ‘master’ tenant now. This is the benefit of using Azure Lighthouse to manage multiple tenants and exactly how I use it with Azure Sentinel.

Configure Azure Lighthouse

Azure Lighthouse:

“enables cross- and multi-tenant management, allowing for higher automation, scalability, and enhanced governance across resources and tenants.”

In essence, it allows you to manage multiple ‘client’ Azure tenants from a single ‘master’ tenant. There is no cost for Azure Lighthouse and it is simple to enable. However, I would caution you to pay close attention to the permissions you assign the ‘master’ tenant inside the ‘client’ tenants and follow the best practice of least privilege security.

You are going to need a few things before you start configuring Azure Lighthouse.

1. A ‘master’ Azure tenant with a paid subscription

2. ‘Client’ Azure tenants with a paid subscription in each

3. For each ‘client’ Azure tenant you will require a login to that tenant who has the Owner built-in role for the subscription being onboarded. Typically, there is only one subscription in an Azure tenant and the initial administrator has that role. You will use this user, inside each ‘client’ tenant to permit access from the ‘master’ tenant.

4. The Tenant ID of the ‘master’ tenant.


You will find that on the front page of the Azure Active Directory blade in the ‘master’ Azure tenant portal as shown above.

5. The Object ID for the controlling entity (user or group) in the ‘master’ Azure tenant. This is basically the individual user or Azure AD security group who you wish to give access rights to the ‘client’ Azure tenants.


You will find the Object ID on the front page of that item in Azure AD as shown above. The above example show this for a single user.


The above example is for a group.

6. You now need to deicide what permissions you will give this Object ID from the ‘master’ Azure tenant inside the ‘client’ tenants. You can find all the Ids for Azure built-in roles here:

So, if you want for the ‘master’ tenant Object ID to have effectively full rights inside the ‘client’ Azure tenants use:

Contributor – ID = b24988ac-6180-42a0-ab88-20f7382dd24c

Remember, best practice is to follow least privilege and as such if you just want to view Azure Sentinel information in the ‘client’ Azure tenant use:

Azure Sentinel Reader – ID = 8d289c81-5878-46d4-8554-54e1e3d8b5cb

but as I said, be very, very careful about the rights you assign the ‘master’ Object ID inside the ‘client’ tenants.

Once you have all the above information, you’ll need to login to the ‘client’ Azure tenant with the user account in step 3 above (i.e. an owner of the ‘client’ Azure tenant).

In the same browser session open a new tab and navigate to:

and select the Auto-deployment button in the first row as shown:


A custom deployment template should launch


and look like the above. Here, select the Subscription and Region appropriate in the ‘client’ Azure tenant. You can put any custom text you wish into the Msp Offer Name and Msp Offer Description field.

Into the Managed by Tenant Id field enter the value you recorded in step 4 above (i.e. the Tenant ID of the ‘master’ Azure subscription).

The Authorizations field needs to be in the format of:


where the principalId field will be the item you obtained in step 5 above (i.e. who in the ‘master’ Azure tenant do you want to have rights to the ‘client’ Azure tenant) and roleDefinitionId will be the information obtained in step 6 above (i.e. what permissions you want to gibe inside the ‘client’ Azure tenant). You can assign the principalIdDisplayName field any meaningful text you wish.

As you can see from the example you can chain multiple permission assignments together. So in this example, let’s say that I want to assign my one user full contributor rights and a security group only Azure reader rights. The entry would then look like:


It is very, very important that you get the formatting of the Authorizations field correct. I suggest you compose it in something like Notepad (with word wrap = off) and paste it in. If you see any errors during deployment, double check you have this field EXACTLY correct!


Once you have entered all the information, select the Review + create button an the bottom of the screen.

Your options will then be validated, and if passed, select the Create button at the bottom of the screen.


You should then see the deployment commence as shown above. The deployment will take a few minutes to complete, after which it take at least another 15 minutes for the Azure Lighthouse configurations to appear in the ‘master’ and ‘client’ tenants, so be patient.


After the 15 minutes, navigate to Azure Lighthouse in the ‘client’ tenant and look at Service Provider offer as seen above. This basically tells you that this ‘client’ tenant has single delegation (i.e connect to a ‘master’ Azure tenant).


Now head over to the ‘master’ Azure tenant and view Azure Lighthouse there, but look at the My customers then Customers option as seen above. Here you should see the ‘client’ Azure tenant just added to the current ‘master’ Azure tenant. Again remember, this takes around 15 minutes to appear once configured.

Congratulation you have successfully used Azure Lighthouse to link a ‘client’ Azure tenant to a ‘master Azure tenant. Look out for upcoming articles on what you can now do once you have enabled Azure Lighthouse.

Register your interest for a hands on, deep dive Microsoft 365 Security event


If you are interested in attending a hands on in person 2 day deep dive event into Microsoft Security including:

– Exchange Online

– Windows 10 hardening

– Effective incident monitoring

– Identity security

– Data protection

and more then I encourage you to register your interest now for CIAOPS Secwerks 1 in Melbourne CBD over 2 days, Thursday the 5th and Friday the 6th of August 2021. I expect demand to be extremely high for this event and I will have more to share when I have confirmed all the details. However, feel free to reach out to me if you want more information. Please register your interest here to be kept up to date with the event:

The theme of this event will be to help you understand all the technologies that the Microsoft Cloud provides, how to configure them appropriately and get your Microsoft Secure Secure above 80%. The material covered will be technical and cover all the basics but then to extend beyond Level 400. The course is specifically designed for those who need to provide security for environments connected to Microsoft 365.

I hope to see you there.

The case of the missing Azure Sentinel ingested data


Recently, I have seen my Azure Sentinel overview look like the above. I was puzzled why I had so many hours without any data being ingested? In short, it turned out that I had exceeded my storage tier capacity. Here’s where to look if you see something similar.


From the menu on the left of the Azure Sentinel workspace scroll to the bottom and select Settings as shown. Then from the pane that appears on the right select Workspace settings at the top as shown.


This will take you to the Azure Log Analytics workspace that underpins Sentinel. From the menu on the left here select Usage and estimated costs. Note on the right what is highlighted under Free pricing tier I was using:

(The log data ingestion includes the 500 MB/VM/day data allowances from Azure Security Center.)

That is the limit for my current tier. Any ingested data over that quota was not being ingested. Not ingested data, nothing recorded in the Sentinel overview report.


If you select the Daily cap button at the top of the page you’ll get more information appear from the right as shown.


The two important things to note are that the daily volume cap is 0.5 GB/day and that the limit is reset at 2am UTC (12pm Sydney time).


When I checked the Workspace Pricing tier details, shown above, there is indeed a daily cap of 512MB.


Then when I looked at the overview report in Sentinel I see that data did indeed start begin re-ingest at 12pm local time (2am UTC) as expected.


So the next question was, how is it going to cost me avoid this situation and ingest all my data? Looking at the Pay-as-you-go pricing tier I see the estimated cost per month would only be AU$4.79. Easy choice.  SELECT.


The important thing to remember with this ingested data is that you always get the initial 512MB per day free. Anything above that you won’t get any captured data unless you upgrade your pricing tier. But then you’ll only pay for the amount above the 512MB per day, which in my case was only about 34MB per day on average.


A good way to keep track of this sort of data, before it becomes and issue as it did for me, is to use the Workspace usage Report workbook which you can access from the Sentinel console as shown above.


Here you’ll see everything you need to keep on top of this total data you are ingesting and where it is coming from.

The reason I’m so much data is that I’m pulling security events from local devices. Most Microsoft cloud services include free ingestion, which is the place you should start. However, I had added a number of demo devices to my tenant which pushed me over the free 512MB limit. Most people should be able to stay well below this quota by default, at least to start with. However, if you ever need to upgrade, like I have, it’s still cheap for it provides!

Light or Dark mode?

One of the perennial high powered technology debates is whether Light or Dark mode is better. This ranks alongside similar torch and pitch fork ‘discussion’ events  like iOS or Android, PC or Mac and tabs or spaces. Luckily, just about everything these days, including Microsoft 365, supports a choice of modes.


Now I’ve dabbled with switching to dark mode over the years but recently I’ve decided to go all in for at least 30 days. This means I’ve switched EVERYTHING to dark mode. Every app, every device. Dark mode everywhere.


So, I’ve switched my Office apps (OneNote above), browsers (Edge and Brave) as well as Microsoft 365 and Azure into dark mode.

A few days in, I gotta admit, that it takes some getting used to. The border of desktop windows is much harder to find along with the dialog windows header. I notice far more reflection from what’s behind me when using my Surface PC, which is somewhat distracting, and the local post office had issues scanning an email QR code on my iPad until I changed it back to light mode. However, I’m sticking it out for the full 30 days to see but I’m not a convert as yet by any means.

I think that dark mode works a lot better if you are a coding type who spends hours and hours every day looking at lines of code. That is not the case for productivity workers who are regularly swapping between applications. This, in my opinion, is much harder when using dark mode.

Let’s see what the 30 day trial brings. I do appreciate the benefits but whether these are noticeable to me, only time will tell.