Sentinel – Common Roles for Getting Started

If you are just getting started with Sentinel, take a look at the reference below for the common roles required for creating Sentinel and integrating Microsoft data sources.

For a complete list of roles, refer to Microsoft Sentinel roles and allowed actions.
Mitigate risk to highly privileged roles by leveraging Azure AD Privileged Identity Management.

Deploying Sentinel

At minimum these are required on the resource group where Sentinel will be created.

Additional Role Considerations

Although it's not listed in the official docs, this will ensure you have full rights to manage the Log Analytics workspace.

Connecting Azure Activity Logs

  • Azure Owner role on relevant Subscriptions or Owner role at the relevant management group

Enabling UEBA and Connecting Azure AD Logs

Connecting Microsoft 365 Defender

Connecting Defender for Cloud

Connecting Office 365