Multi tenancy: Collect Azure Health logs from different Azure tenants
We manage Azure tenants for multiple companies. We want one central monitoring and automation Workspace to manage all these different tenants.
Although you can collect data from VM agents in different Azure tenants, as well as data from different Office 365 tenants, it is not possible to get the Azure Health logs from different tenants into one OMS Workspace.
This functionality is currently available now via Azure Lighthouse, which would allow you to map other tenants' workspaces to your current tenant and using cross-workspace query, you can run a query across them.
Ben Hatton commented
The question/request here is about different Tenants (i.e. Azure AD domains), not different subscriptions, so this comment doesn't address it directly. I note that the link you provide 'recommends' separate OMS for each tenancy, but I feel that the votes here reflect an interest in permitting cross-tenancy logging.
For a big customer we are facing the same issue. We monitor the VM with a unique central OMS workspace but cannot monitor other Azure PaaS resources (such as Azure SQL DB, Azure App Gateway...).
For those resources we can only use an OMS workspace in the same tenant, otherwise the command to enable this monitoring fails:
Set-AzureRmDiagnosticSetting > 'A parameter cannot be found that matches parameter name 'WorkspaceId'
Guilherme Gomes commented
It would be very good to have discrete data segment access per tenant over a single workspace. It is true that we can segment tenants per workspace, but in this case, we can’t search across multiple workspaces at the same time.
Yes, I mean Azure activity logs indeed. (Sorry for the confusion.)
The problem is to get those logs from multiple tenants to one OMS in a different tenant. Because now we can centrally monitor VM activity per tenant but not the Azure resources per tenant.
So every customer has its own tenant under CSP but we can monitor and manage them from a single "management" tenant.