Defender for Cloud - Azure Continous export to Log Analytics workspace in another tenant

Question

Hi team, I am working on enabling Continuously export Microsoft Defender for Cloud data to an Log Analytics workspace in another tenant. In this process I have followed below

To export data to an Log Analytics workspace in a different tenant:

1. In the tenant that has the Log Analytics workspace, invite a user from the tenant that hosts the continuous export configuration. - complete
2. For a Log Analytics workspace: After the user accepts the invitation to join the tenant, assign the user in the workspace tenant one of these roles: Owner permissions assigned
3. Configure the continuous export configuration and select the Analytics workspace to send the data to. - In the above configuration step, only scope I see of same subscription and LAW within it. I don't see LAW from other Tenant and resource group isn't listed. I don't see any error its that LAW from other Tenant isn't listed.
4. Guest user is setup at both Source (member but as owner to subscription to setup DFC- Continous export) and destination tenant ( guest user with owner permissions to LAW)

Answer 1

Correction. I was thinking of Azure Monitor Export.

This is working partially, you can see the subscription. This is likely a permission issue on the user for the destination tenant. At a minimum, that user needs reader from the subscription to the workspace. Also write access or Log Analytic Contributor on the workspace.

Though MDFC stores Defender for Servers data in a log analytics workspace. This Continuous Export option does not appear to include the workspace data, only the subscription-level data stored in the resource graph. So the local workspace data is not exported I think.

Even though the documentation does not refer to Lighthouse directly, you may consider this instead. Using a guest account seems problematic. Like using a user account as a service account.