Defender for Cloud - Azure Continuous export to Log Analytics workspace in another tenant

yash Prasad 0 Reputation points
2023-05-31T15:56:42.37+00:00

Hi team, I am working on enabling continuous export of Microsoft Defender for Cloud data to a Log Analytics workspace in another tenant. In this process I have followed the steps below.

To export data to a Log Analytics workspace in a different tenant:

  1. In the tenant that has the Log Analytics workspace, invite a user from the tenant that hosts the continuous export configuration. - complete
  2. For a Log Analytics workspace: after the user accepts the invitation to join the tenant, assign the user in the workspace tenant one of these roles. - Owner permissions assigned
  3. Configure the continuous export configuration and select the Log Analytics workspace to send the data to. - In this configuration step, the only scope I see is the same subscription and the LAW within it. I don't see the LAW from the other tenant, and its resource group isn't listed. I don't see any error; it's just that the LAW from the other tenant isn't listed.
  4. The guest user is set up in both the source tenant (a member, with Owner on the subscription to set up the DFC continuous export) and the destination tenant (a guest user with Owner permissions on the LAW).
Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

1 answer

  1. Andrew Blumhardt 10,051 Reputation points Microsoft Employee
    2023-06-01T02:25:46.2166667+00:00

    Correction. I was thinking of Azure Monitor Export.

    This is working partially, you can see the subscription. This is likely a permission issue on the user for the destination tenant. At a minimum, that user needs Reader from the subscription to the workspace. Also write access or Log Analytics Contributor on the workspace.

    Though MDFC stores Defender for Servers data in a Log Analytics workspace, this Continuous Export option does not appear to include the workspace data, only the subscription-level data stored in the Resource Graph. So the local workspace data is not exported, I think.

    Even though the documentation does not refer to Lighthouse directly, you may consider this instead. Using a guest account seems problematic. Like using a user account as a service account.

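The answer above points at permissions on the guest in the workspace tenant rather than at the export feature itself. The following Az PowerShell script, added here as an example and not code from the question, the answer or Microsoft, checks exactly the two roles the answer names (Reader at the subscription that holds the workspace, and Log Analytics Contributor on the workspace) for an invited guest and, with `-Fix`, grants whichever is missing. Every tenant id, subscription id, resource group, workspace name and guest UPN in it is a placeholder; the guest UPN uses the `user_domain#EXT#@tenant` form that invited accounts get in the inviting tenant. The page does not confirm that these roles alone make the workspace appear in the continuous export picker; the script only makes the permission question answerable before touching Owner grants.

```powershell
# Added example (not from the question, the answer or Microsoft): report and optionally
# grant, in the WORKSPACE tenant, the minimum roles the answer names for the invited guest:
# Reader at subscription scope and Log Analytics Contributor at workspace scope.
# All values below are placeholders / assumptions; replace them before running.
param(
    [string]$WorkspaceTenantId       = '00000000-0000-0000-0000-000000000000',   # placeholder
    [string]$WorkspaceSubscriptionId = '11111111-1111-1111-1111-111111111111',   # placeholder
    [string]$ResourceGroupName       = 'rg-security-logs',                        # assumed
    [string]$WorkspaceName           = 'law-central',                             # assumed
    # UPN of the guest as it appears in the workspace tenant after the invitation is accepted
    [string]$GuestUpn = 'exportadmin_sourcetenant.com#EXT#@workspacetenant.onmicrosoft.com', # placeholder
    [switch]$Fix   # without -Fix the script only reports; with -Fix it creates missing assignments
)

# Sign in to the workspace tenant and select the subscription that holds the workspace.
Connect-AzAccount -TenantId $WorkspaceTenantId | Out-Null
Set-AzContext -TenantId $WorkspaceTenantId -SubscriptionId $WorkspaceSubscriptionId | Out-Null

# Resolve the guest; a missing object usually means the invitation was never accepted.
$guest = Get-AzADUser -UserPrincipalName $GuestUpn
if (-not $guest) {
    throw "Guest '$GuestUpn' not found in tenant $WorkspaceTenantId; has the invitation been accepted?"
}

$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName
$subScope  = "/subscriptions/$WorkspaceSubscriptionId"
$wsScope   = $workspace.ResourceId

# Requirements from the answer, as (scope, role to grant, roles that already satisfy it).
# Owner or Contributor would also satisfy each, but the narrower role is the one to grant.
$required = @(
    @{ Scope = $subScope; Role = 'Reader';
       Satisfied = @('Reader', 'Contributor', 'Owner') },
    @{ Scope = $wsScope;  Role = 'Log Analytics Contributor';
       Satisfied = @('Log Analytics Contributor', 'Contributor', 'Owner') }
)

foreach ($req in $required) {
    # Get-AzRoleAssignment at a scope returns assignments made there and those inherited
    # from parent scopes (management group, subscription, resource group).
    $have = Get-AzRoleAssignment -ObjectId $guest.Id -Scope $req.Scope |
            Where-Object { $req.Satisfied -contains $_.RoleDefinitionName }

    if ($have) {
        Write-Host ("OK      {0,-26} at {1} (via {2})" -f $req.Role, $req.Scope,
                    (($have | ForEach-Object RoleDefinitionName) -join ','))
    }
    elseif ($Fix) {
        New-AzRoleAssignment -ObjectId $guest.Id -RoleDefinitionName $req.Role -Scope $req.Scope | Out-Null
        Write-Host ("ADDED   {0,-26} at {1}" -f $req.Role, $req.Scope)
    }
    else {
        Write-Warning ("MISSING {0} at {1}; rerun with -Fix to grant it" -f $req.Role, $req.Scope)
    }
}
```

Run it as an account that can read and write role assignments in the workspace tenant (Owner or User Access Administrator on the subscription). The first run without `-Fix` is the useful one: it shows whether the guest's Owner on the workspace is really an assignment at the workspace scope or was expected to be inherited from somewhere it is not. Keeping the grants at these two scopes, rather than Owner, is also the least-privilege shape for a cross-tenant account, which is the concern the answer raises about using a guest as a service account.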
