Microsoft Defender for Cloud and Log Analytics Workspace with Azure Monitor Agent

Wojciech Różański 21 Reputation points


Over the past few days I have been testing MS Defender for Cloud with the new Azure Monitor Agent. There is one setup I have not been able to get to work, which is unfortunately one I would like to have included in my design which includes a dedicated subscription for security related matters.

Is it currently possible to use a single Log Analytics Workspace to store Defender for Cloud data for multiple subscriptions when using the new Azure Monitor Agent?
I believe this was possible with the old Log Analytics Agent.

I have tried with two approaches:

Approach number 1:

  • enable Defender for Cloud Plan 2 on the subscription level
  • configure Azure Monitor Agent auto-provisioning
    The problem with this approach is that I can only select a Log Analytics Workspace from the subscription I am enabling Defender on. Which does not suit my needs.

Approach number 2:

  • enable Defender for Cloud Plan 2 on the Log Analytics Workspace level
  • configure a Data Collection Rule (pretty much a copy of the DCR that's created automatically after enabling agent auto-provisioning), setting the destination as the Defender-enabled Workspace
  • associate the DCR with my test VMs
    Using this approach, I can see the SecurityCenterFree and Security Solutions enabled on the Workspace, the DCR properly shows the VM association, but not a single security related log had appeared in the Workspace. In fact, the only logs I have available are Heartbeat and Usage.

Is there any way to make it work the way I want to?

Kind regards,


Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
737 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Andrew Blumhardt 7,241 Reputation points Microsoft Employee

    The first option should work. I can see workspaces from several subscriptions in my lab. I assume it may be permission related.

    Though the documentation suggests that the workspace must be in the same subscription...