Migrated a subscription to a new tenant. Log Analytics query in old subcscription shows logins in new

David Beitler 31 Reputation points
2023-01-26T20:22:08.9633333+00:00

Migrated the contents of a subscription. Which has a different AD tenant. If I run the buitin query in LA, "All Azure Activity", it shows Login activity from the new subscription. If I run "All Azure Activity" in the new one. It shows nothing at all. Need to delete the old subscription, but would like to understand how they appear to be linked before doing so.

Not Monitored
Not Monitored
Tag not monitored by Microsoft.
35,529 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. Luke Murray 10,521 Reputation points MVP
    2023-01-26T20:30:31.88+00:00

    Take a look at the Azure Diagnostics settings of the Azure Active Directory tenancy, are they linked to the right LA workspace:

    https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics#send-logs-to-azure-monitor

    0 comments No comments

  2. David Beitler 31 Reputation points
    2023-01-26T23:06:03.8233333+00:00

    What was in the "migrated" subscription pointed to a different subscription ID that either the "from" or "two"

    In fact, it said it could not find the subscription indicated.

    Updated the diagnostic settings pointed them to the correct "migrated" subscription, but the behavior still persists.

    Will let it set a bit to be sure.

    0 comments No comments

  3. David Beitler 31 Reputation points
    2023-02-01T17:27:11.89+00:00

    That might have been a partial fix. Further look show the following.

    In the new subscription, in Monitor/Activity Log, I see activity mostly relating to an Azure Recovery Vault

    In the old subscription, I can see this activity by running the query "All Azure Activity" in the old LA workspace.

    I checked the diagnostic settings on the recovery vault. It is set to log to the new subscription.

    The timestamps match exactly.

    Did not change anything, but re-saved the diagnostic settings for the recovery vault. May have corrected the problem.

    ---Did not. still reporting in the old sub.

    0 comments No comments

  4. David Beitler 31 Reputation points
    2023-02-01T17:50:00.43+00:00

    Did not change anything.

    Anyone aware of a way (powershell or otherwise), to query Azure for all the diagnostic settings within a subscription?

    Still getting activity for some storage and backup activity. (Only need to browse to trigger activity. Does not require initiating any thing or making a change)