Ingest events from Azure Event Hubs into Azure Monitor Logs - Cross Tenant

Taranjeet Malik 571 Reputation points
2023-09-19T00:41:36.3833333+00:00

Hi

We have recently set up the cross-tenant sync service from multiple Entra ID tenants to a single Entra ID tenant (N:1 relationship). After setting up the cross-tenant sync, we're observing occasional failures in the sync process, which we would like to continuously (and proactively) monitor and resolve before they're picked up by users / business. We thought of setting up an Event Hub in each source tenant to which Entra ID logs will be sent (via Monitoring --> Audit Logs in Entra ID). Then have these Event Hubs ingest these events into Azure Monitor (through the API) as explained here --> Tutorial: Ingest events from Azure Event Hubs into Azure Monitor Logs (Preview) - https://learn.microsoft.com/en-us/azure/azure-monitor/logs/ingest-logs-event-hub

While this article seems to assume that both the Event Hub and the Azure Monitor (ingestion) API are in a single Azure subscription (and Entra ID tenant), will this configuration also work in cross-tenant scenarios? For example, in our case, the Event Hub(s) sit in the source Azure subscription (linked to one Entra ID tenant) and the Azure Monitor API sits in a different Azure subscription (linked to a different Entra ID tenant). If yes, what additional changes do I need to make for this configuration to work?

Would also like to understand any alternative approaches that the community has used to address a similar scenario.

Thanks

Taranjeet Singh


Accepted answer
    AnuragSingh-MSFT 21,546 Reputation points Moderator
    2023-09-22T08:16:25.96+00:00

    Taranjeet Malik, thank you for posting this question and apologies for the delayed response.

    You are right that the steps mentioned in the article Tutorial: Ingest events from Azure Event Hubs into Azure Monitor Logs (Preview) apply to resources in a single tenant. However, for a cross-tenant scenario, this is not applicable.

    There are merits in isolating the monitoring data tenant-wise, and the discussion in the following link throws light on some of the scenarios where merging data from multiple tenants into a single Log Analytics workspace could create unintended issues - Multi Tenant Centralize Log Analytics

    You could try using a custom solution if you would like to merge the telemetry into a single LA workspace, for example:

    1. You could try using Azure Stream Analytics to capture events from the event hubs (to which Microsoft Entra ID is exporting logs). This gives you the option to use a Shared Access Signature of the event hubs to send/listen to data. The output of the Analytics Job could be an Event Hub which is connected to the LA workspace. Using this method, you should be able to use a single Stream Analytics job instance and get telemetry from all the other event hubs in different tenants (using the SAS feature). However, note that this setup would come with additional moving pieces (the Analytics Job instance) which also need to be maintained, and for security/compliance purposes, the keys used for authentication will have to be rotated periodically.
    2. Another option is very similar to what is mentioned in point 1 above, where you may have a custom application (an Azure Function app, for example) which listens to events from multiple event hubs and outputs the telemetry to a single event hub connected to the LA workspace. Since this will also involve a multi-tenancy scenario, SAS keys are the only option for authentication, which adds to the overhead in addition to developing and maintaining the Azure Functions logic.

    In my opinion, having the monitoring set up at tenant level will be a better option so that things can be changed at tenant level as and when required. You could set up alerting in all the tenants you have, and ARM templates or Azure PowerShell/CLI scripts should be used to create these alerting rules to follow the Infrastructure as Code (IaC) methodology.

    Hope this helps.

    If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.

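As an added illustration of option 2 in the accepted answer (example code, not from the answer, Microsoft, or the tutorial), here is a minimal Python fan-in forwarder built on the azure-eventhub SDK: one consumer thread per source tenant, each authenticated with that hub's own listen-only SAS policy, all writing to the single hub connected to the LA workspace, and every record tagged with its source tenant so the merged workspace does not lose provenance. Assumptions (mine, not the page's): the env-var names SOURCE_HUB_<TENANT> and DEST_HUB_CONNECTION, hub-scoped SAS connection strings that include EntityPath, and event bodies in the JSON shape that Entra ID diagnostic settings emit.

```python
import json
import os
import threading

# Convention assumed by this example: SOURCE_HUB_<TENANT> env vars hold each source
# hub's listen-only SAS connection string; DEST_HUB_CONNECTION holds a send-only SAS.
SOURCE_PREFIX = "SOURCE_HUB_"
DEST_VAR = "DEST_HUB_CONNECTION"

def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;...'; partition() keeps the '=' padding inside the base64 key."""
    parts = {}
    for segment in filter(None, conn.split(";")):
        key, _, value = segment.partition("=")
        parts[key.strip()] = value.strip()
    return parts

def discover_sources(env: dict) -> dict:
    """Map tenant label -> connection string from the SOURCE_HUB_* variables."""
    return {k[len(SOURCE_PREFIX):].lower(): v
            for k, v in env.items() if k.startswith(SOURCE_PREFIX)}

def enrich(raw: bytes, tenant: str, hub: str) -> bytes:
    """Tag every record with its origin so tenants stay distinguishable once merged.
    Diagnostic-settings exports wrap records in {"records": [...]}; bare JSON is tagged as-is."""
    doc = json.loads(raw)
    records = doc["records"] if isinstance(doc, dict) and isinstance(doc.get("records"), list) else [doc]
    for rec in records:
        rec["sourceTenant"], rec["sourceEventHub"] = tenant, hub
    return json.dumps(doc).encode()

def forward_tenant(tenant: str, conn: str, producer) -> None:
    """Blocking consumer loop for one tenant's hub (connection string must carry EntityPath)."""
    from azure.eventhub import EventHubConsumerClient, EventData  # pip install azure-eventhub
    hub = parse_connection_string(conn).get("EntityPath", "")
    def on_event(partition_context, event):
        batch = producer.create_batch()
        batch.add(EventData(enrich(event.body_as_str().encode(), tenant, hub)))
        producer.send_batch(batch)
        partition_context.update_checkpoint(event)  # pass checkpoint_store= below for durable progress
    with EventHubConsumerClient.from_connection_string(conn, consumer_group="$Default") as client:
        client.receive(on_event=on_event, starting_position="-1")

def run() -> None:
    from azure.eventhub import EventHubProducerClient
    producer = EventHubProducerClient.from_connection_string(os.environ[DEST_VAR])
    threads = [threading.Thread(target=forward_tenant, args=(t, c, producer), daemon=True)
               for t, c in discover_sources(dict(os.environ)).items()]
    for th in threads: th.start()
    for th in threads: th.join()
```

Rotating a tenant's SAS key then means updating only that tenant's SOURCE_HUB_* variable; the sourceTenant field lets a single LA query split failures back out per source tenant.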