Hi, following on from this notification:
https://azure.microsoft.com/en-us/updates/sending-a-log-search-alert-with-cross-tenant-target-resource-will-no-longer-be-supported/
The part 'As of March 15, 2024, this behavior will change and sending a log search alert with a cross tenant target resource (except for the lighthouse case) will no longer be supported.'
I use Azure Lighthouse to manage a number of customer subscriptions. Up until the above date I used an Azure Monitor log search alert to query all Log Analytics workspaces in customer delegated subscriptions.
As I use Lighthouse, I (wrongly) assumed that 'except for the lighthouse case' would mean that Lighthouse behaviour would not change, until all the alerts stopped working.
The alert query rule is saved in the managing tenant. When it has a condition to alert on, it returns an error: 'Alert is blocked due to unauthorized target resource (target resource tenant is different from rule tenant).'
That, I thought, was sort of the point of Lighthouse: create a rule in the managing tenant so that you do not need monitor rules in every customer for the same thing, i.e. rather than have x number of low disk space alerts, you just need 1 in the managing tenant that will create alerts when the conditions are met.
The KQL works from Log Analytics, so it doesn't appear to be an issue reading the data from the customer workspace.
This was used as a basis for the initial alert setup:
https://learn.microsoft.com/en-us/azure/lighthouse/how-to/monitor-at-scale#query-data-across-customer-workspaces
This document, however, hasn't been updated after the cross tenant bulletin at the top of this question, so I am not sure exactly how a cross tenant log search alert will work now with Lighthouse if we cannot have the alert rule saved in the managing tenant.
I haven't found any documentation that explains how cross tenant alerting will now work after the March 15th changes.
Anyone else had a similar situation that can maybe shine a light on this?
Many thanks