Issues Importing Microsoft Entra ID Logs from Multiple Tenants into a Central Log Analytics Workspace

Marija Cekic 0 Reputation points
2025-02-24T09:47:14.08+00:00

Hello all,

I am trying to import Microsoft Entra ID logs from Tenant1 and Tenant2 into a Log Analytics Workspace that is deployed in my main tenant.

To achieve this, I attempted to use Azure Event Hub on both Tenant1 and Tenant2 and connect it via the Azure Event Hub Connector on the main tenant. However, I am unable to establish a connection successfully.

I have already:

  • Created Event Hubs on Tenant1 and Tenant2.
  • Configured diagnostic settings to send Entra ID logs to these Event Hubs.
  • Tried using the Azure Event Hub Connector in the Log Analytics Workspace in the main tenant.

Despite this setup, the logs are not being ingested into the Log Analytics Workspace. I don't see any data flowing in.

Has anyone successfully set up this kind of cross-tenant log ingestion? Are there specific permissions, networking, or configuration steps I might be missing? Any help would be appreciated!


1 answer

Sándor Tőkési 251 Reputation points
2025-02-26T09:09:48.6633333+00:00

The built-in Event Hub data connector pulls in the Diagnostics data of the Event Hub and not its content. So if you push data to an Event Hub and you want that data to be in Sentinel then this connector is not for you. This connector will send the operational data of the Event Hub, so you can monitor the operation of the Event Hub.

It is not a permission issue in your case; you are just using a connector that was designed for a different purpose. If you want the content of the Event Hub you have to create your own connector that reads data from Event Hub and forwards it to Sentinel to a table. I'm sure you can find a Logic App or Function App on the internet that does this.

Or you can just directly send the data cross-tenant from the other tenant to the Sentinel in the main tenant. If you want to configure it manually, you just need a user who has access to both tenants and has the permission to

1: Configure the Entra ID diagnostic settings in tenant A and

2: has the permission to target the Sentinel in the main tenant.

This permission you can establish via Azure Lighthouse between the two tenants. Then you can just configure this logging on the GUI.

My blog is about a specific drawback of this, but maybe it gives you some ideas: https://tokesi.cloud/blogs/22_08_14_crosstenant_diagnostic_logging/

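As an added illustration of the "own connector" the answer describes (this is not code from the answerer or from Microsoft), the Python below unwraps the JSON envelope that Azure diagnostic settings write into an Event Hub and reshapes the Entra ID records into rows for a custom Log Analytics table. The `upload` callable, the forwarded category set and the sample message are assumptions; in a Function App `upload` would wrap the Logs Ingestion API client.

```python
import json

# Entra ID diagnostic-settings categories to forward (assumed to be the ones the
# poster enabled); anything else, e.g. the Event Hub's own operational logs that
# the built-in connector already ingests, is dropped.
FORWARDED_CATEGORIES = {"SignInLogs", "AuditLogs"}


def parse_event_hub_batch(body: bytes) -> list[dict]:
    """Unwrap one message written by diagnostic settings: JSON with a "records" array."""
    envelope = json.loads(body.decode("utf-8"))
    records = envelope.get("records")
    if not isinstance(records, list):
        raise ValueError("message is not a diagnostic-settings envelope")
    return records


def to_custom_table_rows(records: list[dict]) -> list[dict]:
    """Flatten forwarded records into rows for a custom Log Analytics table."""
    rows = []
    for rec in records:
        if rec.get("category") not in FORWARDED_CATEGORIES:
            continue
        rows.append({
            "TimeGenerated": rec["time"],  # required by the Logs Ingestion API
            "SourceTenantId": rec.get("tenantId"),
            "Category": rec["category"],
            "OperationName": rec.get("operationName"),
            "ResultType": rec.get("resultType"),
            "Properties": json.dumps(rec.get("properties", {})),  # keep payload whole
        })
    return rows


def forward_batch(body: bytes, upload) -> int:
    """Parse one message and hand its rows to `upload`; returns the row count.
    In a Function App, `upload` would wrap LogsIngestionClient.upload(rule_id,
    stream_name, rows) from azure-monitor-ingestion (that wiring is assumed)."""
    rows = to_custom_table_rows(parse_event_hub_batch(body))
    if rows:
        upload(rows)
    return len(rows)


# Constructed sample message: a sign-in record, an audit record and one record
# from a category that is not forwarded. Tenant ids are placeholders.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2025-02-24T09:00:00Z", "tenantId": "TENANT1-ID-PLACEHOLDER", "category": "SignInLogs",
     "operationName": "Sign-in activity", "resultType": "0", "properties": {"userPrincipalName": "user@example.com"}},
    {"time": "2025-02-24T09:01:00Z", "tenantId": "TENANT1-ID-PLACEHOLDER", "category": "AuditLogs",
     "operationName": "Add user", "resultType": "Success", "properties": {"initiatedBy": {}}},
    {"time": "2025-02-24T09:02:00Z", "category": "OperationalLogs", "operationName": "Send", "properties": {}},
]}).encode("utf-8")
```

Calling `forward_batch(SAMPLE_MESSAGE, rows_sink)` forwards the two Entra ID records and silently drops the operational one, which is the filtering a real connector needs so it does not duplicate what the built-in connector already collects.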