Log Analytics Cross-Tenant Search

Learn how to configure Azure Lighthouse to enable cross-tenant searches in Microsoft Log Analytics.

In order to execute cross-tenant queries against a Microsoft Azure Log Analytics Workspace, the proper permissions first need to be configured. This can be done using Azure Lighthouse, a free service that helps customers manage multiple Azure tenants. Here it is used to assign role-based access control (RBAC) permissions so that a service principal in one tenant is granted access to resources in other tenants.

What follows are the instructions to set up Azure Lighthouse to enable the Anvilogic Azure integration to query across Log Analytics Workspaces in different Azure tenants.

Terminology

  • Provider - The tenant that is providing the service (in which the Anvilogic ADX cluster was deployed).

  • Customer - The tenant that the provider needs access to. This contains the Log Analytics Workspaces that will be searched.

There is only one provider, but there can be many customers.

Other Considerations

At the moment, Azure Lighthouse does not support resource-level permissions: access is delegated at the resource-group level, not per resource. Microsoft's guidance is to place explicit DENY permissions for the Anvilogic service principal on any resources in the Customer Resource Group that you don't want it to be able to access.

Alternatively, you can move the Log Analytics Workspace to its own resource group using the Azure Resource Mover. This is a non-destructive change and does not impact the workspace (i.e. it can be done while in production).
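The two considerations above (grant the service principal only the role it needs, and delegate a resource group that holds nothing but the workspace) can be checked before the Lighthouse delegation is deployed. The script below is an added example, not part of this page or of the Anvilogic integration; it reads the Lighthouse `authorizations` parameter and a listing of the customer resource group and reports anything broader than the page recommends. The built-in role ids are quoted from Azure's built-in role list and the sample input is constructed; verify role ids with `az role definition list` before relying on them.

```python
"""Pre-deployment review of an Azure Lighthouse delegation used for Log Analytics searches.

Flags (1) authorizations that grant more than a read role and (2) resources that share
the delegated resource group with the workspace, since Lighthouse cannot scope access
below a resource group.
"""
import json

# Built-in Azure role definition ids (assumed; confirm with `az role definition list`).
LOG_ANALYTICS_READER = "73c42c96-874c-492b-b04d-ab87d138a893"
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
ALLOWED_ROLES = {LOG_ANALYTICS_READER, READER}
WORKSPACE_TYPE = "microsoft.operationalinsights/workspaces"


def review_delegation(authorizations, rg_resources):
    """Return a list of findings; an empty list means the delegation is as narrow as Lighthouse allows.

    authorizations: the Lighthouse `authorizations` parameter (principalId, roleDefinitionId, ...).
    rg_resources:   resources in the customer resource group, each with a `type` and `name`.
    """
    findings = []
    for auth in authorizations:
        role = auth["roleDefinitionId"].lower()
        if role not in ALLOWED_ROLES:
            who = auth.get("principalIdDisplayName", auth["principalId"])
            findings.append(f"{who}: unexpected role {role}; searching needs only Log Analytics Reader")
    workspaces = [r for r in rg_resources if r["type"].lower() == WORKSPACE_TYPE]
    if not workspaces:
        findings.append("delegated resource group contains no Log Analytics workspace")
    for r in rg_resources:
        if r["type"].lower() != WORKSPACE_TYPE:
            findings.append(f"{r['type']}/{r['name']} shares the resource group and would be "
                            "readable; move the workspace to its own group or add a DENY")
    return findings


# Constructed sample input (placeholder ids, not from a real tenant).
SAMPLE_AUTHORIZATIONS = json.loads("""[
  {"principalId": "00000000-0000-0000-0000-000000000001",
   "principalIdDisplayName": "anvilogic-sp (placeholder)",
   "roleDefinitionId": "73c42c96-874c-492b-b04d-ab87d138a893"},
  {"principalId": "00000000-0000-0000-0000-000000000002",
   "principalIdDisplayName": "ops-group (placeholder)",
   "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"}
]""")
SAMPLE_RG = [
    {"type": "Microsoft.OperationalInsights/workspaces", "name": "law-prod"},
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-prod"},
]

if __name__ == "__main__":
    for finding in review_delegation(SAMPLE_AUTHORIZATIONS, SAMPLE_RG):
        print("FINDING:", finding)
```

Run against the constructed input it reports two findings: the Contributor grant to the second principal, and the Key Vault sharing the workspace's resource group.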

Microsoft also recommends that customers have only one Log Analytics Workspace per region. If customers are using multiple, that is an anti-pattern from Microsoft's perspective. For more information, see https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design.
