Log analytics data/intune logs from other tenants


We manage multiple tenants, and we would like to have the Intune device compliance status from all tenants in a single workbook. Is this possible?

We currently gather event logs from client devices to a single Log Analytics workspace, but we would like to see the compliance state for all devices as well.

4 Replies

@roghaug

Have you looked at https://techcommunity.microsoft.com/t5/device-management-in-microsoft/microsoft-intune-and-azure-log...

AzureActivity
| summarize count() by TenantId, _ResourceId, ResourceId

Many tables have the TenantId and ResourceId columns, I don't have any example Intune ones to look at.

@Clive Watson Not sure how this can help me though, as I can't forward Intune logs to our tenant's Log Analytics workspace; in the diagnostic settings I am only able to select a workspace within the customer's tenant. I would need to be able to pull compliance data from another tenant into our workspace, or query the data from our tenant's workbook.

@Roger815

The use of tenant isn't clear to me.

1. Do you have just a single central workspace?

2. Does each client have their own workspace:

  1. Are these in the same Subscription as you?
  2. Are these in another Azure Active Directory? If so do you know about Azure Lighthouse?

A Workbook can get data from any Subscription you have access to, and any you have access to via Lighthouse (if they are in a separate AAD / tenant).
https://docs.microsoft.com/en-gb/azure/lighthouse/concepts/azure-delegated-resource-management

Are you Tenant A in this diagram, talking to Tenant B & C? https://docs.microsoft.com/en-gb/azure/lighthouse/concepts/enterprise#tenant-management-architecture

@Clive Watson Yes, I would be in Tenant A in this case. My user can access/manage their Intune blade, but only global admin for each tenant has a subscription; there is no Log Analytics workspace in any of the customers' tenants. I have to look into "delegate resources management"
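
Added example, not part of any post in this thread: a cross-workspace workbook query of the kind the Lighthouse replies point towards. It assumes each customer tenant has its own Log Analytics workspace receiving Intune's device compliance diagnostic logs (the IntuneDeviceComplianceOrg table) and that those workspaces are delegated to the managing tenant through Lighthouse; the workspace identifiers and customer labels are placeholders.

```kusto
// Assumption: each placeholder is the name or resource ID of a customer
// workspace that Lighthouse has delegated to the managing tenant.
union
    (workspace("<customer-b-workspace>").IntuneDeviceComplianceOrg
        | extend Customer = "Customer B"),
    (workspace("<customer-c-workspace>").IntuneDeviceComplianceOrg
        | extend Customer = "Customer C")
| where TimeGenerated > ago(7d)
// Keep only the most recent compliance record for each device.
| summarize arg_max(TimeGenerated, ComplianceState, DeviceName) by Customer, DeviceId
// Count devices per customer and compliance state for the workbook grid.
| summarize Devices = count() by Customer, ComplianceState
| order by Customer asc, ComplianceState asc
```

The explicit Customer label is used instead of the TenantId column because, in Log Analytics tables, TenantId holds the workspace ID rather than the Azure AD tenant ID.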