Azure AD/Activity logs not connecting to new workspace

%3CLINGO-SUB%20id%3D%22lingo-sub-1426817%22%20slang%3D%22en-US%22%3EAzure%20AD%2FActivity%20logs%20not%20connecting%20to%20new%20workspace%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1426817%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20recently%20migrated%20regions%20in%20Azure%20and%20reconfigured%20the%20logs%20to%20send%20to%20the%20new%20workspace.%20However%2C%20the%20AzureAD%2FActivity%20logs%20still%20say%20they're%20connected%20to%20the%20old%20workspace%20and%20no%20logs%20are%20being%20sent%20to%20the%20new%20workspace.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEverything%20is%20turned%20off%20and%20unchecked%20in%20the%20old%20Sentinel%20connector.%20The%20diagnostic%20setting%20in%20AzureAD%20is%20configured%20to%20the%20new%20Sentinel%20workpsace%2C%20and%20the%20connector%20is%20enabled%20and%20boxes%20are%20checked%20for%20the%20logs.%20The%20connector%20is%20still%20showing%20as%20disconnected%20though.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1430556%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%2FActivity%20logs%20not%20connecting%20to%20new%20workspace%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1430556%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F418279%22%20target%3D%22_blank%22%3E%40leoszalkowski%3C%2FA%3E%26nbsp%3B%3A%20To%20make%20sure%20I%20understand%20-%20you%20connected%20to%20the%20new%20workspace%20using%20the%20diagnostics%20settings%20for%20AAD%20rather%20than%20the%20Sentinel%20connector%3F%20If%20so%2C%20can%20you%20check%20if%20events%20are%20coming%20in%20even%20if%20the%20connector%20says%20%22not%20connected%22%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1430966%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20AD%2FActivity%20logs%20not%20connecting%20to%20new%20workspace%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1430966%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F293879%22%20target%3D%22_blank%22%3E%40Ofer_Shezaf%3C%2FA%3E%26nbsp%3BApologies.%20I%20meant%20to%20delete%20the%20post.%20The%20issue%20resolved%20itself.%20Took%20about%2020ish%20minutes%20for%20everything%20to%20sync.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Contributor

We recently migrated regions in Azure and reconfigured the logs to send to the new workspace. However, the AzureAD/Activity logs still say they're connected to the old workspace and no logs are being sent to the new workspace. 

 

Everything is turned off and unchecked in the old Sentinel connector. The diagnostic setting in AzureAD is configured to the new Sentinel workpsace, and the connector is enabled and boxes are checked for the logs. The connector is still showing as disconnected though. 

2 Replies
Highlighted

@leoszalkowski : To make sure I understand - you connected to the new workspace using the diagnostics settings for AAD rather than the Sentinel connector? If so, can you check if events are coming in even if the connector says "not connected"?

Highlighted

@Ofer_Shezaf Apologies. I meant to delete the post. The issue resolved itself. Took about 20ish minutes for everything to sync.