I have a customer that has multiple subscriptions under a single Azure Tenant. We are in the process of creating DFC/DFE/Sentinel for them. They have their single Sentinel LAW set up in Subscription A and multiple VMs. When I enable Auto-Provisioning for DFC in Subscription A, I can change the Default workspace to point to the custom LAW.
When I set up DFC in Subscription B, I can't select the LAW in Sub A
Is there a way for me to point the auto-provisioning to a LAW in a different subscription?
If No is the answer, if I manually install the Log Analytics Agent to VMs in Subscription B and connect the Agent to the LAW in Sub A, can defender for cloud still work as intended?
The ideal end goal would be to have Sentinel (and the LAW) sit in a subscription. Multiple instances of Defender for Cloud are attached to each different subscription with everything flowing into the single LAW.