Please read: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/move-workspace

The last line below is what you are looking for.

Important: Microsoft Sentinel customers

Currently, after Microsoft Sentinel is deployed on a workspace, moving the workspace to another resource group or subscription isn't supported. If you've already moved the workspace, disable all active rules under Analytics and reenable them after five minutes. This solution should be effective in most cases, although it's unsupported and undertaken at your own risk.

It could take Azure Resource Manager a few hours to complete. Solutions might be unresponsive during the operation.

Re-create alerts: All alerts must be re-created because the permissions are based on the workspace resource ID, which changes during a workspace move or resource name change. Alerts in workspaces created after June 1, 2019, or in workspaces that were upgraded from the legacy Log Analytics Alert API to the scheduledQueryRules API can be exported in templates and deployed after the move. You can check if the scheduledQueryRules API is used for alerts in your workspace. Alternatively, you can configure alerts manually in the target workspace.

Update resource paths: After a workspace move, any Azure or external resources that point to the workspace must be reviewed and updated to point to the new resource target path.
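
Added example (not part of the original post or of Microsoft's documentation): one way to carry out the "update resource paths" step on an exported alert template, by rewriting every reference to the old workspace resource ID and listing where it occurred. The subscription IDs, resource group and workspace names, the template contents and the function names are constructed placeholders; it assumes the export is plain JSON.

```python
import re

def workspace_id(sub, rg, name):
    """Build the ARM resource ID of a Log Analytics workspace."""
    return (f"/subscriptions/{sub}/resourceGroups/{rg}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{name}")

def repoint(node, old_id, new_id, path="$", hits=None):
    """Return (copy of node with old_id replaced by new_id, JSON paths changed).
    Works on any parsed template; it does not depend on the rule schema."""
    hits = [] if hits is None else hits
    # Resource IDs are case-insensitive. The lookahead keeps workspace "law"
    # from matching inside "law-prod"; child paths ("/...") still match.
    pat = re.compile(re.escape(old_id) + r"(?![A-Za-z0-9_-])", re.IGNORECASE)
    if isinstance(node, dict):
        node = {k: repoint(v, old_id, new_id, f"{path}.{k}", hits)[0]
                for k, v in node.items()}
    elif isinstance(node, list):
        node = [repoint(v, old_id, new_id, f"{path}[{i}]", hits)[0]
                for i, v in enumerate(node)]
    elif isinstance(node, str) and pat.search(node):
        node = pat.sub(lambda m: new_id, node)  # lambda: no escape processing
        hits.append(path)
    return node, hits

# Constructed sample input: placeholder IDs and names, not real resources.
OLD = workspace_id("00000000-0000-0000-0000-000000000001", "rg-old", "law")
NEW = workspace_id("00000000-0000-0000-0000-000000000002", "rg-new", "law")
TEMPLATE = {
    "parameters": {"workspaceId": {"type": "string", "defaultValue": OLD}},
    "resources": [
        {"type": "Microsoft.Insights/scheduledQueryRules",
         "name": "failed-signins",                      # constructed rule name
         "properties": {"scopes": [OLD.lower()]}},      # same ID, other casing
        {"type": "Microsoft.Insights/scheduledQueryRules",
         "name": "other-workspace-rule",
         "properties": {"scopes": [OLD + "-prod"]}},    # different workspace
    ],
}

if __name__ == "__main__":
    fixed, changed = repoint(TEMPLATE, OLD, NEW)
    print("references rewritten:")
    for p in changed:
        print("  " + p)
```

Any path the function reports is a place the moved workspace was referenced; review that list before deploying the rewritten template to the target workspace.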