Let’s break it down and explore your options without relying on Azure Lighthouse.
🔒 Current Limitation: Built-in Table Ingestion via DCR (Cross-Tenant)
- Per Microsoft’s documentation, only a limited set of built-in tables support Log Ingestion API/DCR-based ingestion, and even those do not support cross-tenant scenarios.
- Tables like AzureDiagnostics, SecurityAlert, Heartbeat, SigninLogs, etc., are "locked-down" system tables.
- DCR-based ingestion is only supported to these system tables when the data originates from the same tenant, and often from Azure-managed resources.
🧩 Why Custom Tables Work (*_CL)
You’ve already correctly observed that:
- Ingesting to CustomLog tables (*_CL) works across tenants, since these are user-defined, and not schema-restricted.
- However, this increases rule maintenance because of the lack of schema enforcement, and your team would have to manage parsing, normalization, and KQL alignment manually.
💡 Potential Workarounds (Without Azure Lighthouse)
Here are options to consider:
✅ Option 1: Normalize Into Custom Tables (_CL) Then Project Into Views
- Ingest cross-tenant data into _CL tables.
- Create Kusto Views or Functions in the destination tenant’s Log Analytics workspace that simulate built-in tables (like AzureDiagnostics).
- Maintain a standard mapping layer in code (e.g., DCR transforms or Data Collection Rules plus transformation rules).
✅ Pros: Cross-tenant allowed, no need for Lighthouse.
⚠️ Cons: More upfront design and maintenance.
✅ Option 2: Push Logs to Event Hub → Read from Same Tenant
- Forward logs from Tenant A to Event Hub.
- Use a Log Ingestion Pipeline/DCR in Tenant B within the same tenant to ingest into supported built-in tables (only if the destination table supports it).
⚠️ Still, this is limited by Microsoft’s policy of which built-in tables are open for ingestion.
🔒 Why Azure Lighthouse Works (But Costly)
Azure Lighthouse uses delegated resource management, allowing you to act within Tenant A from Tenant B, enabling things like:
- Central Log Analytics ingestion
- Log forwarding
But yes, this incurs licensing and architectural complexity, plus cost implications.
🔮 Future Considerations
Microsoft is working on broader table openness and Log Ingestion API flexibility, but as of now:
- Built-in table ingestion via DCR is strictly tenant-bound
- Custom tables (*_CL) are your only supported cross-tenant ingestion targets
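One way to build the mapping layer from Option 1, as an added example that is not part of the original answer: it maps forwarded records onto a fixed set of columns named after SigninLogs columns before they are sent to a custom table, so analytics rules see a stable schema. The table name CrossTenantSignin_CL, the source field names, and the SourceTenantId column are assumptions.

```python
from datetime import datetime, timezone

# Hypothetical custom table mirroring a subset of SigninLogs column names.
TARGET_TABLE = "CrossTenantSignin_CL"
# target column -> (field name in the forwarded record, type); field names are assumed.
SCHEMA = {
    "TimeGenerated": ("timestamp", "datetime"),
    "UserPrincipalName": ("user", "string"),
    "IPAddress": ("src_ip", "string"),
    "ResultType": ("result_code", "string"),
    "AppDisplayName": ("app", "string"),
}
REQUIRED = ("TimeGenerated", "UserPrincipalName")

def _coerce(value, kind):
    if kind == "datetime":
        # Accept epoch seconds or ISO 8601; always emit UTC ISO 8601.
        if isinstance(value, (int, float)):
            dt = datetime.fromtimestamp(value, tz=timezone.utc)
        else:
            dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
            if dt.tzinfo is None:
                dt = dt.replace(tzinfo=timezone.utc)
        return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return str(value)

def normalize(record, source_tenant):
    """Return (row, errors); row is None if a required column is missing or invalid."""
    # SourceTenantId is a hypothetical column recording where the event came from.
    row, errors = {"SourceTenantId": source_tenant}, []
    for column, (field, kind) in SCHEMA.items():
        if record.get(field) in (None, ""):
            if column in REQUIRED:
                errors.append(f"missing {field}")
            continue
        try:
            row[column] = _coerce(record[field], kind)
        except (ValueError, OverflowError, OSError):
            errors.append(f"bad {field}")
    # Fields outside the schema are dropped and reported, never passed through.
    unknown = sorted(set(record) - {f for f, _ in SCHEMA.values()})
    if unknown:
        errors.append("dropped " + ",".join(unknown))
    return (row if all(c in row for c in REQUIRED) else None), errors

if __name__ == "__main__":
    # Constructed sample record, not real telemetry.
    sample = {"timestamp": "2024-05-01T12:00:00Z", "user": "alice@example.com",
              "src_ip": "203.0.113.7", "result_code": 50126, "debug": "x"}
    print(TARGET_TABLE, normalize(sample, "tenant-a"))
```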