I am trying to collect Azure diagnostics data from some resources in Azure on one separate subscription and directory, and ship them to an OMS / Log Analytics workspace on another subscription / directory.

The account I'm using has access to both organizations. However, when I am running the commands for "To enable sending of Diagnostic Logs to a Log Analytics workspace" (as described here):

```powershell
Set-AzureRmDiagnosticSetting -ResourceId [your resource id] -WorkspaceId [resource id of the log analytics workspace] -Enabled $true
```

My Commands:

```powershell
$resourceid = "/subscriptions/e12d538c-xxxx-xxxx-xxxx-e60xxxxx2144/resourceGroups/xxx-xxxx/providers/Microsoft.Cache/Redis/xxxxxxxxxx"
$workspaceid = "/subscriptions/6a9axxxx-8xxx-4xxx-92xx-1bxxxxxx5fc23/resourceGroups/xxxxx-oms-rg/providers/Microsoft.OperationalInsights/workspaces/xxxxxxx"
Set-AzureRmDiagnosticSetting -ResourceId $ResourceId  -WorkspaceId $workspaceId -Enabled $true
```

I am getting the following error:

```
Set-AzureRmDiagnosticSetting : The access token is from the wrong issuer 'https://sts.windows.net/5xxxxxxx-cxxx-4xxx-axxx-2xxxxxxxxxxxxx/'. It must match the tenant 'https://sts.windows.net/2xxxxxxx-cxxx-2xxx-bxxx-3xxxxxxxxxxxxx/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/2xxxxxxx-cxxx-2xxx-bxxx-3xxxxxxxxxxxxx' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.
At line:1 char:1
+ Set-AzureRmDiagnosticSetting -ResourceId $ResourceId -WorkspaceId $w ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Set-AzureRmDiagnosticSetting], CloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Insights.Diagnostics.SetAzureRmDiagnosticSettingCommand
```

arved
Brett Larson
  • Just checking in to see if the information provided was helpful. Please let me know if you would like further assistance. – Shui shengbao Jan 20 '17 at 00:58

1 Answer

According to your error logs, it seems that your subscriptions are in different tenants.

To be able to set the Diagnostic setting for a resource to an OMS Workspace that resides in a different subscription, the subscriptions must be linked to the same Azure Active Directory Tenant and the user must have administrative authority within both subscriptions.

Shui shengbao
  • Is it possible for an outside organization, such as a consulting provider, to link to a corporate subscription without unlinking the corporation? I have been invited to the organization, but it doesn't sound like that's enough. – Brett Larson Jan 18 '17 at 15:44
  • Unfortunately, for now it is not possible. According to your scenario, I suggest installing the OMS agent; for more information, please refer to this [link](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents) – Shui shengbao Jan 19 '17 at 00:55
  • Bummer - I do have the agents installed, but for the SQL PaaS items I'd like to monitor DTU. – Brett Larson Jan 19 '17 at 01:12
  • Sorry, if your subscriptions are not in the same tenant, you could not do it. – Shui shengbao Jan 19 '17 at 01:14
  • For now, Azure does not support your scenario. If possible, you could use one OMS in one tenant. – Shui shengbao Jan 19 '17 at 01:15
  • You could use `Get-AzureRmSubscription` to get your subscriptions and tenant – Shui shengbao Jan 19 '17 at 01:19
  • That helped, I will need to figure out a way to export the data from the tenant and import the data into our OMS with REST / JSON. – Brett Larson Jan 20 '17 at 16:31
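
The tenant comparison that the answer and the `Get-AzureRmSubscription` comment point to, as an added example (not code from the original posts or from Microsoft): it reads the subscription ID out of each resource ID and compares the owning tenants before calling `Set-AzureRmDiagnosticSetting`. The helper names `Get-SubscriptionIdFromResourceId` and `Test-SameTenant` are hypothetical, the IDs are constructed sample values, and the subscription ID property name is assumed to be `Id` or `SubscriptionId` depending on module version.

```powershell
function Get-SubscriptionIdFromResourceId {
    param([Parameter(Mandatory)][string]$ResourceId)
    # ARM resource IDs begin with /subscriptions/<subscription id>/...
    if ($ResourceId -match '^/subscriptions/([^/]+)/') { return $Matches[1] }
    throw "Not an ARM resource ID: $ResourceId"
}

function Test-SameTenant {
    param(
        [Parameter(Mandatory)][string]$ResourceId,
        [Parameter(Mandatory)][string]$WorkspaceId,
        # Objects carrying a subscription ID and TenantId, e.g. Get-AzureRmSubscription output
        [Parameter(Mandatory)][object[]]$Subscriptions
    )
    $tenants = foreach ($id in @($ResourceId, $WorkspaceId)) {
        $subId = Get-SubscriptionIdFromResourceId -ResourceId $id
        # Assumption: the ID property is 'Id' or 'SubscriptionId' depending on module version
        $sub = $Subscriptions |
            Where-Object { $_.Id -eq $subId -or $_.SubscriptionId -eq $subId } |
            Select-Object -First 1
        if (-not $sub) { throw "Subscription $subId is not visible to this account" }
        $sub.TenantId
    }
    [pscustomobject]@{
        ResourceTenant  = $tenants[0]
        WorkspaceTenant = $tenants[1]
        SameTenant      = ($tenants[0] -eq $tenants[1])
    }
}

# Constructed sample data (not real IDs). Live use: $subs = Get-AzureRmSubscription
$subs = @(
    [pscustomobject]@{ Id = '11111111-1111-1111-1111-111111111111'; TenantId = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' }
    [pscustomobject]@{ Id = '22222222-2222-2222-2222-222222222222'; TenantId = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb' }
)
$resourceId  = '/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/app-rg/providers/Microsoft.Cache/Redis/cache01'
$workspaceId = '/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/oms-rg/providers/Microsoft.OperationalInsights/workspaces/ws01'

$check = Test-SameTenant -ResourceId $resourceId -WorkspaceId $workspaceId -Subscriptions $subs
if ($check.SameTenant) {
    Set-AzureRmDiagnosticSetting -ResourceId $resourceId -WorkspaceId $workspaceId -Enabled $true
} else {
    # Different tenants: the call would fail with the "wrong issuer" error shown in the question
    Write-Warning "Resource tenant $($check.ResourceTenant) differs from workspace tenant $($check.WorkspaceTenant)."
}
```

With the constructed sample data the two tenants differ, so the script only emits the warning and never calls Azure.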