Defender for Cloud continuous export

Question

Defender for Cloud continuous export

Tim 0

Has anyone successfully configured Defender for Cloud continuous export to a LAW in a different subscription, and what was the exact method used?

Shubham Sharma 16,640 Reputation points Microsoft External Staff Moderator

2026-05-29T01:37:53.49+00:00
Hey Tim, you can stream Defender for Cloud alerts/recommendations to a Log Analytics workspace in another subscription. We walked through this a few times – here’s a tried-and-true method we used, plus an alternative CLI/ARM approach if you need more automation.

Method 1: Azure Policy (recommended for cross-sub/MG‐wide deployments)

In the Azure portal, go to Policy > Definitions and find the built-in definition “Deploy export to Log Analytics workspace for Microsoft Defender for Cloud alerts and recommendations” (providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9).

Assign it at the Management Group or source subscription scope.

In the assignment parameters, set logAnalyticsWorkspaceResourceId to your target workspace’s full ARM ID: /subscriptions/<targetSubID>/resourceGroups/<targetRG>/providers/Microsoft.OperationalInsights/workspaces/<workspaceName>

Save the assignment. The policy will automatically create the continuous export config in each scoped Defender for Cloud environment.

Grant the Defender for Cloud service principal (the “Continuous Export” identity) Log Analytics Contributor (or higher) on the target workspace so it can ingest data cross-sub.

Method 2: Azure CLI / ARM template

Make sure the target LAW is pre-created in the other subscription and you’ve assigned the export identity the right role on it.

Use the Azure CLI on the source subscription to create the export:
az login az account set --subscription "<sourceSubID>" az security continuous-export create \ --name ExportToRemoteLAW \ --resource-group "<sourceRG>" \ --location "<AzureRegion>" \ --target-workspace-resource-id "/subscriptions/<targetSubID>/resourceGroups/<targetRG>/providers/Microsoft.OperationalInsights/workspaces/<workspaceName>" \ --export-recommendations true \ --export-alerts true

You should see the new export under Defender for Cloud > Environment settings > Continuous export.

Key things that catch folks:

• Make sure you’ve granted the “Continuous Export” service principal (in AAD) the Log Analytics Contributor role on the remote workspace.

• If you’re using Azure Policy, the policy will handle the export resource creation for you.

• Exports only pick up new or updated alerts/recommendations after the config is in place – past data isn’t backfilled.

Hope that helps you get cross-subscription exports up and running!

Reference list

Export security alerts and recommendations (Continuous export) https://docs.microsoft.com/azure/security-center/continuous-export

Deploy export to Log Analytics workspace policy https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fffb6f416-7bd2-4488-8828-56585fef2be9

Troubleshoot continuous and CSV exports https://docs.microsoft.com/azure/defender-for-cloud/continuous-export-troubleshoot

Defender for Cloud REST API (Assessments & Alerts schemas) https://docs.microsoft.com/rest/api/securitycenter/alerts https://docs.microsoft.com/rest/api/securitycenter/assessments

Role & permission requirements for exports https://docs.microsoft.com/azure/security-center/security-center-permissions

If the answer is helpful, kindly upvote it. If you have extra questions about this answer, please click "Comment".
Shubham Sharma 16,640 Reputation points Microsoft External Staff Moderator

2026-06-01T04:09:07.0733333+00:00

Tim

Following up to check if the resolution provided was helpful. Let us know if you need any further assistance.
Tim 0 Reputation points

2026-06-02T08:26:06.5533333+00:00

Seemed straightforward except step 5. I’m not sure about the Defender for Cloud service principal (the “Continuous Export” identity).

Could you provide more detail about adding Log Analytics Contributor (or higher) on the target workspace for the Defender for Cloud service principal. It seems you need this so it can ingest data cross-sub but I used a managed identity and not clear how to add Log Analytics Contributor for this service principal.
Shubham Sharma 16,640 Reputation points Microsoft External Staff Moderator

2026-06-03T02:54:23.4933333+00:00
**Tim**Thank you for your reply.

The key point is:

There is not a standalone well-documented “Defender for Cloud Continuous Export service principal” that you manually search for in Microsoft Entra ID.

When you use the Azure Policy DeployIfNotExist method, the policy assignment managed identity is typically the identity that needs access to the remote Log Analytics workspace.

That managed identity must have RBAC permissions on the destination workspace in the other subscription so the export configuration can be deployed successfully.

According to the Microsoft documentation, continuous export requires write permissions on the target Log Analytics workspace.

Reference: https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export

Recommended Resolution

If you used Azure Policy with a managed identity, do the following:

Option: Grant the Policy Assignment Managed Identity Access

Step 1 — Locate the Managed Identity Used by the Policy Assignment

Go to Azure Portal

Open Policy

Select Assignments

Open your assignment for:

“Deploy export to Log Analytics workspace for Microsoft Defender for Cloud alerts and recommendations”

In the assignment, check the Managed identity section

You will usually see:

System-assigned managed identity, or

A user-assigned managed identity

That identity is what needs RBAC permissions on the destination workspace.

Step 2 — Grant RBAC on the Remote Log Analytics Workspace

Go to the target workspace in the destination subscription:

Open the target Log Analytics Workspace

Select Access control (IAM)

Click Add role assignment

Select role:

Log Analytics Contributor (recommended minimum)

Or Contributor if organizational policy requires broader access

Under Members, select:

the policy assignment managed identity

or the user-assigned managed identity used by the policy

Save

Step 3 — Verify Export Creation

After RBAC propagates:

Go to:

Defender for Cloud

Environment settings

Continuous export

Confirm the export was successfully created.

Validate data arrival in the destination workspace using:

SecurityAlert or SecurityRecommendation

Reference: https://docs.azure.cn/en-us/defender-for-cloud/continuous-export-view-data

Important Clarification

The Microsoft Learn documentation mainly states that the identity configuring export must have:

write permissions on the target workspace, and

appropriate workspace permissions.

https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export

In practice, when Azure Policy is used:

the policy assignment identity performs the deployment,

therefore, that identity needs access to the cross-subscription workspace.

So, if you used a managed identity in the policy assignment, that is the identity you grant RBAC to — not a hidden Defender for Cloud application.

Microsoft docs: -

Set up continuous export in Microsoft Defender for Cloud[]](https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export)

Set up continuous export with Azure Policy

Set up continuous export with REST API

View exported data in Azure Monitor
Shubham Sharma 16,640 Reputation points Microsoft External Staff Moderator

2026-06-04T08:26:22.4266667+00:00

Tim

Following up to check if the resolution provided was helpful. Let us know if you need any further assistance.
Tim 0 Reputation points

2026-06-04T20:42:33.75+00:00

Thanks for clarifying. I was able to identify the relevant managed identity GUID and assign it the Log Analytics Contributor role. This MI had in fact been deployed with Contributor role on the target LAW already and it was just that the policy itself needed a further step. The RG is what caused the deployment to fail as I had selected the destination RG but needed the source. This was unclear from the tooltip but failed. Needed to do a Remediation Task to redeploy. After that needed to force the DfC recommendation to update as no logs appeared. Eventually they started to appear in the LAW.

1 answer

Your answer

Shubham Sharma 16,640 Reputation points Microsoft External Staff Moderator

2026-06-01T04:09:07.0733333+00:00

Tim

Following up to check if the resolution provided was helpful. Let us know if you need any further assistance.
Tim 0 Reputation points

2026-06-02T08:26:06.5533333+00:00

Seemed straightforward except step 5. I’m not sure about the Defender for Cloud service principal (the “Continuous Export” identity).

Could you provide more detail about adding Log Analytics Contributor (or higher) on the target workspace for the Defender for Cloud service principal. It seems you need this so it can ingest data cross-sub but I used a managed identity and not clear how to add Log Analytics Contributor for this service principal.
Shubham Sharma 16,640 Reputation points Microsoft External Staff Moderator

2026-06-04T08:26:22.4266667+00:00

Tim

Following up to check if the resolution provided was helpful. Let us know if you need any further assistance.
Tim 0 Reputation points

2026-06-04T20:42:33.75+00:00

Thanks for clarifying. I was able to identify the relevant managed identity GUID and assign it the Log Analytics Contributor role. This MI had in fact been deployed with Contributor role on the target LAW already and it was just that the policy itself needed a further step. The RG is what caused the deployment to fail as I had selected the destination RG but needed the source. This was unclear from the tooltip but failed. Needed to do a Remediation Task to redeploy. After that needed to force the DfC recommendation to update as no logs appeared. Eventually they started to appear in the LAW.

Answer 1

Yes, continuous export from Microsoft Defender for Cloud to a Log Analytics workspace (LAW) in a different subscription is supported. It can also be configured to a workspace in a different tenant.

There are two main methods, depending on the level of control needed:

Azure portal – Continuous export blade (subscription-level, simpler)
REST API – Automations API (more granular, supports multiple configs and RG scope)

Below is the method based on the documented capabilities.

1. Prerequisites and permissions

Before configuring export to a LAW in another subscription:

Ensure Microsoft Defender for Cloud is enabled on the source subscription.
Ensure the target Log Analytics workspace exists in the other subscription.
Grant the exporting identity the required permissions on the target workspace:
- At minimum, write permissions for the workspace solution if it does not have the SecurityCenterFree solution: Microsoft.OperationsManagement/solutions/action.
- Or read permissions if the workspace already has the SecurityCenterFree solution: Microsoft.OperationsManagement/solutions/read.
On the source subscription, the configuring identity must be Security Admin or Owner and have write permissions on the target resource.

Details are in the continuous export prerequisites and workspace permissions section.

2. Configure continuous export via Azure portal (cross-subscription)

Use this when a single export configuration per subscription is sufficient and subscription-level scope is acceptable.

In the Azure portal, go to Microsoft Defender for Cloud.
Open Environment settings and select the source subscription.
Go to Continuous export.
Choose Export target as Log Analytics workspace.
In the workspace picker, select the target subscription and then the target LAW.
Select what to export (for example):
- Security alerts
- Security recommendations
- Regulatory compliance data
- Secure score changes
Choose export frequency:
- Streaming – sends data when resource health or alerts change.
- Snapshots – weekly snapshots of secure score and regulatory compliance data, and (in preview) recommendations and security findings.
Save the configuration.

This creates a single continuous export configuration at the subscription level that streams or snapshots Defender for Cloud data into the LAW in the other subscription.

3. Configure continuous export via REST API (cross-subscription/tenant)

Use the Microsoft Defender for Cloud automations API for more advanced scenarios:

Multiple export configurations per subscription.
Resource-group–level scope.
Additional filters and tags not exposed in the portal.
Export to an event hub or LAW in another tenant.

High-level steps:

Call the automations REST API to create or update an automation resource on the source subscription.
In the automation definition:
- Set the scope to the subscription or specific resource group.
- Define triggers for the data types (alerts, recommendations, secure score, regulatory compliance, etc.).
- Configure the action as export to Log Analytics workspace, specifying the full resource ID of the LAW in the other subscription (or tenant).
Ensure that when configuring continuous export via API, the parent is always included with the findings, as required by the API.

The API-only capabilities include:

Multiple export configurations per subscription.
More granular filters on alert and recommendation properties.
Resource-group–level scope instead of only subscription-level.
Ability to add tags to the automation resource.

If these API-only options are used, the Azure portal’s Continuous export page will show a banner indicating that other configurations exist.

4. Using exported data

Once configured, the LAW in the other subscription will receive:

Streaming data for alerts, recommendations, and regulatory compliance assessments (depending on configuration).
Weekly snapshots for secure score and regulatory compliance data, and (in preview) recommendations and security findings when snapshot mode is selected.

The data can then be queried and visualized using Azure Monitor Logs and other Azure Monitor features, or forwarded to SIEM/SOAR solutions as needed.

References:

Share via

Defender for Cloud continuous export

1 answer

1. Prerequisites and permissions

2. Configure continuous export via Azure portal (cross-subscription)

3. Configure continuous export via REST API (cross-subscription/tenant)

4. Using exported data

Your answer