|
| 1 | +--- |
| 2 | +title: Troubleshoot Export of Audit Logs to Another Tenant |
| 3 | +description: This article provides guidance to resolve permissions-related errors when you export audit logs to another tenant. |
| 4 | +ms.date: 07/22/2025 |
| 5 | +ms.reviewer: v-liuamson; v-gsitser |
| 6 | +ms.service: azure-monitor |
| 7 | +ms.custom: I can’t configure export of Activity Logs |
| 8 | +--- |
| 9 | + |
| 10 | +# Troubleshoot export of audit logs to another tenant |
| 11 | + |
| 12 | +When users try to export audit logs from one tenant to another by using Microsoft Azure Lighthouse, they might experience permissions-related errors. This article provides guidance to resolve these issues. |
| 13 | + |
| 14 | +## Common issues and solutions |
| 15 | + |
| 16 | +- **Issue**: Permissions errors occur when a user configures diagnostic settings for exporting audit logs. |
| 17 | +- **Root cause**: The user lacks the required permissions on the target workspace or has an incorrect role assignment. |
| 18 | + |
| 19 | +### Instructions to resolve export issues |
| 20 | + |
| 21 | +1. Verify the user's permissions: |
| 22 | + 1. Make sure that the user has the necessary permissions to perform actions on the target workspace. |
| 23 | + 1. Navigate to the Azure portal, and check the user's role assignments in the **Access Control (IAM)** section. |
| 24 | + |
| 25 | +2. Reset the guest invitation: |
| 26 | + 1. If the user is a guest, reset the invitation status to ensure proper linkage between home and resource tenants. |
| 27 | + 1. Follow the steps in [Reset Guest Invitation Status](/entra/external-id/reset-redemption-status). |
| 28 | + |
| 29 | +3. Check the role assignments: |
| 30 | + 1. Verify that the user has the appropriate roles assigned, such as **Log Analytics Contributor** or **Reader**. |
| 31 | + 1. Use the Azure portal to assign roles, if it's necessary. |
| 32 | + |
| 33 | +4. Review ARM template role definitions: |
| 34 | + 1. Make sure that the ARM template that's used for deployment specifies the correct `RoleDefinitionId` value. |
| 35 | + 1. Adjust the template as necessary to include the required permissions. |
| 36 | + |
| 37 | +5. Test the configuration: |
| 38 | + 1. Test the configuration to make sure that logs are exported successfully. |
| 39 | + 1. Monitor the Azure activity logs for any more error messages or warnings. |
| 40 | + |
| 41 | +## References |
| 42 | + |
| 43 | +- [Manage Access to Log Analytics workspaces](/azure/azure-monitor/logs/manage-access?tabs=portal#workspace-permissions) |
| 44 | +- [Azure role assignments](/azure/role-based-access-control/role-assignments-portal) |
| 45 | + |
| 46 | +If the issue persists after you follow these steps, open a support case for further assistance. |
0 commit comments