Merge pull request #244903 from v-jbasden/v-jbasden-logs-content-inventory-line-34

JamesJBarnett · web-flow · commit fdb4bcbaeaed · 2023-08-06T14:04:48.000-07:00
logs/move-workspace.md: Updating how to move a Log Analytics workspace within same region and authoring new guidance on required permissions
diff --git a/articles/azure-monitor/logs/move-workspace.md b/articles/azure-monitor/logs/move-workspace.md
@@ -11,31 +11,40 @@ ms.custom: devx-track-azurepowershell
 
 # Move a Log Analytics workspace to a different subscription or resource group
 
-In this article, you'll learn the steps to move a Log Analytics workspace to another resource group or subscription in the same region. To learn more about how to move Azure resources through the Azure portal, PowerShell, the Azure CLI, or the REST API, see [Move resources to a new resource group or subscription](../../azure-resource-manager/management/move-resource-group-and-subscription.md).
+In this article, you'll learn the steps to move a Log Analytics workspace to another resource group or subscription in the same region. 
 
-> [!IMPORTANT]
-> You can't move a workspace to a different region by using this procedure. Follow the steps in the article [Move a Log Analytics workspace to another region](./move-workspace-region.md) to move a workspace across regions.
+> [!TIP] 
+> To learn more about how to move Azure resources through the Azure portal, PowerShell, the Azure CLI, or the REST API, see [Move resources to a new resource group or subscription](../../azure-resource-manager/management/move-resource-group-and-subscription.md).
 
-## Verify the Azure Active Directory tenant
-The workspace source and destination subscriptions must exist within the same Azure Active Directory tenant. Use Azure PowerShell to verify that both subscriptions have the same tenant ID.
+## Prerequisites
 
-```powershell
-(Get-AzSubscription -SubscriptionName <your-source-subscription>).TenantId
-(Get-AzSubscription -SubscriptionName <your-destination-subscription>).TenantId
-```
+- The subscription or resource group where you want to move your Log Analytics workspace must be located in the same region as the Log Analytics workspace you're moving.
+   > [!NOTE]
+   > To move a workspace across regions, see [Move a Log Analytics workspace to another region](./move-workspace-region.md).
+- The move operation requires that no services can be linked to the workspace. Prior to the move, delete solutions that rely on linked services, including an Azure Automation account. These solutions must be removed before you can unlink your Automation account. Data collection for the solutions will stop and their tables will be removed from the UI, but data will remain in the workspace per the table retention period. When you add solutions after the move, ingestion is restored and tables become visible with data. Linked services include:
+  - Update management
+  - Change tracking
+  - Start/Stop VMs during off-hours
+  - Microsoft Defender for Cloud
+- Connected [Log Analytics agents](../agents/log-analytics-agent.md) and [Azure Monitor Agent](../agents/azure-monitor-agent-overview.md) remain connected to the workspace after the move with no interruption to ingestion.
+- Microsoft Sentinel can't be deployed on the Log Analytics workspace.
+
+## Permissions required
+
+| Action | Permissions required |
+|:---|:---|
+| Verify the Azure Active Directory tenant. | `Microsoft.AzureActiveDirectory/b2cDirectories/read` permissions, as provided by the [Log Analytics Reader built-in role](./manage-access.md#log-analytics-reader), for example. |
+| Delete a solution. | `Microsoft.OperationsManagement/solutions/delete` permissions on the solution, as provided by the [Log Analytics Contributor built-in role](./manage-access.md#log-analytics-contributor), for example. |
+| Remove alert rules for the Start/Stop VMs solution. | `microsoft.insights/scheduledqueryrules/delete` permissions, as provided by the [Monitoring Contributor built-in role](../../role-based-access-control/built-in-roles.md#monitoring-contributor), for example. |
+| Unlink the Automation account | `Microsoft.OperationalInsights/workspaces/linkedServices/delete` permissions on the linked Log Analytics workspace, as provided by the [Log Analytics Contributor built-in role](./manage-access.md#log-analytics-contributor), for example. |
+| Move a Log Analytics workspace. | `Microsoft.OperationalInsights/workspaces/delete` and `Microsoft.OperationalInsights/workspaces/write` permissions on the Log Analytics workspace, as provided by the [Log Analytics Contributor built-in role](./manage-access.md#log-analytics-contributor), for example. |
 
 ## Workspace move considerations
 
 Consider these points before you move a Log Analytics workspace:
 
 - Managed solutions that are installed in the workspace will be moved in this operation.
-- The move operation requires that no services can be linked to the workspace. Solutions that rely on linked services must be removed prior to the move, including an Azure Automation account. These solutions must be removed before you can unlink your Automation account. Data collection for the solutions will stop and their tables will be removed from the UI, but data will remain in the workspace per the table retention period. When you add solutions after the move, ingestion is restored and tables become visible with data. Linked services include:
-  - Update management
-  - Change tracking
-  - Start/Stop VMs during off-hours
-  - Microsoft Defender for Cloud
 - Workspace keys (both primary and secondary) are regenerated with a workspace move operation. If you keep a copy of your workspace keys in Azure Key Vault, update them with the new keys generated after the workspace is moved.
-- Connected [Log Analytics agents](../agents/log-analytics-agent.md) and [Azure Monitor Agent](../agents/azure-monitor-agent-overview.md) remain connected to the workspace after the move with no interruption to ingestion.
 
 >[!IMPORTANT]
 > **Microsoft Sentinel customers**
@@ -53,27 +62,84 @@ Consider these points before you move a Log Analytics workspace:
 >   - Custom scripting
 >
 
-### Delete solutions in the Azure portal
-Use the following procedure to remove solutions by using the Azure portal:
+## Verify the Azure Active Directory tenant
+The workspace source and destination subscriptions must exist within the same Azure Active Directory tenant. Use Azure PowerShell to verify that both subscriptions have the same tenant ID.
+
+### [Portal](#tab/azure-portal)
+
+[Find your Azure AD tenant](../../azure-portal/get-subscription-tenant-id.md#find-your-azure-ad-tenant) for the source and destination subscriptions.
+
+### [REST API](#tab/rest-api)
+
+To fetch the tenant ID for the source and destination subscriptions, call the [Subscriptions - Get API](/rest/api/resources/subscriptions/get):
+
+```http
+GET https://management.azure.com/subscriptions/{subscriptionId}?api-version=2020-01-01
+```
+
+### [CLI](#tab/cli)
+
+Run the [az account tenant](/cli/azure/account/tenant) command:
+
+```azurecli
+az account tenant list --subscription <your-source-subscription>
+az account tenant list --subscription <your-destination-subscription>
+```
+
+### [PowerShell](#tab/PowerShell)
+
+Run the [Get-AzSubscription](/powershell/module/az.accounts/get-azsubscription/) command:
+
+```powershell
+(Get-AzSubscription -SubscriptionName <your-source-subscription>).TenantId
+(Get-AzSubscription -SubscriptionName <your-destination-subscription>).TenantId
+```
+
+---
+
+## Delete solutions
+
+### [Portal](#tab/azure-portal)
 
 1. Open the menu for the resource group where any solutions are installed.
 1. Select the solutions to remove.
 1. Select **Delete Resources** and then confirm the resources to be removed by selecting **Delete**.
 
    [![Screenshot that shows deleting solutions.](media/move-workspace/delete-solutions.png)](media/move-workspace/delete-solutions.png#lightbox)
 
-### Delete by using PowerShell
+### [REST API](#tab/rest-api)
+
+To delete the solution, call the [Resources - Delete API](/rest/api/resources/resources/delete): 
+
+```http
+DELETE https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{parentResourcePath}/{resourceType}/{resourceName}?api-version=2021-04-01
+```
+
+### [CLI](#tab/cli)
+
+To remove solutions, run the [az resource delete](/cli/azure/resource#az-resource-delete) command. You need to specify the name of the resource, resource type, and resource group for the solution you want to delete:
 
-To remove solutions by using PowerShell, use the [Remove-AzResource](/powershell/module/az.resources/remove-azresource) cmdlet as shown in the following example:
+```azurecli
+az resource delete --name <resource-name> --resource-type <resource-type> --resource-group <resource-group-name>
+```
+
+### [PowerShell](#tab/PowerShell)
+
+To remove solutions, use the [Remove-AzResource](/powershell/module/az.resources/remove-azresource) cmdlet as shown in the following example:
 
 ```powershell
 Remove-AzResource -ResourceType 'Microsoft.OperationsManagement/solutions' -ResourceName "ChangeTracking(<workspace-name>)" -ResourceGroupName <resource-group-name>
 Remove-AzResource -ResourceType 'Microsoft.OperationsManagement/solutions' -ResourceName "Updates(<workspace-name>)" -ResourceGroupName <resource-group-name>
 Remove-AzResource -ResourceType 'Microsoft.OperationsManagement/solutions' -ResourceName "Start-Stop-VM(<workspace-name>)" -ResourceGroupName <resource-group-name>
 ```
 
+---
+
 ### Remove alert rules for the Start/Stop VMs solution
-To remove the **Start/Stop VMs** solution, you also need to remove the alert rules created by the solution. Use the following procedure in the Azure portal to remove these rules:
+
+To remove the **Start/Stop VMs** solution, you also need to remove the alert rules created by the solution.
+
+### [Portal](#tab/azure-portal)
 
 1. Open the **Monitor** menu and then select **Alerts**.
 1. Select **Manage alert rules**.
@@ -85,21 +151,71 @@ To remove the **Start/Stop VMs** solution, you also need to remove the alert rul
 
     [![Screenshot that shows deleting rules.](media/move-workspace/delete-rules.png)](media/move-workspace/delete-rules.png#lightbox)
 
+### [REST API](#tab/rest-api)
+
+Delete the following alert rules by calling the Scheduled Query Rules - Delete API:
+
+   - AutoStop_VM_Child
+   - ScheduledStartStop_Parent
+   - SequencedStartStop_Parent
+
+```http
+DELETE https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Insights/scheduledQueryRules/{ruleName}?api-version=2023-03-15-preview
+```
+
+### [CLI](#tab/cli)
+
+Delete the following alert rules by running the [az monitor scheduled-query delete](/cli/azure/monitor/scheduled-query#az-monitor-scheduled-query-delete) command:
+
+- AutoStop_VM_Child
+- ScheduledStartStop_Parent
+- SequencedStartStop_Parent
+
+```azurecli
+az monitor scheduled-query delete [--ids]
+                                  [--name]
+                                  [--resource-group]
+                                  [--subscription]
+                                  [--yes]
+```
+
+### [PowerShell](#tab/PowerShell)
+
+Delete the following alert rules by running the [Remove-AzScheduledQueryRule](/powershell/module/az.monitor/remove-azscheduledqueryrule) command: 
+
+- AutoStop_VM_Child
+- ScheduledStartStop_Parent
+- SequencedStartStop_Parent
+
+---
+
 ## Unlink the Automation account
-Use the following procedure to unlink the Automation account from the workspace by using the Azure portal:
 
-1. Open the **Automation accounts** menu and then select the account to remove.
-1. On the **Related Resources** section of the menu, select **Linked workspace**.
-1. Select **Unlink workspace** to unlink the workspace from your Automation account.
+### [Portal](#tab/azure-portal)
 
-    [![Screenshot that shows unlinking a workspace.](media/move-workspace/unlink-workspace.png)](media/move-workspace/unlink-workspace.png#lightbox)
+See [Delete a standalone Automation account linked to workspace](../../automation/delete-account.md#delete-a-standalone-automation-account-linked-to-workspace).
 
-## Move your workspace
+### [ REST API](#tab/rest-api)
+
+Call the [Linked Services - Delete API](/rest/api/loganalytics/linked-services/delete).
+
+```http
+DELETE https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/linkedServices/{linkedServiceName}?api-version=2020-08-01
+```
+
+### [CLI](#tab/cli)
 
-Move your workspace by using the Azure portal or PowerShell.
+Not supported.
+
+### [PowerShell](#tab/PowerShell)
+
+Not supported.
+
+---
+
+## Move your workspace
 
-### Azure portal
-Use the following procedure to move your workspace by using the Azure portal:
+### [Portal](#tab/azure-portal)
 
 1. Open the **Log Analytics workspaces** menu and then select your workspace.
 1. On the **Overview** page, select **change** next to either **Resource group** or **Subscription name**.
@@ -109,13 +225,34 @@ Use the following procedure to move your workspace by using the Azure portal:
 
     [![Screenshot that shows the Overview pane in the Log Analytics workspace with options to change the resource group and subscription name.](media/move-workspace/portal.png)](media/move-workspace/portal.png#lightbox)
 
-### PowerShell
-To move your workspace by using PowerShell, use the [Move-AzResource](/powershell/module/AzureRM.Resources/Move-AzureRmResource) cmdlet as shown in the following example:
+### [ REST API](#tab/rest-api)
+
+To move your workspace, call the [Resources - Move Resources API](/rest/api/resources/resources/move-resources).
+
+```http
+POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{sourceResourceGroupName}/moveResources?api-version=2021-04-01
+```
+
+### [CLI](#tab/cli)
+
+To move your workspace, run the [az resource move](/cli/azure/resource#az-resource-move) command:
+
+```azurecli
+az resource move --destination-group
+                 --ids
+                 [--destination-subscription-id]
+```
+
+### [PowerShell](#tab/PowerShell)
+
+To move your workspace, run the [Move-AzResource](/powershell/module/AzureRM.Resources/Move-AzureRmResource) cmdlet as shown in the following example:
 
 ```powershell
 Move-AzResource -ResourceId "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup01/providers/Microsoft.OperationalInsights/workspaces/MyWorkspace" -DestinationSubscriptionId "00000000-0000-0000-0000-000000000000" -DestinationResourceGroupName "MyResourceGroup02"
 ```
 
+---
+
 > [!IMPORTANT]
 > After the move operation, removed solutions and the Automation account link should be reconfigured to bring the workspace back to its previous state.
 
diff --git a/articles/azure-monitor/toc.yml b/articles/azure-monitor/toc.yml
@@ -990,6 +990,14 @@ items:
           items:
           - name: Create a Log Analytics workspace
             href: logs/quick-create-workspace.md
+          - name: Move, delete, or recover a Log Analytics workspace
+            items:
+              - name: Move a workspace
+                href: logs/move-workspace.md
+              - name: Move a workspace across regions
+                href: logs/move-workspace-region.md
+              - name: Delete and recover a workspace
+                href: logs/delete-workspace.md  
           - name: Manage access
             displayName: Manage access to a Log Analytics workspace
             href: logs/manage-access.md
@@ -1041,14 +1049,6 @@ items:
             href: logs/data-ingestion-time.md
           - name: Analyze usage and cost
             href: logs/analyze-usage.md   
-        - name: Move and delete
-          items:
-          - name: Move a workspace
-            href: logs/move-workspace.md
-          - name: Move a workspace across regions
-            href: logs/move-workspace-region.md
-          - name: Delete and recover a workspace
-            href: logs/delete-workspace.md  
     - name: Data security
       items:
         - name: Roles permissions and security
