PowerShell function that looks for Azure resources and services that send data to Log Analytics workspaces. Use this to assess the usage of Azure Log Analytics workspaces across a tenant.

Get-AzLogAnalyticsWorkspaceSource.ps1

#Requires -Modules @{ ModuleName = 'Az.Accounts'; ModuleVersion = '2.5.1' }
#Requires -Modules @{ ModuleName = 'Az.Resources'; ModuleVersion = '4.2.0' }
#Requires -Modules @{ ModuleName = 'Az.Compute'; ModuleVersion = '4.15.0' }
#Requires -Modules @{ ModuleName = 'Az.OperationalInsights'; ModuleVersion = '2.3.0' }
#Requires -Modules @{ ModuleName = 'Az.Aks'; ModuleVersion = '2.2.0' }

<#
    .SYNOPSIS
        Returns an array Azure Log Analytics workspaces and the resources
        that send data to them.

    .DESCRIPTION
        This function loops through all the Azure subscriptions that the
        current Az session has access to and identifies all the Log
        Analytics workspace resources. For each workspace it then looks
        at the diagnostic settings or other resources (VMs etc) that are
        configured to send data to them.

        It will currently include:
        - Diagnostic Settings extension resources that are set to a Log Analytics workspace
        - AKS clusters that are enabled with Container Insights Addon
        - Virtual Machines with the Microsoft Monitoring Agent extension enabled

    .PARAMETER SubscriptionName
        The name of the subscription to limit the search to.
#>
[CmdletBinding()]
param
(
    [Parameter()]
    [System.String]
    $SubscriptionName
)

$subscriptions = Get-AzSubscription @PSBoundParameters
$workspaceSources = @()

foreach ($subscription in $subscriptions)
{
    Write-Verbose -Message ('Selecting Azure Subscription {0}.' -f $subscription.Name)
    $null = $subscription | Select-AzSubscription

    # Add resources with Diagnostic Settings using Log Analytics Workspace
    $subscriptionResources = Get-AzResource

    foreach ($subscriptionResource in $subscriptionResources)
    {
        $diagnosticSettings = Get-AzDiagnosticSetting `
            -ResourceId $subscriptionResource.ResourceId `
            -WarningAction SilentlyContinue `
            -ErrorAction SilentlyContinue | Where-Object -FilterScript {
                $null -ne $_.Id -and $null -ne $_.WorkspaceId
            }

        foreach ($diagnosticSetting in $diagnosticSettings)
        {
            $workspaceId = $diagnosticSetting.WorkspaceId
            $workspaceSources += [PSCustomObject] @{
                Type = 'Microsoft.Insights/diagnosticSettings'
                Description = 'Resource Diagnostic Settings'
                ResourceId = $subscriptionResource.Id
                ResourceName = $subscriptionResource.Name
                SubscriptionName = $subscription.Name
                SubscriptionId = $subscription.Id
                DiagnosticSettingsName = $diagnosticSetting.Name
                WorkspaceName = ($workspaceId -Split '/')[($workspaceId -Split '/').Count -1]
                WorkspaceId = $workspaceId
                Metrics = $diagnosticSetting.Metrics
                Logs = $diagnosticSetting.Logs
            }
        }
    }

    # Add AKS clusters using Log Analytics Workspace
    $aksClusterContainerInsights = Get-AzAksCluster

    foreach ($aksClusterContainerInsight in $aksClusterContainerInsights)
    {
        $workspaceId = $aksClusterContainerInsight.AddonProfiles.omsAgent.Config['logAnalyticsWorkspaceResourceID']
        $workspaceSources += [PSCustomObject] @{
            Type = 'Microsoft.ContainerService/ManagedClusters'
            Description = 'Container Insights'
            ResourceId = $aksClusterContainerInsight.Id
            ResourceName = $aksClusterContainerInsight.Name
            SubscriptionName = $subscription.Name
            SubscriptionId = $subscription.Id
            WorkspaceName = ($workspaceId -Split '/')[($workspaceId -Split '/').Count -1]
            WorkspaceId = $workspaceId
        }
    }

    # Add Virtual Machines using Log Analytics Workspace
    $logAnalyticsWorkspaces = Get-AzOperationalInsightsWorkspace

    $virtualMachines = Get-AzVm

    foreach ($virtualMachine in $virtualMachines)
    {
        $vmMonitoringExtension = Get-AzVMExtension -ResourceGroupName $virtualMachine.ResourceGroupName -VMName $virtualMachine.Name -Name 'MicrosoftMonitoringAgent'
        if ($null -eq $vmMonitoringExtension)
        {
            Write-Warning -Message ('Guest OS in virtual machine {0} is not monitored by Log Analytics.' -f $virtualMachine.Name)
        }
        else
        {
            $extensionSettings = $vmMonitoringExtension.PublicSettings | ConvertFrom-Json
            $customerId = $extensionSettings.workspaceId
            $workspaceId = $logAnalyticsWorkspaces | Where-Object -FilterScript { $_.CustomerId -eq $customerId}
            $workspaceSources += [PSCustomObject] @{
                Type = 'Microsoft.EnterpriseCloud.Monitoring'
                Description = 'Virtual Machine MicrosoftMonitoringAgent'
                ResourceId = $virtualMachine.Id
                ResourceName = $virtualMachine.Name
                SubscriptionName = $subscription.Name
                SubscriptionId = $subscription.Id
                WorkspaceName = ($workspaceId -Split '/')[($workspaceId -Split '/').Count -1]
                WorkspaceId = $workspaceId
            }
        }
    }
}

return $workspaceSources