diff --git a/modules/services/event-hub-data-source/organizational.tf b/modules/services/event-hub-data-source/organizational.tf
new file mode 100644
index 0000000..905741b
--- /dev/null
+++ b/modules/services/event-hub-data-source/organizational.tf
@@ -0,0 +1,45 @@
+data "azurerm_client_config" "current" {}
+
+data "azurerm_management_group" "onboarded_management_group" {
+ for_each = length(var.management_group_ids) > 0 ? toset(var.management_group_ids) : toset([data.azurerm_client_config.current.tenant_id])
+ name = each.value
+}
+
+locals {
+ all_mg_subscription_ids = flatten([
+ for mg in data.azurerm_management_group.onboarded_management_group : mg.all_subscription_ids
+ ])
+}
+
+data "azurerm_subscription" "onboarded_subscriptions" {
+ for_each = toset(local.all_mg_subscription_ids)
+ subscription_id = each.value
+}
+
+locals {
+ enabled_subscriptions = var.is_organizational ? [for s in data.azurerm_subscription.onboarded_subscriptions : s if s.state == "Enabled"] : []
+}
+
+#---------------------------------------------------------------------------------------------
+# Create diagnostic settings for the tenant
+#---------------------------------------------------------------------------------------------
+resource "azurerm_monitor_diagnostic_setting" "sysdig_org_diagnostic_setting" {
+ count = var.is_organizational ? length(local.enabled_subscriptions) : 0
+
+ name = var.diagnostic_settings_name
+ target_resource_id = local.enabled_subscriptions[count.index].id
+ eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.sysdig_rule.id
+ eventhub_name = azurerm_eventhub.sysdig_event_hub.name
+
+ enabled_log {
+ category = "Administrative"
+ }
+
+ enabled_log {
+ category = "Security"
+ }
+
+ enabled_log {
+ category = "Policy"
+ }
+}
diff --git a/modules/services/event-hub-data-source/outputs.tf b/modules/services/event-hub-data-source/outputs.tf
index 3dddf8d..24dd935 100644
--- a/modules/services/event-hub-data-source/outputs.tf
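Review bot: The management-group and subscription lookups (`data "azurerm_management_group" "onboarded_management_group"` and `data "azurerm_subscription" "onboarded_subscriptions"`) run even when `var.is_organizational` is false, because only `local.enabled_subscriptions` and the resource `count` are gated on the flag; a single-subscription deployment therefore still reads the management group named by the `tenant_id` fallback and every subscription beneath it, so the deploying identity needs tenant-wide read rights it otherwise would not, and the plan can fail where it lacks them. Gating the first data source removes that, e.g. `for_each = var.is_organizational ? (length(var.management_group_ids) > 0 ? toset(var.management_group_ids) : toset([data.azurerm_client_config.current.tenant_id])) : toset([])`. Separately, indexing `local.enabled_subscriptions` with `count` means any subscription appearing or disappearing under a management group shifts the indices and replaces the diagnostic settings of the others on the next apply; keying the resource with `for_each` on `subscription_id` and using `each.value.id` for `target_resource_id` avoids that churn.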
+++ b/modules/services/event-hub-data-source/outputs.tf
@@ -15,4 +15,4 @@ output "consumer_group_name" {
 output "subscription_alias" {
 value = data.azurerm_subscription.sysdig_subscription.display_name
 description = "Display name of the subscription"
-}
\ No newline at end of file
+}
diff --git a/modules/services/event-hub-data-source/variables.tf b/modules/services/event-hub-data-source/variables.tf
index ae6e64e..72854dc 100644
--- a/modules/services/event-hub-data-source/variables.tf
+++ b/modules/services/event-hub-data-source/variables.tf
@@ -84,3 +84,15 @@ variable "diagnostic_settings_name" {
 description = "Name of the diagnostic settings to be created"
 default = "sysdig-diagnostic-settings"
 }
+
+variable "is_organizational" {
+ description = "(Optional) Set this field to 'true' to deploy secure-for-cloud to an Azure Tenant."
+ type = bool
+ default = false
+}
+
+variable "management_group_ids" {
+ description = "(Optional) List of Azure Management Group IDs. secure-for-cloud will be deployed to all the subscriptions under these management groups."
+ type = set(string)
+ default = []
+}
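Review bot: The description of `management_group_ids` does not say that the value only takes effect when `is_organizational` is true, yet in the organizational.tf hunk the resource `count` is 0 unless `var.is_organizational` is set, so a caller who passes management groups without the flag gets no diagnostic settings and no error. It also calls the value a "List" while the declared type is `set(string)`, which silently drops duplicates and ordering. Suggested wording: `description = "(Optional) Set of Azure Management Group IDs; only used when is_organizational is true. secure-for-cloud will be deployed to all the subscriptions under these management groups."`.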