Search code examples
azureazure-storagekqlazure-log-analyticsazure-storage-files

How can I enable access to a csv on an Azure File Share that my KQL query is trying to reference?

I'm trying to apply a KQL query (special thanks to Gyp The Cat for helping) that will let me join a csv/table to a sign-in log table I have connected to an Azure Workspace.

However, I get the following error message:

The system was unable to access the storage accounts indicated in the external data operator due to access denied error. The results won’t include hits from these storage accounts.

I've tried making sure that my user account has been assigned both the "Logs Analytics Contributor" and "Storage File Data SMB Share Contributor" to the actual File Share Resource.

I've also made sure that in the query I'm specifying the url made available in the properties of the actual file.

Below is the query I'm running. Any nudge in the right direction would be appreciated -- Thanks!

let EmailAddresses = (externaldata (UserPrincipalName:string) [h@'https://myazurefileshare.file.core.windows.net/fileshare-upn-file-test/listofupns.csv']);

EmailAddresses

| join kind=leftouter (

SigninLogs

| mvexpand ConditionalAccessPolicies

| where ConditionalAccessPolicies.id == "06513c7f-2fff-4054-bd4a-9d66d01146d5"

| where ConditionalAccessStatus == "success") on UserPrincipalName

Solution

  • Instead of hosting it as a file try hosting it in the blob, ie in the $web directory on the Storage Account.

    What the blob location could be (as an example):

    https://somethingsomething.blob.core.windows.net/$web/fileshare-upn-file-test/listofupns.csv

    This will then translate to the web accessible location of:

    https://somethingsomething.z13.web.core.windows.net/fileshare-upn-file-test/listofupns.csv

    Then you need to reference the web location in your query like this:

    let EmailAddresses = (externaldata (UserPrincipalName:string) [h@'https://somethingsomething.z13.web.core.windows.net/fileshare-upn-file-test/listofupns.csv']);
EmailAddresses
| join kind=leftouter (
SigninLogs
| mvexpand ConditionalAccessPolicies
| where ConditionalAccessPolicies.id == "06513c7f-2fff-4054-bd4a-9d66d01146d5"
| where ConditionalAccessStatus == "success") on UserPrincipalName

    This link seems to cover all the main points about setting a Storage Account up like this:

    https://www.geeksforgeeks.org/microsoft-azure-hosting-a-static-website-with-azure-storage/

    There are also alternative options for the whole thing in the Storage Connection Strings too.