Reading Azure Entra ID Diagnostic Settings
we have a multi-tenant application that we deploy in our clients' environments. As part of our software solution, we will collect various data from your environment via Microsoft Graph and Azure PowerShell cmdlets.
We are trying to read the Diagnostic settings in Entra ID, what works by running the below code snipped:
$accessToken = (Get-AzAccessToken -ResourceUrl "https://management.azure.com").Token
$apiEndpoint = "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings?api-version=2017-04-01-preview"
$headers = @{
"Authorization" = "Bearer $accessToken"
"Content-Type" = "application/json"
}
$response = Invoke-RestMethod -Uri $apiEndpoint -Headers $headers -Method Get
We currently deploy our multi-tenant application in our clients' environments using an ARM template to assign the necessary permissions. However, we are encountering issues with successfully adding the permissions required to read the Diagnostic settings. If we run it without any modifications we get the error:
"message": "The client 'blabla' with object id 'blabla' does not have authorization to perform action 'microsoft.aadiam/diagnosticSettings/write' over scope '/providers/microsoft.aadiam/diagnosticSettings/testDiagSetting' or the scope is invalid. If access was recently granted, please refresh your credentials."
When we manually run the command below, it works. However, we would like to avoid asking IT administrators to run this command manually. Is there a way to assign these permissions via an ARM template? Alternatively, can we use the Graph API to assign the scope to the application and request the client to consent to it?
New-AzRoleAssignment -ObjectId "e348be5c-fc9b-4852-8e04-540093bd461b" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Contributor' -ObjectType 'ServicePrincipal'
To read the Diagnostic settings in Entra ID specifically, you need to assign permissions at the tenant level. You can automate the assignment of permissions to read the Diagnostic settings in Entra ID using Microsoft.Authorization/roleAssignments. Create a RoleAssignmentTemplate.json to assign the necessary role
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"principalId": {
"type": "string",
"metadata": {
"description": "The principal (user or application) ID to assign the role to."
}
},
"roleDefinitionId": {
"type": "string",
"defaultValue": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"metadata": {
"description": "The role definition ID for the role to assign."
}
}
},
"resources": [
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2020-04-01-preview",
"name": "[guid(parameters('principalId'), parameters('roleDefinitionId'))]",
"properties": {
"roleDefinitionId": "[tenantResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
"principalId": "[parameters('principalId')]",
"scope": "/providers/Microsoft.aadiam"
}
}
]
}
Deploy the ARM Template
RESOURCE_GROUP_NAME="YourResourceGroupName"
TEMPLATE_FILE_PATH="path/to/your/template.json"
PRINCIPAL_ID="your-principal-id"
az deployment group create --resource-group $RESOURCE_GROUP_NAME --template-file $TEMPLATE_FILE_PATH --parameters principalId=$PRINCIPAL_ID
- Error: Server returned handshake error: Handshake was canceled
- Using Terraform For_Each and For commands to filter elements
- How can i pass file as parameter in post request (Web Activity) Azure Data Factory?
- Azure Logic Apps - Condition Notify issue
- Can't create data collection rule for Azure log analytics using Terraform - missing Terraform options?
- Azure Logic Apps - Variables Array
- How to handle token expiry in azure msal react?
- How to create VM using ARM template in which image is referenced from Azure compute gallery?
- Azure Appservice for Django fails with Azure Devops Pipeline
- Azure OpenAI and Azure Web Application giving different responses and References
- HTTP/1.1 401 Unauthorized - Developer portal
- How to directly upload an azure VM disk to a blob storage?
- How to Extract Fields from SensitivityLabelEventData within AuditData in Microsoft Graph SDK?
- Get error "You do not have elevated access" when try to postpone MFA enforcement
- Azure Python SDK - how can I know the latest API version for a resource ID?
- Deploy Azure webjob inside the correct location using YAML file
- Shortcut: Move an item to the top of the backlog
- "Key vault reference error" in azure web app configuration setting
- What is the proper way to expose an Azure Container Instance that is inside a vnet?
- Could not load file or assembly 'System.Diagnostics.DiagnosticSource', Version=6.0.0.0. The system cannot find the file specified
- I found Azure's resource health alerts is extremely hard to understand
- Its possible deploy a hybrid NEXT.js application in Azure?
- How to create Azure Virtual machine with VM Extension using the python SDK
- How to mock ServiceBusClient
- APIM quota-by-key policy when condition JWT subject
- Cannot add MFA in the Entra Admin Center
- How to share azure VHD across different subscription
- .NET 6 Azure KeyVault 403 forbidden error
- How to use SessionId with ServiceBusOutput on Worker Function azure
- KQL merge rows with the same ID into one row