BenjiSec
Kudos on a great article. Extremely helpful! I just created and enabled the Logic App yesterday, but wanted to identify some "tips":
1. As you mentioned, "Create a service principal to authorize Azure Monitor Logs connector" is not necessary if you already have permissions to authorize the API connection. However, it should be noted that you must at least authorize the API connection (Logic App editor -> API connections -> azuremonitorlogs-Update-WoodEIUsers-Watchlist-from-AzureAD-Group -> Edit API connection -> Authorize).
2. Parse JSON Schema can be edited to include more elements, such as Display Name:
    {
        "properties": {
            "@@odata.context": {
                "type": "string"
            },
            "value": {
                "items": {
                    "properties": {
                        "displayName": {
                            "type": "string"
                        },
                        "id": {
                            "type": "string"
                        },
                        "mail": {
                            "type": "string"
                        },
                        "userPrincipalName": {
                            "type": "string"
                        }
                    },
                    "required": [
                        "userPrincipalName",
                        "id",
                        "displayName",
                        "mail"
                    ],
                    "type": "object"
                },
                "type": "array"
            }
        },
        "type": "object"
    }
3. There appears to be a syntax error in the Log Analytics queries involving UserPrincipalName. The template uses the query _GetWatchlist('WoodEIUsers') | where ["User Principal Name"] ==, but this should actually be _GetWatchlist('WoodEIUsers') | where ["UserPrincipalName"] ==. There are two instances of this query within the Logic App.
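Added example, not part of BenjiSec's comment or of the Logic App template: a small Python check that applies the Parse JSON schema from tip 2 to a constructed Graph group-members response (undoing the "@@" escaping Logic Apps uses for "@odata.context"), shows that a member returned with "mail": null fails a property typed only as "string", and emits watchlist rows whose header matches the UserPrincipalName column name from tip 3. The sample payload and the other row header names are assumptions.

```python
import copy

# Parse JSON schema from tip 2, as a Python dict. Logic Apps escapes a leading "@"
# in a property name as "@@", so "@@odata.context" describes the payload key "@odata.context".
SCHEMA = {
    "type": "object",
    "properties": {
        "@@odata.context": {"type": "string"},
        "value": {
            "type": "array",
            "items": {
                "type": "object",
                "required": ["userPrincipalName", "id", "displayName", "mail"],
                "properties": {k: {"type": "string"}
                               for k in ("displayName", "id", "mail", "userPrincipalName")},
            },
        },
    },
}
PY_TYPES = {"object": dict, "array": list, "string": str, "null": type(None)}

def validate(node, schema, path="$"):
    """Return the list of schema violations in `node` (an empty list means it passes)."""
    allowed = schema["type"] if isinstance(schema["type"], list) else [schema["type"]]
    if not any(isinstance(node, PY_TYPES[t]) for t in allowed):
        return [f"{path}: expected {'/'.join(allowed)}, got {type(node).__name__}"]
    errors = []
    if isinstance(node, dict):
        errors += [f"{path}: missing required '{k}'" for k in schema.get("required", []) if k not in node]
        for key, sub in schema.get("properties", {}).items():
            real_key = key.replace("@@", "@", 1)  # undo the Logic Apps escaping
            if real_key in node:
                errors += validate(node[real_key], sub, f"{path}.{real_key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            errors += validate(item, schema["items"], f"{path}[{i}]")
    return errors

def watchlist_rows(payload):
    """Map Graph users to rows; the header is UserPrincipalName (no spaces), as the KQL in tip 3 expects."""
    return [{"UserPrincipalName": u["userPrincipalName"], "DisplayName": u["displayName"],
             "Mail": u["mail"], "Id": u["id"]} for u in payload["value"]]

# Constructed sample of a Graph group-members response (not real tenant data).
SAMPLE = {"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
          "value": [{"id": "00000000-0000-0000-0000-000000000001", "displayName": "Example User",
                     "mail": "example.user@contoso.example",
                     "userPrincipalName": "example.user@contoso.example"}]}
# A member without a mailbox comes back with "mail": null, which a "type": "string" property rejects.
SAMPLE_NULL_MAIL = copy.deepcopy(SAMPLE)
SAMPLE_NULL_MAIL["value"][0]["mail"] = None
```

Allowing such members through the Parse JSON step means listing both types for the property (`"type": ["string", "null"]`), which `validate` also accepts.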