Forum Discussion
Log Analytics Workspace - Minimum Permissions to submit custom events?
I am trying to set up a LA Workspace intended to collect custom events submitted from custom powershell scripts (i.e, via Invoke-WebRequest).
I don't want to use the workspace's Shared Key - I want to use either an app principal and/or a managed identity.
What are the minimum RBAC permissions that I need to assign to successfully submit custom events?
(I tried reading up and down here, it doesn't seem to tackle permissions for writing log events).
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/manage-access?tabs=portal
Hi mindfulrants, as you mentioned workspace key, it means you're probably referring to the (now called) legacy HTTP Data Collector API, which has been deprecated and will be retired in 2026.
As you want to use an app registration, then I suggest that you use the new API, that's based in DCR\DCE: Logs Ingestion API in Azure Monitor - Azure Monitor | Microsoft Learn
Since the permissions are actually given at the DCR level, it does allow a deeper level of granularity, hence you can just use the 'Microsoft.Insights/Telemetry/Write' action:
Once you have everything setup, you can use the sample PowerShell code to get you started: Sample code to send data to Azure Monitor using Logs ingestion API - Azure Monitor | Microsoft Learn
Hope this helps!
2 Replies
joseconsMicrosoft
Hi mindfulrants, as you mentioned workspace key, it means you're probably referring to the (now called) legacy HTTP Data Collector API, which has been deprecated and will be retired in 2026.
As you want to use an app registration, then I suggest that you use the new API, that's based in DCR\DCE: Logs Ingestion API in Azure Monitor - Azure Monitor | Microsoft Learn
Since the permissions are actually given at the DCR level, it does allow a deeper level of granularity, hence you can just use the 'Microsoft.Insights/Telemetry/Write' action:
Once you have everything setup, you can use the sample PowerShell code to get you started: Sample code to send data to Azure Monitor using Logs ingestion API - Azure Monitor | Microsoft Learn
Hope this helps!- Thanks, josecons this is actually very useful.
I dont want to have an app registration because there is a shared secret involved, rather i want to use a Managed Identity, in this particular case assigned to an Azure Arc Enabled Server.
