SOLVED

Authenticate with client credentials - Log Analytics

%3CLINGO-SUB%20id%3D%22lingo-sub-104996%22%20slang%3D%22en-US%22%3EAuthenticate%20with%20client%20credentials%20-%20Log%20Analytics%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-104996%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3CBR%20%2F%3E%3CBR%20%2F%3EIs%20it%20possible%20to%20authenticate%20with%20client%20credentials%20to%20access%20the%20log%20analytics%20API%3F%3CBR%20%2F%3EI've%20been%20following%20the%20steps%20on%20%3CA%20href%3D%22https%3A%2F%2Fdev.loganalytics.io%2Fdocumentation%2FAuthorization%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdev.loganalytics.io%2Fdocumentation%2FAuthorization%3C%2FA%3E%20and%20both%20the%20explicit%20and%20the%20implicit%20flow%20is%20working%20fine%20to%20retrieve%20a%20valid%20access%20token.%20When%20I'm%20trying%20the%20client%20credentials%20I%20get%20an%20access%20token%20but%20403%20Forbidden%20when%20used%20to%20the%20API.%20I%20need%20to%20have%20a%20script%20running%20daily%20to%20collect%20data%20from%20the%20API%20so%20no%20user%20interaction%20if%20possible.%3CBR%20%2F%3E%3CBR%20%2F%3ESo%20is%20client%20credentials%20supported%2C%20if%20so%20what%20actions%20do%20I%20need%20to%20take%20to%20make%20it%20work%3F%20Or%20is%20there%20a%20work-around%20to%20automate%20the%20authentication%20process%3F%3CBR%20%2F%3E%3CBR%20%2F%3EMany%20thanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-104996%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Log%20Analytics%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-106907%22%20slang%3D%22en-US%22%3ERe%3A%20Authenticate%20with%20client%20credentials%20-%20Log%20Analytics%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-106907%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20URL%20will%20continue%20to%20work.%20There%20are%20some%20differences%20in%20terms%20of%20routing%20to%20get%20to%20your%20data%20and%20limitations%20to%20the%20size%20of%20calls%20that%20can%20be%20made%20(for%20example%20the%20direct%20API%20can%20return%20a%20higher%20maximum%20row%20count)%2C%20but%20for%20most%20cases%20the%20differences%20should%20not%20be%20significant.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFeel%20free%20to%20let%20me%20know%20if%20you%20have%20further%20questions.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-106667%22%20slang%3D%22en-US%22%3ERe%3A%20Authenticate%20with%20client%20credentials%20-%20Log%20Analytics%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-106667%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Ace%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20a%20lot%2C%20the%20URL%20is%20working%20perfectly%20and%20resolved%20my%20issue!%3CBR%20%2F%3E%3CBR%20%2F%3EDo%20you%20know%20if%20this%20URL%20will%20be%20supported%20long-term%26nbsp%3Bsince%20client%20credentials%20won't%20be%20supported%20for%20the%20direct%20URL%20in%20the%20upcoming%20time%3F%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EOnce%20again%2C%20thanks%20a%20lot!%3CBR%20%2F%3EJohan%3CBR%20%2F%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-106556%22%20slang%3D%22en-US%22%3ERe%3A%20Authenticate%20with%20client%20credentials%20-%20Log%20Analytics%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-106556%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Johan%2C%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20the%20direct%20URL%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fapi.loganalytics.io%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fapi.loganalytics.io%3C%2FA%3E%2C%20we%20will%20not%20currently%20be%20able%20to%20support%20client%20credentials.%20However%2C%20you%20are%20still%20able%20to%20call%20the%20API%20via%20an%20alternative%20URL.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20this%20method%2C%20the%20URL%20you%20direct%20requests%20at%20is%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CPRE%3Ehttps%3A%2F%2Fmanagement.azure.com%2Fsubscriptions%2F%7Bsubscription%7D%2FresourceGroups%2F%7BresourceGroupName%7D%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2F%7BworkspaceName%7D%2Fapi%2F%7Barea%7D%3Fapi-version%3D2017-01-01-preview%26amp%3B%5BqueryParams%5D%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhere%20%E2%80%9Carea%E2%80%9D%20is%20the%20endpoint%20you%20wish%20to%20hit%20(probably%20%E2%80%9Cquery%E2%80%9D)%2C%20and%20queryParams%20are%20as%20usual%20for%20the%20Log%20Analytics%20API.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20this%20case%20you%20can%20use%20the%20client%20credentials%20grant%20as%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Factive-directory-protocols-oauth-service-to-service%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Edocumented%20here.%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3EIn%20the%20token%20request%2C%20set%20your%20resource%20to%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fmanagement.azure.com%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmanagement.azure.com%2F%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eincluding%20the%20trailing%20slash.%20%26nbsp%3BWith%20this%20token%20against%20the%20ARM%20url%20above%2C%20you%20should%20be%20able%20to%20query%20successfully.%20Note%20that%20this%20is%20*not*%20the%20v2.0%20endpoint%20as%20I%20had%20previously%20indicated.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELet%20me%20know%20if%20you%20have%20further%20questions%20or%20this%20does%20not%20resolve%20your%20issue.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-105847%22%20slang%3D%22en-US%22%3ERe%3A%20Authenticate%20with%20client%20credentials%20-%20Log%20Analytics%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-105847%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Ace%2C%3CBR%20%2F%3E%3CBR%20%2F%3EThank%20you%20for%20the%20reply%20and%20the%20support!%20Looking%20forward%20to%20an%20update%20%3A)%3C%2Fimg%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-105223%22%20slang%3D%22en-US%22%3ERe%3A%20Authenticate%20with%20client%20credentials%20-%20Log%20Analytics%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-105223%22%20slang%3D%22en-US%22%3E%3CP%3E(original%20reply%20replaced%20with%20resolution)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHi%20Johan%2C%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20the%20direct%20URL%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fapi.loganalytics.io%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fapi.loganalytics.io%3C%2FA%3E%2C%20%3CSTRIKE%3Ewe%20will%20not%20currently%20be%20able%20to%3C%2FSTRIKE%3E%26nbsp%3B%20%26nbsp%3B%3CSTRONG%3E%3CU%3Ewe%26nbsp%3Bnow%20support%3C%2FU%3E%3C%2FSTRONG%3E%20client%20credentials.%26nbsp%3BFollow%20the%20%3CSTRONG%3E%3CA%20href%3D%22https%3A%2F%2Fdev.int.loganalytics.io%2Fdocumentation%2F1-Tutorials%2FDirect-API%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Etutorial%20here%3C%2FA%3E%3C%2FSTRONG%3E.%20However%2C%20you%20are%20still%20able%20to%20call%20the%20API%20via%20an%20alternative%20URL.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20this%20method%2C%20the%20URL%20you%20direct%20requests%20at%20is%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CPRE%3Ehttps%3A%2F%2Fmanagement.azure.com%2Fsubscriptions%2F%7Bsubscription%7D%2FresourceGroups%2F%7BresourceGroupName%7D%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2F%7BworkspaceName%7D%2Fapi%2F%7Barea%7D%3Fapi-version%3D2017-01-01-preview%26amp%3B%5BqueryParams%5D%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhere%20%E2%80%9Carea%E2%80%9D%20is%20the%20endpoint%20you%20wish%20to%20hit%20(probably%20%E2%80%9Cquery%E2%80%9D)%2C%20and%20queryParams%20are%20as%20usual%20for%20the%20Log%20Analytics%20API.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20this%20case%20you%20can%20use%20the%20client%20credentials%20grant%20as%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Factive-directory-protocols-oauth-service-to-service%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Edocumented%20here.%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3EIn%20the%20token%20request%2C%20set%20your%20resource%20to%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fmanagement.azure.com%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmanagement.azure.com%2F%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eincluding%20the%20trailing%20slash.%20%26nbsp%3BWith%20this%20token%20against%20the%20ARM%20url%20above%2C%20you%20should%20be%20able%20to%20query%20successfully.%20Note%20that%20this%20is%20*not*%20the%20v2.0%20endpoint%20as%20I%20had%20previously%20indicated.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELet%20me%20know%20if%20you%20have%20further%20questions%20or%20this%20does%20not%20resolve%20your%20issue.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Hello,

Is it possible to authenticate with client credentials to access the log analytics API?
I've been following the steps on https://dev.loganalytics.io/documentation/Authorization and both the explicit and the implicit flow is working fine to retrieve a valid access token. When I'm trying the client credentials I get an access token but 403 Forbidden when used to the API. I need to have a script running daily to collect data from the API so no user interaction if possible.

So is client credentials supported, if so what actions do I need to take to make it work? Or is there a work-around to automate the authentication process?

Many thanks!

5 Replies
Highlighted

(original reply replaced with resolution)

 

Hi Johan, 

 

For the direct URL https://api.loganalytics.io, we will not currently be able to   we now support client credentials. Follow the tutorial here. However, you are still able to call the API via an alternative URL. 

 

For this method, the URL you direct requests at is 

https://management.azure.com/subscriptions/{subscription}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/api/{area}?api-version=2017-01-01-preview&[queryParams]

 

Where “area” is the endpoint you wish to hit (probably “query”), and queryParams are as usual for the Log Analytics API.

 

In this case you can use the client credentials grant as documented here. In the token request, set your resource to https://management.azure.com/ including the trailing slash.  With this token against the ARM url above, you should be able to query successfully. Note that this is *not* the v2.0 endpoint as I had previously indicated. 

 

Let me know if you have further questions or this does not resolve your issue. 

Highlighted

Hi Ace,

Thank you for the reply and the support! Looking forward to an update :) 

Highlighted
Solution

Hi Johan, 

 

For the direct URL https://api.loganalytics.io, we will not currently be able to support client credentials. However, you are still able to call the API via an alternative URL. 

 

For this method, the URL you direct requests at is 

https://management.azure.com/subscriptions/{subscription}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/api/{area}?api-version=2017-01-01-preview&[queryParams]

 

Where “area” is the endpoint you wish to hit (probably “query”), and queryParams are as usual for the Log Analytics API.

 

In this case you can use the client credentials grant as documented here. In the token request, set your resource to https://management.azure.com/ including the trailing slash.  With this token against the ARM url above, you should be able to query successfully. Note that this is *not* the v2.0 endpoint as I had previously indicated. 

 

Let me know if you have further questions or this does not resolve your issue. 

Highlighted

Hi Ace,

 

Thanks a lot, the URL is working perfectly and resolved my issue!

Do you know if this URL will be supported long-term since client credentials won't be supported for the direct URL in the upcoming time? 

Once again, thanks a lot!
Johan
 

Highlighted

This URL will continue to work. There are some differences in terms of routing to get to your data and limitations to the size of calls that can be made (for example the direct API can return a higher maximum row count), but for most cases the differences should not be significant.

 

Feel free to let me know if you have further questions.