SOLVED

Log Analytics RBAC

Hi Team,

Below is my requirement related to configuring Azure PaaS resources to send logs to a Log Analytics workspace.

Tenant Name: XYZ

Subscription A: A Log Analytics workspace (name: Security) is provisioned and, on top of it, Azure Sentinel is enabled.

Description A: This Log Analytics workspace is the central workspace, where resources running in different subscriptions (B & C) under the same tenant need to send logs to the LA workspace in subscription A.

Subscriptions B & C: Have a couple of resources running, and the Owner/Contributor of these subscriptions needs to send logs to the LA workspace in subscription A.

But as per my security control, I can provide Log Analytics Reader access on the LA workspace (running in sub A) for the owner/contributor of subscriptions B & C.

But after testing, the user with Log Analytics Reader on the Security workspace is not able to configure a resource (in sub B or C) to send logs to the Security Log Analytics workspace.

It only works after providing Log Analytics Contributor (I can't provide this RBAC).

ASK: Is there any way that I can provide specific RBAC to users in sub B or C so that they can configure a resource to send logs to the Log Analytics workspace in sub A?

Hope this is understandable.


3 Replies

Hi,

Can anyone answer this? Pl

best response confirmed by hspinto (Microsoft)
Solution

@Pavan_Gelli1910, you'll have to create a custom role for that. As you can see from the Log Analytics Contributor role details, there are some permissions that relate to what you need to accomplish, such as Microsoft.Insights/diagnosticSettings/*.

Try creating a custom role with these permissions and assign it to a test user. Remember to log the test user out and back in (in a new browser session) after assigning the role, just to be sure the permissions are loaded.

Hope that helps! If it doesn't work, then you'll probably need to add other permissions to the custom role. See here for a complete list of available permissions for Log Analytics.
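The custom-role approach from the answer above, as an added example that is not part of the thread or of any Microsoft tooling: it builds a role definition in the JSON shape that `az role definition create --role-definition <file>` accepts, starting from the `Microsoft.Insights/diagnosticSettings/*` action the answer names, and then checks which operations the role would actually grant before anyone assigns it. The subscription IDs, the role name and the extra `Microsoft.OperationalInsights/workspaces/read` action are assumptions (the thread does not say which additional actions, if any, are required; confirm them against the resource provider operations reference). The wildcard matcher is this example's own approximation of Azure's action matching (case-insensitive, `*` matches any characters, NotActions subtract from Actions).

```python
"""Build and sanity-check a least-privilege Azure custom role for diagnostic settings.

Added example, not code from the forum thread or from Azure. Placeholders and
assumptions are marked in comments.
"""
import fnmatch
import json

# Constructed placeholder scopes for subscriptions B and C (not real IDs).
SUB_B = "/subscriptions/00000000-0000-0000-0000-00000000000b"
SUB_C = "/subscriptions/00000000-0000-0000-0000-00000000000c"


def build_role(assignable_scopes, extra_actions=(), not_actions=()):
    """Return a custom role definition in the JSON shape accepted by
    `az role definition create --role-definition <file>`.

    The first action is the one the answer names; the workspace read action
    is an assumption (it is what the Log Analytics Reader role already grants
    the user, so it is not additional privilege).
    """
    actions = [
        "Microsoft.Insights/diagnosticSettings/*",        # named in the answer
        "Microsoft.OperationalInsights/workspaces/read",  # assumption
    ]
    actions.extend(extra_actions)
    return {
        "Name": "Diagnostic Settings Operator (example)",  # placeholder name
        "IsCustom": True,
        "Description": "Configure diagnostic settings to send logs to the "
                       "central Log Analytics workspace without workspace "
                       "contributor rights.",
        "Actions": actions,
        "NotActions": list(not_actions),
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": list(assignable_scopes),
    }


def _matches(pattern, operation):
    # Azure action strings are case-insensitive; '*' matches any characters.
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def action_allowed(role, operation):
    """Effective permission: some Actions entry matches and no NotActions entry does."""
    allowed = any(_matches(p, operation) for p in role["Actions"])
    denied = any(_matches(p, operation) for p in role["NotActions"])
    return allowed and not denied


def unexpected_grants(role, forbidden_operations):
    """Least-privilege check: return the operations the security control forbids
    that this role would nevertheless permit (empty list means the role is safe
    to assign with respect to that list)."""
    return [op for op in forbidden_operations if action_allowed(role, op)]


def to_json(role):
    """Serialize for `az role definition create --role-definition role.json`."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    role = build_role([SUB_B, SUB_C])
    # Operations the workspace owner does not want to hand out (constructed list).
    forbidden = [
        "Microsoft.OperationalInsights/workspaces/write",
        "Microsoft.OperationalInsights/workspaces/delete",
        "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
    ]
    print(to_json(role))
    print("diagnosticSettings/write allowed:",
          action_allowed(role, "Microsoft.Insights/diagnosticSettings/write"))
    print("unexpected grants:", unexpected_grants(role, forbidden))
```

Run it, save the printed JSON to `role.json`, and create the role with `az role definition create --role-definition role.json` (assuming the Azure CLI); assign it to the test user at the subscription B or C scope, then re-run `unexpected_grants` whenever someone proposes adding another action, so the role stays below the Log Analytics Contributor boundary the question is trying to avoid.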

@hspinto Thank you for your support. To address my requirement I need to go with custom RBAC creation only.