Table Level RBAC In Azure Sentinel

Published Oct 30 2019 01:17 AM

Table level RBAC, which lets you define more granular control over the data in a Log Analytics workspace on top of the existing workspace permissions, is now available for Log Analytics and for Azure Sentinel.


Earlier this year, my colleague @Tiander Turpijn published a great post on Best practices for designing an Azure Sentinel or Azure Security Center Log Analytics workspace.

His post covers in great detail the architecture and the considerations for a centralized Log Analytics workspace versus multiple workspaces in Azure Sentinel and Azure Security Center.

In this blog post, we will review how table level RBAC lets you ingest your collected data into a centralized workspace and still keep that data segregated for a specific user or group.


Example use case

Contoso installed several Windows servers and wants to send their performance logs into a centralized workspace that combines security logs and operational logs.
The Contoso Ops team that manages the performance monitoring workload in the organization needs access only to the performance log table, and not to other sensitive data, such as the security event logs, that is stored in the same workspace.


Configure RBAC Table Level Access

To configure the RBAC table level access we need to:


  1. Define an RBAC custom role by creating a custom JSON file that looks like this (the Actions and AssignableScopes values are the ones the role definition below shows):

    {
        "Name": "Contoso Performance Monitor Team",
        "Id": null,
        "IsCustom": true,
        "Description": "Enable users to monitor Linux servers performance logs",
        "Actions": [
            "Microsoft.OperationalInsights/workspaces/read",
            "Microsoft.OperationalInsights/workspaces/query/read",
            "Microsoft.OperationalInsights/workspaces/query/Perf/read"
        ],
        "NotActions": [],
        "AssignableScopes": [
            "/subscriptions/8f153238-e602-427e-a7c0-xxxxxxx50918"
        ]
    }

The first two Actions grant access to the workspace and to its query endpoint; the last one, Microsoft.OperationalInsights/workspaces/query/Perf/read, is what scopes the role to the Perf table only.




2. Add the custom role to our subscription: run the New-AzRoleDefinition PowerShell command below and point it to the custom role JSON file from the previous step.


To run Az PowerShell commands, first install the Az PowerShell module.



New-AzRoleDefinition -InputFile "C:\Users\yanivsh\OneDrive\Demos\Custom_RBAC.json"

Name             : Perf Monitor Team
Id               : ab403341-d1f6-4cea-ae97-aea203b895a1
IsCustom         : True
Description      : Enable users to monitor Linux server performance logs
Actions          : {Microsoft.OperationalInsights/workspaces/read, Microsoft.OperationalInsights/workspaces/query/read, Microsoft.OperationalInsights/workspaces/query/Perf/read}
NotActions       : {}
DataActions      : {}
NotDataActions   : {}
AssignableScopes : {/subscriptions/8f153238-e602-427e-a7c0-xxxxxxx50918} 




3. Add the users that are part of the Ops team to the new custom role, at the subscription level:



4. When an Ops user opens the Log Analytics Logs tab and queries the Perf table, the results are returned:




When the same user tries to query the SecurityEvent table, or any other table in the Azure Sentinel workspace, no results are found.
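The three configuration steps above, generalized to any list of tables, as an added PowerShell example that is not part of the original post. It assumes the Az module is installed and Connect-AzAccount has been run; the subscription id, group name and table list are placeholders you replace with your own.

```powershell
# Added example (not from the original post): build a table-scoped custom role
# for a list of Log Analytics tables and assign it to an Azure AD group at
# subscription scope. Assumed placeholders: subscription id, group, table names.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$GroupName      = "Contoso-Ops-PerfMonitor"                # placeholder group
$Tables         = @("Perf", "Heartbeat")                   # tables the team may read

# Table-level read is one Action per table:
# Microsoft.OperationalInsights/workspaces/query/<Table>/read
$tableActions = $Tables | ForEach-Object {
    "Microsoft.OperationalInsights/workspaces/query/$_/read"
}

$roleName = "Contoso Performance Monitor Team"
$roleDef  = [ordered]@{
    Name             = $roleName
    IsCustom         = $true
    Description      = "Read only the $($Tables -join ', ') tables"
    Actions          = @(
        "Microsoft.OperationalInsights/workspaces/read",        # see the workspace
        "Microsoft.OperationalInsights/workspaces/query/read"   # use the query endpoint
    ) + $tableActions
    NotActions       = @()
    AssignableScopes = @("/subscriptions/$SubscriptionId")
}

# Step 1 + 2: write the definition to JSON and register it with the same cmdlet
# the post uses. Skip creation if a role with this name already exists.
$jsonPath = Join-Path $env:TEMP "Custom_RBAC.json"
$roleDef | ConvertTo-Json -Depth 4 | Set-Content -Path $jsonPath -Encoding utf8
if (-not (Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue)) {
    New-AzRoleDefinition -InputFile $jsonPath | Out-Null
}

# Step 3: assign the role to the Ops group at subscription scope.
$group = Get-AzADGroup -DisplayName $GroupName
New-AzRoleAssignment -ObjectId $group.Id `
                     -RoleDefinitionName $roleName `
                     -Scope "/subscriptions/$SubscriptionId"

# Check: list the per-table Actions actually granted. SecurityEvent must not
# appear here, which is why the group gets no results from that table.
(Get-AzRoleDefinition -Name $roleName).Actions |
    Where-Object { $_ -like "*/workspaces/query/*/read" }
```

The final check is worth keeping in a change review: anyone adding a table to $Tables is adding a read grant, and the listed Actions are the complete set of tables the group can query.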




In this blog post, we reviewed the benefit of table-level RBAC permissions and how to configure them in a real-life scenario.

This feature lets Azure users send their collected data to a centralized workspace, benefit from the advanced analytics, hunting and ML there, and still keep their data segregated.


Occasional Contributor

@Yaniv Shasha Good article and explanation is crystal clear.


Hi @Yaniv Shasha 

Please could you explain why we grant the sentinel reader permission at the sub level and not at the RG?

Thanks a lot,



@Guy_P your comment is relevant and correct for most of the cases.

If the need is only to retrieve the logs, then RG level RBAC is OK.

But if your playbook or workbook is in other RGs, then you need a wider permission scope, the subscription.

Occasional Contributor

Very interesting and useful use case!!!

New Contributor

Hi @Yaniv Shasha, thank you for your article.


I'd like to ask you if you faced any issues when configuring RBAC to tables.

I have faced several issues when I have applied permissions to a custom role, where the users inside of this role are only allowed to query specific tables.

The defined users inside of this custom role don't have access to the Sentinel subscription, only to the Log Analytics workspace; up to here everything is working as expected.


When they try to access the data inside of the Log Analytics workspace, they started receiving permission issues even with the correct permissions. Now this is fixed, but I'm having another issue, and it is related to access to the Azure Diagnostics data.

The users have permissions to access 3 tables, one of these tables is AzureDiagnostics; when they try to query it no data is displayed, but for the remaining tables they are able to see the data.


Any thoughts on why this is happening?


Thank you.


Senior Member

Great article @Yaniv Shasha. I'd like to know whether it's possible to go one step deeper and limit access to specific rows? I know there's no way to do it natively, but maybe there's a hack I can consider, other than having specific logs in custom tables based on access level etc.

Last update: May 17 2020 12:23 AM