SOLVED

Log Analytics into Azure Lighthouse

%3CLINGO-SUB%20id%3D%22lingo-sub-1400262%22%20slang%3D%22en-US%22%3ELog%20Analytics%20into%20Azure%20Lighthouse%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1400262%22%20slang%3D%22en-US%22%3E%3CP%3EI%20had%20a%20look%20at%20the%20community%20pages%2C%20but%20can't%20find%20a%20section%20specific%20to%20Lighthouse%2C%20so%20pardon%20me%20for%20posting%20here.%20If%20there%20is%20a%20dedicated%20space%2C%20I%20would%20appreciate%20a%20link.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20an%20issue%20pulling%20customer%20log%20information%20from%20Log%20Analytics%20into%20our%20Lighthouse%20tenant.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20a%20group%20that%20gets%20assigned%20Contributor%20rights%20to%20the%20customer%20environment%20at%20subscription%20level.%20I%20am%20able%20to%20browse%20all%20resources%2C%20and%20I%26nbsp%3B%20have%20verified%20that%20I%20can%20create%20resources.%20However%2C%20when%20I%20access%20the%20Log%20Analytics%20workspace(s)%2C%20I%20am%20unable%20to%20run%20any%20queries%20(or%20query%20any%20VM%20performance%20data%20through%20Azure%20Monitor)%2C%20and%20it's%20as%20if%20it%20just%20hangs%20there%20trying%20to%20retrieve%20the%20log%20data.%20Attached%20is%20a%20snip%20of%20what%20I%20see.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3ELogging%20in%20to%20the%20customer%20tenant%20directly%20with%20Owner%20permissions%20I%20am%20able%20to%20successfully%20query%20the%20logs%20and%20view%20VM%20performance%20data.%3CBR%20%2F%3E%3CBR%20%2F%3EPlease%20advise%20if%20there%20are%20any%20specific%20considerations%20in%20terms%20of%20permissions.%20I%20assumed%20Contributor%20role%20at%20subscription%20level%20would%20have%20sufficed.%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%3CBR%20%2F%3E%3CBR%20%2F%3ESebastiaan%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1400262%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMonitoring%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1445665%22%20slang%3D%22en-US%22%3ERe%3A%20Log%20Analytics%20into%20Azure%20Lighthouse%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1445665%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F513150%22%20target%3D%22_blank%22%3E%40SebastiaanR%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EApply%20%22Log%20Analytics%20Reader%22%20role.%20%22%3CSPAN%3EContributor%22%20rights%20will%20not%20give%20access%20to%20read%2Fquery%20logs.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EHope%20this%20helps!%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E-Azeem%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1483822%22%20slang%3D%22en-US%22%3ERe%3A%20Log%20Analytics%20into%20Azure%20Lighthouse%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1483822%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20the%20guidance.%3C%2FP%3E%3CP%3EI've%20changed%20this%2C%20and%20I%20now%20get%20the%20LA%20Reader%20role%20assigned%20(at%20subscription%20level).%20Whenever%20I%20run%20any%20query%2C%20I%20still%20get%20the%20following%20error%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22header-block%22%3E%3CSTRONG%3E%3CSPAN%20class%3D%22ai-tip-tests-error-message%20ng-binding%22%3EERROR%20RETRIEVING%20DATA%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FDIV%3E%3CDIV%20class%3D%22details-block%20ng-binding%22%3E%3CEM%3ERegister%20resource%20provider%20'Microsoft.Insights'%20for%20this%20subscription%20to%20enable%20this%20query%20If%20issue%20persists%2C%20please%20open%20a%20support%20ticket.%3C%2FEM%3E%3C%2FDIV%3E%3CDIV%20class%3D%22details-block%20ng-binding%22%3E%3CEM%3ERequest%20id%3A%26nbsp%3B%3C%2FEM%3E%3C%2FDIV%3E%3CDIV%20class%3D%22details-block%20ng-binding%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22details-block%20ng-binding%22%3EI've%20confirmed%20that%20the%20provider%20is%20registered%20against%20the%20subscription.%3C%2FDIV%3E%3CDIV%20class%3D%22details-block%20ng-binding%22%3EWhen%20running%20this%20same%20query%20when%20logged%20in%20directly%20to%20the%20subscription%2C%20I%20get%20a%20successful%20result.%3C%2FDIV%3E%3CDIV%20class%3D%22details-block%20ng-binding%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22details-block%20ng-binding%22%3EThis%20is%20the%20case%20with%20multiple%20subscriptions%2C%20which%20leads%20me%20to%20believe%20it%20is%20either%20still%20a%20permission%20issue.%20Especially%20considering%20the%20following%20alert%20I%20get%20via%20e-mail%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CEM%3E%7B%22statusCode%22%3A%22Unauthorized%22%2C%22serviceRequestId%22%3Anull%2C%22statusMessage%22%3A%22%7B%5C%22error%5C%22%3A%7B%5C%22code%5C%22%3A%5C%22AuthorizationRequiredError%5C%22%2C%5C%22message%5C%22%3A%5C%22Valid%20authentication%20was%20not%20provided%5C%22%7D%7D%22%2C%22eventCategory%22%3A%22Administrative%22%7D%3C%2FEM%3E%3C%2FDIV%3E%3CDIV%20class%3D%22details-block%20ng-binding%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22details-block%20ng-binding%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1621890%22%20slang%3D%22en-US%22%3ERe%3A%20Log%20Analytics%20into%20Azure%20Lighthouse%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1621890%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F513150%22%20target%3D%22_blank%22%3E%40SebastiaanR%3C%2FA%3E%26nbsp%3BDid%20you%20get%20a%20resolution%20for%20this%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI've%20mirrored%20your%20scenario%20by%20setting%20up%20my%20provider%20with%20ONLY%20log%20analytics%20reader%20access%20to%20a%20test%20customer%20subscription%2C%20and%20I%20can%20successfully%20query%20log%20analytics%20(via%20Lighthouse%20delegation)%20with%20no%20errors.%20This%20suggests%20it's%20something%20specific%20to%20your%20provider%20tenant%2C%20which%20would%20require%20a%20support%20ticket%20for%20Microsoft%20to%20investigate.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E-Sonia%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1621901%22%20slang%3D%22en-US%22%3ERe%3A%20Log%20Analytics%20into%20Azure%20Lighthouse%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1621901%22%20slang%3D%22en-US%22%3E%3CP%3EAlso%20note%20the%20doc%20on%20managing%20access%20to%20Log%20Analytics%20workspaces%20states%20at%20the%20bottom%20that%20if%20a%20user%20is%20granted%20the%20global%20Reader%20or%20Contributor%20roles%2C%20they%20will%20be%20granted%20access%20to%20all%20log%20data%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fmanage-access%3FWT.mc_id%3Dmodinfra-5682-socuff%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fmanage-access%3FWT.mc_id%3Dmodinfra-5682-socuff%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1656306%22%20slang%3D%22en-US%22%3ERe%3A%20Log%20Analytics%20into%20Azure%20Lighthouse%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1656306%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F170596%22%20target%3D%22_blank%22%3E%40Sonia%20Cuff%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESame%20error%20in%20my%20case.%20I%20gave%20Sentinel%20Contributor%20and%20Logs%20Analytics%20Reader%20(also%20tried%20w%2F%20Contributor)%20access%20to%20the%20same%20PrincipalId%20through%20Lighthouse.%20I%20can%20see%20alerts%2Fincidents%20but%20not%20perform%20queries%20or%20see%20tables%20from%20the%20managing%20tenant.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EManaged%20tenant%20did%20enable%20Microsoft.Insights.%20Any%20idea%20on%20how%20to%20debug%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1656984%22%20slang%3D%22en-US%22%3ERe%3A%20Log%20Analytics%20into%20Azure%20Lighthouse%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1656984%22%20slang%3D%22en-US%22%3EIn%20case%20anyone%20else%20ran%20into%20the%20same%20issue%3A%20Microsoft.Insights%20needs%20to%20be%20applied%20on%20the%20managing%20tenant%2C%20not%20the%20managed%20one.%20This%20was%20confusing%20as%20the%20error%20message%20only%20mentions%20%22this%20subscription%22%20while%20you're%20accessing%20a%20managed%20one.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1671393%22%20slang%3D%22en-US%22%3ERe%3A%20Log%20Analytics%20into%20Azure%20Lighthouse%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1671393%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20detective%20work%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F779640%22%20target%3D%22_blank%22%3E%40milkmix_%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3EI've%20reached%20out%20internally%20to%20see%20if%20we%20can%20get%20the%20Doc%20updated%20to%20mention%20this%20pre-req.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1717225%22%20slang%3D%22en-US%22%3ERe%3A%20Log%20Analytics%20into%20Azure%20Lighthouse%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1717225%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F779640%22%20target%3D%22_blank%22%3E%40milkmix_%3C%2FA%3E%26nbsp%3BThanks%20for%20this%20feedback.%20This%2C%20however%2C%20did%20not%20resolve%20my%20problem.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20tenant%20I%20am%20accessing%20the%20customer%20subscriptions%20from%20does%20not%20have%20its%20own%20subscription%20associated%2C%20and%20the%20registered%20providers%20are%20added%20at%20subscription%20level%2C%20so%20not%20entirely%20sure%20how%20to%20then%20go%20about%20that.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20this%20perhaps%20something%20I%20am%20doing%20wrong%3F%20Do%20I%20need%20to%20have%20a%20subscription%20(albeit%20even%20an%20unused%20one)%20in%20the%20managing%20tenant%20for%20this%20to%20work%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1718229%22%20slang%3D%22en-US%22%3ERe%3A%20Log%20Analytics%20into%20Azure%20Lighthouse%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1718229%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F513150%22%20target%3D%22_blank%22%3E%40SebastiaanR%3C%2FA%3E%26nbsp%3B%20I%20never%20even%20thought%20of%20a%20scenario%20where%20the%20managing%20tenant%20wouldn't%20have%20a%20subscription!%20Add%20even%20an%20Azure%20Free%20Account%20sub%20to%20it%20and%20see%20if%20that%20works.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1718656%22%20slang%3D%22en-US%22%3ERe%3A%20Log%20Analytics%20into%20Azure%20Lighthouse%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1718656%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F170596%22%20target%3D%22_blank%22%3E%40Sonia%20Cuff%3C%2FA%3E%26nbsp%3B%20Bingo!%20This%20sorted%20it%20right%20out!%20It%20is%20a%20little%20vague%2C%20although%20I%20suppose%20I%20could%20have%20mentioned%20this%20configuration%20from%20the%20get%20go.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20again%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F779640%22%20target%3D%22_blank%22%3E%40milkmix_%3C%2FA%3E%26nbsp%3Bfor%20nudging%20the%20thought%20process%20in%20this%20direction.%20Much%20appreciated!%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

I had a look at the community pages, but can't find a section specific to Lighthouse, so pardon me for posting here. If there is a dedicated space, I would appreciate a link.

 

I have an issue pulling customer log information from Log Analytics into our Lighthouse tenant.

 

I have a group that gets assigned Contributor rights to the customer environment at subscription level. I am able to browse all resources, and I  have verified that I can create resources. However, when I access the Log Analytics workspace(s), I am unable to run any queries (or query any VM performance data through Azure Monitor), and it's as if it just hangs there trying to retrieve the log data. Attached is a snip of what I see.

Logging in to the customer tenant directly with Owner permissions I am able to successfully query the logs and view VM performance data.

Please advise if there are any specific considerations in terms of permissions. I assumed Contributor role at subscription level would have sufficed.

Thanks

Sebastiaan

10 Replies

@SebastiaanR 

Apply "Log Analytics Reader" role. "Contributor" rights will not give access to read/query logs.

Hope this helps!

-Azeem

Thanks for the guidance.

I've changed this, and I now get the LA Reader role assigned (at subscription level). Whenever I run any query, I still get the following error:

 

ERROR RETRIEVING DATA
Register resource provider 'Microsoft.Insights' for this subscription to enable this query If issue persists, please open a support ticket.
Request id: 
 
I've confirmed that the provider is registered against the subscription.
When running this same query when logged in directly to the subscription, I get a successful result.
 
This is the case with multiple subscriptions, which leads me to believe it is either still a permission issue. Especially considering the following alert I get via e-mail:

{"statusCode":"Unauthorized","serviceRequestId":null,"statusMessage":"{\"error\":{\"code\":\"AuthorizationRequiredError\",\"message\":\"Valid authentication was not provided\"}}","eventCategory":"Administrative"}
 
 

@SebastiaanR Did you get a resolution for this?

 

I've mirrored your scenario by setting up my provider with ONLY log analytics reader access to a test customer subscription, and I can successfully query log analytics (via Lighthouse delegation) with no errors. This suggests it's something specific to your provider tenant, which would require a support ticket for Microsoft to investigate.

 

-Sonia

Also note the doc on managing access to Log Analytics workspaces states at the bottom that if a user is granted the global Reader or Contributor roles, they will be granted access to all log data:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-access?WT.mc_id=modinfra-5682-s...

Hi @Sonia Cuff 

 

Same error in my case. I gave Sentinel Contributor and Logs Analytics Reader (also tried w/ Contributor) access to the same PrincipalId through Lighthouse. I can see alerts/incidents but not perform queries or see tables from the managing tenant.

 

Managed tenant did enable Microsoft.Insights. Any idea on how to debug this?

In case anyone else ran into the same issue: Microsoft.Insights needs to be applied on the managing tenant, not the managed one. This was confusing as the error message only mentions "this subscription" while you're accessing a managed one.

Great detective work @milkmix_ 
I've reached out internally to see if we can get the Doc updated to mention this pre-req.

@milkmix_ Thanks for this feedback. This, however, did not resolve my problem.

 

The tenant I am accessing the customer subscriptions from does not have its own subscription associated, and the registered providers are added at subscription level, so not entirely sure how to then go about that.

 

Is this perhaps something I am doing wrong? Do I need to have a subscription (albeit even an unused one) in the managing tenant for this to work?

Best Response confirmed by SebastiaanR (Occasional Contributor)
Solution

@SebastiaanR  I never even thought of a scenario where the managing tenant wouldn't have a subscription! Add even an Azure Free Account sub to it and see if that works.

@Sonia Cuff  Bingo! This sorted it right out! It is a little vague, although I suppose I could have mentioned this configuration from the get go.

 

Thanks again @milkmix_ for nudging the thought process in this direction. Much appreciated!