Azure Log Analytics API permissions on west-us2 region
We try to create an AAD service principal for retrieving data from out Log Analytics workspace.
- Our AAD region is located in
Germany - Log Analytics is located in
North Europe
When attempting to create API permissions, the address to the API itself is mentioning westus2.api.loganalytics.io (west US region) which is a no go for our company data privacy.
Is there any reason of this default and not editable settings ? Is there any way to overcome it ?
Well, if so, you could get the token for ARM API endpoint, then call the ARM API.
In this way, no need to add the API permission for your AD App, just make sure your AD App has an RBAC role e.g. Contributor, Log Analytics Reader in the Access control (IAM) of your workspace, if not, follow this doc to add it.
Then use the client credential flow to get the token.
POST /YOUR_AAD_TENANT/oauth2/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id=YOUR_CLIENT_ID
&redirect_uri=YOUR_REDIRECT_URI
&resource=https://management.azure.com/
&client_secret=YOUR_CLIENT_SECRET
After getting the token, use it to call the api like the sample below.
GET https://management.azure.com/subscriptions/6c3ac85e-59d5-4e5d-90eb-27979f57cb16/resourceGroups/demo/providers/Microsoft.OperationalInsights/workspaces/demo-ws/api/query
Authorization: Bearer <access_token>
Prefer: response-v1=true
{
"query": "AzureActivity | limit 10"
}
For more details, refer to this link.
- Get all user properties from Microsoft graph
- ASP.NET Azure AD / Entra Authentication - App roles in token, but not being assigned to principal
- How to do azure single sign on with next.js 14 and App Router
- Azure ClientCertificateCredential - Using SNI
- Entra ID Schema Extension with custom Namespace
- MSAL Node service & The Partner Center API
- KeyCloak Integration with Azure B2C UserName Mapping Issue
- Generate token fails for Azure app which is both client and API (client credentials workflow)
- Authenticating to Sharepoint Online Site via React SPA in MS Teams personal Tab
- Login failed for user '<token-identified principal>' while authorizing to SQL Server via Service Principal from AAD group assigned
- MSAL library fails to parse token in Chromium based browsers
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure B2C IdP-Access Token fails with IDX10511: Signature validation failed
- EntraID: how to pass application roles downstream
- During signIn receiving B2C error code ‘AADB2C99059’
- How can I read local MS Teams status
- How to find the tenant where a multi-tenant AAD application was registered
- Azure AD permissions for MS Forms
- ASP.NET Core app running on IIS gives Http Error 401.2-Unauthorize
- Azure Active Directory skip account selection on logout
- Azure active directory - Get access token using Azure CLI
- Azure B2C / WPF - Handling a failed MFA verification flow
- How do I display Job Title in my Next Auth app
- Login failed for user identified principal
- What does "grant admin consent" button do in azure Azure Active Directory application?
- Azure AD Graph API or Powershell Graph: Gathering all the assigned roles that are associated to a group
- Azure AD user unable to connect to Azure SQL Error: 18456,State:1,Class:14
- Is there a way to add the sam_account_name of a user in the id_token claims?
- No users to select from the list in Azure Role assignments using Resource Group Owner
- Azure pipelines cannot connect to Azure SQL via AD/Entra using a custom console application