Issue granting consent to access AppInsights Data
We have too many instances of AppInsights configured, so I am trying to determine the most-recent log entry in each instance to learn which are no longer being used. Here is my code.
namespace EnumerateAppInsights
{
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Monitor.Query;
using Azure.Monitor.Query.Models;
using Azure.ResourceManager;
using Azure.ResourceManager.ApplicationInsights;
using System;
using System.Net;
using System.Threading.Tasks;
class Program
{
static async Task Main()
{
var credentials = new UsernamePasswordCredential(username, password, tenantId, clientId);
try
{
var armClient = new ArmClient(credentials);
var subscriptionCollection = armClient.GetSubscriptions();
foreach (var subscriptionResource in subscriptionCollection.GetAll())
{
foreach (var resourceGroup in subscriptionResource.GetResourceGroups())
{
var appInsightsCollection = resourceGroup.GetApplicationInsightsComponents();
foreach (var appInsightsComponentResource in appInsightsCollection.GetAll())
{
var queryClient = new LogsQueryClient(credentials);
string resourceId =
$"/subscriptions/{subscriptionResource.Data.SubscriptionId}" +
$"/resourceGroups/{resourceGroup.Data.Name}" +
$"/providers/Microsoft.Insights/AppInsights" +
$"/{appInsightsComponentResource.Data.Name}";
Response<LogsQueryResult> results = await queryClient.QueryResourceAsync(
new ResourceIdentifier(resourceId),
WebUtility.UrlEncode("traces | top 1 by timestamp desc | project timestamp"),
new QueryTimeRange(TimeSpan.FromDays(1)));
...
}
}
}
}
catch (Exception ex)
{
Console.WriteLine($"Error: {ex.Message}");
}
Console.ReadLine();
}
}
}
And here is the output.
Error: UsernamePasswordCredential authentication failed:
AADSTS65001: The user or administrator has not consented to use the application with
ID '3d5d70e8-2249-4979-b5ea-6892e9a7ce4e' named 'EnumerateAppInsights'.
Send an interactive authorization request for this user and resource.
I was originally receiving this exception from the ArmClient() but solved that problem by adding Api Permissions & Admin Consent for Azure Server Management to the App Registration.
But now I am getting it from the LogsQueryClient() and even after adding permissions/consent for:
- Applications Insight
- API Azure Analysis Services
- Azure DevOps
it's still happening. Anyone have any thoughts to share?
Adding the missing permissions - Log Analytics API - solved this problem. But now I am getting "SEM0100": Failed to resolve table expression named 'traces'". Is it possible this is because we have not yet updated to Workspace-based Application Insights?
The error usually occurs if the service principal does not have required permissions or roles to perform the operation.
I registered one Azure AD application and added below API permissions by granting admin consent like this:
When I ran your code in my environment, I too got same error as you like below:
namespace EnumerateAppInsights
{
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Monitor.Query;
using Azure.Monitor.Query.Models;
using Azure.ResourceManager;
using Azure.ResourceManager.ApplicationInsights;
using System;
using System.Net;
using System.Threading.Tasks;
class Program
{
static async Task Main()
{
var credentials = new UsernamePasswordCredential(username, password, tenantId, clientId);
try
{
var armClient = new ArmClient(credentials);
var subscriptionCollection = armClient.GetSubscriptions();
foreach (var subscriptionResource in subscriptionCollection.GetAll())
{
foreach (var resourceGroup in subscriptionResource.GetResourceGroups())
{
var appInsightsCollection = resourceGroup.GetApplicationInsightsComponents();
foreach (var appInsightsComponentResource in appInsightsCollection.GetAll())
{
var queryClient = new LogsQueryClient(credentials);
string resourceId =
$"/subscriptions/{subscriptionResource.Data.SubscriptionId}" +
$"/resourceGroups/{resourceGroup.Data.Name}" +
$"/providers/Microsoft.Insights/AppInsights" +
$"/{appInsightsComponentResource.Data.Name}";
Response<LogsQueryResult> results = await queryClient.QueryResourceAsync(
new ResourceIdentifier(resourceId),
WebUtility.UrlEncode("traces | top 1 by timestamp desc | project timestamp"),
new QueryTimeRange(TimeSpan.FromDays(1)));
...
}
}
}
}
catch (Exception ex)
{
Console.WriteLine($"Error: {ex.Message}");
}
Console.ReadLine();
}
}
}
Response:
To resolve the error, you need to add Log Analytics API permission in your application as below:
Make sure to grant admin consent to added API permissions as below:
When I ran the same code again after granting consent to above permission, I got response like this:
In your case, make sure to add Log Analytics API permission and grant admin consent for it to resolve the error.
Reference: API access and authentication - Azure Monitor | Microsoft
- Error 403 User not authorized when trying to access Azure Databricks API through Active Directory
- Add Azure Active Directory User to Azure SQL Database
- How to use stored procedure parameters as dynamic content in copy activity using ADF
- Azure AD B2C error AADB2C90057 when I am NOT trying to use the implicit flow
- “That Microsoft account doesn’t exist” for Microsoft logins on Auth0
- You don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action'
- .Net Core - Use AzureAD/EntraID Authentication to Access Azure DevOps REST APIs
- Issue with Azure Automation Account and Key Vault Certificate Retrieval
- OpenAI remove key access while using AAD authentication
- Azure Tenant setup for .NET Blazor WASM calling Web API + Microsoft Graph
- Add tenant specific roles in Azure AD multitenant app
- Allow App Service to be called by just a test user and another App Service using a system assigned managed identity
- How to automatically refresh access token
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- How to get user's attributes from Identity in Blazor Server with organization authentication
- Correlation failed in net.core / asp.net identity / openid connect
- I'm unable to Login to VM with Azure AD user credentials
- I need to add co-organizer in teams meeting through graph api
- MSAL for non-SPA? Server side authentication?
- Entra ID - Adding actor claim to the token via client credential flow
- Roles for a SPA and API setup in Microsoft Intra ID
- Getting a token from Microsoft Intra ID with PostMan using MFA
- Unable to patch businessPhones of Entra External ID user, Insufficient privileges to complete the operation
- How to create dynamic groups in AzureAD/EntraID from a csv import?
- Creating a user in Azure AD B2C through Microsoft SSO
- Azured AD JWT authentication doesn't work for Web API hosted in docker using TestContainer
- How do I connect locally to Azure SQL database with Microsoft Entra ID registered app in C#?
- How to fix 'Unable to Obtain Authentication Token' in Active Directory Authentication to Azure Analysis Server
- Error OrganizationFromTenantGuidNotFound and 401 Unauthorized when Sending Email via Microsoft Graph API in React App
- Fetch employee id from from job description properties .NET 8