azureazure-diagnosticsazure-entra-id

Reading Azure Entra ID Diagnostic Settings


we have a multi-tenant application that we deploy in our clients' environments. As part of our software solution, we will collect various data from your environment via Microsoft Graph and Azure PowerShell cmdlets.

We are trying to read the Diagnostic settings in Entra ID, what works by running the below code snipped:

$accessToken = (Get-AzAccessToken -ResourceUrl "https://management.azure.com").Token
$apiEndpoint = "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings?api-version=2017-04-01-preview"

$headers = @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type" = "application/json"
}

$response = Invoke-RestMethod -Uri $apiEndpoint -Headers $headers -Method Get

We currently deploy our multi-tenant application in our clients' environments using an ARM template to assign the necessary permissions. However, we are encountering issues with successfully adding the permissions required to read the Diagnostic settings. If we run it without any modifications we get the error:

"message": "The client 'blabla' with object id 'blabla' does not have authorization to perform action 'microsoft.aadiam/diagnosticSettings/write' over scope '/providers/microsoft.aadiam/diagnosticSettings/testDiagSetting' or the scope is invalid. If access was recently granted, please refresh your credentials."

When we manually run the command below, it works. However, we would like to avoid asking IT administrators to run this command manually. Is there a way to assign these permissions via an ARM template? Alternatively, can we use the Graph API to assign the scope to the application and request the client to consent to it?

New-AzRoleAssignment -ObjectId "e348be5c-fc9b-4852-8e04-540093bd461b" -Scope "/providers/Microsoft.aadiam" -RoleDefinitionName 'Contributor' -ObjectType 'ServicePrincipal'

Solution

  • To read the Diagnostic settings in Entra ID specifically, you need to assign permissions at the tenant level. You can automate the assignment of permissions to read the Diagnostic settings in Entra ID using Microsoft.Authorization/roleAssignments. Create a RoleAssignmentTemplate.json to assign the necessary role

    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "principalId": {
          "type": "string",
          "metadata": {
            "description": "The principal (user or application) ID to assign the role to."
          }
        },
        "roleDefinitionId": {
          "type": "string",
          "defaultValue": "b24988ac-6180-42a0-ab88-20f7382dd24c",
          "metadata": {
            "description": "The role definition ID for the role to assign."
          }
        }
      },
      "resources": [
        {
          "type": "Microsoft.Authorization/roleAssignments",
          "apiVersion": "2020-04-01-preview",
          "name": "[guid(parameters('principalId'), parameters('roleDefinitionId'))]",
          "properties": {
            "roleDefinitionId": "[tenantResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
            "principalId": "[parameters('principalId')]",
            "scope": "/providers/Microsoft.aadiam"
          }
        }
      ]
    }
    
    

    Deploy the ARM Template

    RESOURCE_GROUP_NAME="YourResourceGroupName"
    TEMPLATE_FILE_PATH="path/to/your/template.json"
    PRINCIPAL_ID="your-principal-id"
    
    az deployment group create --resource-group $RESOURCE_GROUP_NAME --template-file $TEMPLATE_FILE_PATH --parameters principalId=$PRINCIPAL_ID
    

    enter image description here