Thursday, April 14, 2022

How to query Azure Monitor Log Analytics in Logic Apps with a Managed Identity

tl;dr - why would I care?

 

Connectors are often not only limited in their actions but also in terms of authentication. By calling the respecting API you have more freedom and can call a service with a Managed Identity. This sample shows how to deploy a simple Logic App that queries a Log Analytics workspace and connects to a SharePoint list

 

Intro

Azure Monitor Log Analytics is super powerful to collect data and give you insights on what’s going on with your apps and resources. There is even an Azure Monitor Logs connector for Logic Apps.

 

:high_voltage: Very unfortunately, the connector doesn’t support authentication with a Managed Identity - which means that you’d need either to be a signed-in user or use an app registration, which comes with its own challenges on secret handling. I explained in my previous blog posts why Managed Identities are a way superior way to authenticate.

 

 

Azure Log Analytics REST API to the rescue!

We can call the Azure Log Analytics REST API from Logic Apps with the generic HTTP action - and authenticate with a Managed Identity. For this example, I chose a user-assigned Managed Identity, so that you can reuse it across resources, but of course you can go with a system-assigned Managed Identity as well.

 

I wanted to create a sample on how to create a Logic App that queries Log Analytics with a user-assigned Managed Identity that has the Log Analytics Reader assigned. The Managed Identity also has Microsoft Graph permissions with scope Sites.ReadWrite.All assigned in order to create new items in a SharePoint list about the result of a query of Azure Monitor logs. That could be beneficial for users who don’t have access to the logs but should be notified or similar.

Deployment

  1. Fork and clone this repository
  2. Browse to the root folder in your clone
  3. Connect to the Azure subscription that you want this to run in
  4. Run the deploy.ps1 script, it will
    • create the resource group
    • create the resources
    • assign the Log Analytics role to the Managed Identity
    • assign Graph API Sites.ReadWrite.All permissions to the Managed Identity
  5. You will be prompted to provide
    • a location for your resources
    • a Resource group name
    • the siteID of the site your list lives in
    • the listId of the list in which new rows shall be created

Validate deployment

  1. Check in the Azure Portal after you read the success-message Resources deployed successfully, role assigned

    • Resource group
    • Logic App
    • Azure Log Workspace
    • Managed Identity
 

 

  1. In the Logic App, the Authentication works with the Managed Identity 

     

    logicapp-auth.png

  2. Our Managed Identity has the Log Analytics Reader role assigned 

     

    ManagedIdentity-role.png

  3. Our Managed Identity has the SitesReadWrite.All permission assigned 

     

    ManagedIdentity-permissions.png

Our LogicApp should look like this: 

 

LogicApp-full.png

 

Please make sure that you insert a query into the Logic app that makes sense depending on your scenario. Also adjust the body of the Create list item action to match your SharePoint list. 

 

Conclusion

 

Connectors can be a good way to easily achieve what you need in Logic Apps. However, they sometimes don’t fit your scenario or don’t support your way of doing things - like I really like Managed Identities. Therefore, it's always worth a try to call the API directly so that you do not need to rely on the wrapper.

Questions?

 

If you have questions, want to use this, make it better - please do! Find me either on twitter or on GitHub

sharing is caring

Posted at https://sl.advdat.com/3KKkWpMhttps://sl.advdat.com/3KKkWpM