Before starting this article, let me wish you a happy end of the year and wish you all the best for 2023.

One of the big problems for many companies is access to logs. If you have one Log Analytics workspace for all of your resources in Azure, this article is for you 😊

In this article, I will send all logs to one Log Analytics workspace. I have logs of different types, like Azure Application Gateway, Azure Virtual Desktop, App Service Plan, App Service, Storage accounts, etc.

Before starting, we will create 4 custom RBAC roles, one per log type, to give these permissions:

  • AVD Log Reader
  • Storage Log Reader
  • App Service Log Reader
  • Application Gateway Log Reader

AVD Log Reader:

Storage Log Reader:

App Service Log Reader:

Application Gateway Log Reader:

After that, you can apply the permissions at the resource level or at the subscription level, depending on your needs.
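The article's four role definitions are screenshots, so here is an added example (not the article's own definitions) that builds the same kind of roles with the legacy table-level method of Log Analytics: a custom role needs `Microsoft.OperationalInsights/workspaces/read` to see the workspace, `Microsoft.OperationalInsights/workspaces/query/read` to run queries at all, and one `Microsoft.OperationalInsights/workspaces/query/<Table>/read` action per table the team may read. The role names follow the article; the subscription id is a placeholder, and the table lists are the Log Analytics table names I know for those resource types (the Application Gateway ones are the resource-specific tables, which exist only if the diagnostic setting writes to resource-specific tables rather than the shared AzureDiagnostics table), so verify them against the tables actually present in your workspace. The `is_least_privilege` check is mine, to catch a wildcard or a non-read action sneaking into a "reader" role.

```python
"""Build table-level Log Analytics reader roles (added example, not from the article)."""
import json
from typing import Dict, List

# Placeholder: replace with your subscription id (not a value from the article).
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"

# Minimum actions needed to open the workspace and run any query.
BASE_ACTIONS = [
    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.OperationalInsights/workspaces/query/read",
]

# Tables each team may read. Only tables whose diagnostic categories are
# enabled will actually exist in the workspace; adjust to what you see there.
ROLE_TABLES: Dict[str, List[str]] = {
    "AVD Log Reader": [
        "WVDConnections", "WVDErrors", "WVDCheckpoints",
        "WVDManagement", "WVDFeeds", "WVDAgentHealthStatus",
    ],
    "Storage Log Reader": [
        "StorageBlobLogs", "StorageFileLogs",
        "StorageQueueLogs", "StorageTableLogs",
    ],
    "App Service Log Reader": [
        "AppServiceHTTPLogs", "AppServiceConsoleLogs", "AppServiceAppLogs",
        "AppServiceAuditLogs", "AppServicePlatformLogs",
    ],
    "Application Gateway Log Reader": [
        "AGWAccessLogs", "AGWPerformanceLogs", "AGWFirewallLogs",
    ],
}


def table_read_action(table: str) -> str:
    """Permission string that grants read access to exactly one table."""
    if not table.isidentifier():
        raise ValueError(f"unexpected table name: {table!r}")
    return f"Microsoft.OperationalInsights/workspaces/query/{table}/read"


def build_role(name: str, tables: List[str], subscription_id: str) -> dict:
    """Role definition in the JSON shape that `az role definition create` accepts."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": f"Read-only access to {', '.join(tables)} in Log Analytics",
        "Actions": BASE_ACTIONS + [table_read_action(t) for t in tables],
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        # Limits where the role can be assigned; narrow it further if you like.
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def build_all_roles(subscription_id: str = SUBSCRIPTION_ID) -> Dict[str, dict]:
    """All four reader roles from the article, keyed by role name."""
    return {n: build_role(n, t, subscription_id) for n, t in ROLE_TABLES.items()}


def is_least_privilege(role: dict) -> bool:
    """A reader role must contain only explicit read actions: no wildcards, no writes."""
    return all("*" not in a and a.endswith("/read") for a in role["Actions"])


def role_file_name(name: str) -> str:
    """File name for the role JSON, e.g. 'AVD Log Reader' -> 'avd-log-reader.json'."""
    return name.lower().replace(" ", "-") + ".json"


if __name__ == "__main__":
    for name, role in build_all_roles().items():
        if not is_least_privilege(role):
            raise SystemExit(f"{name} grants more than table reads, refusing to write it")
        path = role_file_name(name)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(role, fh, indent=2)
        # Create the role once per subscription, then assign it at the scope you want.
        print(f"az role definition create --role-definition @{path}")
```

Once the JSON files exist, `az role definition create --role-definition @avd-log-reader.json` creates the role, and `az role assignment create --assignee <user or group> --role "AVD Log Reader" --scope /subscriptions/<id>` reproduces the subscription-level assignment the article shows; use the workspace's resource id as `--scope` for the resource-level variant. Because the role only carries `workspaces/read` and query actions, the assignee sees the workspace in the portal but nothing else, which is exactly the behaviour described in the next screenshots.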

For example, for the AVD Log Reader, I applied it at the subscription level:

(Screenshot: Microsoft Azure Sponsorship - Dev | Access control (IAM))

If I log in with this user, I can only see the Log Analytics workspace:

(Screenshot: Microsoft Azure | All Resources)

If I try to query logs I should not have access to, I get no results:

(Screenshot: Microsoft Azure | All Resources | Logs)

But the AVD logs I can access, because the role grants me the rights:

(Screenshot: Microsoft Azure | All Resources | Logs AVD)

After adding the permissions for the Storage logs, I can now access them:

(Screenshot: Microsoft Azure Sponsorship - Dev | Access control (IAM) | Storage Logs)

(Screenshot: Microsoft Azure Sponsorship - Dev | Access control (IAM) | Storage Logs Access)

And for the App Service Plan:

(Screenshot: Microsoft Azure Sponsorship - Dev | Access control (IAM) | App Service Plan)

(Screenshot: Microsoft Azure Sponsorship - Dev | Access control (IAM) | App Service Plan Access)

Finally, for Application Gateway logs:

(Screenshot: Microsoft Azure Sponsorship - Dev | Access control (IAM) | Application Gateway Logs)


This is well worth adopting in your administration: a centralized Log Analytics workspace with all logs, but with the right permissions for each team.

One problem that I can see is, for example, the network part. Those diagnostics logs are common to all diagnostics components, so at this time you cannot give a team access to only a specific part of Azure within diagnostics.

I gave you 4 examples of custom RBAC roles, but of course, you can do this with all logs in your Log Analytics workspace.
