Authenticating to Log Analytics via Azure App Service delegated permissions

Question

I've created a application in Azure App Service which uses Entra ID authentication (Easy auth). Part of this application accesses log analytics and needs to run queries on behalf of the user.

I've already setup delegated permissions under 'API Permissions' in the application.

The application currently uses a managed identity to authenticate to log analytics @ https://api.loganalytics.io

I'm not sure how I can get the user who has logged in to the application's bearer token to log analytics?

I did try to use X-MS-TOKEN-AAD-ACCESS-TOKEN but that doesn't work (and doesn't seem correct)

Could someone help me out?

Answer 1

Thanks for posting your question in the Microsoft Q&A forum.

To proceed, follow these steps:

• Obtain a token specifically for Log Analytics on behalf of the user. Implement MSAL in your application to manage token acquisition. This library facilitates obtaining tokens for different Azure resources.
• Verify that your app registration has the appropriate delegated permissions configured for Log Analytics. Typically, you will need the "Data.Read" permission for Log Analytics.
• basic example using C# and MSAL:

using Microsoft.Identity.Client;
// Configure the MSAL client
var app = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithClientSecret(clientSecret)
    .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
    .Build();
// Get the user's access token from Easy Auth
string userAccessToken = HttpContext.Request.Headers["X-MS-TOKEN-AAD-ACCESS-TOKEN"];
// Use the user's access token to get a token for Log Analytics
string[] scopes = new string[] { "https://api.loganalytics.io/Data.Read" };
var result = await app.AcquireTokenOnBehalfOf(scopes, new UserAssertion(userAccessToken))
    .ExecuteAsync();
string logAnalyticsToken = result.AccessToken;

---

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful