
Azure Monitor Agent authentication

Hans Weihe 1 Reputation point
2022-09-20T12:20:36.7+00:00

I know that the Azure Monitor Agent uses a managed identity to authenticate to Azure, and it all works well.

But what kind of permission is this managed identity granted behind the scenes to Azure Monitor, the Log Analytics Workspace, and so on? I can't see that this managed identity is granted any permissions within Azure or Azure AD.
I expect that some permissions are required for it all to work out.

Does anyone have insights on how this works out?

/Hansi

Azure Monitor

An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.


4 answers

Sort by: Most helpful
  1. Hans Weihe 6 Reputation points
    2022-09-29T13:20:51.627+00:00

    I'm not sure what happened to my reply from the other day, let me post it again.

    No, @Maxim Sergeev you are not right about the IAM on the DCR. There are absolutely no permissions assigned to the managed identity on the DCR.

    But here is how I think it works out. From the Azure AD sign-in logs I can see that my user-assigned managed identity is used for logging on to 3 services: "Azure Monitor Restricted", "Azure Monitor Control Service" and "Windows Azure Service Management API". I believe that these services are the ones that handle and authorize the access from the VM to the Log Analytics Workspace - all based on which DCR is assigned to the VM.

    I hope it makes sense and that someone else can make use of it.

    1 person found this answer helpful.
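    As an added example (not code from this thread, from Microsoft, or from the Azure Monitor Agent itself): a small Python audit that follows the path described in answers 1 and 2, VM -> DCR association -> DCR destinations, and then checks whether the VM's managed identity holds any RBAC role assignment on the DCR or on the destination workspaces. It lets you confirm for your own VM which workspaces the agent will actually write to, which is the concern raised about a diagnostics workspace versus a security workspace. All resource IDs, GUIDs and JSON documents in the block are constructed to resemble the shapes returned by `az monitor data-collection rule association list`, `az monitor data-collection rule show` and `az role assignment list`; in a real tenant you would feed the script that CLI output instead of the embedded samples.

```python
"""Audit which Log Analytics workspaces a VM's Azure Monitor Agent will reach,
and whether the VM's managed identity holds any RBAC role on that path.

Added example, not from the Q&A thread. Every ID below is a placeholder and the
JSON documents are constructed to mirror Azure CLI output shapes.
"""
import json
from typing import Dict, List

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"          # placeholder
RG = SUB + "/resourceGroups/rg-monitoring"                            # placeholder
VM_PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"              # VM identity (placeholder)
USER_PRINCIPAL_ID = "22222222-2222-2222-2222-222222222222"            # a human user (placeholder)
DCR_DIAG = RG + "/providers/Microsoft.Insights/dataCollectionRules/dcr-diag"
DCR_SEC = RG + "/providers/Microsoft.Insights/dataCollectionRules/dcr-security"
WS_DIAG = RG + "/providers/Microsoft.OperationalInsights/workspaces/law-vm-diagnostics"
WS_SECRET = RG + "/providers/Microsoft.OperationalInsights/workspaces/law-security"
KV_WEB = RG + "/providers/Microsoft.KeyVault/vaults/kv-web"

# Constructed sample: the only DCR associated with the VM is the diagnostics one
# (shape of `az monitor data-collection rule association list --resource <vmId>`).
ASSOCIATIONS = [
    {"name": "vm-web01-diag", "properties": {"dataCollectionRuleId": DCR_DIAG}},
]

# Constructed sample: both DCRs exist, but only dcr-diag is associated above
# (shape of `az monitor data-collection rule show`).
DCRS = {
    DCR_DIAG: {"properties": {
        "destinations": {"logAnalytics": [{"name": "diagWs", "workspaceResourceId": WS_DIAG}]},
        "dataFlows": [{"streams": ["Microsoft-Perf"], "destinations": ["diagWs"]}],
    }},
    DCR_SEC: {"properties": {
        "destinations": {"logAnalytics": [{"name": "secWs", "workspaceResourceId": WS_SECRET}]},
        "dataFlows": [{"streams": ["Microsoft-SecurityEvent"], "destinations": ["secWs"]}],
    }},
}

# Constructed sample: role assignments in the subscription (shape of `az role assignment list --all`).
# The VM identity has a Key Vault role, but nothing on the DCR or the workspaces.
ROLE_ASSIGNMENTS = [
    {"principalId": USER_PRINCIPAL_ID, "principalType": "User",
     "roleDefinitionName": "Monitoring Contributor", "scope": DCR_DIAG},
    {"principalId": USER_PRINCIPAL_ID, "principalType": "User",
     "roleDefinitionName": "Log Analytics Reader", "scope": RG},
    {"principalId": VM_PRINCIPAL_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Secrets User", "scope": KV_WEB},
]


def workspaces_reachable(associations: List[dict], dcrs: Dict[str, dict]) -> List[str]:
    """Follow VM -> association -> DCR and return the workspaces that a data flow actually sends to.
    A destination that no dataFlow references is ignored, since nothing is routed to it."""
    reached: List[str] = []
    for assoc in associations:
        props = dcrs[assoc["properties"]["dataCollectionRuleId"]]["properties"]
        by_name = {d["name"]: d["workspaceResourceId"]
                   for d in props.get("destinations", {}).get("logAnalytics", [])}
        used = {name for flow in props.get("dataFlows", []) for name in flow.get("destinations", [])}
        for name in sorted(used):
            ws = by_name.get(name)
            if ws and ws not in reached:
                reached.append(ws)
    return reached


def assignments_on_scope(assignments: List[dict], principal_id: str, scope: str) -> List[str]:
    """Role names the principal holds at `scope` or at an ancestor scope (RBAC inherits downwards).
    Ancestor test requires a '/' boundary so rg-monitoring does not match rg-monitoring2."""
    target = scope.lower()
    roles = []
    for a in assignments:
        if a["principalId"] != principal_id:
            continue
        s = a["scope"].lower()
        if target == s or target.startswith(s.rstrip("/") + "/"):
            roles.append(a["roleDefinitionName"])
    return sorted(roles)


def audit(principal_id: str, associations: List[dict], dcrs: Dict[str, dict],
          assignments: List[dict]) -> Dict[str, object]:
    """Report reachable workspaces plus the identity's RBAC on each DCR and workspace on the path."""
    reached = workspaces_reachable(associations, dcrs)
    rbac: Dict[str, List[str]] = {}
    for assoc in associations:
        dcr_id = assoc["properties"]["dataCollectionRuleId"]
        rbac[dcr_id] = assignments_on_scope(assignments, principal_id, dcr_id)
    for ws in reached:
        rbac[ws] = assignments_on_scope(assignments, principal_id, ws)
    return {"reachable_workspaces": reached, "rbac_on_path": rbac}


if __name__ == "__main__":
    # Expected: only law-vm-diagnostics is reachable, and the VM identity has no role on the path.
    print(json.dumps(audit(VM_PRINCIPAL_ID, ASSOCIATIONS, DCRS, ROLE_ASSIGNMENTS), indent=2))
```

    The point the report makes visible is the one the thread converges on: which workspace the agent writes to is decided by the DCR association, not by a role assignment held by the VM's identity, so an empty `rbac_on_path` alongside a non-empty `reachable_workspaces` is the normal state. To review real data, replace the three constructed samples with the parsed JSON from the corresponding `az` commands.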

  2. Maxim Sergeev 6,591 Reputation points Microsoft Employee
    2022-09-20T19:40:23.103+00:00

    Azure Monitoring Agent is just a bridge from a Virtual Machine to other things like Data Collection Rules / Data Collection Endpoints.

    AMA without DCRs does nothing.

    Data Collection Rules - this is the place where the magic happens. As an example, just open the DCR and its IAM, and you will be able to check all the permissions to the resources where it needs to be.

    https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview#permissions


  3. Hans Weihe 1 Reputation point
    2022-09-20T14:08:07.453+00:00

    Still can't believe that no permissions are in play somewhere.

    Imagine that you have 2 Log Analytics Workspaces. One is for VM diagnostics and the other is for top secret security logging.

    How is it controlled that the Azure Monitor Agent can access the first Workspace, but has no access to the top secret security workspace?

    A VM can't access e.g. a Storage account or a Key Vault unless the managed identity is granted permissions on the resource level.

    The same must apply when an Azure Monitor Agent accesses a Log Analytics Workspace through a managed identity.


  4. Andrew Blumhardt 10,071 Reputation points Microsoft Employee
    2022-09-20T13:36:57.587+00:00

    I am not certain if any additional access is required for Azure Monitor: "You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code."

    https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-manage
    https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-managed-identities-work-vm

