Invoke-AzOperationalInsightsQuery: Operation returned an invalid status code 'NotFound'

asked 2022-12-23T05:10:36.353+00:00
Germain, Yves 6 Reputation points

Invoke-AzOperationalInsightsQuery: Operation returned an invalid status code 'NotFound'

I am running a query in the portal which works fine. When I try to reproduce this in PowerShell I get the previous error message.

This is the kusto query:

AuditLogs
| where OperationName == "Update conditional access policy"
| where TimeGenerated > ago(5d)

I have the right workspaceID, same name, and Resourcegroup in the same Subscription.
$workspaceid = get-azoperationalInsightsWorkspace -Name *******-cac-ws-security-01 -ResourceGroupName *******-cac-rg-security-logs-01
$query = 'AuditLogs
| where OperationName == "Update conditional access policy"
| where TimeGenerated > ago(5d)'

C:\temp> Invoke-AzOperationalInsightsQuery -Query $query -WorkspaceId $WorkspaceID
Invoke-AzOperationalInsightsQuery: Operation returned an invalid status code 'NotFound'
Here is the result in the portal
273535-image.png
Any idea what I could be doing wrong?

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
1,804 questions
1 vote

2 answers

Sort by: Most helpful
  1. answered 2022-12-27T15:17:41.14+00:00
    Monalla-MSFT 6,231 Reputation points Microsoft Employee

    Hello @Germain, Yves - Welcome to Microsoft Q&A and thanks for reaching out to us.

    Please try adding the service principal to Directory readers using this command and see if it helps:

    > Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "Directory Readers"}).Objectid -RefObjectId <object-id>  
    

    Hope this helps. and please feel free to reach out if you have any further questions.

    ------------------------------------------------------------------

    If the above response was helpful, please feel free to "Accept as Answer" and "Upvote" the same so it can be beneficial to the community.

    No comments

  2. answered 2023-01-21T01:43:23.4266667+00:00
    Nathan Oyama 0 Reputation points Microsoft Employee

    You have to select the workspace ID ($workspace.CustomerId), not the whole object ($workspace).

    $workspace = Get-AzoperationalInsightsWorkspace `
      -Name *******-cac-ws-security-01 `
      -ResourceGroupName *******-cac-rg-security-logs-01
    

    I changed the variable name in your question from "$workspaceid" into "$workspace" without changing what's in it. And assume you've defined $query for the same KQL query.

    Then run a very similar command:

     Invoke-AzOperationalInsightsQuery -Query $query -WorkspaceId $workspace.CustomerId
    
    No comments