Invoke-AzOperationalInsightsQuery: Operation returned an invalid status code 'NotFound'

Germain, Yves 6 Reputation points
2022-12-23T05:10:36.353+00:00

Invoke-AzOperationalInsightsQuery: Operation returned an invalid status code 'NotFound'

I am running a query in the portal which works fine. When I try to reproduce this in PowerShell I get the previous error message.

This is the kusto query:

AuditLogs
| where OperationName == "Update conditional access policy"
| where TimeGenerated > ago(5d)

I have the right workspaceID, same name, and Resourcegroup in the same Subscription.
$workspaceid = get-azoperationalInsightsWorkspace -Name *******-cac-ws-security-01 -ResourceGroupName *******-cac-rg-security-logs-01
$query = 'AuditLogs
| where OperationName == "Update conditional access policy"
| where TimeGenerated > ago(5d)'

C:\temp> Invoke-AzOperationalInsightsQuery -Query $query -WorkspaceId $WorkspaceID
Invoke-AzOperationalInsightsQuery: Operation returned an invalid status code 'NotFound'
Here is the result in the portal
273535-image.png
Any idea what I could be doing wrong?

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
1,955 questions

2 answers

Sort by: Oldest
Most helpful Newest Oldest
  1. Monalla-MSFT 6,656 Reputation points Microsoft Employee
    2022-12-27T15:17:41.14+00:00

    Hello @Germain, Yves - Welcome to Microsoft Q&A and thanks for reaching out to us.

    Please try adding the service principal to Directory readers using this command and see if it helps: 

    > Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "Directory Readers"}).Objectid -RefObjectId <object-id>

    Hope this helps. and please feel free to reach out if you have any further questions.

    ------------------------------------------------------------------

    If the above response was helpful, please feel free to "Accept as Answer" and "Upvote" the same so it can be beneficial to the community.

  2. Nathan Oyama 0 Reputation points Microsoft Vendor
    2023-01-21T01:43:23.4266667+00:00

    You have to select the workspace ID ($workspace.CustomerId), not the whole object ($workspace).

    $workspace = Get-AzoperationalInsightsWorkspace `
  -Name *******-cac-ws-security-01 `
  -ResourceGroupName *******-cac-rg-security-logs-01

    I changed the variable name in your question from "$workspaceid" into "$workspace" without changing what's in it. And assume you've defined $query for the same KQL query.

    Then run a very similar command:

     Invoke-AzOperationalInsightsQuery -Query $query -WorkspaceId $workspace.CustomerId