How to convert Central Log Analytics Workspace to use Resource Access Control?

Mihir Raj Singh 120 Reputation points
2023-07-14T12:30:59.53+00:00

I have a central log analytics workspace. I need it to use resource access control instead of workspace access control.

Is it possible to convert? If yes, then:

Will the existing monitors and queries continue to function?

What access will people be granted that they don't currently have?

Will sensitive data be exposed?

Is there a cost impact to making this change?


1 answer

AnuragSingh-MSFT 18,666 Reputation points
    2023-07-17T09:51:40.9266667+00:00

    @Mihir Raj Singh, thank you for this question on Microsoft Q&A. I have tried to cover all the answers in the points below.

    Is it possible to convert? If yes, then:

    To access logs in a Log Analytics workspace with resource-level access control, the LA workspace itself does not change. Nothing is required on the LA workspace to make this change effective. This whole concept is taken care of by the permissions of the end user. For example, if the end user has read access on the LA workspace, then all the logs are available for the user to view. However, if the end user does not have permission on the LA workspace, but only read access to the resource (say a VM), then the user can only view logs related to that VM.

    Will the existing monitors and queries continue to function?

    Yes, as there are no changes to the LA workspace itself, the existing monitors and queries are not impacted.

    What access will people be granted that they don't currently have?

    I am not sure if I understand this question correctly. I assume you are enquiring about the permission that users might need to access logs for a particular resource. If yes, then the user needs read access for the resource (not the LA workspace). This permission can be granted at subscription, resource group or resource level.

    Will sensitive data be exposed?

    I am not sure if I understand this question; I assume that your question is related to the logs stored in the LA workspace itself. If a user has a minimum of read access to a VM (and not to the LA workspace), then the user can view all logs related to that VM that are stored in the LA workspace. Also, the "sensitive data" classification varies from usage to usage. For example, in certain scenarios VM names and IPs are considered sensitive depending on context or audience, and in some cases they are not. Therefore, it is better to understand what the sensitive data in your use case is and check whether the logs contain that information.

    Is there a cost impact to making this change?

    No. There is no impact on cost, as the changes are related to RBAC on the LA workspace and the monitored resource.

    Hope this helps.

    If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.

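The access model the answer describes, as an added Azure CLI example that is not part of the thread: Reader is granted at the VM scope, the workspace is left unchanged, a check confirms the principal holds no workspace-scoped (or inherited) assignment, and logs are then queried in resource context. The subscription ID, names and principal are constructed placeholders, and the resource-centric query endpoint form (`/v1{resourceId}/query`) is assumed from Azure Monitor's Log Analytics REST API.

```shell
#!/usr/bin/env sh
# Added example (not from the Q&A thread): resource-context access to a central LA workspace.
set -eu

# Constructed placeholders: replace with your own subscription, names and principal.
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-example}"
VM_NAME="${VM_NAME:-vm-example}"
WORKSPACE_NAME="${WORKSPACE_NAME:-law-central}"
PRINCIPAL="${PRINCIPAL:-analyst@example.com}"

# ARM resource ID of the VM: the ONLY scope at which Reader is granted.
vm_scope() {  # args: subscription resource-group vm-name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s' "$1" "$2" "$3"
}

# ARM resource ID of the workspace, used only to verify the user has no direct access to it.
workspace_scope() {  # args: subscription resource-group workspace-name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s' "$1" "$2" "$3"
}

# Resource-centric query URL (assumed endpoint form: https://api.loganalytics.io/v1{resourceId}/query).
resource_query_url() {  # arg: ARM resource ID
  printf 'https://api.loganalytics.io/v1%s/query' "$1"
}

# 1. Grant Reader on the VM only; nothing is changed on the workspace.
grant_reader_on_vm() {
  az role assignment create --assignee "$PRINCIPAL" --role Reader \
    --scope "$(vm_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$VM_NAME")"
}

# 2. Defender check: list assignments at the workspace scope, including ones inherited from the
#    resource group or subscription, since those would still grant workspace-wide log access.
list_workspace_assignments() {
  az role assignment list --assignee "$PRINCIPAL" --include-inherited \
    --scope "$(workspace_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$WORKSPACE_NAME")" -o table
}

# 3. Query in resource context: only rows whose _ResourceId is this VM are returned.
query_vm_heartbeat() {
  az rest --method post --resource https://api.loganalytics.io \
    --url "$(resource_query_url "$(vm_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$VM_NAME")")" \
    --body '{"query":"Heartbeat | where TimeGenerated > ago(1h) | project TimeGenerated, Computer, _ResourceId"}'
}

# Live steps run only when invoked as "sh script.sh run" after "az login" by a user who can assign roles.
if [ "${1:-}" = run ]; then
  grant_reader_on_vm; list_workspace_assignments; query_vm_heartbeat
fi
```

If the assignment listing shows the principal already holds Reader at the resource group or subscription, they have workspace-context access regardless of the VM-scoped grant, which is the caveat behind the "what access do people get" question.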