Azure Monitor Alert Multi-Tenant Secure Webhook

Mathias Sundman 5 Reputation points

Is it possible to have an Azure Monitor action group action use a Secure Webhook to call an EntraID authenticated Azure Function in a different tenant? As long as my Azure Function is in the same tenant, I can successfully select the ObjectID of my Function App's App Registration in the Action Group configuration after making myself owner of that application. However if I create the function app in a different tenant as a Multi-Tenant app and request admin consent from my parent tenant with Azure Monitor, it only appears as an Enterprise App, not as an App Registration, so I'm unable to make myself owner of the application, and therefor unable to select it in the Azure Monitor action group. Why this "Owner" restriction? Wouldn't it make sense to be able to use a cross-tenant authenticated Secure Webhook?

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,692 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Ryan Hill 24,546 Reputation points Microsoft Employee

    Apologies for the late reply @Mathias Sundman. I've reached out to the product group regarding your specific issue. That limitation is by design and there isn't a work around. The reasoning behind it addresses a security concern. Without checking the ownership, anyone can configure a securewebhook action under his/her action group that's pointing to another customer's securewebhook. This can allow them to take advantage of the action Group to make http call to the webhook service.

    0 comments No comments

  2. Pinaki Ghatak 2,225 Reputation points Microsoft Employee

    Hello @Mathias Sundman

    The “Owner” restriction you’re encountering is due to how Azure handles permissions and security across tenants. When you create an Azure Function in a different tenant as a Multi-Tenant app, it appears as an Enterprise App in the parent tenant because it’s considered a service provided by another tenant.

    Admin consent in Azure is designed to protect the data and resources of a tenant. It’s a mechanism that ensures only authorized administrators can grant permissions to applications, especially when those applications request access to sensitive data or resources.

    In the case of a multi-tenant application, admin consent can only be provided for the tenant where the application is registered in the first place1.

    Users or Administrators of other tenants cannot consent via Azure Portal. It has to be done either when a user/administrator accesses the multi-tenant application for the first time, or by constructing the Admin Consent URL and sharing it with the Administrators of the other tenants.

    As for Azure Monitor action groups, they are designed to work within the context of a single tenant. The “Owner” restriction ensures that the person configuring the action group has the necessary permissions to access and manage the resources involved. While it might seem logical to use a cross-tenant authenticated Secure Webhook, it would introduce complexities around security, data privacy, and compliance. Each tenant in Azure is a boundary that isolates access to resources and data. Allowing cross-tenant access would require careful management of these aspects.

    However, your feedback about the “Owner” restriction and the desire for cross-tenant authenticated Secure Webhooks is valuable. I recommend providing this feedback directly to Microsoft through their UserVoice or feedback forums. We are always here for ways to improve their services based on user needs.

    If this information provided here helps solve your issue, please tag this as answered, so it helps further community readers, who may have similar questions.

    0 comments No comments