This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 41%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
I'm getting the following error when querying the Azure Tenant Activity logs:
GET
https://management.azure.com/providers/Microsoft.Insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '2024-03-19T12:00:00Z' and resourceUri eq '/providers/Microsoft.Authorization' and eventChannels eq 'Operation'
{ "error": { "code": "AuthorizationFailed", "message": "The client 'xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.Insights/eventtypes/values/read' over scope '/providers/Microsoft.Insights/eventtypes/management' or the scope is invalid. If access was recently granted, please refresh your credentials." } }
I´ve granted the user both Reader and Monitoring Reader RBAC role at the root management group level. To get the access token I´m using:
[https://login.microsoftonline.com/
The error message indicates that the client, with a specific object ID, does not have the required permissions to read Azure management events. Given that you have already assigned both Reader and Monitoring Reader RBAC roles at the root management group level, there might be other reasons causing the issue. Here are some troubleshooting steps and considerations to address this error:
Role Assignment Confirmation: Double-check that the Reader and Monitoring Reader roles have been correctly assigned to the user at the root management group level. Make sure these roles are correctly inherited by all child resources.
Propagation Time: If you recently assigned the roles, ensure that sufficient time has passed for the changes to propagate throughout Azure. It might take a few minutes for new role assignments to take effect.
Correct Scope: Ensure that the assigned RBAC roles are at the correct scope. Assigning roles at the root management group should provide access to all resources, but verify that the roles are correctly inherited by the scope you're querying.
Resource Permissions: Some resources require specific permissions beyond the Reader role. Review the required permissions for accessing management event logs and ensure they align with the roles assigned.
Refresh Tokens: As the error message suggests, if you've recently granted access, try refreshing your authentication token to ensure you're using the updated credentials. This can be done by re-authenticating or renewing the access token.
Clear Cache: If you're using a cache for tokens, clear it to avoid using stale credentials.
Check Management Group Hierarchy: Ensure that there are no unusual hierarchies or scopes that might interfere with RBAC inheritance. If there's a custom hierarchy, verify that the roles are inherited correctly.
Azure Resource Providers: The error message refers to "Microsoft.Insights," suggesting the scope might involve accessing a specific Azure resource provider. Verify that the Reader and Monitoring Reader roles provide adequate permissions for this resource provider.
Access Policy: Certain resource providers may have specific access policies or configurations. Ensure that the current setup aligns with these requirements.
Assign Specific Roles: If Reader and Monitoring Reader roles are insufficient, consider assigning roles like Contributor or a custom role with the necessary permissions.
Custom Role with Specific Permissions: If a custom role is required, create one that includes the specific permissions needed to access the desired resource scope. This approach provides more granular control over permissions.
Azure CLI: If you're using a specific method to get the access token, try obtaining it through Azure CLI to see if that resolves the issue.
Use the following command to log in: az login
After logging in, try running the query with Azure CLI.
PowerShell: Similarly, you can use PowerShell to interact with Azure and verify permissions.
I was able to solve this by assigning the RBAC Reader role at the root level:
az role assignment create --assignee <assignee> --role Reader --scope "/"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 43%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
@Agustin Sabelli - I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.
@Agustin Sabelli - Welcome to Microsoft Q&A and thanks for reaching out to us.
In order to query the Azure tenant activity logs, please assign the RBAC reader role at the root level.
az role assignment create --assignee <assignee> --role Reader --scope "/"
Hope this helps. and please feel free to reach out if you have any further questions.
Please don't forget to "Accept as Answer" and click "Yes" if the above response is helpful, so it can be beneficial to the community.