Need to understand difference between User assigned Managed Identity and App Registration deployment.

Murarisetty Yamuna
2024-07-30T12:29:44.7433333+00:00

Currently, in our environment, we have a service connection based on app registration. We are now trying to create a service connection using user-assigned managed identity with workload identity authentication. We performed testing with the managed identity-based service connection.

We have NSG flow logs connected to traffic analytics, deployed using an app registration-based service connection with role assignments of Contributor at the resource group level and custom role of Traffic Analytics Manager at the management group level. The flow logs are working as expected in this setup.

However, when we use a service connection based on managed identity with the same role assignments as the app registration, we encounter the error: "does not have permission to perform action(s) 'Microsoft.OperationalInsights/workspaces/sharedKeys/action'". This action belongs to the Log Analytics Contributor role. After assigning this role to the managed identity, the flow logs work as expected.

We need to understand the differences between the service principal and managed identity because assigning the same roles to both does not yield the same results.

Note: The service principal-based service connection scope is at the subscription level, while the managed identity-based service connection scope is at the management group level.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author
  1. Anonymous
    2024-07-30T20:32:57.14+00:00

    Hi @Murarisetty Yamuna, user-assigned managed identities and app registrations are both used to provide identities for Azure resources, but they have some differences in terms of their lifecycle and usage.

    An app registration is a representation of an application in Entra ID. It consists of two components: an application object and a service principal object. The application object represents the application and its metadata, while the service principal object represents the application's identity and its permissions to access resources. App registrations are typically used to authenticate and authorize access to APIs and other resources.

    A user-assigned managed identity is a standalone Azure resource that can be assigned to one or more Azure resources. It provides an identity for the resource to use to authenticate and authorize access to other resources. Managed identities are typically used to authenticate and authorize access to Azure resources, such as storage accounts, Key Vault, and Azure SQL Database.

    The scope of the service connection can affect the permissions that are required. In your case, the service principal-based service connection has a scope at the subscription level, while the managed identity-based service connection has a scope at the management group level. This means that the managed identity-based service connection may require additional permissions to access resources at the management group level.

    As you mentioned with your error, the managed identity did not have the necessary permissions to perform the 'Microsoft.OperationalInsights/workspaces/sharedKeys/action' action. This action is part of the Log Analytics Contributor role, which grants permissions to manage Log Analytics workspaces. The app registration-based service connection had this role assigned to it, while the managed identity-based service connection did not. So make sure in the future you assign the role to both.

    Some helpful docs:

    I hope this helps! Please let me know if you have any questions and I can help you further.

    If this answer helps you, please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

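As an added example (not from the question or the answer above), the following evaluates Azure RBAC's action/scope semantics offline over constructed role definitions and assignments shaped like the question's setup: Contributor at a resource group plus a custom Traffic Analytics Manager role at a management group, assigned identically to a hypothetical app registration principal ("spn-flowlogs") and managed identity ("mi-flowlogs"). It reports which assignment, if any, grants 'Microsoft.OperationalInsights/workspaces/sharedKeys/action' on a workspace inside versus outside the Contributor-scoped resource group, and what adding Log Analytics Contributor changes; the role permissions are abbreviated and the custom role's definition, scope names and resource IDs are assumptions.

```python
import re

# Constructed sample data, not exported from the asker's tenant; built-in role
# permissions are abbreviated and the custom "Traffic Analytics Manager" definition is hypothetical.
ROLE_DEFINITIONS = {
    "Contributor": {"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
    "Log Analytics Contributor": {"actions": ["*/read", "Microsoft.OperationalInsights/*"], "notActions": []},
    "Traffic Analytics Manager": {"actions": ["Microsoft.Network/networkWatchers/*"], "notActions": []},
}
MG = "/providers/Microsoft.Management/managementGroups/mg-root"
# A resource ID does not textually contain its management group, so the
# subscription -> management group link is an explicit (constructed) map.
MG_PARENT = {"/subscriptions/sub-a": MG}
RG = "/subscriptions/sub-a/resourceGroups/rg-net"
WS_IN_RG = RG + "/providers/Microsoft.OperationalInsights/workspaces/law-flowlogs"
WS_OTHER_RG = "/subscriptions/sub-a/resourceGroups/rg-shared/providers/Microsoft.OperationalInsights/workspaces/law-central"
ACTION = "Microsoft.OperationalInsights/workspaces/sharedKeys/action"
# The same two roles at the same scopes for both identities, as in the question.
ASSIGNMENTS = [{"principal": p, "role": r, "scope": s}
               for p in ("spn-flowlogs", "mi-flowlogs")
               for r, s in (("Contributor", RG), ("Traffic Analytics Manager", MG))]

def matches(action, pattern):
    """Azure RBAC wildcard: '*' matches any run of characters; names are case-insensitive."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def applies(scope, resource_id):
    """An assignment applies at or below its scope, including via the management-group chain."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    if r == s or r.startswith(s + "/"):
        return True
    mg = MG_PARENT.get("/".join(r.split("/")[:3]))  # "/subscriptions/<id>" -> its management group
    while mg:
        if mg.lower() == s:
            return True
        mg = MG_PARENT.get(mg)
    return False

def granting_assignment(principal, action, resource_id, assignments):
    """First in-scope assignment whose role has the action in Actions and not in NotActions, else None."""
    for asg in assignments:
        if asg["principal"] != principal or not applies(asg["scope"], resource_id):
            continue
        perms = ROLE_DEFINITIONS[asg["role"]]
        if any(matches(action, p) for p in perms["actions"]) and not any(matches(action, p) for p in perms["notActions"]):
            return asg
    return None
```

Running `granting_assignment` for each identity against the real workspace ID, with definitions and assignments exported from the tenant, shows which assignment is expected to cover the action before a role is added.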
