Authentication Issues in Logic App due to Managed Identity Issues

Majumder, Purbayan 20 Reputation points
2024-10-15T19:17:47.36+00:00

I am trying to send an HTTP request to one of my Log Analytics workspaces to get the availability status. I am using a system-assigned managed identity for authentication but am facing issues. This is the request below. We are using this to fetch weekly availability statuses.

The GET request through Cloud Shell is working:

az rest --method get --uri "https://management.azure.com/subscriptions/xxxxx/resourceGroups/xxx/providers/Microsoft.OperationalInsights/workspaces/xxx/providers/Microsoft.ResourceHealth/availabilityStatuses/current?api-version=2022-10-01"

Response
---------

{
  "id": "/subscriptions/xxx/resourcegroups/xxxx/providers/microsoft.operationalinsights/workspaces/xxx/providers/Microsoft.ResourceHealth/availabilityStatuses/current",
  "location": "westeurope",
  "name": "current",
  "properties": {
    "availabilityState": "Available",
    "category": "Not Applicable",
    "context": "Not Applicable",
    "occuredTime": "2024-09-02T00:00:00Z",
    "reasonChronicity": "Persistent",
    "reasonType": "",
    "reportedTime": "2024-10-02T07:08:47.0496396Z",
    "summary": "No workspace issues detected.",
    "title": "Available"
  },
  "type": "Microsoft.ResourceHealth/AvailabilityStatuses"
}

But it is failing through the HTTP request action in the Logic App, and I am getting this error:

BadRequest

Http request failed as there is an error getting AD OAuth token: 'AADSTS500011: The resource principal named https://management.azure.com/.default was not found in the tenant named XX . This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: c65ed944-bbea-4a4b-8062-c618246e2000 Correlation ID: 856b900a-2dc7-40e7-9071-59b2e80147df Timestamp: 2024-10-15 18:09:43Z'.

{
  "type": "Http",
  "inputs": {
    "uri": "https://management.azure.com/subscriptions/xxxxx-cexx-xxxx-aaxe-xxxxxxx/resourceGroups/xr-p-xx-xx-xg-0x/providers/Microsoft.OperationalInsights/workspaces/xxxxxxx/providers/Microsoft.ResourceHealth/availabilityStatuses/current?api-version=2022-10-01",
    "method": "GET",
    "headers": {
      "Content-Type": "application/json"
    },
    "authentication": {
      "type": "ManagedServiceIdentity",
      "audience": "https://management.azure.com/.default"
    }
  },
  "runAfter": {},
  "runtimeConfiguration": {
    "contentTransfer": {
      "transferMode": "Chunked"
    }
  }
}


Accepted answer
  1. LeelaRajeshSayana-MSFT 17,766 Reputation points Moderator
    2024-10-15T21:22:52.2266667+00:00

    Hi @Majumder, Purbayan Greetings! Welcome to Microsoft Q&A forum. Thank you for posting this question here.

    Once you create a System Assigned Identity on your Logic App, you would need to add the Log Analytics Reader role assignment to the system identity to grant the resource Read permissions to the analytics workspace.

    You can add this permission by navigating to your Logic App >> Identity >> click Azure role assignments under the System assigned tab. Refer to the image below.

    User's image

    Once you click the Azure Role Assignments button above, you should be able to add a role assignment that can be granted at either the subscription level or the resource group level. Assign the role Log Analytics Reader.

    Once you add the permission, you should be able to hit the Log Analytics Workspace endpoint using the system-assigned managed identity without any issues.

    Hope this helps! Please let us know if you have any additional questions or need further assistance.


    If the response helped, please do click Accept Answer and Yes for the answer provided. Doing so would help other community members with similar issue identify the solution. I highly appreciate your contribution to the community.

    1 person found this answer helpful.
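
An added pre-flight check for the HTTP action in this thread, not code from the original posts: it flags a managed identity `audience` written as a `/.default` scope string (the value named in the AADSTS500011 error) and derives the workspace resource ID as the narrowest scope for the Log Analytics Reader assignment. The names `check_audience` and `role_scope` and the placeholder IDs are assumptions for illustration, as is the rule, taken from the Logic Apps managed identity documentation, that `audience` is a resource ID such as `https://management.azure.com/`.

```python
import json
from urllib.parse import urlsplit

# Assumption (Logic Apps docs): audience is a resource ID, trailing slash included.
ARM_AUDIENCE = "https://management.azure.com/"

# Constructed sample: the action from the question with placeholder IDs.
SAMPLE_ACTION = json.loads("""
{
  "type": "Http",
  "inputs": {
    "uri": "https://management.azure.com/subscriptions/SUB_ID/resourceGroups/RG_NAME/providers/Microsoft.OperationalInsights/workspaces/WS_NAME/providers/Microsoft.ResourceHealth/availabilityStatuses/current?api-version=2022-10-01",
    "method": "GET",
    "authentication": {"type": "ManagedServiceIdentity",
                       "audience": "https://management.azure.com/.default"}
  }
}
""")


def check_audience(action):
    """Return findings about the managed identity audience of an HTTP action."""
    inputs = action.get("inputs", {})
    auth = inputs.get("authentication", {})
    if auth.get("type") != "ManagedServiceIdentity":
        return ["action does not use managed identity authentication"]
    audience = auth.get("audience")
    if audience is None:
        return []  # omitted: the documented default is the ARM resource ID
    host = urlsplit(inputs.get("uri", "")).hostname
    if audience.endswith("/.default"):
        return ["audience is a scope string; use the resource ID without '/.default'"]
    if host == "management.azure.com" and audience != ARM_AUDIENCE:
        return [f"ARM audience must be exactly {ARM_AUDIENCE!r}"]
    return []


def role_scope(action):
    """Resource ID of the target resource, usable as a role assignment scope."""
    path = urlsplit(action["inputs"]["uri"]).path
    # A Resource Health URI nests a second '/providers/' under the target resource.
    head, sep, _ = path.rpartition("/providers/")
    return head if sep and "/providers/" in head else path


if __name__ == "__main__":
    print(check_audience(SAMPLE_ACTION))
    print(role_scope(SAMPLE_ACTION))
```

Run against an exported workflow definition, the first function catches the audience form before the action is deployed; the second gives the resource ID to pass as the scope when assigning the role.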
