Share via

View indexer status without viewing admin keys

maapinho 50 Reputation points
2025-10-02T10:39:21.9933333+00:00

Hi. I am trying to give an operations team a way to check the history and status of indexers. When I give the reader status it does not work. It requires the listAdminKeys permissions.

Is there a way to give the ability to view these stats without giving the contributor role and the ability to view the primary and secondary admin keys? Azure CLI does not seem to have commands to view indexers.

Thanks

Azure AI Search
Azure AI Search

An Azure search service with built-in artificial intelligence capabilities that enrich information to help identify and explore relevant content at scale.

0 comments

Answer accepted by question author

Alex Burlachenko 22,120 Reputation points MVP Volunteer Moderator
2025-10-02T14:03:07.7533333+00:00

hi maapinho,

you want your ops team to monitor the indexers without handing them the master keys to the kingdom. the reader role should be enough, but it often fails for deep operational data.

the issue is that the indexer execution history and detailed status are considered administrative information by the azure ai search service. the built in reader role is often too broad at the resource level but too narrow for these specific operational details.

you can create a custom azure role. this lets you define very specific permissions. you can create a role that only has the Microsoft.Search/searchServices/indexers/read action and the Microsoft.Search/searchServices/indexers/status/action permission. this would allow users to list indexers and check their status without being able to see the api keys.

another approach is to use azure monitor. you can enable diagnostic settings for your search service to send logs, including indexer execution logs, to a log analytics workspace. you can then give your operations team reader access to just that log analytics workspace. they can run kusto queries to see the indexer history and status without ever needing access to the search service itself.

this pattern of using a dedicated monitoring workspace is a very secure and scalable way to grant access to operational data.

to summarize. your two best options are to create a custom role with just the indexer status permission, or to use azure monitor and grant access to the logs in a log analytics workspace.

regards,

Alex

and "yes" if you would follow me at Q&A - personaly thx.
P.S. If my answer help to you, please Accept my answer

https://ctrlaltdel.blog/

Was this answer helpful?

1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.