After migrating to Open Telemetry the Monitor in the VM Blade gives me Access Denied

Question

After migrating to Open Telemetry the Monitor in the VM Blade gives me Access Denied

Csaba Sari 0

Good day to you. When I saw the the call to action on the portal to migrate to the Open Telemetry our virtual machines, I was happy to do it. It was giving me an option to run parallel with the log-based legacy option, so I kept this one also.

I created an Azure Monitoring Workspace in the same region where the test machine was located, and then onboarded a single machine over the UI. Worked pretty well, I got metrics on the VM View/Monitor blade, and I also played around to extend the metrics with a few more, and everything seemed fine.

After that I cleaned up everything, and started from scratch. Then, I created two AMW in two separate regions, and I created two DCRs with proper/internal naming conventions in the same regions, and I assigned all of our machines with scripts. While I got metrics in the AMW, the VM view / Monitor blade gave me an error: "Access Denied: You do not have the necessary permissions to view the data in this section. Please contact your administrator to request access." I have PIM activated Global Admin, Global Resource owner permissions, Global reader assigned permanently, and I also assigned Monitor Contributor to myself. The error is the same, after 24 hours.

So I thought, might be subscription issue. So I cleaned up everything again, created the two AMW in separate regions, I also created ~11 DCRs per our subscriptions and assigned the machines. And the error is the same. "Access Denied: You do not have the necessary permissions to view the data in this section. Please contact your administrator to request access."

Some "visual" explanations of the structure:

- Tenant
|- Subscription (Cloud Infra)
 |- Resource Group for AMW 1 (WEU)
  |- AMW WEU
 |- Resource Group for AMW 2 (GWC)
  |- AMW GWC
|- Subscription (Customer 1)
 |- Resource Group - Infra (WEU)
  |- DCR (WEU)
 |- Resource Group - VMs (WEU)
  |- Virtual Machine (WEU)
|- Subscription (Customer 2)
 |- Resource Group - Infra (GWC)
  |- DCR (GWC)
 |- Resource Group - VMs (GWC)
  |- Virtual Machine (WEU)

To be honest, it drives me crazy. I have metrics in AMW, so they are arriving properly, but not having the same metrics in VM view/Monitor blade - so that's not ok. If I do the clickety-clickety over the UI, it works, but it generates some random named DCRs per machine and that's not feasible.

I would like to ask you, if you can point out any problem in my configuration if I made any mistake, and happy to provide further information if needed. Thank you.

Siva shunmugam Nadessin 5,875 Reputation points Microsoft External Staff Moderator

2026-02-12T13:08:05.2033333+00:00
Hello Csaba Sari,

Thank you for reaching out to the Microsoft Q&A forum.

It sounds like you're having a frustrating time with the "Access Denied" error after migrating to Open Telemetry for your VMs. Based on what you've described, it seems you've done quite a bit of troubleshooting already. Here are a few things you might want to check or try:

Verify Permissions

Make sure that you have the necessary permissions not only at the VM level but also on the Data Collection Rule (DCR) and Azure Monitor Workspace. The Monitor Contributor role is generally required to view the relevant metrics in the Azure portal. You might also need to ensure you have the following permissions:

Reader Role for the Virtual Machine

Reader Role for the Log Analytics Workspace

Reader Role for the DCR associated with the VM

Check Network Settings

Ensure that your Azure Monitor Workspace has the right networking configurations. Specifically:

Go to your Azure Monitor Workspace in the Azure portal.

Select Networking from the settings menu.

If you want to access data over the internet, set Public Network Access to "Enable public access from all networks." If you need private access, ensure that you’re connected to a VNET configured for private access.

Review DCR Configuration

Double-check the Data Collection Rules (DCR) for your VMs. Make sure they are correctly configured under the respective Azure Monitor Workspaces. You should check:

If the DCR is properly associated with your VMs.

The DCR settings to ensure the right metric collection is enabled.

Refresh or Re-assign Permissions

Since you mentioned that PIM is activated and you have multiple roles assigned, sometimes it helps to refresh your permissions:

Try signing out and back into the Azure portal, or refreshing your session.

You may want to remove and reassign your roles to reset any potential issues.

Let me know if you need further information!
Csaba Sari 0 Reputation points

2026-02-14T10:10:00.4866667+00:00

Hi, thank you for your reply too. I was a little bit lost around here - and I posted below a few replies. I makes no sense to repeat them, if you could take a look below, I would appreciate that. Thank you

2 answers

Your answer

Csaba Sari 0 Reputation points

2026-02-14T10:10:00.4866667+00:00

Hi, thank you for your reply too. I was a little bit lost around here - and I posted below a few replies. I makes no sense to repeat them, if you could take a look below, I would appreciate that. Thank you

Answer 1

Hello Csaba Sari,

It looks like you're working with a complex Azure monitoring setup using Data Collection Rules (DCRs) and OpenTelemetry (Otel) metrics. Based on the details you’ve shared, here's a summary of what might be happening and some potential steps to resolve or further investigate the situation:

Role and Permissions Issue:

Initially, you encountered an "Access Denied" error, which suggests there might have been some permission issues with the "Monitoring Contributor" role not being fully propagated yet. Even though you added the necessary roles, sometimes changes like this can take a while to fully reflect across the platform.

The "Access Denied" message is now gone, which means that permission propagation likely completed. However, you still face issues with the metrics not displaying.

Metrics Display in AMW vs. Insights:

You mentioned that you can see metrics when you go directly to the Azure Monitor Workspace (AMW), but not in the "Insights" tab. This suggests that there may be a difference in the way these two views are pulling or visualizing data.

The "Insights" blade may still be in preview and could have some limitations or bugs. This might explain why metrics are visible in one view but not the other.

Missing Metrics in Insights:

Since you're still seeing "No data returned matching the selected filters" in the "Insights" blade, it’s possible the system isn't recognizing or properly pulling the Otel data for display.

One thing to check is whether the correct filters or time window are selected in the Insights view. Sometimes, the data might not be immediately visible depending on the configuration.

Preview Features:

As you've noted, this setup seems to be quite "preview" (in a testing or early access phase), so it's possible there are bugs or limitations in the user interface or data syncing between different sections of Azure Monitor.

It’s worth considering that the Insights view might not yet support all the same capabilities or data that AMW can show, especially since Otel metrics are somewhat newer in Azure Monitor.

Next Steps

Double-Check Filters: Ensure that the filters applied in the "Insights" view (e.g., time range, metrics selected) are correct. Sometimes missing data is due to overly restrictive filters.
Check Otel Metrics Settings: In AMW, verify the setup for the Otel-based metrics (especially the ones you're seeing) to ensure that they are being collected correctly and there are no missing data points.
Check Preview Limitations: Since the "Insights" section is still in preview, it might not support all metrics or data collection sources yet, or there could be some bugs. You could check the Azure documentation for any updates on supported data sources or known limitations.

Let me know if you need more help as you investigate further!

Siva shunmugam Nadessin 5,875 Reputation points Microsoft External Staff Moderator

2026-02-24T02:25:39.14+00:00

Hello Csaba Sari

Just checking in to see if the solution shared above help you to resolve your issue. please reach out to us If you have any further questions.

Thanks

Answer 2

Alex Burlachenko 19,530 Volunteer Moderator

hey hey,

what you are seeing is usually not a VM permission issue but a data permission issue, VM Monitor blade reads metrics from the Azure Monitor Workspace, not directly from the VM, even if you are Global Admin or Monitor Contributor, you still need data access on the workspace itself.

Check the Azure Monitor Workspace and open Access control. Make sure you have Monitoring Reader or Monitoring Contributor assigned at the workspace level, if the workspace uses data plane RBAC, you must have explicit data access there. Being Global Admin in Entra does not automatically grant data access to Azure Monitor Workspace. Check whether the DCR is actually linked to the correct workspace and region that the VM Monitor blade expects. The portal UI creates additional hidden DCR associations when you onboard through the click method. When you create DCRs manually, the VM blade may not recognise the association in the same way.

If metrics are visible inside the workspace but not in the VM blade, that usually means the workspace RBAC is missing or the VM is not properly associated with the workspace for the Monitor view scenario. I would first verify workspace level RBAC, then verify DCR association to the VM, and finally confirm that the VM and workspace are in supported regions for that Monitor blade experience.

This is almost always an RBAC scope issue at workspace level rather than a telemetry problem.

rgds,

Alex

Csaba Sari 0

Hi Alex, thank you for your reply. I checked the DCRs, they are connected to the right AMW, sending their data to the right monitoring accounts, here is one of the JSONs (specific information changed):


{
  "location": "westeurope",
  "properties": {
    "dataSources": {
      "performanceCountersOTel": [
        {
          "streams": ["Microsoft-OtelPerfMetrics"],
          "samplingFrequencyInSeconds": 60,
          "counterSpecifiers": [
            "system.cpu.load_average.15m",
            "system.cpu.load_average.1m",
            "system.cpu.load_average.5m",
            "system.cpu.time",
            "system.cpu.utilization",
            "system.disk.io",
            "system.disk.operation_time",
            "system.disk.operations",
            "system.filesystem.usage",
            "system.filesystem.utilization",
            "system.memory.limit",
            "system.memory.usage",
            "system.memory.utilization",
            "system.network.dropped",
            "system.network.errors",
            "system.network.io",
            "system.uptime"
          ],
          "name": "OtelDataSource"
        }
      ]
    },
    "destinations": {
      "monitoringAccounts": [
        {
          "accountResourceId": "/subscriptions/a1234567-12b3-4c56-de78-910a123b4567/resourcegroups/example_infra_weu/providers/microsoft.monitor/accounts/example-infra-azuremonitorworkspace-weu",
          "accountId": "1ab2c34d-5efa-6789-a1b2-34cd567efa89",
          "name": "MonitoringAccountDestination"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": ["Microsoft-OtelPerfMetrics"],
        "destinations": ["MonitoringAccountDestination"]
      }
    ]
  }
}

I created an Entra Group, added all admin users there, and granted Monitoring Contributor permission to the group on both AMWs. I'll wait now for the propagation.

Csaba Sari 0 Reputation points

2026-02-14T09:44:48.29+00:00

Hi Alex, and thank you for reply. I'm pretty new around here - so I posted a new answer, instead of reply to you. I added Monitoring Contributor roles to a new admin group "Internal Monitoring Contributors", and I waited a day to get out of the 6 hours time window.

On Thursday, the issue was still there, and it was driving me even further crazy on this topic. Friday I had no chance to take a look, but today - after reboot my machine, logout / login to browser and Azure portal, the whole "Monitor" blade is gone from the VMs view, just the legacy is there now, and I don't even have the option to see anything. But, if I go to the AMW itself, I still can see the OTel metrics (with and without the Monitoring Contributor role.

However, after some clicking around, I found that the OTel based monitoring "moved" to Monitoring/Insights. I don't have anymore the "Access Denied" message.

BUT, there are not metrics in this view at all!

SO it seems to me, this things is very very "Preview", right? Because from AMW view, I have the metrics:

Share via

After migrating to Open Telemetry the Monitor in the VM Blade gives me Access Denied

2 answers

Your answer