Hi @ritmo2k
Thanks for outlining your scenario — this is a common requirement when exposing operational data to external consumers, and it’s good you’re thinking about access control early.
At a high level, Azure App Service and Azure Monitor don’t natively support restricting log access based on request parameters (such as {name}) or Entra ID group membership at the log store level. Azure RBAC controls who can access an Application Insights or Log Analytics resource, but once access is granted, users can query all logs in that scope.
Because of this, the recommended and supported approach is to enforce fine‑grained access within your application, rather than exposing logs directly from Azure Monitor.
A common pattern that works well is:
- Ensure that structured logs are sent to Application Insights, incorporating {name} as a custom dimension or property with each request. This approach enables clear filtering of logs by consumer.
- Please ensure that direct access to Application Insights and Log Analytics remains restricted, allowing only internal operators or a managed identity to access these resources.
- Provide access to logs via a custom API endpoint, for example, GET /logs/{name}, and ensure it is secured using Microsoft Entra ID.
- For this endpoint, check the caller’s group membership using your custom authorization handler, and then run a filtered Application Insights or Log Analytics query that returns logs where {name} equals x.
This keeps Azure RBAC responsible for protecting the logging resources themselves, while your API enforces the business rule that “a user can only see logs for the {name} they’re authorized for.” That separation of concerns aligns with Azure security best practices and avoids over‑exposing telemetry.
Reference:
https://learn.microsoft.com/en-us/azure/azure-monitor/app/data-model-complete
https://learn.microsoft.com/en-us/azure/azure-monitor/app/create-workspace-resource?tabs=portal
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/monitor
https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
If the answer is helpful, please click "Accept the answer" and "Yes"; this can be beneficial to other community members.
If you have any other questions, let me know in the "comments" and I would be happy to help you.
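An added example, not part of the original answer: a sketch of the authorization and query-building step behind `GET /logs/{name}`, which fails closed when the token carries no `groups` claim and validates `{name}` before it reaches the query text. It assumes the Entra ID token has already been validated upstream, that logs live in the `traces` table with `{name}` stored under `customDimensions["name"]`, and that `run_query` is a hypothetical callable wrapping whatever query client the API uses; the group IDs are constructed.

```python
import re

# Constructed mapping: consumer {name} -> Entra ID group object ID allowed to read it.
NAME_TO_GROUP = {
    "contoso": "11111111-1111-1111-1111-111111111111",
    "fabrikam": "22222222-2222-2222-2222-222222222222",
}
# Strict allowlist for {name}: no quotes, pipes or whitespace can reach the query.
NAME_RE = re.compile(r"[a-z0-9-]{1,32}")

class Forbidden(Exception):
    pass

def authorize(claims, name):
    """Return the validated name or raise Forbidden. Fails closed."""
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        raise Forbidden("invalid name")
    required = NAME_TO_GROUP.get(name)
    groups = claims.get("groups")
    if required is None or not isinstance(groups, list):
        # Unknown name, or no groups claim in the token (for example when
        # the user has too many groups to fit): deny rather than guess.
        raise Forbidden("cannot establish access")
    if required not in groups:
        raise Forbidden("caller is not in the required group")
    return name

def can_read(claims, name):
    try:
        authorize(claims, name)
        return True
    except Forbidden:
        return False

def build_query(name, hours=24):
    # Only call with a name returned by authorize(); the filter value is
    # then limited to NAME_RE characters and cannot alter the query.
    return (
        "traces\n"
        f"| where timestamp > ago({int(hours)}h)\n"
        f'| where tostring(customDimensions["name"]) == "{name}"\n'
        "| project timestamp, severityLevel, message\n"
        "| order by timestamp desc"
    )

def get_logs(claims, name, run_query):
    """Handler body for GET /logs/{name}; the query runs only after authorize()."""
    return run_query(build_query(authorize(claims, name)))
```

The query itself should run under the API's managed identity, so callers never hold a role on the Application Insights or Log Analytics resource.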