custom role in Azure AD for Provisioning logs is not working

Kumkuse 21 Reputation points
2022-08-29T12:46:12.56+00:00

I have created a custom role with global admin credentials to read the provisioning logs when a user is assigned the custom role. I have assigned a user to that custom role; when he opens his Azure portal he is able to view the provisioning logs, but when I tried testing it, it is showing the error below.

Note: The main function of this role (microsoft.directory/provisioningLogs/allProperties/read) is to read all properties of provisioning logs (https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-enterprise-app-permissions).

Please assist on this. Thanks in advance.

  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2022-08-30T00:36:01.267+00:00

    Hi @Kumkuse ,

    You say, "I have assigned the user to that custom role where when he opens his azure portal he is able to view the provisioning logs, but when I tried testing it is showing below error." To clarify, do you mean that you are logging in with an account with the same permissions and receiving that error, or with different permissions than the ones you described? Are you accessing with both a global admin role and a custom role or just one or the other?

    I am not sure which permissions you have applied in your custom role, but if you only have "microsoft.directory/applicationPolicies/allProperties/read" applied, the issue might be that there is more data showing in the portal provisioning logs and you need to apply additional permissions as documented here and here.

    The documentation details that these are the roles that provide access to the provisioning logs:

    • Application owners (logs for their own applications)
    • Users in the Security Administrator, Security Reader, Report Reader, Security Operator, Application Administrator, and Cloud Application Administrator roles
    • Users in a custom role with the provisioningLogs permission
    • Global administrators

    Please also confirm whether you are using a Guest or Member account to access this page, and whether you are accessing portal.azure.com or aad.portal.azure.com. If possible, you can create a cloud-only account and add the permissions to that account to see if you get different results.

    I have asked the product team to see if there is anything that could cause that error while you have those correct permissions applied, but let me know if I should supply additional details for them.

    -

    If the information helped you, please Accept the answer. This will help us and other community members as well.
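As an added example (not code from this thread or from Microsoft), the following Microsoft Graph PowerShell SDK script creates a custom role carrying only the provisioningLogs read permission discussed above, assigns it, and then verifies both that the definition really contains that permission and which other directory roles the test user holds. The role name and the user UPN are placeholders.

```powershell
# Added example: define, assign and verify a custom Entra ID role that holds only
# the provisioning-log read permission. Requires the Microsoft.Graph PowerShell SDK
# (Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules).
$RoleName     = "Provisioning Log Reader (custom)"                  # placeholder name
$NeededAction = "microsoft.directory/provisioningLogs/allProperties/read"
$UserUpn      = "reader@contoso.example"                            # placeholder UPN

# Sign in with an account allowed to manage role definitions; the script itself
# only needs these two delegated scopes.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Create the role definition only if it does not already exist.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $role) {
    $role = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter @{
        DisplayName     = $RoleName
        Description     = "Read-only access to provisioning logs"
        IsEnabled       = $true
        RolePermissions = @(@{ AllowedResourceActions = @($NeededAction) })
    }
}

# Check 1: the definition contains the provisioningLogs permission itself, not a
# neighbouring one such as microsoft.directory/applicationPolicies/allProperties/read.
$actions = $role.RolePermissions | ForEach-Object { $_.AllowedResourceActions }
if ($actions -notcontains $NeededAction) {
    throw "Role '$RoleName' lacks $NeededAction; it has: $($actions -join ', ')"
}

# Assign the role at tenant scope ("/") to the user if no assignment exists yet.
$user = Get-MgUser -UserId $UserUpn
$existing = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" |
    Where-Object { $_.RoleDefinitionId -eq $role.Id }
if (-not $existing) {
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId "/" | Out-Null
}

# Check 2: list every directory role the user holds, so a second role (for example
# a Global Administrator assignment) is visible when reproducing the portal error.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" |
    ForEach-Object {
        (Get-MgRoleManagementDirectoryRoleDefinition `
            -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
    }
```

Run the last block as the tested user as well (with `Connect-MgGraph` under that account) to confirm the token the portal receives carries the same assignments.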