Azure AD authentication for Azure Monitor Logs
Azure Monitor can collect data in Azure Monitor Logs from multiple sources. These sources include agents on virtual machines, Application Insights, diagnostic settings for Azure resources, and the Data Collector API.
Log Analytics agents use a workspace key as an enrollment key to verify initial access and provision a certificate further used to establish a secure connection between the agent and Azure Monitor. To learn more, see Send data from agents. The Data Collector API uses the same workspace key to authorize access.
These options are cumbersome and pose a risk because it's difficult to manage credentials, specifically workspace keys, at scale: a key is a single shared secret that any agent or script holding it can use to write into the workspace. You can opt out of local authentication and ensure that only telemetry authenticated with managed identities and Azure Active Directory (Azure AD) is ingested into Azure Monitor. This feature enhances the security and reliability of the telemetry used to make critical operational and business decisions.
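To make the risk concrete, the following added example (written for this page, not code from the Azure documentation or from an Azure SDK) reproduces the shared-key scheme the Data Collector API uses: the client builds an HMAC-SHA256 over the request method, body length, content type, date header and resource path under the base64-decoded workspace key, and the service recomputes and compares it. The workspace ID, both keys, the timestamp and the log record are constructed values, and nothing is sent over the network. Note that the signature covers only the body's length, not its bytes, and that nothing in the request names a caller: whoever holds the key is accepted, and rotating the key breaks every client that was configured with the old one.

```python
"""Added example (not from the Azure documentation): how a Data Collector API
client authorizes a request with the workspace key, and what the service checks.
All values are constructed: the workspace ID and keys below are made up, and nothing
is sent over the network.
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample credentials (not real).  A workspace key is shown in the
# portal as base64; these stand in for the primary key and for a rotated key.
WORKSPACE_ID = "11111111-2222-3333-4444-555555555555"
WORKSPACE_KEY = base64.b64encode(b"A" * 64).decode()
ROTATED_KEY = base64.b64encode(b"B" * 64).decode()
# Fixed timestamp so that results are reproducible.
SAMPLE_TIME = datetime(2023, 1, 2, 3, 4, 5, tzinfo=timezone.utc)


def build_signature(workspace_id, shared_key, date_rfc1123, content_length,
                    method="POST", content_type="application/json", resource="/api/logs"):
    """Return the Authorization header value: SharedKey {WorkspaceId}:{Signature}.

    The string to sign is the method, body length, content type, x-ms-date header and
    resource path, one per line.  It is MACed with HMAC-SHA256 under the base64-decoded
    workspace key and the MAC is base64-encoded.  Only the body *length* is covered, so
    possession of the key is the entire basis of trust.
    """
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{date_rfc1123}\n{resource}")
    mac = hmac.new(base64.b64decode(shared_key), string_to_sign.encode("utf-8"),
                   hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(mac).decode()}"


def build_request(workspace_id, shared_key, records, log_type, when):
    """Assemble the URL, headers and body an ingestion client would send."""
    body = json.dumps(records).encode("utf-8")
    date_rfc1123 = when.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, date_rfc1123, len(body)),
        "Log-Type": log_type,          # becomes the <log_type>_CL custom table
        "x-ms-date": date_rfc1123,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return {"url": url, "headers": headers, "body": body}


def verify_signature(shared_key, request, workspace_id):
    """The service-side check: recompute the MAC from the request and compare.

    Nothing in the request names a caller identity, so whoever holds the key passes
    (and after the key is rotated every previously configured client fails).
    """
    expected = build_signature(workspace_id, shared_key,
                               request["headers"]["x-ms-date"], len(request["body"]))
    return hmac.compare_digest(expected, request["headers"]["Authorization"])


if __name__ == "__main__":
    # Constructed sample record, as an agent or script would post it.
    records = [{"Computer": "web01", "Event": "login", "Result": "failure"}]
    req = build_request(WORKSPACE_ID, WORKSPACE_KEY, records, "MyAuditLog", SAMPLE_TIME)
    print(req["headers"]["Authorization"])
    print("accepted with current key:", verify_signature(WORKSPACE_KEY, req, WORKSPACE_ID))
    print("accepted after key rotation:", verify_signature(ROTATED_KEY, req, WORKSPACE_ID))
```

Because the check is a pure function of the key, there is no way to tell a legitimate agent from an attacker who has read the key out of an agent configuration or a pipeline variable; that is the gap that managed identities and Azure AD close.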
To enable Azure AD integration for Azure Monitor Logs and remove reliance on these shared secrets:
- Migrate to Azure Monitor Agent from the Log Analytics agents. Azure Monitor Agent doesn't require any keys; it authenticates with the virtual machine's managed identity instead.
- Disable local authentication for Log Analytics workspaces.
- Ensure that only authenticated telemetry is ingested in your Application Insights resources with Azure AD authentication for Application Insights (preview).
Disable local authentication for Log Analytics
After you've removed your reliance on the Log Analytics agent, you can disable local authentication for Log Analytics workspaces. Then you can ingest and query telemetry authenticated exclusively by Azure AD.
Disabling local authentication might limit the availability of some functionality, specifically:
- Existing Log Analytics agents will stop functioning. Only Azure Monitor Agent will be supported. Azure Monitor Agent will be missing some capabilities that are available through the Log Analytics agent. Examples include custom log collection and IIS log collection.
- The Data Collector API (preview) won't support Azure AD authentication and won't be available to ingest data.
- VM insights and Container insights will stop working. Local authorization will be the only authorization method supported by these features.
You can disable local authentication by using Azure Policy. Or you can disable it programmatically through an Azure Resource Manager template, PowerShell, or the Azure CLI.
Azure Policy
The built-in Azure Policy definition for DisableLocalAuth evaluates every Log Analytics workspace and flags any whose features.disableLocalAuth property isn't set to true. With the policy's effect parameter set to Deny, it won't allow you to create or update a Log Analytics workspace unless this property is set to true; the default effect is Audit, which only reports non-compliant workspaces without blocking them. The policy name is Log Analytics Workspaces should block non-Azure Active Directory based ingestion. To apply this policy definition to your subscription, create a new policy assignment, assign the policy, and choose Deny as the effect if you want enforcement rather than reporting.
The policy template definition:
{
  "properties": {
    "displayName": "Log Analytics Workspaces should block non-Azure Active Directory based ingestion.",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Deny",
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.OperationalInsights/workspaces"
          },
          {
            "field": "Microsoft.OperationalInsights/workspaces/features.disableLocalAuth",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e15effd4-2278-4c65-a0da-4d6f6d1890e2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e15effd4-2278-4c65-a0da-4d6f6d1890e2"
}
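Two things the rule's JSON doesn't make obvious are worth checking before you rely on it: a workspace whose features block never had disableLocalAuth written at all is non-compliant (the property is absent, so it does not equal "true"), and with the default Audit effect nothing is blocked; only an assignment with effect set to Deny stops a workspace from being created or updated with local authentication on. The following added example (written for this page, not Microsoft's code and not the Azure Policy engine) models the evaluation of the policyRule above against constructed workspace resources. It implements only the operators this rule needs, resolves the alias Microsoft.OperationalInsights/workspaces/features.disableLocalAuth to properties.features.disableLocalAuth, and treats a missing property as not equal to "true"; that last behaviour is a modeling assumption chosen to match the rule's intent.

```python
"""Added example, not part of the Azure documentation: a small evaluator that
applies the policyRule above to constructed workspace resources.  It supports only
allOf/anyOf/not and field/equals/notEquals and is a model of Azure Policy
evaluation, not the service itself.
"""

# policyRule and the effect default, copied from the built-in definition above.
POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.OperationalInsights/workspaces"},
            {"field": "Microsoft.OperationalInsights/workspaces/features.disableLocalAuth",
             "notEquals": "true"},
        ]
    },
    "then": {"effect": "[parameters('effect')]"},
}
DEFAULT_EFFECT = "Audit"  # the definition's defaultValue; Deny must be chosen at assignment time

# Constructed sample resources, shaped like what a compliance scan sees.
SAMPLE_RESOURCES = [
    {"name": "ws-hardened", "type": "Microsoft.OperationalInsights/workspaces",
     "properties": {"features": {"disableLocalAuth": True}}},
    {"name": "ws-legacy", "type": "Microsoft.OperationalInsights/workspaces",
     "properties": {"features": {"disableLocalAuth": False}}},
    {"name": "ws-unset", "type": "Microsoft.OperationalInsights/workspaces",
     "properties": {"features": {}}},               # property never written
    {"name": "vm-01", "type": "Microsoft.Compute/virtualMachines", "properties": {}},
]


def _field_value(resource, field):
    """Resolve a policy field alias on a resource.

    'type' is the resource type; an alias of the form '<type>/a.b.c' is resolved by
    walking the dotted path inside 'properties'.  A missing path yields None
    (modeling assumption: absent properties compare as 'not equal').
    """
    if field == "type":
        return resource.get("type")
    prefix = resource.get("type", "") + "/"
    if not field.startswith(prefix):
        return None  # alias belongs to another resource type
    node = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _normalize(value):
    """Azure Policy compares strings case-insensitively; booleans become 'true'/'false'."""
    if value is None:
        return None
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value).lower()


def _matches(condition, resource):
    if "allOf" in condition:
        return all(_matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(_matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not _matches(condition["not"], resource)
    actual = _normalize(_field_value(resource, condition["field"]))
    if "equals" in condition:
        return actual == _normalize(condition["equals"])
    if "notEquals" in condition:
        return actual != _normalize(condition["notEquals"])
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(resource, effect=DEFAULT_EFFECT):
    """Return the effect ('Audit' or 'Deny') applied to the resource, or None when
    the rule doesn't fire (compliant workspace, other resource type, or Disabled)."""
    if effect == "Disabled":
        return None
    return effect if _matches(POLICY_RULE["if"], resource) else None


def scan(resources, effect=DEFAULT_EFFECT):
    """Evaluate every resource; the result maps resource name to applied effect."""
    return {r["name"]: evaluate(r, effect) for r in resources}


if __name__ == "__main__":
    for name, outcome in scan(SAMPLE_RESOURCES).items():
        print(f"{name:12s} default (Audit): {outcome}")
    print("ws-legacy with Deny assigned:", evaluate(SAMPLE_RESOURCES[1], effect="Deny"))
```

Run it and the two non-compliant workspaces (the one explicitly set to false and the one with the property never written) are reported but not blocked under the default; switching the assignment's effect to Deny is what turns the same match into a rejected deployment.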
Azure Resource Manager
The DisableLocalAuth property is used to disable any local authentication on your Log Analytics workspace. When set to true, this property enforces that Azure AD authentication must be used for all access. Use the following Azure Resource Manager template to disable local authentication. Note that features.disableLocalAuth must be true in the template; leaving it false (or omitting it) keeps workspace-key authentication enabled:
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaces_name": {
      "defaultValue": "workspace-name",
      "type": "string"
    },
    "workspace_location": {
      "defaultValue": "region-name",
      "type": "string"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2020-08-01",
      "name": "[parameters('workspaces_name')]",
      "location": "[parameters('workspace_location')]",
      "properties": {
        "sku": {
          "name": "PerGB2018"
        },
        "retentionInDays": 30,
        "features": {
          "disableLocalAuth": true,
          "enableLogAccessUsingOnlyResourcePermissions": true
        }
      }
    }
  ]
}
Azure CLI
The DisableLocalAuth property is used to disable any local authentication on your Log Analytics workspace. When set to true, this property enforces that Azure AD authentication must be used for all access.
Use the following Azure CLI command to disable local authentication, then read the property back to confirm the change was applied:
az resource update --ids "/subscriptions/[Your subscription ID]/resourcegroups/[Your resource group]/providers/microsoft.operationalinsights/workspaces/[Your workspace name]" --api-version "2021-06-01" --set properties.features.disableLocalAuth=True
az resource show --ids "/subscriptions/[Your subscription ID]/resourcegroups/[Your resource group]/providers/microsoft.operationalinsights/workspaces/[Your workspace name]" --api-version "2021-06-01" --query "properties.features.disableLocalAuth"
PowerShell
The DisableLocalAuth property is used to disable any local authentication on your Log Analytics workspace. When set to true, this property enforces that Azure AD authentication must be used for all access.
Use the following PowerShell commands to disable local authentication:
$workspaceSubscriptionId = "[Your subscription ID]"
$workspaceResourceGroup = "[Your resource group]"
$workspaceName = "[Your workspace name]"
# $true disables local (workspace key) authentication; $false re-enables it
$disableLocalAuth = $true
# login
Connect-AzAccount
# select subscription
Select-AzSubscription -SubscriptionId $workspaceSubscriptionId
# get the workspace resource
$workspace = Get-AzResource -ResourceType Microsoft.OperationalInsights/workspaces -ResourceGroupName $workspaceResourceGroup -ResourceName $workspaceName -ApiVersion "2021-06-01"
# set DisableLocalAuth (create the Features object first if the workspace doesn't have one yet)
if ($null -eq $workspace.Properties.Features) {
    $workspace.Properties | Add-Member -MemberType NoteProperty -Name Features -Value ([PSCustomObject]@{}) -Force
}
$workspace.Properties.Features | Add-Member -MemberType NoteProperty -Name DisableLocalAuth -Value $disableLocalAuth -Force
$workspace | Set-AzResource -Force
# read the property back to confirm the change was applied
(Get-AzResource -ResourceId $workspace.ResourceId -ApiVersion "2021-06-01").Properties.Features.DisableLocalAuth
Next steps
See Azure AD authentication for Application Insights (preview).