Microsoft Entra authentication for Azure Monitor Logs

Azure Monitor can collect data in Azure Monitor Logs from multiple sources. These sources include agents on virtual machines, Application Insights, diagnostic settings for Azure resources, and the Data Collector API.

Log Analytics agents use a workspace key as an enrollment key to verify initial access and provision a certificate further used to establish a secure connection between the agent and Azure Monitor. To learn more, see Send data from agents. The Data Collector API uses the same workspace key to authorize access.

These options might be cumbersome and pose a risk because it's difficult to manage credentials, specifically workspace keys, at a large scale. You can opt out of local authentication and ensure that only telemetry that's exclusively authenticated by using Managed Identities and Microsoft Entra ID is ingested into Azure Monitor. This feature enhances the security and reliability of the telemetry used to make critical operational and business decisions.

To enable Microsoft Entra integration for Azure Monitor Logs and remove reliance on these shared secrets:

  1. Disable local authentication for Log Analytics workspaces.
  2. Ensure that only authenticated telemetry is ingested in your Application Insights resources with Microsoft Entra authentication for Application Insights.
  3. Follow best practices for using Entra authentication.

Prerequisites

Permissions required

To disable local authentication for a Log Analytics workspace, you need microsoft.operationalinsights/workspaces/write permissions on the workspace, as provided by the Log Analytics Contributor built-in role, for example.

Disable local authentication for Log Analytics workspaces

Disabling local authentication might limit the availability of some functionality, specifically:

  • Existing Log Analytics agents will stop functioning. Only Azure Monitor Agent will be supported. Azure Monitor Agent will be missing some capabilities that are available through the Log Analytics agent. Examples include custom log collection and IIS log collection.
  • The Data Collector API (preview) won't support Microsoft Entra authentication and won't be available to ingest data.
  • VM Insights is supported only with Azure Monitor Agent (AMA).

You can disable local authentication by using Azure Policy. Or you can disable it programmatically through an Azure Resource Manager template, PowerShell, or the Azure CLI.

Azure Policy for DisableLocalAuth won't allow you to create a new Log Analytics workspace unless this property is set to true. The policy name is Log Analytics Workspaces should block non-Azure Active Directory based ingestion. To apply this policy definition to your subscription, create a new policy assignment and assign the policy.

The policy template definition:

{
  "properties": {
    "displayName": "Log Analytics Workspaces should block non-Azure Active Directory based ingestion.",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system.",
    "metadata": {
      "version": "1.0.0",
      "category": "Monitoring"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Deny",
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.OperationalInsights/workspaces"
          },
          {
            "field": "Microsoft.OperationalInsights/workspaces/features.disableLocalAuth",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e15effd4-2278-4c65-a0da-4d6f6d1890e2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e15effd4-2278-4c65-a0da-4d6f6d1890e2"
}

Next steps

See Microsoft Entra authentication for Application Insights.