Enable Traffic Analytics in NSG flow log

Murali R 245

Hi Team,

Iam currently working on a process for creating NSG flow log with Traffic Analytics Enabled through bicep. When i have tested the pipeline i have received the below error "TAUserDoesNotHavePermissions: User does not have permissions to enable Traffic Analytics".

For this i have all the custom roles available provided as per Microsoft Document. Link [https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics-faq#what-are-the-prerequisites-to-use-traffic-analytics-].

Kindly help me on this regard.

Thanks,

Murali

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-07-17T13:27:18.3833333+00:00

@Murali R

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are facing permission issues while trying to enable Traffic Analytics using Pipeline with Bicep code.

I doubt the permissions mentioned in the documentation are up to date.

As you can see, all the roles are in READ only.

Is it possible you can give this a try using "Network Contributor" permission and see if this works.

Cheers,

Kapil
Murali R 245 Reputation points

2023-07-17T14:07:13.6833333+00:00
Hi Kapil,

Iam unable to add Network Contributor as per the policy. But i have added the below Custom roles

Microsoft.Network/applicationGateways/read

Microsoft.Network/connections/read

Microsoft.Network/loadBalancers/read

Microsoft.Network/localNetworkGateways/read

Microsoft.Network/networkInterfaces/read

Microsoft.Network/networkSecurityGroups/read

Microsoft.Network/publicIPAddresses/read"

Microsoft.Network/routeTables/read

Microsoft.Network/virtualNetworkGateways/read

Microsoft.Network/virtualNetworks/read

Microsoft.Network/expressRouteCircuits/read

Still it says the same error
cs8com 0 Reputation points

2023-07-17T21:02:32.2733333+00:00

how about cleaning cash memorie and browser history with cookies
Murali R 245 Reputation points

2023-07-18T08:00:26.2633333+00:00

Hi Leijen,

The error remains the same "TAUserDoesNotHavePermissions: User does not have permissions to enable Traffic Analytics"
Murali R 245 Reputation points

2023-07-18T10:58:40.12+00:00

Hi @KapilAnanth-MSFT One doubt, when this Network contributor role has been created as per Microsoft
KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-07-19T07:27:40.63+00:00

@Murali R

It appears the permissions listed are not enough.

I am checking this internally, and once we have an update, I shall provide it here

Cheers,

Kapil
Murali R 245 Reputation points

2023-07-19T07:33:39.2966667+00:00

Thanks @KapilAnanth-MSFT
Murali R 245 Reputation points

2023-07-20T14:16:59.7366667+00:00

Hi @KapilAnanth-MSFT Any possibilities to resolve the error
Murali R 245 Reputation points

2023-07-21T07:44:46.3033333+00:00

HI @KapilAnanth-MSFT I have added Network Contributor role to the Vnet today. After adding i have did the deployment but still its getting failed with the same error "TAUserDoesNotHavePermissions: User does not have permissions to enable Traffic Analytics"
KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-07-21T10:50:26.7366667+00:00
@Murali R

Apologies for the delay, I was trying to reproduce the issue from my end.

This permission issue is tracked here : https://github.com/MicrosoftDocs/azure-docs/issues/110447

Now, as a prerequisite,

You must have few additional permissions with respect to linked resources.

And by linked resources, I mean

The NSG for which the flow logs are enabled - Contributor

or Network Contributor at Subscription level

The Storage Account in which the flow logs are stored - Contributor

or Storage Account Contributor at Subscription level

The Log Analytics Workspace - Contributor

or Log Analytics Workspace Contributor at Subscription level

In addition to the Network Contributor which you have already added at the Subscription Level, can you also add these and give it a try.

You can also use Contributor at Subscription level

Cheers,

Kapil
Murali R 245 Reputation points

2023-07-21T10:59:12.1233333+00:00

Hi @KapilAnanth-MSFT I have all the roles which you have mentioned above but still the error remains the same.
KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-07-21T11:02:43.37+00:00

@Murali R

To troubleshoot this issue further, I think we will need a specialized 1:1 session, where a support engineer can have a screen share session to pinpoint the issue.

If you have a support plan you may file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.

Cheers,

Kapil
Murali R 245 Reputation points

2023-07-21T11:15:42.3433333+00:00

Hi @KapilAnanth-MSFT Understood, i have raised the MS Support Ticket right now to solve this issue with 1:1 session
Murali R 245 Reputation points

2023-07-21T11:15:59.2166667+00:00

Thank you very much for all your help
Brian 0 Reputation points

2023-07-24T19:46:09.1933333+00:00

Were you able to resolve this? I'm facing the same issue.
KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-07-25T04:07:05.0766667+00:00
Brian ,

This permission issue is tracked here : https://github.com/MicrosoftDocs/azure-docs/issues/110447

The below should work according to the documentations,

You must have few additional permissions with respect to linked resources.

And by linked resources, I mean

The NSG for which the flow logs are enabled - Contributor

or Network Contributor at Subscription level

The Storage Account in which the flow logs are stored - Contributor

or Storage Account Contributor at Subscription level

The Log Analytics Workspace - Contributor

or Log Analytics Workspace Contributor at Subscription level

In addition to the Network Contributor which you have already added at the Subscription Level, can you also add these and give it a try.

In case the above did not help, I would suggest you to please raise a support incident to get this resolved.

Cheers,

Kapil.
Murali R 245 Reputation points

2023-07-25T08:09:10.7866667+00:00

Brain,

I have raised the MS Support ticket for this issue
Ben Roberts 0 Reputation points

2023-07-27T04:04:12.4166667+00:00

Murali R, Brian did you get any traction on your support tickets? I'm facing the same error on a sub even using the Contributor role.
Murali R 245 Reputation points

2023-07-27T10:40:48.96+00:00

No Ben, Still working with Microsoft
Murali R 245 Reputation points

2023-07-27T15:25:49.3+00:00

Brian & Ben, the error which you are getting is it on ADO release. Have u checked in Azure Portal after ADO fails whether the flow log is created in Azure Portal
David Hancocks 0 Reputation points

2023-08-01T17:02:46.2033333+00:00

Any further movement on this?

I have one tenant where this works - I have owner at tenant root. And other with also owner at tenant root where I get this annoying error.

Unfortunately the working one is my sandbox tenant where I don't care. And the live tenant is the one where it's refusing.
Murali R 245 Reputation points

2023-08-01T17:08:21.8+00:00
David, i have received a suggestion from Microsoft support is that to provide a custom roles to the subscription scope in app registration, which iam currently working on it. I will keep posted if the issue gets resolved

Microsoft.Network/applicationGateways/read

Microsoft.Network/connections/read

Microsoft.Network/loadBalancers/read

Microsoft.Network/localNetworkGateways/read

Microsoft.Network/networkInterfaces/read

Microsoft.Network/networkSecurityGroups/read

Microsoft.Network/publicIPAddresses/read"

Microsoft.Network/routeTables/read

Microsoft.Network/virtualNetworkGateways/read

Microsoft.Network/virtualNetworks/read

Microsoft.Network/expressRouteCircuits/read
David Hancocks 0 Reputation points

2023-08-01T17:20:55.1366667+00:00

Thanks Murali - I have raised ticket also. I'm literally clicking through the portal for this just to figure out if it's possible and I have owner at root which will have all of that and more, so it's unlikely to be permissions for me unless it's is something very odd
Murali R 245 Reputation points

2023-08-01T17:44:11.7+00:00

David, for me the problem is iam receiving error in the pipeline, but the NSG flow log gets created in the Azure Portal
KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-08-02T04:29:38.2766667+00:00

@Murali R , David Hancocks ,

The document has been updated and we have to add "Microsoft.OperationalInsights/workspaces/*" action to the custom role as well.

Can you give that a try along with the listed roles and let me know.

Refer : https://github.com/MicrosoftDocs/azure-docs/issues/110447

Cheers,

Kapil
David Hancocks 0 Reputation points

2023-08-02T07:57:53.17+00:00

@KapilAnanth-MSFT I am using Owner role not a custom role to eliminate any potential permission problems. The same error remains
Ben Roberts 0 Reputation points

2023-08-02T08:09:59.4266667+00:00

To get around the problem I had to add the owner directly to the subscription. It seems like the inheritance from the root tenant/management group isn't working properly.
David Hancocks 0 Reputation points

2023-08-02T08:51:59.19+00:00

Unbelievable. That's worked.

@KapilAnanth-MSFT can we get this looked at? This is a problem for scale - I want to use policy and managed identity to deploy these flow logs. I wouldn't want to assign the permission to every one of my subscriptions - 350+ of them, that's not sustainable.
David Hancocks 0 Reputation points

2023-08-02T08:56:27.3133333+00:00

No way - that's worked. Thanks Ben!

@KapilAnanth-MSFT can we raise this as a bug? it's not sustainable to do this at subscription level if you have anything more than a trivial number of subscriptions.

CAF is pushing towards many subscriptions - I have 350+ already. I don't really want to manage each individually just for this.
Murali R 245 Reputation points

2023-08-02T18:10:28.0866667+00:00

Thanks @KapilAnanth-MSFT The error got resolved after adding the custom role to the service principal into the subscription scope
KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-08-04T11:49:55.0933333+00:00
David Hancocks -

I would suggest you raise a support incident, where a support engineer can have a screen share session.

If you have a support plan you may file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.

In case you need a one-time free technical support could you please send an email to AzCommunity[At]Microsoft[Dot]Com with the below details.

Subject : Attn Kaananth

Thread URL: Link to this thread.

Subscription ID : of Traffic Analytics Cheers,

Kapil
David Hancocks 0 Reputation points

2023-08-04T12:11:20.1666667+00:00

@KapilAnanth-MSFT - I have raised and they have worked around this for me - for some reason the permission needs to be at subscription level explicitly and inheritance from management group does not work. which is very annoying for working at scale. But I have a solution of sorts.
KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-08-04T12:52:59.6266667+00:00
David Hancocks ,

Can you please share the SR number to AzCommunity[At]Microsoft[Dot]Com ?

Subject of Mail : Attn Kaananth

Thread URL: Link to this thread.

Subscription ID : of Traffic Analytics

I shall have a look internally and see if this is a known issue.

Cheers,

Kapil
KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-08-16T16:12:41.5233333+00:00

@Murali R

Reaching out to check if there are any questions on this.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.
Murali R 245 Reputation points

2023-08-16T17:03:08.4933333+00:00

No @KapilAnanth-MSFT I dont have any further questions, my issue is resolved

Accepted answer

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2023-08-11T04:55:25.25+00:00

@Murali R

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are facing permission issues while trying to enable Traffic Analytics using Pipeline with Bicep code.

While I tried to reproduce the error, I came across the below :

There is a permission issue and is being tracked here : https://github.com/MicrosoftDocs/azure-docs/issues/110447

The document was recently updated to include : Microsoft.OperationalInsights/workspaces/* actions.

With further investigation from Azure Support, it was revealed that the Azure roles (permissions) should be at the subscription scope, and is not inherited from MG scope.

The document also highlights this,

Your account must have any one of the following Azure roles at the subscription scope: owner, contributor, or network contributor.

David Hancocks , however, I understand it does not specifically state that the permissions should be exclusively assigned at subscription level and inheritance from MG would not work.

I have informed our Product Group about this and hopefully, we should update the document stating that the exclusive assignment of permissions at subscription level is required.

This is being tracked in : https://github.com/MicrosoftDocs/azure-docs/issues/113313

Thanks for your contribution on Q&A and appreciate much for taking the time to share your feedback and working with us.

Cheers,

Kapil

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Enable Traffic Analytics in NSG flow log

0 additional answers

Your answer