-1

I am currently streaming my Azure AD sign-in logs to Log Analytics (as described in this MS Doc). I also have a separate Azure Function that retrieves all Users from Graph API, performs some lookup operations, and creates a "CompanyTeam" value for each user. The Function runs once per day.

My goal is to combine the AAD sign-in Logs Analytics with the "CompanyTeam" data, so that I can perform queries like `SigninLogs | join kind=inner CompanyTeam on UserPrincipalName`.

  1. What is the best storage option for Azure Function outputting User+CompanyTeam data? It is a daily refresh that overwrites previous values.
  2. How do I connect that storage option to the existing AAD Sign-in Log Analytics workspace?

Thanks for any guidance.

Zacharious
  • For `azure function`, you should enable `application insights` as per [this doc](https://learn.microsoft.com/en-us/azure/azure-functions/configure-monitoring?tabs=v2#enable-application-insights-integration). Then in `azure log analytics`, you can use the [cross query](https://learn.microsoft.com/en-us/azure/azure-monitor/log-query/cross-workspace-query) to join `application insights`. – Ivan Glasenberg Jan 14 '21 at 09:32
  • If you haven't enabled `application insights` for `azure function`, then you can [create a new application insights with azure log analytics enabled](https://learn.microsoft.com/en-us/azure/azure-monitor/app/create-workspace-resource#create-workspace-based-resource), then all the data from `azure functions` will flow into that `azure log analytics`. – Ivan Glasenberg Jan 14 '21 at 09:35
  • Hello, if the answer is helpful, could you please accept it as the answer? Thanks :). – Ivan Glasenberg Jan 27 '21 at 07:14

1 Answer

0

For an Azure Function, you should enable Application Insights as per this doc. Then in Azure Log Analytics or Application Insights, you can use the cross query to join the related Application Insights or Azure Log Analytics.

Another solution is that you can create a new Application Insights with Azure Log Analytics enabled (here, the Azure Log Analytics is the existing AAD Sign-in Log Analytics workspace); then all the data from Azure Functions will flow into that Azure Log Analytics. Next, you can write a proper query to fetch the data.

Please let me know if you have any questions.

Ivan Glasenberg
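The second option in the answer above (workspace-based Application Insights in the same workspace as the sign-in logs), sketched as an added KQL example that is not part of the original answer. It assumes the Function logs one trace per user per daily run whose message is a JSON object with `UserPrincipalName` and `CompanyTeam` fields; that message shape, the sample values in the comment and the name `TeamLookup` are assumptions.

```kusto
// Assumption: each daily Function run writes one trace per user, and the trace
// message is a JSON object such as (constructed sample)
//   {"UserPrincipalName":"alice@contoso.example","CompanyTeam":"Finance"}
// With workspace-based Application Insights, traces land in the AppTraces table
// of the same workspace that holds SigninLogs.
let TeamLookup =
    AppTraces
    | where TimeGenerated > ago(2d)                  // cover the latest daily refresh
    | extend Row = parse_json(Message)
    | where isnotempty(Row.UserPrincipalName)        // skip unrelated trace lines
    | project TimeGenerated,
              UserPrincipalName = tolower(tostring(Row.UserPrincipalName)),
              CompanyTeam = tostring(Row.CompanyTeam)
    // The refresh overwrites previous values, so keep only the newest row per user.
    | summarize arg_max(TimeGenerated, CompanyTeam) by UserPrincipalName;
SigninLogs
| where TimeGenerated > ago(1d)
| extend UserPrincipalName = tolower(UserPrincipalName)   // case-insensitive match
// leftouter instead of inner, so sign-ins by users with no team mapping
// still show up instead of silently dropping out of the result.
| join kind=leftouter TeamLookup on UserPrincipalName
| extend CompanyTeam = iff(isempty(CompanyTeam), "(unmapped)", CompanyTeam)
| summarize SignIns = count(),
            Failures = countif(ResultType != "0")        // "0" means success
          by CompanyTeam
| order by Failures desc
```

Switching the join to `kind=inner` gives the exact query shape from the question, at the cost of hiding sign-ins from accounts the Function has not mapped to a team.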