
I am trying to read insights of a resource in Azure. I am getting the error:

Operation returned an invalid status code 'Forbidden'

The service principal has been given the 'Log Analytics Reader' role on the subscription of the workspace.

Microsoft.Azure.Management.ResourceManager.Fluent.Authentication.AzureCredentials credentials =
 Microsoft.Azure.Management.ResourceManager.Fluent.SdkContext.AzureCredentialsFactory.FromServicePrincipal(
 "clientId", 
 "clientSecret", 
 "tenantId", 
 Microsoft.Azure.Management.ResourceManager.Fluent.AzureEnvironment.AzureGlobalCloud);

var client = new Microsoft.Azure.OperationalInsights.OperationalInsightsDataClient(credentials);
client.WorkspaceId = @"workspaceId";
var results = client.QueryWithHttpMessagesAsync("union * | take 5").Result;

The solution to status code: unauthorised is using delegated permissions, but I need an authentication token without user interaction.

Richard S
  • https://learn.microsoft.com/en-us/azure/marketplace/cloud-partner-portal-api-troubleshooting-authentication-errors#forbidden-error Maybe it helps. – AjayKumarGhose Dec 15 '21 at 10:07
  • Thank you Ajay, I have read your link and verified I am using the correct clientId and clientSecret: using the same AzureCredentials with a Microsoft.Azure.Management.Fluent.Azure client – Richard S Dec 15 '21 at 10:59

1 Answer


You have given the service principal the 'Log Analytics Reader' role on the subscription. You need to give the API permission to your service principal as well.

  • Go to your service principal > API permission > Add permission > APIs my organization uses. Search for Log Analytics API.


  • And add the below permission to your service principal.


  • And grant admin consent to your service principal for the API permission.


Once you have granted the permission to the service principal, you will be able to read the logs.

For more information on doing the same thing using PowerShell, please refer to this blog.

AjayKumarGhose
  • Thank you very much! The blog was very informative, and it took me a 2nd try to actually get it to work (the PowerShell is missing a call to Get-AzureAuthN ($resource)). But what actually tripped me up was the error: Message: AADSTS500113: No reply address is registered for the application. When registering a new application, there's an optional field for redirect URI. The platform I selected 1st was 'Public client/native (mobile&desktop)' and I left it blank. The PowerShell assumes a 'Web app' with localhost as redirectUri. Can you confirm that this, or am I still not understanding somet – Richard S Dec 16 '21 at 11:59
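
Added example, not part of the original question, answer or comments: a local check of whether an app-only access token is addressed to the Log Analytics API and carries the application permission that the answer's "add permission, then grant admin consent" steps should produce. The audience `https://api.loganalytics.io`, the permission name `Data.Read` and both sample tokens are assumptions made for this sketch; the page names none of them.

```python
import base64
import json

# Assumptions (not stated on the page): the Log Analytics API audience and the
# name of its application permission as it would appear in the "roles" claim.
EXPECTED_AUDIENCE = "https://api.loganalytics.io"
EXPECTED_ROLE = "Data.Read"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    For local troubleshooting only; never base an access decision on it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str) -> list:
    """List the ways the token differs from what the answer's steps should yield."""
    claims = jwt_claims(token)
    findings = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud != EXPECTED_AUDIENCE:
        findings.append(f"audience is {aud!r}, expected {EXPECTED_AUDIENCE!r}")
    if EXPECTED_ROLE not in claims.get("roles", []):
        findings.append(f"application permission {EXPECTED_ROLE!r} not in 'roles' claim")
    return findings


def _make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demonstration."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed samples: a token lacking the permission, and one that has it.
BEFORE = _make_token({"aud": "https://management.azure.com/", "appid": "00000000-0000-0000-0000-000000000000"})
AFTER = _make_token({"aud": "https://api.loganalytics.io", "roles": ["Data.Read"]})

if __name__ == "__main__":
    print("before:", diagnose(BEFORE))
    print("after: ", diagnose(AFTER))
```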