0

https://api.applicationinsights.io/v1/query I am using above endpoint to send a post request in powershell script and getting errors in below script.

# Set the ID of the Application Insights resource you want to query
$appId = "app id"

# Set the access token for the Application Insights resource
$accessToken = "access token"

# Encode the access token as a URL-safe string
$accessToken = [System.Uri]::EscapeDataString($accessToken)

# Set the query you want to execute
$query = "customEvents"

# Construct the request body for the Application Insights query endpoint
$requestBody = @{
    appId = $appId
    query = $query
} | ConvertTo-Json

# Execute the query and retrieve the results
$queryResponse = Invoke-WebRequest -Method POST -Uri "https://api.applicationinsights.io/v1/query" -Headers @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type" = "application/json"
} -Body $requestBody

# Extract the results from the response
$results = $queryResponse.Content | ConvertFrom-Json

# Print the results
$results

ERROR :

Invoke-WebRequest : {"error":{"message":"The requested path does not exist","code":"PathNotFoundError","correlationId":"1e33e5cd-43a4-4108-b28d-0b0ef4c3942c"}}
At line:26 char:18
+ ... yResponse = Invoke-WebRequest -Method POST -Uri "https://api.applicat ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

The access token i am generating through postman for testing purpose and it is correct. Query is just customevents, not sure what is the issue here.

Edit: 9 Jan 2023

Granted read permission like this api permission but getting below error Invoke-WebRequest : {"error":{"message":"The provided credentials have insufficient access to perform the requested operation","code":"InsufficientAccessError","correlationId":

Yogesh Sharma
  • 15
  • 5

1 Answers1

0

I tried to reproduce the same in my environment and got below results:

I registered one Azure AD application and granted API permissions like below:

enter image description here

Now I generated the access token via Postman with below parameters:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
grant_type:client_credentials
client_id: <appID>
client_secret: <secret>
scope: https://api.applicationinsights.io/.default

Response:

enter image description here

I got the ID of the Application Insights resource from here:

enter image description here

When I ran the same code by including above details, I got same error as below:

# Set the ID of the Application Insights resource you want to query
$appId = "xxxxxxxxxxxxxxxx"

# Set the access token for the Application Insights resource
$accessToken = "xxxxxxxxxxxxxxxxxxx"

# Encode the access token as a URL-safe string
$accessToken = [System.Uri]::EscapeDataString($accessToken)

# Set the query you want to execute
$query = "customEvents"

# Construct the request body for the Application Insights query endpoint
$requestBody = @{
    appId = $appId
    query = $query
} | ConvertTo-Json

# Execute the query and retrieve the results
$queryResponse = Invoke-WebRequest -Method POST -Uri "https://api.applicationinsights.io/v1/query" -Headers @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type" = "application/json"
} -Body $requestBody

# Extract the results from the response
$results = $queryResponse.Content | ConvertFrom-Json

# Print the results
$results

Response:

enter image description here

To resolve the error, modify your code by changing the request URI like below:

# Set the ID of the Application Insights resource you want to query
$appId = "ID"

# Set the access token for the Application Insights resource
$accessToken = "token"

# Encode the access token as a URL-safe string
$accessToken = [System.Uri]::EscapeDataString($accessToken)

# Set the query you want to execute
$query = "customEvents"

# Construct the request body for the Application Insights query endpoint
$requestBody = @{
    query = $query
} | ConvertTo-Json

# Execute the query by giving right URI and retrieve the results
$queryResponse = Invoke-WebRequest -Method POST -Uri "https://api.applicationinsights.io/v1/apps/$appID/query" -Headers @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type" = "application/json"
} -Body $requestBody

# Extract the results from the response
$results = $queryResponse.Content | ConvertFrom-Json 

# Print the results
$results

Response:

enter image description here

When I ran $queryResponse, I got the results of the query successfully like below:

enter image description here

Reference: Query - Execute - REST API (Azure Application Insights)

UPDATE:

You are getting InsufficientAccessError as Data.Read permission is removed like below:

enter image description here

If API permissions are removed, they will appear under Other permissions granted for tenant till their admin consent is revoked.

To resolve the error, make sure to add Data.Read permission again and grant admin consent to it.

Sridevi
  • 10,599
  • 1
  • 4
  • 17
  • Thanks a lot, Sridevi for the solution and effort. Can we get the access token without using tenant id and using service principle ? – Yogesh Sharma Jan 05 '23 at 07:43
  • No, it's not possible to get access token without using tenant id. You will get [error](https://i.imgur.com/u4FGeLi.png) saying `AADSTS50059: No tenant-identifying information found in either the request or implied by any provided credentials` if tenant ID is not included. – Sridevi Jan 05 '23 at 07:56
  • I have added the same read permission to the application and using the correct end point but still getting error, do you know what could be missing ? `"Invoke-WebRequest : {"error":{"message":"The provided credentials have insufficient access to perform the requested operation","code":"InsufficientAccessError","correlationId":` – Yogesh Sharma Jan 09 '23 at 08:03
  • Could you include the screenshot of both API permission and error by editing your question? – Sridevi Jan 09 '23 at 08:07
  • Yes, I have added at the bottom of the question. – Yogesh Sharma Jan 09 '23 at 08:16
  • Data.Read permission is under **Other permissions granted for tenant** which means permission is removed. – Sridevi Jan 09 '23 at 08:30
  • @YogeshSharma You can check updated answer for more details. – Sridevi Jan 09 '23 at 10:28
  • thanks for the reply. Permission is now under configured permission, I updated the screenshot in questions. But it still gives the same error. I have to get it done through someone else as not have the admin access, so takes little time. – Yogesh Sharma Jan 09 '23 at 10:46
  • Make sure to assign **`Reader`** role to your Azure AD application under Application Insights. Refer [this](https://stackoverflow.com/questions/74364487/azure-monitor-query-client-library-the-provided-credentials-have-insufficient#:~:text=The%20provided%20credentials%20have%20insufficient%20access%20to%20perform,Status%20403%20as%20error%20code%20without%20complete%20sync.). – Sridevi Jan 09 '23 at 11:23
  • Yes, infact contributor roles is assigned. Reading the post, observed that **Data.Read (Read Log Analytics data permission** permission is also needed to read the logs. – Yogesh Sharma Jan 09 '23 at 11:42
  • Are you still getting error even after assigning roles and permissions? – Sridevi Jan 09 '23 at 12:17
  • I have requested admin to add Data.Read (Read Log Analytics data) permission as well which is not assigned yet but apart from that roles and permissions looks fine but yet not working. – Yogesh Sharma Jan 09 '23 at 12:30
  • Data.Read (Read Log Analytics data) permission is required in your case. You can check after having that permission assigned. – Sridevi Jan 09 '23 at 12:36
  • Yes, I would try that but i realized that we don't have dedicated log analytics workspace for Application Insights resource, I think the Data.Read permission for application Insights should work. – Yogesh Sharma Jan 09 '23 at 12:42
  • 1
    There were some issues with roles and permissions, its working now. Thanks for the effort and solution. – Yogesh Sharma Jan 10 '23 at 18:02