I am trying to access the Directory activity log in my Azure tenant, but I am getting the error that I don't have permission to view Directory log.
I am trying to figure out if anyone know the permission required to view those logs.
Also, I am trying to have the least privilege possible.
Note that, Azure RBAC roles under subscription won't work for accessing Directory Activity logs.
To access the Directory activity log, you need to have Global Administrator role on your Azure tenant.
When I tried to access Directory activity log with user having Contributor role, I got same error as you like below:
To resolve the error, I assigned Global Administrator role to the user under Azure AD tenant like below:
Go to Azure Portal -> Azure Active Directory -> Roles and Administrators -> All roles -> Global Administrator
After assigning above role, you can also check Assigned roles of the user like below:
You need to wait for 5-10 minutes after assigning the directory role as there will be delay.
When I tried to access Directory Activity logs with above user after few minutes, I can see the logs successfully like below:
Reference: Azure Active Directory activity logs in Azure Monitor - Microsoft