Unable to archive to a storage account in Diagnostic Settings

Aaron Gallardo 6 Reputation points
2021-01-06T14:50:27.187+00:00

Hi all! I am trying to save some sign-in logs to a storage account that I have via the Diagnostic Settings tab in Azure. I am a Global Admin, so I should be able to.

However, when I try to save it, I get this:

Failed to update diagnostics for '/providers/microsoft.aadiam'.{"error":{"code":"AuthorizationFailed","message":"The client 'user@keyman .com' with object id 'GUID' does not have authorization to perform action 'Microsoft.Insights/register/action' over scope '/subscriptions/GUID' or the scope is invalid. If access was recently granted, please refresh your credentials."}}.

Should I have the authorization to do this as a global admin?

Thanks


2 answers

  1. Oscar Maqueda 536 Reputation points Microsoft Employee
    2021-01-06T17:29:00.463+00:00

  2. Sumarigo-MSFT 43,801 Reputation points Microsoft Employee
    2021-01-27T07:15:03.877+00:00

    @Aaron Gallardo Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

    First, let me explain how RBAC works. Please check this thread, which provides detailed information on access control, roles, service principals, and what role we need to provide.

    We need to provide the "Azure Storage Contributor role"; then try again and let me know the status.

    Also, please refer to this article: Send resource logs to Azure storage to retain it for archiving

    If you are a Global Admin, you should be able to archive the sign-in logs.

    Archive Azure AD logs to an Azure storage account:

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    --------------------------------------------------------------------------------------------------------------------------

    Please don’t forget to “Accept the answer” and “up-vote” wherever the information provided helps you; this can be beneficial to other community members.
