BenjaminGraus-6602 asked BenjaminGraus-6602 commented

Enable Log access from managing tenant

Hi,

Has any of you tried to access the LAW of customers from the managing tenant?
Our managing tenant does not have a subscription itself, so we tried to add the service principals as described here:
https://docs.microsoft.com/en-us/azure/lighthouse/how-to/monitor-at-scale#create-log-analytics-workspaces


We received the error:

`New-AzADServicePrincipal: Scope '/subscriptions' should have even number of parts.`

We were able to set it like this:

`New-AzADServicePrincipal -ApplicationId 1215fb39-1d15-4c05-b2e3-d519ac3feab4 -Role Contributor -Scope "/subscriptions/*"`

But we still cannot access the logs of the customers.

Error:

To run this query, register resource provider 'Microsoft.Insights' for this subscription
Register resource provider 'Microsoft.Insights' for this subscription to enable this query


Has any of you seen this?

Thanks

Regards,
Ben

azure-lighthouse

1 Answer

AndrewBlumhardt-1137 answered BenjaminGraus-6602 commented

The instructions are a bit confusing.

I think you need to register the provider first using the following instructions. You are trying to create service principals for App IDs that do not yet exist. https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider


Thanks for your answer.
But please correct me if I'm wrong: if I do not have a subscription, I cannot register providers?
And on the other side, I simply don't get how I could assign a subscription to our CSP Tenant...

In fact, the instructions are confusing.


@BenjaminGraus-6602 Yes, you need to have a subscription. Registration of resource providers is done on a subscription. For more information on creating or assigning an Azure subscription to a CSP Tenant, I would suggest you check the documents below.


We have onboarded two different customer subscriptions and ran the New-AzADServicePrincipal commands again. They completed successfully, but we are still not able to access / query the (customer) Log Analytics workspaces from our managing partner tenant.

Like I said, I don't see an option to add a subscription directly to our managing CSP tenant.
