Authorization while querying ADB2C logs from LogAnalyticsWorkspace


I have set up a LogAnalyticsWorkspace to fetch logs from Azure AD B2C; to do that I have followed this Microsoft tutorial.

Everything works fine, logs are getting to the workspace and from the Logs section I can query with no issues.

The problem occurs when I try to query those logs from my API, using the Azure Monitor Query client library for .NET. I have the following code:

using System;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Monitor.Query;

class Program
{
    static async Task Main()
    {
        string clientId = "X";//Obtained from the B2C tenant (App registration)
        string clientSecret = "X";//Obtained from the B2C tenant (App registration)
        string tenantId = "X";//Obtained from the B2C tenant (App registration)

        var credentials = new ClientSecretCredential(tenantId, clientId, clientSecret);
        var client = new LogsQueryClient(credentials);

        var response = await client.QueryWorkspaceAsync(
            "MY_WORKSPACE_ID",//Obtained from the tenant where I have the LogAnalytics workspace
            "AuditLogs",
            new QueryTimeRange(TimeSpan.FromDays(1)));
    }
}

The error I am obtaining is the following:

Valid authentication was not provided Status: 401 (Unauthorized) ErrorCode: AuthorizationRequiredError Content: {"error":{"message":"Valid authentication was not provided","code":"AuthorizationRequiredError","correlationId":"X","innererror": {"code":"AuthorizationRequiredError","message":"Register resource provider 'Microsoft.Insights' for this subscription to enable this query"}}}

I have checked that Microsoft.Insights is registered in the subscription used by the LogAnalyticsWorkspace.

Any clue what the issue can be? Or is there a different way I should authenticate?

1

There is 1 answer

5
Rukmini On BEST ANSWER

Note that to query Azure AD B2C logs from a Log Analytics workspace, you have to grant the Log Analytics API Data.Read permission, and this API permission is not present in an AD B2C tenant.

In the Azure AD B2C app, only Microsoft Graph API permissions are supported, not other permissions which are linked to a subscription.


  • Features of the subscription in your B2C tenant shouldn't be used.
  • Hence, as a workaround, create an Azure AD application in the Azure AD tenant.


And assign the Log Analytics Reader role to the application:


And make use of the below C# code to access the Log Analytics logs.

As a sample, I used the following code to access the logs:

using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

class Program
{
    static async Task Main()
    {
        // App registration in the Azure AD tenant that owns the workspace (not the B2C tenant)
        string tenantId = "TenantID";
        string clientId = "ClientID";
        string clientSecret = "ClientSecret";
        string workspaceId = "WorkspaceID";
        
        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
        // Request a token for the Log Analytics REST API (its documented scope)
        var token = await credential.GetTokenAsync(new TokenRequestContext(new[] { "https://api.loganalytics.io/.default" }));

        using (var httpClient = new HttpClient())
        {
            httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);

            // The query endpoint requires a KQL query in the 'query' parameter
            string kql = "AuditLogs | take 10";
            var apiUrl = $"https://api.loganalytics.io/v1/workspaces/{workspaceId}/query?query={Uri.EscapeDataString(kql)}";

            var response = await httpClient.GetAsync(apiUrl);

            if (response.IsSuccessStatusCode)
            {
                var result = await response.Content.ReadAsStringAsync();
                Console.WriteLine(result);
            }
            else
            {
                Console.WriteLine($"Error: {response.StatusCode} - {response.ReasonPhrase}");
            }
        }
    }
}

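The question's QueryWorkspaceAsync call combined with the answer's workaround, as an added example that is neither the question's nor the answer's code: it keeps the Azure.Monitor.Query client library instead of a raw HttpClient, and assumes an app registration with the Log Analytics Reader role was created in the Azure AD tenant that owns the workspace, as the answer describes. The environment variable names, the KQL query and the 401/403 handling are my own choices, not from the page.

```csharp
// Added example (not from the question or the accepted answer).
// NuGet packages: Azure.Identity, Azure.Monitor.Query.
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Monitor.Query;
using Azure.Monitor.Query.Models;

class AuditLogQuery
{
    static async Task Main()
    {
        // Tenant of the subscription that hosts the workspace, NOT the B2C tenant.
        // Variable names are assumptions; the values are placeholders.
        string tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID") ?? "<azure-ad-tenant-id>";
        string clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID") ?? "<app-registration-client-id>";
        string clientSecret = Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET") ?? "<client-secret>";
        string workspaceId = Environment.GetEnvironmentVariable("LOG_ANALYTICS_WORKSPACE_ID") ?? "<workspace-id>";

        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
        var client = new LogsQueryClient(credential);

        // Keep the query narrow: B2C audit events from the last day, newest first.
        string kql = @"AuditLogs
| where TimeGenerated > ago(1d)
| project TimeGenerated, OperationName, Result, ResultDescription
| order by TimeGenerated desc
| take 20";

        try
        {
            Response<LogsQueryResult> response = await client.QueryWorkspaceAsync(
                workspaceId, kql, new QueryTimeRange(TimeSpan.FromDays(1)));

            LogsTable table = response.Value.Table;
            Console.WriteLine($"{table.Rows.Count} row(s) returned");
            foreach (LogsTableRow row in table.Rows)
            {
                Console.WriteLine($"{row.GetDateTimeOffset("TimeGenerated")} {row.GetString("OperationName")} {row.GetString("Result")}");
            }
        }
        catch (RequestFailedException ex) when (ex.Status == 401)
        {
            // The token was issued by a tenant that has no relationship to the workspace
            // (the symptom in the question when the B2C tenant is used); fix tenantId/app.
            Console.WriteLine($"401 {ex.ErrorCode}: token not accepted for this workspace - check which tenant issued it");
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Token accepted but the service principal has no role on the workspace:
            // assign Log Analytics Reader scoped to the workspace.
            Console.WriteLine($"403 {ex.ErrorCode}: service principal lacks Log Analytics Reader on the workspace");
        }
    }
}
```

Scoping the Log Analytics Reader assignment to the workspace itself rather than the whole subscription keeps the service principal limited to reading that one workspace's tables; the two catch blocks separate the "wrong tenant" failure seen in the question from a plain missing-role failure, which is the first thing to check when the call returns 401 versus 403.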