Azure Log Analytics API permissions on west-us2 region


We are trying to create an AAD service principal for retrieving data from our Log Analytics workspace.

  • Our AAD region is located in Germany
  • Log Analytics is located in North Europe

When attempting to create API permissions, the address of the API itself mentions westus2.api.loganalytics.io (West US region), which is a no-go for our company's data privacy.

Is there any reason for this default, non-editable setting? Is there any way to overcome it?


Best answer

Well, if so, you could get the token for the ARM API endpoint, then call the ARM API.

In this way, there is no need to add the API permission for your AD App. Just make sure your AD App has an RBAC role, e.g. Contributor or Log Analytics Reader, in the Access control (IAM) of your workspace; if not, follow this doc to add it.

Then use the client credential flow to get the token.

POST /YOUR_AAD_TENANT/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=YOUR_CLIENT_ID
&resource=https://management.azure.com/
&client_secret=YOUR_CLIENT_SECRET

After getting the token, use it to call the API as in the sample below.

POST https://management.azure.com/subscriptions/6c3ac85e-59d5-4e5d-90eb-27979f57cb16/resourceGroups/demo/providers/Microsoft.OperationalInsights/workspaces/demo-ws/api/query?api-version=2017-10-01

Authorization: Bearer <access_token>
Content-Type: application/json
Prefer: response-v1=true

{
    "query": "AzureActivity | limit 10"
}

For more details, refer to this link.
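The two requests from the answer as one added Python example (not code from the answer or from Microsoft): the client-credentials token request, the ARM query request, a host allow-list that refuses anything bound for a regional *.loganalytics.io endpoint, and a flattener for the response-v1 table shape. The api-version value is assumed from the documented ARM route; tenant, client id, secret, subscription, resource group and workspace are caller-supplied.

```python
import json
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
LOGIN = "https://login.microsoftonline.com"
ALLOWED_HOSTS = ("management.azure.com", "login.microsoftonline.com")

def token_request(tenant, client_id, client_secret):
    # Client-credentials grant as in the answer; redirect_uri is not needed for it.
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret,
                                   "resource": ARM + "/"}).encode()
    return urllib.request.Request(f"{LOGIN}/{tenant}/oauth2/token", data=body,
        method="POST", headers={"Content-Type": "application/x-www-form-urlencoded"})

def query_request(token, subscription, resource_group, workspace, kql):
    # Same ARM route as the answer; api-version (assumed 2017-10-01) is mandatory on ARM.
    path = (f"/subscriptions/{subscription}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            "/api/query?api-version=2017-10-01")
    return urllib.request.Request(ARM + path, data=json.dumps({"query": kql}).encode(),
        method="POST", headers={"Authorization": f"Bearer {token}",
                                "Content-Type": "application/json",
                                "Prefer": "response-v1=true"})

def check_host(url):
    # Refuse to send anything to a host outside the allow-list (e.g. *.loganalytics.io).
    host = urllib.parse.urlparse(url).hostname
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"refusing to send data to {host}")
    return host

def rows_as_dicts(response):
    # Flatten the response-v1 shape (tables -> columns + rows) into one list of dicts.
    out = []
    for table in response["tables"]:
        names = [c["name"] for c in table["columns"]]
        out.extend(dict(zip(names, row)) for row in table["rows"])
    return out

def send(req):
    # Every outbound request passes the host check before it is sent.
    check_host(req.full_url)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())
```

Usage: `tok = send(token_request(tenant, client_id, client_secret))["access_token"]`, then `rows_as_dicts(send(query_request(tok, subscription, resource_group, workspace, "AzureActivity | limit 10")))`; the secret should come from the environment or a vault, never from source.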