Simone

Reputation: 2430

How to give read-only access to Azure application insight logs to a user?

I have a problem with permissions and roles. I need to give read-only access to all logs in my infrastructure to a user. My infrastructure is done by different Management groups:

I am working at Technical area management group level... it is like I am working at root level.

Initially, the user had the Reader role. Now I have given him a lot of *** reader roles. At the end I have given him also some contributor role. But no success:

Now, when he tries to open some log I receive this error:

The client '' with object id '' does not have authorization to perform action 'microsoft.web/sites/config/list/action' over scope '/subscriptions//resourcegroups/-rg-westeu/providers/microsoft.web/sites/*****-func-westeu/config/appSettings' or the scope is invalid. If access was recently granted, please refresh your credentials.

The error is about listing appSettings.

Well, honestly I do not understand why he needs that kind of permission. However, which is the minimum role I can give him for that permission? Does a way exist to know which role has some permissions?

Thank you

Upvotes: 0

Views: 1815

Answers (1)

Harshitha

Reputation: 7392

As mentioned in the MSDoc, Application Insights Component Contributor role has an option to Read Transactions.

You can check the same in Roles => Application Insights Component Contributor

  • Create a new custom role with the action Microsoft.Insights/transactions/read and assign this custom role to the user.

  • Make sure you have owner or User access Admin role to create a custom role.

  • Here I am creating the custom role on Resource Group level.

Navigate to your Resource Group => Access control (IAM) => click on Add => Add custom role.

  • Select clone a role and search for Application Insights Component Contributor role => Review + create.

  • Now assign this role to the users whom you want to give read access.

Refer to the Azure built-in roles for more info.

Upvotes: 1
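
On the question's last point (finding which roles carry a given permission), the following is an added example, not part of the original question or answer. It checks role definitions, assumed to have the shape of `az role definition list` JSON output, for a control-plane action, honouring wildcards and `notActions`; the sample roles and helper names are constructed, and data actions are not considered.

```python
import re

# Constructed sample shaped like `az role definition list` JSON output.
# Role names and action lists are illustrative, not real built-in definitions.
SAMPLE_ROLES = [
    {"roleName": "Sample Reader",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "Sample Site Operator",
     "permissions": [{"actions": ["Microsoft.Web/sites/*"],
                      "notActions": ["Microsoft.Web/sites/config/list/action"]}]},
    {"roleName": "Sample Config Lister",
     "permissions": [{"actions": ["Microsoft.Web/sites/config/list/Action"],
                      "notActions": []}]},
    {"roleName": "Sample Site Contributor",
     "permissions": [{"actions": ["Microsoft.Web/sites/*"], "notActions": []}]},
]


def _matches(pattern, action):
    """Case-insensitive match; '*' in the pattern spans any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_grants(role, action):
    """True if a permission block allows the action and its notActions do not remove it."""
    for perm in role.get("permissions", []):
        allowed = any(_matches(p, action) for p in perm.get("actions") or [])
        removed = any(_matches(p, action) for p in perm.get("notActions") or [])
        if allowed and not removed:
            return True
    return False


def _breadth(role):
    """Heuristic sort key: fewer wildcards and fewer actions means a narrower role."""
    actions = [a for p in role.get("permissions", []) for a in p.get("actions") or []]
    return (sum(a.count("*") for a in actions), len(actions), role["roleName"])


def roles_granting(roles, action):
    """Names of roles granting a control-plane action, narrowest first."""
    return [r["roleName"] for r in sorted(roles, key=_breadth) if role_grants(r, action)]


if __name__ == "__main__":
    # The action named in the authorization error quoted in the question.
    print(roles_granting(SAMPLE_ROLES, "microsoft.web/sites/config/list/action"))
```

The ordering is only a heuristic for spotting the least-privileged candidate; review the full action list of any role before assigning it.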
