Update permissions details for log alert rules #210
Had a customer recently and I'm sending this change based on the discoveries made after discussing with the Alerts PG. This gap was missing here. Clarified the permissions requirements for alert rules, especially regarding managed identities and Log Analytics workspaces. Added an example to illustrate the access needed for resource-centric alerts.
@didiergbenou-ms : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.
Learn Build status updates of commit 492ecd3: ✅ Validation status: passed
For more details, please refer to the build report.
Pull Request Overview
This PR clarifies permissions requirements for log alert rules, specifically addressing access needs when using managed identities or relying on user/service principal permissions. The update emphasizes that resource-centric alerts require reader access to all Log Analytics workspaces containing data for resources within the alert's scope, even across different subscriptions.
Key Changes:
- Clarified that alert rules inherit permissions from the last editor (user or service principal) when managed identities are not used
- Expanded permissions guidance for resource-centric alerts to explicitly cover cross-subscription workspace access scenarios
- Added a concrete example demonstrating required workspace access for subscription-scoped alerts
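The overview above describes a check a practitioner would want to run before enabling such a rule: resolve every resource inside the alert's scope, collect every workspace that holds data for those resources (wherever that workspace lives), and confirm the identity that will run the query holds a reader role on each one, remembering that Azure RBAC assignments made at subscription or resource group scope are inherited by the workspaces beneath them. The script below is an added example written for this review, not code from the PR, from the documentation or from Azure Monitor. The resource IDs, workspace IDs, principal ID and role assignments are all constructed so it runs offline; in a real tenant the resource-to-workspace map would come from where each resource actually sends its logs and the assignments from `az role assignment list --assignee <principal-id> --all`. Treating only the built-in `Reader` role as sufficient is an assumption made for the example (the `read_roles` parameter lets you widen it).

```python
"""Pre-flight check: which Log Analytics workspaces does a resource-centric
log search alert rule touch, and on which of them does the identity that
runs the query still lack a reader role?

Added example, not part of the PR or the product. All IDs and role
assignments below are constructed test data.
"""
from typing import Dict, Iterable, List, Sequence, Set, Tuple

# Constructed workspace resource IDs, one per subscription, as in the PR's example.
WS1 = "/subscriptions/sub-a/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/Workspace-1"
WS2 = "/subscriptions/sub-b/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/Workspace-2"
WS3 = "/subscriptions/sub-c/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/Workspace-3"
WS4 = "/subscriptions/sub-d/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/Workspace-4"

# Constructed: where each resource's log data lands. Resources in Subscription-A
# send data to workspaces in Subscriptions A, B and C; vm-9 is outside the scope.
RESOURCE_TO_WORKSPACES: Dict[str, List[str]] = {
    "/subscriptions/sub-a/resourceGroups/rg-1/providers/Microsoft.Compute/virtualMachines/vm-1": [WS1],
    "/subscriptions/sub-a/resourceGroups/rg-2/providers/Microsoft.Compute/virtualMachines/vm-2": [WS2],
    "/subscriptions/sub-a/resourceGroups/rg-1/providers/Microsoft.Web/sites/app-1": [WS3],
    "/subscriptions/sub-d/resourceGroups/rg-9/providers/Microsoft.Compute/virtualMachines/vm-9": [WS4],
}

# Constructed: (principalId, roleDefinitionName, scope) triples, i.e. the fields
# a practitioner would read out of `az role assignment list`.
MI_PRINCIPAL = "00000000-0000-0000-0000-00000000a1e7"  # hypothetical managed identity
ROLE_ASSIGNMENTS: List[Tuple[str, str, str]] = [
    (MI_PRINCIPAL, "Reader", "/subscriptions/sub-a"),  # inherited by Workspace-1
    (MI_PRINCIPAL, "Reader", WS2),                      # direct on Workspace-2
    ("11111111-1111-1111-1111-111111111111", "Reader", WS3),  # someone else, not the MI
    (MI_PRINCIPAL, "Reader", "/subscriptions/sub-d"),  # covers Workspace-4, out of scope
]


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """Azure RBAC inherits down the hierarchy: an assignment at a subscription
    or resource group applies to every resource below it. Compare whole path
    segments, case-insensitively, so 'sub-a' never matches 'sub-ab'."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def workspaces_for_alert(alert_scope: str,
                         resource_to_workspaces: Dict[str, Sequence[str]]) -> Set[str]:
    """Every workspace holding data for a resource inside the alert's scope,
    regardless of which subscription the workspace itself lives in."""
    return {ws for res, wss in resource_to_workspaces.items()
            if scope_covers(alert_scope, res) for ws in wss}


def has_read_access(principal: str, workspace_id: str,
                    assignments: Iterable[Tuple[str, str, str]],
                    read_roles: Sequence[str] = ("Reader",)) -> bool:
    """True if the principal holds an accepted reader role at the workspace
    or at any ancestor scope. Only 'Reader' is accepted by default (assumption)."""
    return any(p == principal and role in read_roles and scope_covers(scope, workspace_id)
               for p, role, scope in assignments)


def missing_reader(principal: str, alert_scope: str,
                   resource_to_workspaces: Dict[str, Sequence[str]],
                   assignments: Iterable[Tuple[str, str, str]],
                   read_roles: Sequence[str] = ("Reader",)) -> List[str]:
    """Workspaces the alert will query on which the principal has no reader role.
    A non-empty result means the rule would fail to read some of its data."""
    assignments = list(assignments)
    return sorted(ws for ws in workspaces_for_alert(alert_scope, resource_to_workspaces)
                  if not has_read_access(principal, ws, assignments, read_roles))


def workspace_subscription(workspace_id: str) -> str:
    """Subscription segment of a workspace resource ID (for reporting)."""
    return workspace_id.split("/")[2]


if __name__ == "__main__":
    scope = "/subscriptions/sub-a"
    touched = workspaces_for_alert(scope, RESOURCE_TO_WORKSPACES)
    print(f"Alert scoped to {scope} reads {len(touched)} workspace(s):")
    for ws in sorted(touched):
        print(f"  {ws.rsplit('/', 1)[-1]} in {workspace_subscription(ws)}")
    gaps = missing_reader(MI_PRINCIPAL, scope, RESOURCE_TO_WORKSPACES, ROLE_ASSIGNMENTS)
    for ws in gaps:
        print(f"MISSING reader role for {MI_PRINCIPAL} on {ws}")
```

With the constructed data the rule scoped to `/subscriptions/sub-a` reads Workspace-1, Workspace-2 and Workspace-3, and the check reports Workspace-3 as the gap: the identity's subscription-level `Reader` on Subscription-A covers only Workspace-1, and its assignment on Subscription-D is irrelevant because vm-9 is outside the alert's scope. When the rule uses no managed identity, run the same check with the object ID of the user or service principal that last edited the rule, since that is whose permissions the query will be evaluated under.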
* If the query is accessing a Log Analytics workspace, the identity must be assigned a *reader* role for all workspaces that the query accesses. If you're creating resource-centric log search alerts, the alert rule might access multiple workspaces, and the identity must have a reader role on all of them. | ||
* If the query is accessing a Log Analytics workspace, the identity must be assigned a *reader* role for all workspaces that the query accesses. If you're creating resource-centric log search alerts (scoped to a subscription or resource group), if the alert rule is scoped to a subscription for example, the identity must have reader access to all Log Analytics workspaces containing data for any resource within that subscription, even if those workspaces are in different subscriptions. This requirement also applies when a managed identity is not used and the alert is relying on the permissions of the user or service principal that last edited it. | ||
**Example:**<br> |
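Review bot: the rewritten bullet says the same thing twice, first in the parenthetical "(scoped to a subscription or resource group)" and then in "if the alert rule is scoped to a subscription for example", which leaves the sentence without a clear main clause. Suggest collapsing it to "If you're creating resource-centric log search alerts scoped to a subscription or resource group, the identity must have reader access to all Log Analytics workspaces that contain data for any resource within that scope, even if those workspaces are in different subscriptions." The final sentence about rules that don't use a managed identity is the important new point; it reads more clearly as its own bullet so it is not lost at the end of the long one.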
Copilot (AI) commented on Oct 27, 2025:
The `<br>` HTML tag is unnecessary here. Markdown formatting with a blank line before the example content will provide proper spacing without requiring HTML.
**Example:**<br> | |
**Example:** |
Workspace-1 (located in Subscription-A) | ||
Workspace-2 (located in Subscription-B) | ||
Workspace-3 (located in Subscription-C) |
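Review bot: the example lists three workspaces in three subscriptions but never states the alert rule's scope or which in-scope resources send their data to each workspace, so on its own it does not show the cross-subscription point the paragraph above makes. Suggest introducing the list with the assumed scope, for example "An alert rule scoped to Subscription-A, whose resources send logs to:", and closing it with the conclusion the reader should draw: the identity (or the last editor, when no managed identity is used) needs reader access on all three workspaces even though only Workspace-1 is in Subscription-A.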
Copilot (AI) commented on Oct 27, 2025:
These list items lack proper Markdown formatting. They should use either bullets (- or *) or numbered list syntax for better readability and consistent rendering.
Workspace-1 (located in Subscription-A) | |
Workspace-2 (located in Subscription-B) | |
Workspace-3 (located in Subscription-C) | |
* Workspace-1 (located in Subscription-A) | |
* Workspace-2 (located in Subscription-B) | |
* Workspace-3 (located in Subscription-C) |
Can you review the proposed changes? IMPORTANT: When the changes are ready for publication, add the #label:"aq-pr-triaged"