Log Analytics API Data Access with Service Principals

As IT professionals look to the cloud for solutions, more and more of us are starting to utilise Log Analytics, whether to underpin other services and solutions or to write our own custom log collection scripts. It is becoming a key piece of many deployments.

As much as I love using Kusto (KQL), Log Analytics Workbooks are very tedious to create and can take a long time to get right; to those that have gone to the effort of doing so, I tip my hat to you!!

Because of this tedious nature, I decided I wanted to get the data into Power BI, which is easy enough when you authenticate with your organisational account, but the problem with this is just that: it ties it to that org account. Using service principals (App Registrations) removes such reliance.

This post will not focus on getting the data into Power BI; there will be further posts to follow on such subjects. It will focus on authenticating and retrieving the data using the API, with the tool shown in my case being PowerShell.


For this post we will need the following;

Granting Authorisation

Log Analytics Data

When you create an Application Registration, you will have a service principal that you can use to grant access to resources. For example, if I created a registration with the name EUC365 - Reporting, it would show as below.

[Image: Service Principal Display]

This is the principal we will be using to grant access to the Log Analytics workspace to consume your data. The only thing we can do with this data is read it, so we will only be granting Reader access to the data. To grant authorisation, follow the steps below.

  1. Locate the Log Analytics workspace you wish to use
  2. In the left-hand pane select Access Control (IAM).
  3. Select the Role Assignments tab
  4. Click Add > Add role assignment
  5. Select Reader from the Role pane, then click Next
  6. Member type should be User, group, or service principal
  7. Click + Select Members
  8. Search for the name of the service principal you created earlier, then click Select
  9. Click Review + assign, and then click it again
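
The Reader-only, workspace-only intent of these steps can be verified from PowerShell. The following is an added example, not part of the original post: it flags any role assignment that is not Reader scoped exactly to the workspace. The function name, the resource IDs and the sample assignments are constructed; in a live tenant the input would be the output of `Get-AzRoleAssignment -ObjectId` for the service principal.

```powershell
# Added example: audit a service principal's role assignments for least privilege.
# Input objects need RoleDefinitionName and Scope, as Get-AzRoleAssignment returns.
function Get-ExcessRoleAssignment {
    param (
        [Parameter(Mandatory = $true)]
        [object[]]$Assignment,
        [Parameter(Mandatory = $true)]
        [string]$WorkspaceResourceId,
        [string]$AllowedRole = 'Reader'
    )
    $expected = $WorkspaceResourceId.TrimEnd('/')
    foreach ($a in $Assignment) {
        $scope = ([string]$a.Scope).TrimEnd('/')
        $reasons = @()
        if ($a.RoleDefinitionName -ne $AllowedRole) {
            $reasons += "role is '$($a.RoleDefinitionName)', expected '$AllowedRole'"
        }
        # String -ne is case-insensitive in PowerShell, as are ARM resource IDs.
        if ($scope -ne $expected) {
            if ($expected.StartsWith("$scope/", [System.StringComparison]::OrdinalIgnoreCase)) {
                $reasons += 'scope is broader than the workspace (inherited assignment)'
            } else {
                $reasons += 'scope is a different resource'
            }
        }
        if ($reasons) {
            [pscustomobject]@{
                Role   = $a.RoleDefinitionName
                Scope  = $a.Scope
                Reason = $reasons -join '; '
            }
        }
    }
}

# Constructed placeholder IDs and assignments (not values from the post).
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$ws  = "$sub/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-example"
$sample = @(
    [pscustomobject]@{ RoleDefinitionName = 'Reader';      Scope = $ws }   # expected assignment
    [pscustomobject]@{ RoleDefinitionName = 'Reader';      Scope = $sub }  # too broad
    [pscustomobject]@{ RoleDefinitionName = 'Contributor'; Scope = $ws }   # too powerful
)
Get-ExcessRoleAssignment -Assignment $sample -WorkspaceResourceId $ws | Format-List
```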

The principal now has access to read the data; however, we have not yet granted access to the actual API from the service principal, so let's take a look at that in the next section.

API Authorisation

Let's dive straight into this. To grant authorisation to the Log Analytics APIs, follow the steps below:

  1. Locate the Application Registration
  2. In the left-hand pane, select API permissions
  3. Click Add a permission
  4. Select the APIs my organisation uses tab
  5. Start typing Log Analytics in the search bar
  6. Select the Log Analytics API result
     [Image: Log Analytics API Selection]
  7. Select Application permissions.
  8. Select the Data.Read permission
  9. Click Add permissions
  10. Click Grant admin consent for
  11. Click Yes

This will now allow you to use the service principal to call the API.

Testing it out

Now that we have granted the service principal access to the data and the API, we can test it out. For this I will be using PowerShell, but you can use any client you wish, such as Postman, Python, etc.


Below is a quick script to gather the data in PowerShell. It will prompt you for the Tenant ID, Client ID, Client Secret and Workspace ID, then connect to Azure with the service principal and retrieve the data from the API.

param (
    [Parameter(Mandatory = $true)]
    [string]$TenantId,
    [Parameter(Mandatory = $true)]
    [string]$ClientId,
    [Parameter(Mandatory = $true)]
    [string]$ClientSecret,
    [Parameter(Mandatory = $true)]
    [string]$WorkspaceId
)

#Create the Service Principal Credential object
$SPCredentials = [System.Management.Automation.PSCredential]::new($ClientId, (ConvertTo-SecureString $ClientSecret -AsPlainText -Force))
#Connect to Azure with the Service Principal
Connect-AzAccount -Tenant $TenantId -Credential $SPCredentials -ServicePrincipal | Out-Null
#Request an access token for the Log Analytics API
$AccessToken = (Get-AzAccessToken -ResourceUrl "https://api.loganalytics.io").Token

#Get WUfB Reports Data
$WUfBReportsData = Invoke-RestMethod -Method Get -Uri "https://api.loganalytics.io/v1/workspaces/$WorkspaceId/query?query=UCClient | summarize arg_max(TimeGenerated,*) by AzureADDeviceId | project-away TenantId, TimeGenerated, AzureADTenantId, SourceSystem, Type" -Headers @{Authorization = "Bearer $AccessToken"}
#Display Columns
$WUfBReportsData.tables.columns
#Display Data Rows
$WUfBReportsData.tables.rows

The data you get back from the API will be broken down into columns and rows, and matching them up can be a bit of a pain. However, this post focuses on simply getting the data, not manipulating it; the manipulation will be done in Power BI, which will be covered in a future post.
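
For readers who want to match columns to rows in PowerShell itself, here is an added example that is not part of the original post. It converts the `tables` / `columns` / `rows` response into one object per row; the function name and the sample response (device IDs, names and versions) are constructed so that it runs without a tenant.

```powershell
# Added example: turn a Log Analytics query response into one object per row.
function ConvertFrom-LogAnalyticsTable {
    param (
        [Parameter(Mandatory = $true)]
        $Response,
        [string]$TableName = 'PrimaryResult'
    )
    $table = $Response.tables | Where-Object { $_.name -eq $TableName } | Select-Object -First 1
    if (-not $table) { throw "Response contains no table named '$TableName'." }

    # Values in each row appear in the same order as the entries in 'columns'.
    $names = @($table.columns | ForEach-Object { $_.name })
    foreach ($row in $table.rows) {
        if ($row.Count -ne $names.Count) {
            throw "Row has $($row.Count) values but the table defines $($names.Count) columns."
        }
        $record = [ordered]@{}
        for ($i = 0; $i -lt $names.Count; $i++) {
            $record[$names[$i]] = $row[$i]
        }
        [pscustomobject]$record
    }
}

# Constructed sample response in the shape the query API returns.
$sampleJson = @'
{
  "tables": [
    {
      "name": "PrimaryResult",
      "columns": [
        { "name": "AzureADDeviceId", "type": "string" },
        { "name": "DeviceName",      "type": "string" },
        { "name": "OSVersion",       "type": "string" }
      ],
      "rows": [
        [ "11111111-1111-1111-1111-111111111111", "PC-001", "Windows 11 23H2" ],
        [ "22222222-2222-2222-2222-222222222222", "PC-002", null ]
      ]
    }
  ]
}
'@

$devices = ConvertFrom-LogAnalyticsTable -Response ($sampleJson | ConvertFrom-Json)
$devices | Format-Table -AutoSize
```

With a live result, pass the object returned by `Invoke-RestMethod` as `-Response` instead of the parsed sample.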


This post has shown how to grant access to the Log Analytics API using a service principal, and how to retrieve the data using PowerShell. The data returned directly from the API needs some work to match it up to the columns, but it is usable data that can be used in Power BI or any other tool you wish to use.

I hope you found this post useful, and if you have any questions, please feel free to reach out to me!! If you have a function or code snippet that you think would be useful to others, please feel free to reach out to me and I will add it to the post.
