
Switch Log Analytics Permissions Model

So far, this series has consisted of the previous blog posts:


Log Analytics Design and Access

Create Inventory of Existing Log Analytics Workspaces


Next up, we'll focus on how to switch the permissions model for Log Analytics workspaces. You may recall that, until a few years ago, Log Analytics workspaces were harder to permission: if someone had access to a Log Analytics workspace, they could see every log generated by every resource sending data to it. This may not be desirable for larger companies, as different business units may never need to see logs generated for all resources in the Azure environment.


Resource-context is the access mode more and more enterprises are selecting when building out their Log Analytics workspaces. We've also covered that it's a great design selection for brand new Log Analytics workspaces. What about existing customers that may have some legacy Log Analytics workspaces deployed?


As a quick aside, until the end of this series I'll be showcasing the actual scripts. By the end of this series, you'll have a number of PowerShell scripts and a function that does the heavy lifting for you. It'll all live in a GitHub repo...after all, sharing is caring. If you're not as savvy with PowerShell, that should be where you pay the most attention (i.e. how to run the script or function from within the command prompt). If you're trying to learn PowerShell, hopefully showcasing my scripts helps you understand everything I'm doing, which is why I wanted to show more of what's going on inside each script!


After running my inventory script, you should have an idea of which Log Analytics workspaces are using resource-context and which aren't. You may want to change the Log Analytics workspaces one at a time rather than looping through each workspace and making all changes at once. The beauty is you can do it either way! There is no downtime in making this change, nor any type of service interruption.


So how do you change one Log Analytics workspace at a time? To start, you can change it within the Azure Portal or via PowerShell. Since not everyone is as savvy with PowerShell, let's start by editing this configuration from within the Azure Portal.


Inside the Azure Portal, find the Log Analytics workspace that you need to switch the permissions model for. Use the workspaces from the inventory script to help you locate the names used for older workspaces. Once you have selected the workspace, under General, select Properties. In the window that expands to the right, you will see things like Workspace ID, Resource ID, Subscription Name, and Subscription ID. If you move down to the bottom of that screen, you will see Access control mode. If you're on Workspace-context, you will see Use resource or workspace permissions (click to change). Click the hyperlink and that will switch the access mode to resource-context for the Log Analytics workspace you selected.

You may find that you want a more programmatic way of switching your Log Analytics workspace access modes. Please reference the following script:

Here is the actual script so you can copy/paste:

[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)]
    [string]$workspaceName
)

# Restrict the lookup to workspaces so another resource type that shares the name is not picked up.
$workspace = Get-AzResource -Name $workspaceName -ResourceType 'Microsoft.OperationalInsights/workspaces' -ExpandProperties

# Older workspaces have no enableLogAccessUsingOnlyResourcePermissions property at all,
# so it has to be added before it can be set.
if ($null -eq $workspace.Properties.features.enableLogAccessUsingOnlyResourcePermissions)
{
    $workspace.Properties.features | Add-Member -NotePropertyName enableLogAccessUsingOnlyResourcePermissions -NotePropertyValue $true -Force
}
else
{
    $workspace.Properties.features.enableLogAccessUsingOnlyResourcePermissions = $true
}

# Write the modified properties back; without this the change never leaves the local object.
Set-AzResource -ResourceId $workspace.ResourceId -Properties $workspace.Properties -Force

This PowerShell script takes the workspace name, queries the resource, checks to see what the access mode is, and if not at the resource permissions, the script switches that for a singular Log Analytics workspace.


If you have a number of Log Analytics workspaces, you may want to switch all at once. Going into the portal and switching this for the number of workspaces you have will be time consuming. Additionally, running this script for each Log Analytics workspace will also take time.


You may now be wondering if there's a way to loop through all workspaces and switch the context. Good news! THERE IS A WAY TO ACCOMPLISH THIS TASK! Remember, my examples will lean on PowerShell and I'm pretty positive you can accomplish the same task with the Az-CLI. Also, the offer still stands: if you want to help me create the same scripts for the Az-CLI, please message me or comment on this post.


Please reference the following script:

If you want to copy/paste before this series is in its final form, please reference the text below in the code block.

# Resource Graph returns every workspace the signed-in account can read, across all subscriptions in scope.
$workspaces = Search-AzGraph -Query "where type =~ 'Microsoft.OperationalInsights/workspaces'" -First 1000

ForEach ($workspace in $workspaces) {
    # Re-read the full resource through ARM so the properties written back are current and complete.
    $resource = Get-AzResource -ResourceId $workspace.id -ExpandProperties

    # A missing property (older workspaces) has to be added; an existing one is simply set.
    if ($null -eq $resource.Properties.features.enableLogAccessUsingOnlyResourcePermissions)
    {
        $resource.Properties.features | Add-Member -NotePropertyName enableLogAccessUsingOnlyResourcePermissions -NotePropertyValue $true -Force
    }
    else
    {
        $resource.Properties.features.enableLogAccessUsingOnlyResourcePermissions = $true
    }

    Set-AzResource -ResourceId $resource.ResourceId -Properties $resource.Properties -Force
}

As you may recall, the "enableLogAccessUsingOnlyResourcePermissions" is hidden a few levels deep within the "Microsoft.OperationalInsights/workspaces" objects. Dotted notation brings the specific objects to the surface for you to both query and configure. It's pretty cool!
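A read-back check, added here as an example that is not part of the original post (the function name and its output fields are my own choices): it walks the same dotted path through ARM for each workspace and reports the effective access mode, treating a missing property the same as $false, so you can confirm the switch actually persisted.

```powershell
# Added example, not from the original post. Reads each workspace back through ARM
# and reports its effective access mode, so a bulk switch can be verified.
# The function name and output fields are my own choices.
function Get-LaWorkspaceAccessMode {
    [CmdletBinding()]
    param(
        # Workspace resource IDs to check. When omitted, every workspace visible
        # to the signed-in account is pulled from Resource Graph.
        [string[]]$ResourceId
    )

    if (-not $ResourceId) {
        $query = "Resources | where type =~ 'Microsoft.OperationalInsights/workspaces' | project id"
        $ResourceId = (Search-AzGraph -Query $query -First 1000).id
    }

    foreach ($id in $ResourceId) {
        $ws   = Get-AzResource -ResourceId $id -ExpandProperties
        $flag = $ws.Properties.features.enableLogAccessUsingOnlyResourcePermissions

        # Only an explicit $true means resource-context; $false and a missing
        # property (older workspaces) both leave the workspace on workspace-context.
        $mode = if ($flag -eq $true) { 'Resource-context' } else { 'Workspace-context' }

        [pscustomobject]@{
            Name       = $ws.Name
            ResourceId = $ws.ResourceId
            AccessMode = $mode
        }
    }
}

# Usage: list only the workspaces that still need switching.
Get-LaWorkspaceAccessMode | Where-Object AccessMode -eq 'Workspace-context'
```

Because the check goes through ARM rather than Resource Graph, it reflects the change immediately instead of waiting for the Resource Graph index to catch up.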


So this leaves us with what's left...and that's at least 2 more blog posts:

1) How to change the SKU of your Log Analytics workspace. Since everything now defaults to the per GB model for net new workspaces, you will need to lean on a script to change the SKU (at least as far as I can tell - I'm willing to alter my perspective if you tell me you can change this from within the portal).

2) How to switch Azure Resources from 1 Log Analytics workspace to another Log Analytics workspace, with the hope of consolidating all resources into a new resource-context workspace.


Hopefully you're finding these blog posts insightful. My hope (as always) is to showcase some of the stuff that you may not really know about so you can keep optimizing into the future of your digital transformation.


...and with that...until next time!
