
Create AAD Logs redirection from another tenant with Azure CLI in Bash

I often need to send logs to Log Analytics from a demo tenant which does not have Azure Subscription.

✅ This guide is based on deep-diver-azure-ad-b2c-azure-monitor, which in turn is based on the Azure AD B2C guide for a similar use case.

Pre-reqs

  • Azure Cloud Shell (Bash), or a suitable Linux distribution with the Azure CLI installed

Guide

In the AAD tenant where you want the logs to be redirected FROM

  1. Create a group and take note of its objectId
  2. Copy the tenantId (the tenant the group belongs to)

In The subscription where the logs will be redirected TO

  1. Create a new RG and Log Analytics workspace, and take note of the resource group name (depl.sh):

```bash
# Define starting variables
rnd=$RANDOM
autodg=redirectLogs-$rnd
rg=RG-redirectLogs-$rnd
location=westeurope
# Create Resource Group
az group create -n $rg \
-l $location \
--tags="svc=autoDiag"
# Create the Log Analytics workspace in the new resource group
az monitor log-analytics workspace create --location $location -g $rg -n laws${autodg}
```

  2. Populate redirectLogsParams.json with the values gathered in steps 1-2-3 (group objectId, tenantId and resource group name)

```json
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "mspOfferName": {
            "value": "SecureCloudBlog AAD log redirect"
        },
        "rgName": {
            "value": "rg-redirectlogs-11978"
        },
        "mspOfferDescription": {
            "value": "Provide Azure Monitor for B2C resource"
        },
        "managedByTenantId": {
            "value": "<✅tenantId>"
        },
        "authorizations": {
            "value": [
                {
                    "principalId": "<✅GroupObjectId>",
                    "principalIdDisplayName": "Monitoring Contributor",
                    "roleDefinitionId": "749f88d5-cbae-40b8-bcfc-e573ddc772fa"
                }
            ]
        }
    }
}
```

  3. Create the deployment

```bash
# Subscription-scoped deployment; on newer Azure CLI versions the command is "az deployment sub create"
az deployment create --location $location --template-file redirectLogsTemplate.json --parameters @redirectLogsParams.json
```
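To avoid hand-editing the parameter file, the steps above can be scripted: the function below writes redirectLogsParams.json from the gathered values and refuses input that is not a GUID or that would delegate a broader role than Monitoring Contributor. This is an added example, not the post's own script; the GUIDs used as sample input are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: build redirectLogsParams.json
# from the values gathered above and sanity-check them before the deployment.
# Sample GUIDs used with it are constructed placeholders, not real tenant/group ids.
set -eu
# Built-in Monitoring Contributor role id, as used in the post's parameter file.
MONITORING_CONTRIBUTOR="749f88d5-cbae-40b8-bcfc-e573ddc772fa"
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}
# Built-in Owner, Contributor and User Access Administrator ids: far broader than log redirection needs.
is_privileged_role() {
  case "$1" in
    8e3af657-a8ff-443c-a75c-2fe8c4bcb635|\
    b24988ac-6180-42a0-ab88-20f7382dd24c|\
    18d7d88d-d35e-4fb5-a5c3-7773c20a72d9) return 0 ;;
    *) return 1 ;;
  esac
}
# build_params <managedByTenantId> <groupObjectId> <rgName> <roleDefinitionId> <outfile>
# Writes the parameter file; returns 1 (and writes nothing) on bad input.
build_params() {
  tenant="$1"; group="$2"; rg="$3"; role="$4"; out="$5"
  is_guid "$tenant" || { echo "managedByTenantId is not a GUID: $tenant" >&2; return 1; }
  is_guid "$group"  || { echo "principalId is not a GUID: $group" >&2; return 1; }
  is_guid "$role"   || { echo "roleDefinitionId is not a GUID: $role" >&2; return 1; }
  if is_privileged_role "$role"; then
    echo "refusing privileged roleDefinitionId $role" >&2; return 1
  fi
  cat > "$out" <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspOfferName": { "value": "SecureCloudBlog AAD log redirect" },
    "rgName": { "value": "$rg" },
    "mspOfferDescription": { "value": "Provide Azure Monitor for B2C resource" },
    "managedByTenantId": { "value": "$tenant" },
    "authorizations": { "value": [ {
      "principalId": "$group",
      "principalIdDisplayName": "Monitoring Contributor",
      "roleDefinitionId": "$role"
    } ] }
  }
}
EOF
}
```

Call it as `build_params "$tenantId" "$groupObjectId" "$rg" "$MONITORING_CONTRIBUTOR" redirectLogsParams.json` before running the deployment step.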

In the AAD tenant where you want the logs to be redirected FROM

  • Go to Azure AD, select the logs you want to be exported, and configure the export settings to send them to the Log Analytics workspace

https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview
