Insufficient permission to see Log Analytics logging step in Standard Logic App

Michal Pipal 25 Reputation points
2025-02-10T16:57:02.29+00:00

I have a Standard Logic App that uses the Azure Log Analytics Data Collector connector to send logs to Log Analytics (LA).

In the 'connections.json' definition, I am referencing most of the values from Environment Variables:

{
    "managedApiConnections": {
        "azureloganalyticsdatacollector": {
            "api": {
                "id": "@appsetting('log_connection_api_id')"
            },
            "authentication": {
                "type": "ManagedServiceIdentity"
            },
            "connection": {
                "id": "@appsetting('log_connection_id')"
            },
            "connectionRuntimeUrl": "@appsetting('log_connection_runtime_url')"
        }
    }
}

I have the app deployed in multiple environments. On TST, I am the Owner of the application, and when I open any run, I can see and investigate the logging step and its inputs.

However, I am only a Reader and Monitoring Reader in the ACC and PRD environment. When I open the app, I see all the steps successfully except for the logging step. It is throwing an error that it is apparently not able to access Environment Variables somehow.


In the Network tab, I see this strange request done by Azure Designer.


I've tried to assign the Logic Apps Standard Reader (Preview) role, but it didn't help. It works when I assign myself either Logic Apps Standard Developer (Preview), Contributor, or Owner. But this also gives me permission to modify the app, which I don't want.

Is there some role that allows me to see the run without issues and also restricts me from doing any modification to PRD apps? After all, I just want to see the app details, not modify anything.


2 answers

  1. Sai Prabhu Naveen Parimi 0 Reputation points Microsoft Vendor
    2025-02-11T21:50:52.79+00:00

    Hello Michal Pipal

    Since Logic Apps Standard Reader (Preview) already includes Microsoft.Web/sites/config/appsettings/read, but you're still unable to access the logging step, it might not be a missing permission issue but rather how log access is handled in your environment.

    You might need additional permissions like:

    • Microsoft.Insights/logProfiles/read – This allows access to log profiles.
    • Microsoft.OperationalInsights/workspaces/query/read – This grants permission to query Log Analytics workspaces.

    If your logs are being sent to Azure Monitor Log Analytics, you might need explicit access to the Log Analytics workspace itself. You can refer to this Microsoft document for details on managing Log Analytics workspace permissions: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/manage-access?tabs=portal

    Could you check if you have the necessary permissions there? That might resolve the issue.


  2. RithwikBojja 75 Reputation points Microsoft Vendor
    2025-02-13T06:34:11.3733333+00:00

    Hi @Michal Pipal,

    When you assign the Logic Apps Standard Reader (Preview) role, you will not have privileges to read the Environment Variables, Parameters, Read/write app settings.

    Even the Logic App Standard Operator (Preview) role allows you to Trigger/resubmit runs but not access the variables.

    So, the only option is that you have to use the Logic App Standard Operator Developer or Contributor Role, as it gives the Log Analytics connector access to the Variables.


    Also refer to this Microsoft-Tech-Blog by @WSilveira, which says the same.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.
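
Both answers turn on which actions a role definition actually grants. As an added example (not part of the thread and not Microsoft tooling), this Python script evaluates the `actions`/`notActions` of a role definition against the three actions named in the first answer; the role definitions and helper names are constructed for illustration and are not the real built-in or preview roles.

```python
import re

# Actions named in the first answer above.
PAGE_ACTIONS = [
    "Microsoft.Web/sites/config/appsettings/read",
    "Microsoft.Insights/logProfiles/read",
    "Microsoft.OperationalInsights/workspaces/query/read",
]

# Constructed role definitions, shaped like `az role definition list` output.
# They are NOT the real definitions of any built-in or preview role.
CONSTRUCTED_ROLES = [
    {"roleName": "constructed-broad-reader",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "constructed-scoped-reader",
     "permissions": [{
         "actions": ["Microsoft.Web/sites/*/read",
                     "Microsoft.OperationalInsights/workspaces/*"],
         "notActions": ["Microsoft.OperationalInsights/workspaces/query/*"],
     }]},
]

def _matches(pattern, action):
    """Azure RBAC patterns use only '*' as a wildcard and are case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_allows(role, action):
    """True if one permission block grants the action: actions minus notActions."""
    for perm in role.get("permissions", []):
        granted = any(_matches(p, action) for p in perm.get("actions", []))
        excluded = any(_matches(p, action) for p in perm.get("notActions", []))
        if granted and not excluded:
            return True
    return False

def coverage(role, actions=PAGE_ACTIONS):
    """Map each action to whether this single role definition covers it."""
    return {a: role_allows(role, a) for a in actions}

if __name__ == "__main__":
    for role in CONSTRUCTED_ROLES:
        print(role["roleName"])
        for action, ok in coverage(role).items():
            print(f"  {'granted' if ok else 'MISSING'}  {action}")
```

To check a real role, replace the constructed entries with the JSON returned by `az role definition list --name "<role name>"`. The script looks at one role definition only; assignment scope, deny assignments and `dataActions` are not evaluated.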

