Hi All. I granted a user monitoring reader role but found out that they are still unable to access the application service log stream. Can someone confirm what permissions are required for access to the application service log stream.

Hi @MrFlinstone Thanks for posting the question. I see that you are trying to understand the minimum permission required to access the "AppService Log Stream". Please note that the "Monitoring Reader" role provides access to "monitoring" data i.e., the metrics and AppServiceHTTPLogs and AzureMetrics table in Logs. However, the log files can contain sensitive information, such as IP addresses or usernames. In order to avoid unauthorized access to such sensitive information, Contributor or Owner roles are required. You may refer to the following link for more details on it - Security considerations for monitoring data . Please let me know if you have any questions. --- Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

Granting access to Azure application service log stream

Accepted answer

AnuragSingh-MSFT 21,486 Reputation points

2022-06-07T08:16:33.607+00:00

Hi @MrFlinstone

Thanks for posting the question.

I see that you are trying to understand the minimum permission required to access the "AppService Log Stream". Please note that the "Monitoring Reader" role provides access to "monitoring" data i.e., the metrics and AppServiceHTTPLogs and AzureMetrics table in Logs. However, the log files can contain sensitive information, such as IP addresses or usernames. In order to avoid unauthorized access to such sensitive information, Contributor or Owner roles are required. You may refer to the following link for more details on it - Security considerations for monitoring data.

Please let me know if you have any questions.

---
Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.
Please sign in to rate this answer.

2 people found this answer helpful.
Martin 31 Reputation points

2024-02-14T08:42:12.69+00:00

So to read, I must have roles that have ability to make changes? Seems less secure to me.

Pascal Batzli Jr 35 Reputation points

2024-04-26T12:01:35.63+00:00

That does not make any sense whatsoever.
A Contributor can make chances to the entire subscription.
I trust the user to see the sensitive information, but I don't want the user to be able to make changes to the environment.
What an awful, terrible and nonsensical way to handle this

Vector BCO 146 Reputation points

2024-09-02T07:43:16.3766667+00:00

I agree that this answer have no sense
We could have contributor role with PIM, but would be nice to read logs without PIM

Shahjahan T 10 Reputation points

2024-12-10T05:37:53.6433333+00:00

This seems to be less secure. Just with assumption that log files may contain sensitive information, you have to give the developers contributor role, which make it less secure. We may not have those "sensitive" or may not want them to be protected in non-production.

This is like "Big Brother" stepping in and outlawing bacon to protect the one person that eats too much bacon, ruining it for everybody else.

Just add a big warning somehow. Or include a special role like "Azure Functions Reader-WithConfigVisibility", followed by "Azure Functions Reader-WithoutConfigVisibility"

MichaelSilverman-1518 11 Reputation points

2025-02-19T19:47:14.5366667+00:00

Couldn't agree more! Read access is intended to provide the ability to see what's there, period. To give someone the ability to see what's there requiring the additional ability to make changes is absolute nonsense! This would fail an audit instantly! On top of that, what if we needed to have these logs ingested into a SIEM? The SIEM would need write access? Yikes.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Granting access to Azure application service log stream

0 additional answers

Your answer