Azure permissions over microsoft.aadiam/diagnostic

Published 2019-04-14 11:27

Question:

I'm trying to call the above API provider via REST with the following URL: https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings with api-version=2017-04-01-preview

However, even though the Service Principal I am using is a member of the "Global Administrator" role in my AAD tenant, I am getting a "does not have authorization to perform action" error.

This endpoint doesn't seem to be documented though. Anybody know what is required to call this API endpoint with a service principal?

Thanks, David

Answer 1:

Try adding a custom role with the action microsoft.aadiam/diagnosticsettings/write to your AD app.

According to the doc, you can use a custom role to perform the operation.

This article lists the operations available for each Azure Resource Manager resource provider. These operations can be used in custom roles to provide granular role-based access control (RBAC) to resources in Azure.

For more details on creating the custom role, refer to this link.

Sample:

{
  "Name": "Test Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "xxxxxx",
  "Actions": [
    "microsoft.aadiam/diagnosticsettings/write",
    "microsoft.aadiam/diagnosticsettings/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/subscriptions/{subscriptionId3}"
  ]
}

Update:

You can use a user account with the Global Administrator role; refer to the steps below.

1. Navigate to Azure Active Directory -> Diagnostic settings -> Add diagnostic setting -> set the properties, open the Developer Tools (F12) -> Save.

2. In the request we captured, copy the Bearer token.

3. Then we can test the API in Postman.

Request URL:

PUT https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/{name}?api-version=2017-04-01-preview

Request Header:

Request Body:

{
  "properties": {
    "logs": [
      {
        "category": "AuditLogs",
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      },
      {
        "category": "SignInLogs",
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      }
    ],
    "metrics": [],
    "storageAccountId": "/subscriptions/xxxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/xxx"
  }
}

It works on my side.
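As an added example (not code from the question or the answers), the following Python helper checks whether a custom role definition like the one above covers a given operation, using Azure RBAC's case-insensitive "*" wildcard and NotActions semantics, and assembles the PUT request for the diagnosticSettings endpoint. The function names, the Authorization/Content-Type headers and the sample values are assumptions; no network call is made.

```python
"""Added example, not from the original post: evaluate an Azure custom
role definition against a Resource Manager operation (Actions minus
NotActions, case-insensitive, '*' wildcards) and build the PUT request
for microsoft.aadiam/diagnosticSettings. Helper names are hypothetical."""
import fnmatch

ARM = "https://management.azure.com"
API_VERSION = "2017-04-01-preview"

# Constructed sample: the custom role from the answer, with actions quoted.
CUSTOM_ROLE = {
    "Name": "Test Operator",
    "IsCustom": True,
    "Actions": [
        "microsoft.aadiam/diagnosticsettings/write",
        "microsoft.aadiam/diagnosticsettings/read",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/{subscriptionId1}"],
}


def _matches(pattern: str, operation: str) -> bool:
    # RBAC operation strings compare case-insensitively; a '*' may span
    # several '/'-separated segments, which fnmatch's '*' also does.
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def role_allows(role: dict, operation: str) -> bool:
    """True if `operation` is covered by Actions and not by NotActions."""
    granted = any(_matches(p, operation) for p in role.get("Actions", []))
    denied = any(_matches(p, operation) for p in role.get("NotActions", []))
    return granted and not denied


def diagnostic_settings_body(storage_account_id: str, categories: dict) -> dict:
    """PUT body; `categories` maps a log category to its enabled flag."""
    logs = [{"category": cat, "enabled": on,
             "retentionPolicy": {"days": 0, "enabled": False}}
            for cat, on in categories.items()]
    return {"properties": {"logs": logs, "metrics": [],
                           "storageAccountId": storage_account_id}}


def build_put_request(setting_name: str, bearer_token: str) -> tuple:
    """URL and headers for PUT .../diagnosticSettings/{name} (assumed headers)."""
    url = (f"{ARM}/providers/microsoft.aadiam/diagnosticSettings/"
           f"{setting_name}?api-version={API_VERSION}")
    headers = {"Authorization": f"Bearer {bearer_token}",
               "Content-Type": "application/json"}
    return url, headers
```

Run role_allows against the operation named in the error message before assigning the role, so a missing or misspelled action shows up locally rather than as another authorization failure from the API.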



Answer 2:

I tested it with a global administrator user; it works correctly for me.

The following are the detailed steps:

1. Create a native Azure AD application and grant permissions to it.

2. Create a global administrator user; please also change the default password.

Note: the user format should be xxxx@xxx.onmicrosoft.com, or you can't use the password flow to get the token, based on my test.

3. Assign the Owner role on the subscription.

4. Then we can use the following request to get the access token:

POST https://login.windows.net/<tenant-id>/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=password
&resource={resource}
&username={username}
&password={password}
&client_id={client-id}

5. Try to operate on the diagnosticSettings:

PUT https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/{name}?api-version=2017-04-01-preview

{
  "properties": {
    "logs": [
      {
        "category": "AuditLogs",
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      },
      {
        "category": "SignInLogs",
        "enabled": false,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      }
    ],
    "metrics": [],
    "storageAccountId": "/subscriptions/{subscriptionId}/resourceGroups/{groupname}/providers/Microsoft.Storage/storageAccounts/{accountName}"
  }
}