diff --git a/Workbooks/Azure Monitor - Workspaces/Enable MSFT tenant access/Enable MSFT tenant access.workbook b/Workbooks/Azure Monitor - Workspaces/Enable MSFT tenant access/Enable MSFT tenant access.workbook index e8363a8362..dc1b7835a4 100644 --- a/Workbooks/Azure Monitor - Workspaces/Enable MSFT tenant access/Enable MSFT tenant access.workbook +++ b/Workbooks/Azure Monitor - Workspaces/Enable MSFT tenant access/Enable MSFT tenant access.workbook @@ -5,6 +5,9 @@ "type": 9, "content": { "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], "parameters": [ { "id": "a4d95587-00b7-4d45-abf1-feb520150be4", @@ -36,26 +39,59 @@ "queryType": 1, "resourceType": "microsoft.resourcegraph/resources" }, + { + "id": "e7b3a1d4-5f9c-4b2e-8d6a-1c0f3e7b9a5d", + "version": "KqlParameterItem/1.0", + "name": "apiVersion", + "type": 1, + "query": "resources | where id =~ \"{Workspace}\" | extend endpoint = tostring(properties.metrics.prometheusQueryEndpoint) | extend cloud = case(endpoint endswith \"prometheus.monitor.azure.us\", \"FF\", endpoint endswith \"prometheus.monitor.azure.cn\", \"MC\", \"AME\") | project iff(cloud == \"AME\", \"2025-05-01-preview\", \"2025-05-03-preview\")", + "crossComponentResources": [ + "{Workspace}" + ], + "isHiddenWhenLocked": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, { "id": "f1ef748f-0cc7-4378-a7cb-11a53b5d229d", "version": "KqlParameterItem/1.0", "name": "allowedTenants", "type": 1, - "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"{Workspace}\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2023-04-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.properties.allowedTenantsForQuery\",\"columns\":[]}}]}", + "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"{Workspace}\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"{apiVersion}\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.properties.allowedTenantsForQuery\",\"columns\":[]}}]}", "isHiddenWhenLocked": true, "queryType": 12 + }, + { + "id": "c3e5a7d1-8f6b-4c2a-9e1d-7a3b5f9d2e4c", + "version": "KqlParameterItem/1.0", + "name": "selectedTenant", + "label": "Target Tenant(s)", + "type": 2, + "description": "Tenants available for cross-tenant query access, auto-detected from workspace cloud. AME workspaces → CORP. Fairfax/Mooncake workspaces → AME and/or Torus.", + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "resources | where id =~ \"{Workspace}\" | extend endpoint = tostring(properties.metrics.prometheusQueryEndpoint) | extend cloud = case(endpoint endswith \"prometheus.monitor.azure.us\", \"FF\", endpoint endswith \"prometheus.monitor.azure.cn\", \"MC\", \"AME\") | extend corp = pack(\"label\", \"CORP (72f988bf-86f1-41af-91ab-2d7cd011db47)\", \"value\", \"72f988bf-86f1-41af-91ab-2d7cd011db47\") | extend ame = pack(\"label\", \"AME (33e01921-4d64-4f8c-a055-5bdaffd5e33d)\", \"value\", \"33e01921-4d64-4f8c-a055-5bdaffd5e33d\") | extend torus = pack(\"label\", \"Torus (cdc5aeea-15c5-4db6-b079-fcadd2505dc2)\", \"value\", \"cdc5aeea-15c5-4db6-b079-fcadd2505dc2\") | project tenants = iff(cloud == \"AME\", pack_array(corp), pack_array(ame, torus)) | mv-expand tenants | project value = tostring(tenants.value), label = tostring(tenants.label)", + "crossComponentResources": [ + "{Workspace}" + ], + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "queryType": 1 } ], "style": "above", - "queryType": 0, - "resourceType": "microsoft.monitor/accounts" + "queryType": 1 }, "name": "Workbook parameters" }, { "type": 1, "content": { - "json": "# Enable Microsoft tenant access on your Azure Monitor workspace\r\n\r\nCurrently, only cross tenant access to Microsoft is permitted. Follow the steps below to enable MSFT tenant access on the Azure Monitor Workspace. " + "json": "# Enable cross-tenant query access on your Azure Monitor workspace\r\n\r\nSelect one or more target tenants from the **Target Tenant(s)** dropdown above, then follow the steps below to enable cross-tenant query access on the Azure Monitor Workspace.\r\n\r\n- **AME workspaces**: select CORP\r\n- **FF / MC workspaces**: select AME and/or Torus" }, "name": "header message" }, @@ -77,7 +113,7 @@ "id": "4746e96a-f82b-42c2-9060-d3efa5134dd8", "cellValue": "selectedTab", "linkTarget": "parameter", - "linkLabel": "1. Configure MSFT Tenant access", + "linkLabel": "1. Configure Tenant access", "subTarget": "one", "style": "primary" }, @@ -102,22 +138,17 @@ { "type": 1, "content": { - "json": " # Configure MSFT tenant access" + "json": " # Configure tenant access" }, "name": "step 1 header" }, { "type": 1, "content": { - "json": "Microsoft is already added to the list of allowed tenants", - "style": "success" - }, - "conditionalVisibility": { - "parameterName": "allowedTenants", - "comparison": "isEqualTo", - "value": "72f988bf-86f1-41af-91ab-2d7cd011db47" + "json": "Use the button below to set the target tenant(s) in `allowedTenantsForQuery` on the workspace. This is a PUT operation and will replace the current list.", + "style": "info" }, - "name": "step 1 success message" + "name": "step 1 info message" }, { "type": 11, @@ -129,7 +160,7 @@ "id": "e5dba35e-7a2a-44a9-a818-1d435fb9be70", "cellValue": "Allow", "linkTarget": "ArmAction", - "linkLabel": "Allow Microsoft tenant access", + "linkLabel": "Allow tenant access", "style": "primary", "linkIsContextBlade": true, "armActionContext": { @@ -138,24 +169,19 @@ "params": [ { "key": "api-version", - "value": "2023-04-01" + "value": "{apiVersion}" } ], - "body": "{ \r\n \"id\": \"{Workspace:id}\",\r\n \"location\": \"{location}\",\r\n \"name\": \"{Workspace:name}\",\r\n \"type\": \"microsoft.monitor/accounts\",\r\n \"properties\": {\r\n \"allowedTenantsForQuery\": [\"72f988bf-86f1-41af-91ab-2d7cd011db47\"]\r\n }\r\n}\r\n ", + "body": "{ \r\n \"id\": \"{Workspace:id}\",\r\n \"location\": \"{location}\",\r\n \"name\": \"{Workspace:name}\",\r\n \"type\": \"microsoft.monitor/accounts\",\r\n \"properties\": {\r\n \"allowedTenantsForQuery\": [\"{selectedTenant}\"]\r\n }\r\n}\r\n ", "httpMethod": "PUT", - "title": "Allow Microsoft tenant access", - "description": "{Workspace:grid}\n\nTenant to allow access: **72f988bf-86f1-41af-91ab-2d7cd011db47**\n\nClick on `Allow` to confirm adding MSFT tenant access to `{Workspace:name}`", - "actionName": "Allowing read access to Microsoft tenant", + "title": "Allow tenant access", + "description": "{Workspace:grid}\n\nTenant(s) to allow access: **{selectedTenant:label}**\n\nClick `Allow` to confirm updating allowed tenants on `{Workspace:name}`.", + "actionName": "Allowing read access to selected tenant(s)", "runLabel": "Allow" } } ] }, - "conditionalVisibility": { - "parameterName": "allowedTenants", - "comparison": "isNotEqualTo", - "value": "72f988bf-86f1-41af-91ab-2d7cd011db47" - }, "name": "allow" } ] @@ -186,7 +212,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"{Workspace}/accessPolicies\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2023-04-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value[*]\",\"columns\":[{\"path\":\"$.name\",\"columnid\":\"PolicyName\",\"columnType\":\"string\"},{\"path\":\"$.properties.principal.principalType\",\"columnid\":\"PrincipalType\",\"columnType\":\"string\"},{\"path\":\"$..properties.principal.objectId\",\"columnid\":\"ObjectId\",\"columnType\":\"string\"},{\"path\":\"$..id\",\"columnid\":\"Manage\",\"columnType\":\"string\"}]}}]}", + "query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"{Workspace}/accessPolicies\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"{apiVersion}\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value[*]\",\"columns\":[{\"path\":\"$.name\",\"columnid\":\"PolicyName\",\"columnType\":\"string\"},{\"path\":\"$.properties.principal.principalType\",\"columnid\":\"PrincipalType\",\"columnType\":\"string\"},{\"path\":\"$..properties.principal.objectId\",\"columnid\":\"ObjectId\",\"columnType\":\"string\"},{\"path\":\"$..id\",\"columnid\":\"Manage\",\"columnType\":\"string\"}]}}]}", "size": 1, "title": "Active access policies", "noDataMessage": "No access policies found", @@ -236,7 +262,7 @@ "params": [ { "key": "api-version", - "value": "2023-04-01" + "value": "{apiVersion}" } ], "httpMethod": "DELETE", @@ -258,7 +284,7 @@ { "type": 1, "content": { - "json": "# Add Access Policy\r\n\r\nFor the current workspace,\r\n\r\n{Workspace:grid}\r\n\r\nCreate or update `microsoft.monitor/accounts/data/metrics/read` access policy for the Object id from Microsoft Tenant." + "json": "# Add Access Policy\r\n\r\nFor the current workspace,\r\n\r\n{Workspace:grid}\r\n\r\nCreate or update `microsoft.monitor/accounts/data/metrics/read` access policy for the Object id from the selected tenant." }, "name": "Access policies action text" }, @@ -309,6 +335,25 @@ "description": "The AAD Object Id of the object you want to add an access policy for", "isRequired": true, "value": "" + }, + { + "id": "d2a1e9b3-7c4f-4a8e-b5d6-3f1c9e2a7b0d", + "version": "KqlParameterItem/1.0", + "name": "policyTenant", + "label": "Tenant", + "type": 10, + "description": "The tenant the principal belongs to. Auto-detected from workspace cloud: AME workspaces → CORP, Fairfax/Mooncake workspaces → AME or Torus.", + "isRequired": true, + "query": "resources | where id =~ \"{Workspace}\" | extend endpoint = tostring(properties.metrics.prometheusQueryEndpoint) | extend cloud = case(endpoint endswith \"prometheus.monitor.azure.us\", \"FF\", endpoint endswith \"prometheus.monitor.azure.cn\", \"MC\", \"AME\") | extend corp = pack(\"label\", \"CORP (72f988bf-86f1-41af-91ab-2d7cd011db47)\", \"value\", \"72f988bf-86f1-41af-91ab-2d7cd011db47\") | extend ame = pack(\"label\", \"AME (33e01921-4d64-4f8c-a055-5bdaffd5e33d)\", \"value\", \"33e01921-4d64-4f8c-a055-5bdaffd5e33d\") | extend torus = pack(\"label\", \"Torus (cdc5aeea-15c5-4db6-b079-fcadd2505dc2)\", \"value\", \"cdc5aeea-15c5-4db6-b079-fcadd2505dc2\") | project tenants = iff(cloud == \"AME\", pack_array(corp), pack_array(ame, torus)) | mv-expand tenants | project value = tostring(tenants.value), label = tostring(tenants.label)", + "crossComponentResources": [ + "{Workspace}" + ], + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" } ], "style": "formHorizontal", @@ -335,13 +380,13 @@ "params": [ { "key": "api-version", - "value": "2023-04-01" + "value": "{apiVersion}" } ], - "body": "{\r\n \"id\": \"{Workspace}/accessPolicies/{policyName}\",\r\n \"name\": \"{policyName}\",\r\n \"type\": \"microsoft.monitor/accounts/accessPolicies\",\r\n \"location\": \"{location}\",\r\n \"properties\": {\r\n \"principal\": {\r\n \"tenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\",\r\n \"objectId\": \"{objectId}\",\r\n \"principalType\": \"{principalType}\",\r\n \"azureCloud\": \"Public\"\r\n },\r\n \"actions\": [\r\n \"microsoft.monitor/accounts/data/metrics/read\"\r\n ]\r\n }\r\n}", + "body": "{\r\n \"id\": \"{Workspace}/accessPolicies/{policyName}\",\r\n \"name\": \"{policyName}\",\r\n \"type\": \"microsoft.monitor/accounts/accessPolicies\",\r\n \"location\": \"{location}\",\r\n \"properties\": {\r\n \"principal\": {\r\n \"tenantId\": \"{policyTenant}\",\r\n \"objectId\": \"{objectId}\",\r\n \"principalType\": \"{principalType}\",\r\n \"azureCloud\": \"Public\"\r\n },\r\n \"actions\": [\r\n \"microsoft.monitor/accounts/data/metrics/read\"\r\n ]\r\n }\r\n}", "httpMethod": "PUT", "title": "Add access policy", - "description": "\nClicking `Add` below create an access policy called `{policyName}` and will enable `microsoft.monitor/accounts/data/metrics/read` access for tenant `72f988bf-86f1-41af-91ab-2d7cd011db47` for Entra Object id `{objectId}` with principal type `{principalType}`.\n\nPlease double check these before completing.\n", + "description": "\nClicking `Add` below will create an access policy called `{policyName}` and enable `microsoft.monitor/accounts/data/metrics/read` access for tenant `{policyTenant}` for Entra Object id `{objectId}` with principal type `{principalType}`.\n\nPlease double check these before completing.\n", "actionName": "Add access policy", "runLabel": "Add" }