Skip to content

Update Enable MSFT tenant access workbook #3162

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
yves-chan wants to merge 1 commit into
base: master
Choose a base branch
from
+76 −31
Draft

Update Enable MSFT tenant access workbook #3162

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
107 changes: 76 additions & 31 deletions ...nitor - Workspaces/Enable MSFT tenant access/Enable MSFT tenant access.workbook
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,9 @@
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"{Workspace}"
],
"parameters": [
{
"id": "a4d95587-00b7-4d45-abf1-feb520150be4",
Expand Down Expand Up @@ -36,26 +39,59 @@
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "e7b3a1d4-5f9c-4b2e-8d6a-1c0f3e7b9a5d",
"version": "KqlParameterItem/1.0",
"name": "apiVersion",
"type": 1,
"query": "resources | where id =~ \"{Workspace}\" | extend endpoint = tostring(properties.metrics.prometheusQueryEndpoint) | extend cloud = case(endpoint endswith \"prometheus.monitor.azure.us\", \"FF\", endpoint endswith \"prometheus.monitor.azure.cn\", \"MC\", \"AME\") | project iff(cloud == \"AME\", \"2025-05-01-preview\", \"2025-05-03-preview\")",
"crossComponentResources": [
"{Workspace}"
],
"isHiddenWhenLocked": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "f1ef748f-0cc7-4378-a7cb-11a53b5d229d",
"version": "KqlParameterItem/1.0",
"name": "allowedTenants",
"type": 1,
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"{Workspace}\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2023-04-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.properties.allowedTenantsForQuery\",\"columns\":[]}}]}",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"{Workspace}\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"{apiVersion}\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.properties.allowedTenantsForQuery\",\"columns\":[]}}]}",
"isHiddenWhenLocked": true,
"queryType": 12
},
{
"id": "c3e5a7d1-8f6b-4c2a-9e1d-7a3b5f9d2e4c",
"version": "KqlParameterItem/1.0",
"name": "selectedTenant",
"label": "Target Tenant(s)",
"type": 2,
"description": "Tenants available for cross-tenant query access, auto-detected from workspace cloud. AME workspaces → CORP. Fairfax/Mooncake workspaces → AME and/or Torus.",
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "resources | where id =~ \"{Workspace}\" | extend endpoint = tostring(properties.metrics.prometheusQueryEndpoint) | extend cloud = case(endpoint endswith \"prometheus.monitor.azure.us\", \"FF\", endpoint endswith \"prometheus.monitor.azure.cn\", \"MC\", \"AME\") | extend corp = pack(\"label\", \"CORP (72f988bf-86f1-41af-91ab-2d7cd011db47)\", \"value\", \"72f988bf-86f1-41af-91ab-2d7cd011db47\") | extend ame = pack(\"label\", \"AME (33e01921-4d64-4f8c-a055-5bdaffd5e33d)\", \"value\", \"33e01921-4d64-4f8c-a055-5bdaffd5e33d\") | extend torus = pack(\"label\", \"Torus (cdc5aeea-15c5-4db6-b079-fcadd2505dc2)\", \"value\", \"cdc5aeea-15c5-4db6-b079-fcadd2505dc2\") | project tenants = iff(cloud == \"AME\", pack_array(corp), pack_array(ame, torus)) | mv-expand tenants | project value = tostring(tenants.value), label = tostring(tenants.label)",
"crossComponentResources": [
"{Workspace}"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"queryType": 1
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.monitor/accounts"
"queryType": 1
},
"name": "Workbook parameters"
},
{
"type": 1,
"content": {
"json": "# Enable Microsoft tenant access on your Azure Monitor workspace\r\n\r\nCurrently, only cross tenant access to Microsoft is permitted. Follow the steps below to enable MSFT tenant access on the Azure Monitor Workspace. "
"json": "# Enable cross-tenant query access on your Azure Monitor workspace\r\n\r\nSelect one or more target tenants from the **Target Tenant(s)** dropdown above, then follow the steps below to enable cross-tenant query access on the Azure Monitor Workspace.\r\n\r\n- **AME workspaces**: select CORP\r\n- **FF / MC workspaces**: select AME and/or Torus"
},
"name": "header message"
},
Expand All @@ -77,7 +113,7 @@
"id": "4746e96a-f82b-42c2-9060-d3efa5134dd8",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "1. Configure MSFT Tenant access",
"linkLabel": "1. Configure Tenant access",
"subTarget": "one",
"style": "primary"
},
Expand All @@ -102,22 +138,17 @@
{
"type": 1,
"content": {
"json": " # Configure MSFT tenant access"
"json": " # Configure tenant access"
},
"name": "step 1 header"
},
{
"type": 1,
"content": {
"json": "Microsoft is already added to the list of allowed tenants",
"style": "success"
},
"conditionalVisibility": {
"parameterName": "allowedTenants",
"comparison": "isEqualTo",
"value": "72f988bf-86f1-41af-91ab-2d7cd011db47"
"json": "Use the button below to set the target tenant(s) in `allowedTenantsForQuery` on the workspace. This is a PUT operation and will replace the current list.",
"style": "info"
},
"name": "step 1 success message"
"name": "step 1 info message"
},
{
"type": 11,
Expand All @@ -129,7 +160,7 @@
"id": "e5dba35e-7a2a-44a9-a818-1d435fb9be70",
"cellValue": "Allow",
"linkTarget": "ArmAction",
"linkLabel": "Allow Microsoft tenant access",
"linkLabel": "Allow tenant access",
"style": "primary",
"linkIsContextBlade": true,
"armActionContext": {
Expand All @@ -138,24 +169,19 @@
"params": [
{
"key": "api-version",
"value": "2023-04-01"
"value": "{apiVersion}"
}
],
"body": "{ \r\n \"id\": \"{Workspace:id}\",\r\n \"location\": \"{location}\",\r\n \"name\": \"{Workspace:name}\",\r\n \"type\": \"microsoft.monitor/accounts\",\r\n \"properties\": {\r\n \"allowedTenantsForQuery\": [\"72f988bf-86f1-41af-91ab-2d7cd011db47\"]\r\n }\r\n}\r\n ",
"body": "{ \r\n \"id\": \"{Workspace:id}\",\r\n \"location\": \"{location}\",\r\n \"name\": \"{Workspace:name}\",\r\n \"type\": \"microsoft.monitor/accounts\",\r\n \"properties\": {\r\n \"allowedTenantsForQuery\": [\"{selectedTenant}\"]\r\n }\r\n}\r\n ",
"httpMethod": "PUT",
"title": "Allow Microsoft tenant access",
"description": "{Workspace:grid}\n\nTenant to allow access: **72f988bf-86f1-41af-91ab-2d7cd011db47**\n\nClick on `Allow` to confirm adding MSFT tenant access to `{Workspace:name}`",
"actionName": "Allowing read access to Microsoft tenant",
"title": "Allow tenant access",
"description": "{Workspace:grid}\n\nTenant(s) to allow access: **{selectedTenant:label}**\n\nClick `Allow` to confirm updating allowed tenants on `{Workspace:name}`.",
"actionName": "Allowing read access to selected tenant(s)",
"runLabel": "Allow"
}
}
]
},
"conditionalVisibility": {
"parameterName": "allowedTenants",
"comparison": "isNotEqualTo",
"value": "72f988bf-86f1-41af-91ab-2d7cd011db47"
},
"name": "allow"
}
]
Expand Down Expand Up @@ -186,7 +212,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"{Workspace}/accessPolicies\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"2023-04-01\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value[*]\",\"columns\":[{\"path\":\"$.name\",\"columnid\":\"PolicyName\",\"columnType\":\"string\"},{\"path\":\"$.properties.principal.principalType\",\"columnid\":\"PrincipalType\",\"columnType\":\"string\"},{\"path\":\"$..properties.principal.objectId\",\"columnid\":\"ObjectId\",\"columnType\":\"string\"},{\"path\":\"$..id\",\"columnid\":\"Manage\",\"columnType\":\"string\"}]}}]}",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"{Workspace}/accessPolicies\",\"urlParams\":[{\"key\":\"api-version\",\"value\":\"{apiVersion}\"}],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$.value[*]\",\"columns\":[{\"path\":\"$.name\",\"columnid\":\"PolicyName\",\"columnType\":\"string\"},{\"path\":\"$.properties.principal.principalType\",\"columnid\":\"PrincipalType\",\"columnType\":\"string\"},{\"path\":\"$..properties.principal.objectId\",\"columnid\":\"ObjectId\",\"columnType\":\"string\"},{\"path\":\"$..id\",\"columnid\":\"Manage\",\"columnType\":\"string\"}]}}]}",
"size": 1,
"title": "Active access policies",
"noDataMessage": "No access policies found",
Expand Down Expand Up @@ -236,7 +262,7 @@
"params": [
{
"key": "api-version",
"value": "2023-04-01"
"value": "{apiVersion}"
}
],
"httpMethod": "DELETE",
Expand All @@ -258,7 +284,7 @@
{
"type": 1,
"content": {
"json": "# Add Access Policy\r\n\r\nFor the current workspace,\r\n\r\n{Workspace:grid}\r\n\r\nCreate or update `microsoft.monitor/accounts/data/metrics/read` access policy for the Object id from Microsoft Tenant."
"json": "# Add Access Policy\r\n\r\nFor the current workspace,\r\n\r\n{Workspace:grid}\r\n\r\nCreate or update `microsoft.monitor/accounts/data/metrics/read` access policy for the Object id from the selected tenant."
},
"name": "Access policies action text"
},
Expand Down Expand Up @@ -309,6 +335,25 @@
"description": "The AAD Object Id of the object you want to add an access policy for",
"isRequired": true,
"value": ""
},
{
"id": "d2a1e9b3-7c4f-4a8e-b5d6-3f1c9e2a7b0d",
"version": "KqlParameterItem/1.0",
"name": "policyTenant",
"label": "Tenant",
"type": 10,
"description": "The tenant the principal belongs to. Auto-detected from workspace cloud: AME workspaces → CORP, Fairfax/Mooncake workspaces → AME or Torus.",
"isRequired": true,
"query": "resources | where id =~ \"{Workspace}\" | extend endpoint = tostring(properties.metrics.prometheusQueryEndpoint) | extend cloud = case(endpoint endswith \"prometheus.monitor.azure.us\", \"FF\", endpoint endswith \"prometheus.monitor.azure.cn\", \"MC\", \"AME\") | extend corp = pack(\"label\", \"CORP (72f988bf-86f1-41af-91ab-2d7cd011db47)\", \"value\", \"72f988bf-86f1-41af-91ab-2d7cd011db47\") | extend ame = pack(\"label\", \"AME (33e01921-4d64-4f8c-a055-5bdaffd5e33d)\", \"value\", \"33e01921-4d64-4f8c-a055-5bdaffd5e33d\") | extend torus = pack(\"label\", \"Torus (cdc5aeea-15c5-4db6-b079-fcadd2505dc2)\", \"value\", \"cdc5aeea-15c5-4db6-b079-fcadd2505dc2\") | project tenants = iff(cloud == \"AME\", pack_array(corp), pack_array(ame, torus)) | mv-expand tenants | project value = tostring(tenants.value), label = tostring(tenants.label)",
"crossComponentResources": [
"{Workspace}"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
}
],
"style": "formHorizontal",
Expand All @@ -335,13 +380,13 @@
"params": [
{
"key": "api-version",
"value": "2023-04-01"
"value": "{apiVersion}"
}
],
"body": "{\r\n \"id\": \"{Workspace}/accessPolicies/{policyName}\",\r\n \"name\": \"{policyName}\",\r\n \"type\": \"microsoft.monitor/accounts/accessPolicies\",\r\n \"location\": \"{location}\",\r\n \"properties\": {\r\n \"principal\": {\r\n \"tenantId\": \"72f988bf-86f1-41af-91ab-2d7cd011db47\",\r\n \"objectId\": \"{objectId}\",\r\n \"principalType\": \"{principalType}\",\r\n \"azureCloud\": \"Public\"\r\n },\r\n \"actions\": [\r\n \"microsoft.monitor/accounts/data/metrics/read\"\r\n ]\r\n }\r\n}",
"body": "{\r\n \"id\": \"{Workspace}/accessPolicies/{policyName}\",\r\n \"name\": \"{policyName}\",\r\n \"type\": \"microsoft.monitor/accounts/accessPolicies\",\r\n \"location\": \"{location}\",\r\n \"properties\": {\r\n \"principal\": {\r\n \"tenantId\": \"{policyTenant}\",\r\n \"objectId\": \"{objectId}\",\r\n \"principalType\": \"{principalType}\",\r\n \"azureCloud\": \"Public\"\r\n },\r\n \"actions\": [\r\n \"microsoft.monitor/accounts/data/metrics/read\"\r\n ]\r\n }\r\n}",
"httpMethod": "PUT",
"title": "Add access policy",
"description": "\nClicking `Add` below create an access policy called `{policyName}` and will enable `microsoft.monitor/accounts/data/metrics/read` access for tenant `72f988bf-86f1-41af-91ab-2d7cd011db47` for Entra Object id `{objectId}` with principal type `{principalType}`.\n\nPlease double check these before completing.\n",
"description": "\nClicking `Add` below will create an access policy called `{policyName}` and enable `microsoft.monitor/accounts/data/metrics/read` access for tenant `{policyTenant}` for Entra Object id `{objectId}` with principal type `{principalType}`.\n\nPlease double check these before completing.\n",
"actionName": "Add access policy",
"runLabel": "Add"
}
Expand Down
Loading