VNet Flow Logs and Traffic Analytics managed identity - required permissions

Roos, Fabian 25 Reputation points

Hi there!

We want to use VNet flow logs and Traffic Analytics with managed identity authentication as described in the article "Managed identity for virtual network flow logs".

The prerequisites contain the required permissions of the managed identity on the Storage Account that is used for raw data:

Storage Blob Data Contributor role assigned to the managed identity

However, I can't find any information about the required permissions on the Log Analytics Workspace that is used for Traffic Analytics. I already found this article: "Azure role-based access control permissions required to use Network Watcher", which includes the required permissions for the "account you log into Azure with", but there is no information about the required permissions for the managed identity that will be assigned to the flow log.

Could you please clarify:

  • What permissions does the account creating the flow log resource in Azure need?
  • What permissions does the managed identity assigned to the flow log need on the Storage Account and on the Log Analytics workspace?

Thanks in advance! :)


Answer accepted by question author

Ravi Varma Mudduluru 12,370 Reputation points Microsoft External Staff Moderator

Hello @Roos, Fabian,

Thanks for reaching out to Microsoft Q&A.

I understand you're setting up Virtual Network Flow Logs with Traffic Analytics using a user-assigned managed identity and want to clarify the exact permissions needed.

1. For the account (or service principal) creating/enabling the Flow Log + Traffic Analytics:

You’ll need the permissions listed in the official Network Watcher RBAC documentation. This typically includes:

  • Microsoft.Network/networkWatchers/flowLogs/* actions
  • Additional permissions for Traffic Analytics, such as read access to the Log Analytics workspace, shared keys actions, and data collection rule/endpoint management.

Recommended approach: Assign the Network Contributor role (plus Log Analytics Contributor or Monitoring Contributor) to your creating account at the appropriate scope (usually the subscription containing the Log Analytics workspace).

Key doc: Azure role-based access control permissions required to use Network Watcher

2. For the user-assigned managed identity attached to the Flow Log:

  • Storage Account (for raw flow log storage): Assign the Storage Blob Data Contributor role. This is the only permission Microsoft requires from the managed identity.
  • Log Analytics Workspace (used by Traffic Analytics): No permissions or role assignments are needed on the managed identity.

The managed identity is used only to securely read the raw flow logs from your storage account. Traffic Analytics (a Microsoft-managed service) then processes the data and writes the results into your Log Analytics workspace using its own backend permissions; no extra RBAC on the MI is required.

This is explicitly covered here: Managed Identity for Virtual Network Flow Logs

Recommended Next Steps

  1. Create (or use an existing) user-assigned managed identity.
  2. Assign Storage Blob Data Contributor to it on your target Storage Account.
  3. When creating or updating the Flow Log, select this managed identity and enable Traffic Analytics pointing to your Log Analytics workspace.

If you’re using PowerShell, here’s a quick example from the docs:

New-AzNetworkWatcherFlowLog -Name "MyFlowLog" `

If the above steps didn't resolve your issue, please check the private message and share the requested details there.

Please "Accept Answer" and "Upvote" if the information helped you. This will help us and others in the community as well.
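The three "Recommended Next Steps" above, worked through end to end in PowerShell. This is an added example, not code from the original post or from the linked Microsoft docs; it assumes the Az modules (Az.Accounts, Az.Resources, Az.Storage, Az.ManagedServiceIdentity, Az.Network, Az.OperationalInsights) and an Az.Network version whose New-AzNetworkWatcherFlowLog accepts -UserAssignedIdentityId, and every resource name in it is a placeholder.

```powershell
# Added example (not from the original post or the linked docs). Assumes the Az modules listed in
# the lead-in and that New-AzNetworkWatcherFlowLog supports -UserAssignedIdentityId (assumption).
# Placeholder names; the workspace may live in a different subscription (the "subscription B"
# case from the thread), which is why its resource ID is resolved and passed explicitly.

$rg       = "rg-flowlogs"             # placeholder resource group (subscription A)
$location = "westeurope"
$vnetName = "vnet-hub"                # placeholder VNet whose traffic is logged
$saName   = "stflowlogsraw"           # placeholder storage account for raw flow logs
$miName   = "id-flowlog"              # placeholder user-assigned managed identity
$lawRg    = "rg-monitoring"           # placeholder workspace resource group (may be subscription B)
$lawName  = "law-traffic-analytics"   # placeholder Log Analytics workspace

# Step 1: create (or reuse) the user-assigned managed identity.
$mi = Get-AzUserAssignedIdentity -ResourceGroupName $rg -Name $miName -ErrorAction SilentlyContinue
if (-not $mi) {
    $mi = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name $miName -Location $location
}

# Step 2: grant Storage Blob Data Contributor scoped to the storage account only, not the
# subscription. This is the single role the accepted answer says the MI needs; the check first
# keeps the script idempotent. Role assignments can take a few minutes to propagate.
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
$have = Get-AzRoleAssignment -ObjectId $mi.PrincipalId -Scope $sa.Id `
            -RoleDefinitionName "Storage Blob Data Contributor"
if (-not $have) {
    New-AzRoleAssignment -ObjectId $mi.PrincipalId -Scope $sa.Id `
        -RoleDefinitionName "Storage Blob Data Contributor" | Out-Null
}

# Step 3: create the flow log with the identity attached and Traffic Analytics enabled.
# No role is assigned to the MI on the workspace; only its resource ID is referenced here.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$law  = Get-AzOperationalInsightsWorkspace -ResourceGroupName $lawRg -Name $lawName
$nw   = Get-AzNetworkWatcher -Location $location      # Network Watcher for the VNet's region

New-AzNetworkWatcherFlowLog -NetworkWatcher $nw -Name "fl-$vnetName" `
    -TargetResourceId $vnet.Id -StorageId $sa.Id -Enabled $true `
    -UserAssignedIdentityId $mi.Id `
    -EnableTrafficAnalytics -TrafficAnalyticsWorkspaceId $law.ResourceId `
    -TrafficAnalyticsInterval 10

# Verification: the MI should hold exactly one assignment, on the storage account, and nothing
# on the workspace. Anything broader than that is excess privilege worth removing.
Get-AzRoleAssignment -ObjectId $mi.PrincipalId | Select-Object RoleDefinitionName, Scope
```

The account running the script needs the creator-side roles from point 1 of the answer plus the right to create role assignments (for step 2) on the storage account; the MI itself never needs that.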

  1. Roos, Fabian 25 Reputation points

    Hello @Ravi Varma Mudduluru

    Thank you for clarifying the required permissions. I was wondering why the managed identity doesn't need any permissions on the Log Analytics workspace, but your explanation makes it more clear.

    We will set up the identity and permissions as described.



1 additional answer

  1. Marcin Policht 92,630 Reputation points MVP Volunteer Moderator

    To create a flow log resource in Azure, your account must have the Owner, Contributor, or Network Contributor role assigned at the subscription scope. If you use the Network Contributor role, ensure it includes specific actions for storage and Log Analytics, as standard inheritance from management groups is not supported for this feature.

    The user-assigned managed identity assigned to the flow log requires the Storage Blob Data Contributor role on the target storage account to authenticate and write raw data. For the Log Analytics workspace used by Traffic Analytics, the managed identity acts as the service principal for data ingestion and requires the Monitoring Contributor and Log Analytics Contributor roles at the subscription level. These roles ensure the identity has the necessary Microsoft.OperationalInsights/workspaces/* and Microsoft.Network/*/read permissions to process and store analyzed traffic data.

    Additionally, the Microsoft.Insights resource provider must be registered in the subscription for flow logging to function correctly. You should also ensure the managed identity has Microsoft.OperationalInsights/workspaces/read access to the specific workspace to facilitate secure ingestion.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    1. Roos, Fabian 25 Reputation points

      Hi Marcin,

      Thank you for your reply! It gets me closer to a solution, but I still have some questions. Why would the managed identity need both the Monitoring Contributor and Log Analytics Contributor roles? Wouldn't one of the roles be sufficient?

      Also, we have a scenario where the VNet and the flow log live in subscription A and the Log Analytics workspace lives in subscription B. Could you clarify which roles are required on which subscription or resource?

      My approach, based on all the information I have, would be the following.

      The identity that creates the flow log:

      • In subscription A:
        • Network Contributor to create the flow log
        • Storage Account Contributor to create the storage account for the flow logs
        • Managed Identity Contributor to create the managed identity assigned to the flow log
        • Role Based Access Control Administrator to grant the managed identity permissions on the storage account
      • In subscription B:
        • Monitoring Contributor as this role includes both the Microsoft.OperationalInsights/workspaces and Microsoft.Insights/dataCollectionRules actions required for Traffic Analytics documented here
        • Role Based Access Control Administrator to grant the managed identity permissions on the Log Analytics workspace

      And for the managed identity assigned to the flow log:

      • In subscription A:
        • Storage Blob Data Contributor to write data to the storage account
        • Reader to access data about the network for which the flow log is created
      • In subscription B:
        • Log Analytics Contributor to retrieve the shared keys for the workspace
    2. Marcin Policht 92,630 Reputation points MVP Volunteer Moderator

      AFAIK, the Monitoring Contributor and Log Analytics Contributor roles serve distinct purposes because Traffic Analytics is a multi-stage process. The Log Analytics Contributor role is primarily required for the managed identity to access the workspace shared keys via the Microsoft.OperationalInsights/workspaces/sharedKeys/action permission. This is needed because the Traffic Analytics agent uses these keys to securely transmit processed data to the workspace. Monitoring Contributor is used to ensure the identity has the permissions to interact with the underlying monitoring infrastructure and data collection rules, but it does not always grant the specific key access needed for direct ingestion. Effectively, having both is meant to ensure that the identity can both manage the data collection settings and authenticate for data submission.

      Your breakdown for the creator identity is largely accurate, but you should be able to streamline the requirements. In Subscription A, the Network Contributor role is sufficient for creating the flow log, and Managed Identity Contributor is correct for handling the identity. But instead of Role Based Access Control Administrator, the User Access Administrator role is the commonly used built-in role for managing role assignments. In Subscription B, the creator needs the Monitoring Contributor role to enable the Traffic Analytics integration and link the workspace to the flow log resource. If you are not using a custom role, the creator will also need User Access Administrator in Subscription B to assign the managed identity the necessary permissions on the workspace.

      For the managed identity assigned to the flow log, your approach for Subscription A looks valid. The Storage Blob Data Contributor role is mandatory for the identity to write raw flow logs to the storage account. The Reader role on the network resource is helpful for the identity to understand the context of the metadata it is processing. In Subscription B, the Log Analytics Contributor role would be a requirement. It allows the identity to perform the listKeys action, which is how the system retrieves the credentials needed to push traffic analytics data into the workspace across subscription boundaries. I don't believe you strictly need Monitoring Contributor for the managed identity itself if Log Analytics Contributor is assigned, considering that the latter covers the necessary ingestion and key access permissions for this specific cross-subscription workflow.


      If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

      hth

      Marcin

