Thank you all for your help. I was able to resolve the problem
Issues with Entra Joined PC Logging Collection Setup
Details
Steps have been followed from the documentation at Azure Monitor Agent for Windows Client to set the monitored object and associate it with a DCR via PowerShell for Log Analytics, but there has been no success. Seeking guidance on troubleshooting this issue.
Azure Monitor
-
Srinivasa Reddy Jaggavarapu • 625 Reputation points • Microsoft External Staff
2025-04-16T08:02:23.44+00:00 Hi Al2020s,
To collect logs from an Entra-joined PC using Azure Monitor, you need to install the Azure Monitor Agent (AMA) on the PC, set up the PC as a monitored object in Azure, and link it to a Data Collection Rule (DCR) to define what data to collect. If you have followed Microsoft's documentation but it is still not working, it could be due to a misconfiguration, a missed step, or permission issues that are preventing the setup from functioning correctly. Follow the steps below to resolve the issue:
Make sure that the Azure Monitor Agent is installed on the PC and run the following PowerShell command to check:
Get-Service -Name azuremonitoragent
If the service isn’t running or installed, reinstall the agent using the documentation link: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-windows-client#installing-the-agent
Confirm that the PC is correctly assigned to a Data Collection Rule and run this PowerShell command to verify the association:
Get-AzMonitorDataCollectionRuleAssociation -ResourceId "<ResourceID>"
Replace <ResourceID> with the resource ID of the PC. If the PC isn't associated, ensure you have used the correct commands from the documentation. Make sure the PC and your Azure account have the required permissions to access Log Analytics and the DCR. Check permissions using the Azure AD role to confirm the PC is properly Entra-joined, and check Log Analytics workspace access: your account must have at least Contributor access to the workspace.
If the above checks pass, review the local agent logs on the PC for errors and check for errors that may indicate connectivity or configuration issues by using below PowerShell:
Get-Content -Path "C:\ProgramData\AzureMonitorAgent\logs\*.log" -Tail 100
Verify that the PC can connect to the Azure Log Analytics endpoints. Replace <LogAnalyticsRegion> with the region of your Log Analytics workspace (e.g., "westus"):
Test-NetConnection -ComputerName <LogAnalyticsRegion>.ods.opinsights.azure.com -Port 443
Reference:
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/manage-access?tabs=portal
Hope the above information helps you resolve the issue; if you have any further concerns or queries, please feel free to reach out to us.
If the comment is helpful, please click "Upvote it".
-
Srinivasa Reddy Jaggavarapu • 625 Reputation points • Microsoft External Staff
2025-04-17T01:16:02.3233333+00:00 Hi Al2020s,
Just checking in to see if the above information was helpful. If you have any further updates on this issue, please feel free to post back.
-
Al2020s • 0 Reputation points
2025-04-17T17:14:58.5333333+00:00 Hi Srinivasa,
Thank you for your comment. The issue I encountered was not the AMA agent installation on a Windows PC. I followed the instructions using the PowerShell method (see below), with the only modification of changing the scope from "/" to a specific resource group, but got stuck on the step
#Assign the Monitored Object Contributor role to the operator
I have the subscription-level Owner role and the Global Admin role but am getting a message of insufficient rights.
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-windows-client
-
Srinivasa Reddy Jaggavarapu • 625 Reputation points • Microsoft External Staff
2025-04-18T03:03:52.5133333+00:00 Hi Al2020s,
Thank you for clarifying the issue. From your description, it seems the challenge lies with assigning the Monitored Object Contributor role, despite holding Subscription Owner and Global Administrator roles.
This issue could occur because Azure Role-Based Access Control (RBAC) assignments sometimes require explicit permissions at the scope where the action is performed. Follow the steps below to resolve the issue:
Make sure you are assigning the role at the correct scope. Since you are modifying the scope to a specific resource group, confirm that you have appropriate permissions at the resource group level. Even as a Subscription Owner, explicit permissions might be needed at the resource group level.
Use the following PowerShell command to validate your permissions at the resource group; replace <SubscriptionID> and <ResourceGroupName> with the appropriate values.
Get-AzRoleAssignment -Scope "/subscriptions/<SubscriptionID>/resourceGroups/<ResourceGroupName>"
If the required permission is not appearing in your role, assign the Monitored Object Contributor role at the resource group scope explicitly:
New-AzRoleAssignment -ObjectId <UserObjectId> -RoleDefinitionName "Monitoring Contributor" -Scope "/subscriptions/<SubscriptionID>/resourceGroups/<ResourceGroupName>"
Replace <UserObjectId> with your Azure user ID. Sometimes, even with Global Admin privileges, role assignments at specific scopes might encounter restrictions. Verify that your account is not restricted by Privileged Role Management (PIM) policies or other AAD governance features.
After confirming the above steps, reattempt assigning the Monitored Object Contributor role.
Reference:
https://learn.microsoft.com/en-us/azure/azure-monitor/fundamentals/roles-permissions-security
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
Hope the above information helps you resolve the issue; if you have any further concerns or queries, please feel free to reach out to us.
If the comment is helpful, please click "Upvote it".
-
Srinivasa Reddy Jaggavarapu • 625 Reputation points • Microsoft External Staff
2025-04-21T01:27:10.8366667+00:00 Hi Al2020s,
Just checking in to see if the above information was helpful. If you have any further updates on this issue, please feel free to post back.
-
Al2020s • 0 Reputation points
2025-04-21T17:59:54.5866667+00:00 Thank you, but the role I am trying to assign is Monitoring Object Contributor at the scope of a resource group, and whatever I tried did not work.
-
Srinivasa Reddy Jaggavarapu • 625 Reputation points • Microsoft External Staff
2025-04-22T06:49:59.6366667+00:00 Hi Al2020s,
Ensure you are using the exact role name Monitoring Contributor (not "Monitored Object Contributor"). This built-in role grants permissions to manage monitoring resources. Reference Link: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps
Even as a Subscription Owner or Global Administrator, explicit permissions might be required at the resource group level. Run this PowerShell command to check your current permissions:
Get-AzRoleAssignment -Scope "/subscriptions/<SubscriptionID>/resourceGroups/<ResourceGroupName>"
Replace <SubscriptionID> and <ResourceGroupName> with your values and make sure your account has the Microsoft.Authorization/roleAssignments/write permission at the resource group scope. Azure CLI/PowerShell might fail to resolve your user's principal name due to Microsoft Entra lookup restrictions. Use your account's object ID instead:
New-AzRoleAssignment -ObjectId "<YourObjectId>" -RoleDefinitionName "Monitoring Contributor" -Scope "/subscriptions/<SubscriptionID>/resourceGroups/<ResourceGroupName>"
Find your object ID via:
Get-AzADUser -UserPrincipalName "<YourUPN>"
Make sure the subscription hasn’t hit the 4,000 role assignments limit (unlikely but possible in large environments). Reference link: https://docs.azure.cn/en-us/role-based-access-control/troubleshoot-limits?tabs=default
Check if Azure Privileged Identity Management (PIM) or conditional access policies are blocking role assignments and ensure no custom policies are overriding permissions at the resource group level.
If permissions are still denied, re-register the Microsoft.Authorization resource provider. Reference link: https://learn.microsoft.com/en-us/archive/blogs/azure4fun/common-problem-when-using-azure-resource-groups-rbac
Register-AzResourceProvider -ProviderNamespace Microsoft.Authorization
Make sure that your account is explicitly listed as a "User Access Administrator" at the subscription or resource group level. Global Administrator roles in Entra ID do not automatically grant Azure RBAC permissions.
Hope the above information helps you resolve the issue; if you have any further concerns or queries, please feel free to reach out to us.
If the comment is helpful, please click "Upvote it".
-
Alex Burlachenko • 4,310 Reputation points
2025-04-22T07:53:49.2133333+00:00 Dear Al2020s,
Thank you for reaching out and providing details about the challenges you’re encountering with the Entra Joined PC Logging Collection setup. I appreciate your effort in following the documentation and troubleshooting the issue thus far.
- Official Azure Monitor Agent (AMA) Documentation
Install the Azure Monitor Agent
- Troubleshooting Entra ID (Azure AD) Joined Devices
But if you prefer step by step, then step by step :)
Step 1: Verify Azure AD Join Status
Run dsregcmd /status (Admin Command Prompt):
Check if AzureAdJoined = YES and TenantName is correct.
If issues exist, rejoin using:
dsregcmd /leave
dsregcmd /join
Step 2: Confirm Azure Monitor Agent (AMA) Installation
Check AMA service:
Get-Service -Name AzureMonitorAgent | Select-Object Status, StartType
If missing, install AMA:
Install-AzConnectedMonitorAgent -ResourceGroupName "<RG>" -MachineName "<PC-Name>"
Install AMA
Step 3: Validate Data Collection Rule (DCR) Association
List assigned DCRs:
Get-AzDataCollectionRuleAssociation -TargetResourceId "/subscriptions/<SubID>/resourceGroups/<RG>/providers/Microsoft.Compute/virtualMachines/<PC-Name>"
If none, associate manually:
New-AzDataCollectionRuleAssociation -TargetResourceId "<PC-ResourceID>" -RuleId "<DCR-ResourceID>"
Configure DCRs
Step 4: Check Log Ingestion Errors
AMA Troubleshooting Logs:
Path: C:\WindowsAzure\Logs\AzureMonitorAgent*.log
Look for errors like "Failed to send data" or "Access denied".
Test connectivity to Log Analytics:
Test-NetConnection -ComputerName "<Workspace>.ods.opinsights.azure.com" -Port 443
Step 5: Review Permissions
Ensure the device or MSI has:
Log Analytics Contributor on the workspace.
Monitoring Publisher role on the DCR.
AMA Permissions
If you're still facing issues, let me know the specific errors you're encountering, and I will try to help pinpoint the exact solution!
Best regards,
Alex
P.S. If my answer helps you, please accept my answer.
-
Srinivasa Reddy Jaggavarapu • 625 Reputation points • Microsoft External Staff
2025-04-23T01:33:28.09+00:00 Hi Al2020s,
Just checking in to see if the above information was helpful. If you have any further updates on this issue, please feel free to post back.
-
Al2020s • 0 Reputation points
2025-04-23T03:02:23.34+00:00 Hi,
The problem is not installing the AMA agent on a physical PC.
The problem is creating a monitored object, due to an error that my account does not have authorization rights,
even though I have the following rights at subscription level:
owner
global domain admin
Role Based Access Control Administrator
Monitoring Contributor
Log Analytics Contributor
I followed the steps for the PowerShell option according to
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-windows-client
And see my comments in bold. I changed the scope from "/" to /subscriptions/xxxxx
#Grant access to the user at root scope "/"
$user = Get-AzADUser -SignedIn
#New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id
New-AzRoleAssignment -Scope '/subscriptions/xxxxxxxx' -RoleDefinitionName 'Owner' -ObjectId $user.Id
#Create the auth token
$auth = Get-AzAccessToken
$AuthenticationHeader = @{
    "Content-Type"  = "application/json"
    "Authorization" = "Bearer " + $auth.Token
}
#Assign the Monitored Object Contributor role to the operator
$newguid = (New-Guid).Guid
$UserObjectID = $user.Id
$body = @"
{
"properties": { "roleDefinitionId":"/providers/Microsoft.Authorization/roleDefinitions/56be40e24db14ccf93c37e44c597135b", "principalId": `"$UserObjectID`" }
}
"@
$requestURL = "https://management.azure.com/providers/microsoft.insights/providers/microsoft.authorization/roleassignments/$newguid`?api-version=2021-04-01-preview"
# but I am getting error executing this statement and can not proceed to the next step:
**Invoke-RestMethod -Uri $requestURL -Headers $AuthenticationHeader -Method PUT -Body $body
#The error I am getting**
"error": {"code": "AuthorizationFailed",
"message": "The client ******@ecrypt.com\u0027 with object id \u00272c97fab4-eca5-4fe7-b10d-bdb69198492d\u0027 does not have authorization to perform action \u0027
microsoft.authorization/roleassignments/write\u0027 over scope \u0027/providers/microsoft.insights/providers/microsoft.authorization\u0027 or the scope is invalid. If access was
recently granted, please refresh your credentials."
##########################
#Create a monitored object
#The 'location' property value in the 'body' section should be the Azure region where the monitored object is stored. It should be the same region where you created the data collection rule. This is the region where agent communications occurs.
$Location = "eastus" #Use your own location
$requestURL = "https://management.azure.com/providers/Microsoft.Insights/monitoredObjects/$TenantID`?api-version=2021-09-01-preview"
$body = @"
{
"properties":{ "location":`"$Location`" }
}
"@
$Respond = Invoke-RestMethod -Uri $requestURL -Headers $AuthenticationHeader -Method PUT -Body $body -Verbose
$RespondID = $Respond.id
##########################
#Associate a DCR to the monitored object
#See reference documentation https://learn.microsoft.com/rest/api/monitor/data-collection-rule-associations/create?tabs=HTTP
$associationName = "assoc01" #You can define your custom association name, but you must change the association name to a unique name if you want to associate multiple DCRs to a monitored object.
$DCRName = "dcr-WindowsClientOS" #Your data collection rule name
$requestURL = "https://management.azure.com$RespondId/providers/microsoft.insights/datacollectionruleassociations/$associationName`?api-version=2021-09-01-preview"
$body = @"
{ "properties": { "dataCollectionRuleId": "/subscriptions/$SubscriptionID/resourceGroups/$ResourceGroup/providers/Microsoft.Insights/dataCollectionRules/$DCRName" } }
"@
Invoke-RestMethod -Uri $requestURL -Headers $AuthenticationHeader -Method PUT -Body $body
#(Optional example) Associate another DCR to a monitored object. Remove comments around the following text to use it as a sample.
#See reference documentation https://learn.microsoft.com/en-us/rest/api/monitor/data-collection-rule-associations/create?tabs=HTTP
<#
$associationName = "assoc02" #You must change the association name to a unique name if you want to associate multiple DCRs to a monitored object.
$DCRName = "dcr-PAW-WindowsClientOS" #Your Data collection rule name
$requestURL = "https://management.azure.com$RespondId/providers/microsoft.insights/datacollectionruleassociations/$associationName`?api-version=2021-09-01-preview"
$body = @"
{ "properties": { "dataCollectionRuleId": "/subscriptions/$SubscriptionID/resourceGroups/$ResourceGroup/providers/Microsoft.Insights/dataCollectionRules/$DCRName" } }
"@
Invoke-RestMethod -Uri $requestURL -Headers $AuthenticationHeader -Method PUT -Body $body
#(Optional) Get all the associations.
$requestURL = "https://management.azure.com$RespondId/providers/microsoft.insights/datacollectionruleassociations?api-version=2021-09-01-preview"
(Invoke-RestMethod -Uri $requestURL -Headers $AuthenticationHeader -Method get).value
#>
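As an added example (not code from this thread or from Microsoft's documentation), the following PowerShell models how Azure RBAC arrives at the AuthorizationFailed error above: an assignment only counts when its scope is the target scope or an ancestor of it, and then only if its Actions cover the requested action. The role objects are constructed inline and approximate the built-in definitions; deny assignments, ABAC conditions and DataActions are left out of the model.

```powershell
# Added example (not code from this thread or from Microsoft's documentation): a simplified model of
# Azure RBAC evaluation, used to show why Owner at subscription scope does not authorise
# Microsoft.Authorization/roleAssignments/write over /providers/microsoft.insights/... (the scope in the
# error above). Deny assignments, ABAC conditions and DataActions are deliberately left out.

function Test-RbacActionPattern {
    # Azure action strings use '*' as a wildcard, e.g. '*', '*/read' or 'Microsoft.Insights/*'.
    param([string]$Pattern, [string]$Action)
    $regex = '^' + [regex]::Escape($Pattern).Replace('\*', '.*') + '$'
    return [bool]($Action -imatch $regex)
}

function Test-RbacAccess {
    # $Assignments: objects with Scope, Actions and NotActions (constructed below, not read from Azure).
    # An assignment applies only if its scope is '/' or is the target scope or an ancestor of it;
    # it then grants the action if Actions cover it and NotActions do not.
    param([object[]]$Assignments, [string]$TargetScope, [string]$Action)
    $target = $TargetScope.TrimEnd('/') + '/'
    foreach ($a in $Assignments) {
        $prefix = $a.Scope.TrimEnd('/') + '/'
        if (-not $target.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { continue }
        $allowed = @($a.Actions    | Where-Object { Test-RbacActionPattern $_ $Action })
        $denied  = @($a.NotActions | Where-Object { Test-RbacActionPattern $_ $Action })
        if ($allowed.Count -gt 0 -and $denied.Count -eq 0) { return $true }
    }
    return $false
}

# Constructed sample assignments. Built-in Owner has Actions '*' and no NotActions; the Monitoring
# Contributor entry lists only a representative subset of that role's Actions.
$ownerAtSubscription = [pscustomobject]@{ Role = 'Owner'; Scope = '/subscriptions/xxxxxxxx'; Actions = @('*'); NotActions = @() }
$ownerAtRoot         = [pscustomobject]@{ Role = 'Owner'; Scope = '/'; Actions = @('*'); NotActions = @() }
$monitoringAtRoot    = [pscustomobject]@{ Role = 'Monitoring Contributor'; Scope = '/'; Actions = @('*/read', 'Microsoft.Insights/*'); NotActions = @() }

$action      = 'microsoft.authorization/roleassignments/write'
$targetScope = '/providers/microsoft.insights/providers/microsoft.authorization'   # scope reported in the AuthorizationFailed error

# Owner at subscription scope: the target scope is not beneath /subscriptions/xxxxxxxx, so the assignment is skipped.
Test-RbacAccess -Assignments @($ownerAtSubscription) -TargetScope $targetScope -Action $action
# Owner at root scope '/': covers every scope in the tenant, and '*' covers the action.
Test-RbacAccess -Assignments @($ownerAtRoot) -TargetScope $targetScope -Action $action
# Monitoring Contributor at root: scope matches, but none of its Actions cover roleAssignments/write.
Test-RbacAccess -Assignments @($monitoringAtRoot) -TargetScope $targetScope -Action $action
# The same subscription-scoped Owner does cover the action for a resource group inside that subscription.
Test-RbacAccess -Assignments @($ownerAtSubscription) -TargetScope '/subscriptions/xxxxxxxx/resourceGroups/rg-monitoring' -Action $action
```

The last two calls contrast the scope check with the action check: the monitored-object scope sits outside every subscription, so only an assignment at "/" (or a role that actually lists the action) can satisfy the request.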
-
Srinivasa Reddy Jaggavarapu • 625 Reputation points • Microsoft External Staff
2025-04-23T10:38:32.35+00:00 Hi Al2020s,
The error indicates that the scope you're trying to use (/providers/microsoft.insights/providers/microsoft.authorization) is invalid or not accessible with your permissions. For assigning roles such as Monitoring Object Contributor, ensure the scope is correct and points to a resource group or resource where the role needs to be assigned. While you have roles like Owner and Role-Based Access Control Administrator, ensure that your current session credentials are updated. Newly assigned roles sometimes require a refresh or re-login for the changes to take effect, and there might be issues in the structure of your REST API body payload or headers, causing the request to fail.
1. Confirm that your account has the required permissions to assign roles. Run the following PowerShell command to check:
Get-AzRoleAssignment -ObjectId $user.Id -Scope '/subscriptions/xxxx'
Make sure the role assignment scope is correct. If the monitored object resides in a specific resource group, the scope should be:
/subscriptions/{SubscriptionID}/resourceGroups/{ResourceGroupName}
2. Update the role assignment script to use the correct scope and check for proper authorization:
$newguid = (New-Guid).Guid
$scope = "/subscriptions/{SubscriptionID}/resourceGroups/{ResourceGroupName}"
$roleDefinitionId = "/subscriptions/{SubscriptionID}/providers/Microsoft.Authorization/roleDefinitions/56be40e24db14ccf93c37e44c597135b" # Monitoring Object Contributor role ID
$body = @"
{
  "properties": {
    "roleDefinitionId": "$roleDefinitionId",
    "principalId": "$UserObjectID"
  }
}
"@
$requestURL = "https://management.azure.com{scope}/providers/Microsoft.Authorization/roleAssignments/$newguid?api-version=2021-04-01-preview"
Invoke-RestMethod -Uri $requestURL -Headers $AuthenticationHeader -Method PUT -Body $body
3. After updating roles, refresh your Azure credentials to ensure the changes propagate:
Disconnect-AzAccount
Connect-AzAccount
4. Make sure that the region specified in the location field matches the region where the monitored object and data collection rule reside:
$Location = "eastus"
$requestURL = "https://management.azure.com/providers/Microsoft.Insights/monitoredObjects/$TenantID?api-version=2021-09-01-preview"
$body = @"
{
  "properties": {
    "location": "$Location"
  }
}
"@
$Respond = Invoke-RestMethod -Uri $requestURL -Headers $AuthenticationHeader -Method PUT -Body $body
5. Once the roles are assigned, validate them using:
Get-AzRoleAssignment -ObjectId $UserObjectID -Scope $scope
Cross Check with below Documentation:
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-rest
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-windows-client
Hope the above information helps you resolve the issue; if you have any further concerns or queries, please feel free to reach out to us.
If the comment is helpful, please click "Upvote it".
-
Al2020s • 0 Reputation points
2025-04-23T22:03:32.93+00:00 Thank you for your help.
I rechecked my roles at subscription level and at resource group, which are inherited from subscription role assignments:
Monitoring Contributor
Owner
Microsoft Sentinel Contributor
Log Analytics Contributor
Role Based Access Control Administrator
I got an error at this point (you actually suggested a different command than Microsoft):
#$requestURL = "https://management.azure.com/providers/microsoft.insights/providers/microsoft.authorization/roleassignments/$newguid`?api-version=2021-04-01-preview"
PS C:\Windows\System32> $requestURL = "https://management.azure.com{scope}/providers/Microsoft.Authorization/roleAssignments/$newguid?api-version=2021-04-01-preview"
PS C:\Windows\System32> Invoke-RestMethod -Uri $requestURL -Headers $AuthenticationHeader -Method PUT -Body $body
Invoke-RestMethod: Cannot bind parameter 'Uri'. Cannot convert value "https://management.azure.com{scope}/providers/Microsoft.Authorization/roleAssignments/-version=2021-04-01-preview" to type "System.Uri". Error: "Invalid URI: The hostname could not be parsed."
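The "hostname could not be parsed" error comes from two string-expansion pitfalls in the suggested command: "{scope}" is not a PowerShell variable reference, so it stays literal inside the host name, and "$newguid?api-version" is read as a variable named "newguid?api" because "?" is a legal variable-name character, which is why the output shows "/-version=" with no GUID. As an added example, not code from the thread or from Microsoft's documentation, this builds the same request with explicit ${ } delimiters and validates the URI before it is used; the IDs below are constructed placeholders and nothing is sent to Azure.

```powershell
# Added example (not from the thread): build the ARM role-assignment request URL with explicit ${ }
# variable delimiters and validate it before it reaches Invoke-RestMethod. Placeholder values below
# are constructed; nothing is sent to Azure.
function New-RoleAssignmentRequest {
    param(
        [Parameter(Mandatory)][string]$Scope,             # e.g. '/subscriptions/<id>/resourceGroups/<rg>'
        [Parameter(Mandatory)][string]$RoleDefinitionId,  # '/providers/Microsoft.Authorization/roleDefinitions/<guid>'
        [Parameter(Mandatory)][string]$PrincipalId,       # object ID of the user or service principal
        [string]$ApiVersion = '2021-04-01-preview'
    )
    if (-not $Scope.StartsWith('/')) { throw "Scope must be an ARM scope path starting with '/', got '$Scope'." }
    $assignmentId = [guid]::NewGuid().ToString()

    # ${assignmentId} stops PowerShell from treating '?api' as part of the variable name ('?' is legal in
    # variable names), and ${Scope} is interpolated; a literal '{scope}' never would be.
    $uri = "https://management.azure.com${Scope}/providers/Microsoft.Authorization/roleAssignments/${assignmentId}?api-version=${ApiVersion}"

    $parsed = $null
    if (-not [System.Uri]::TryCreate($uri, [System.UriKind]::Absolute, [ref]$parsed) -or $parsed.Host -ne 'management.azure.com') {
        throw "Constructed URI is not a valid ARM endpoint: $uri"
    }
    if ($parsed.Query -notmatch '^\?api-version=') { throw "Assignment id or api-version did not interpolate: $uri" }

    # Build the JSON body from a hashtable instead of a here-string to avoid quoting mistakes.
    $body = @{ properties = @{ roleDefinitionId = $RoleDefinitionId; principalId = $PrincipalId } } | ConvertTo-Json -Compress
    return [pscustomobject]@{ Uri = $uri; Body = $body; AssignmentId = $assignmentId }
}

# Dry run with constructed placeholder IDs. The role definition GUID is the one the thread's script uses.
$req = New-RoleAssignmentRequest -Scope '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-monitoring' `
    -RoleDefinitionId '/providers/Microsoft.Authorization/roleDefinitions/56be40e24db14ccf93c37e44c597135b' `
    -PrincipalId '11111111-1111-1111-1111-111111111111'
$req.Uri
$req.Body
# To send it: Invoke-RestMethod -Uri $req.Uri -Headers $AuthenticationHeader -Method PUT -Body $req.Body
```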
-
Al2020s • 0 Reputation points
2025-04-27T04:20:19.4433333+00:00