🔐 Secure & Controlled Access for Nodinite Logging and Monitoring Agents in Azure

Ensure Proper Access with Least Privileges

Configuring access rights for Nodinite Log- and Monitoring Agents in Azure is critical for both security and operational efficiency. With multiple Nodinite Agents available, setting up App Registrations correctly can be complex—but this guide simplifies the process. By following best practices, you ensure that only the necessary permissions are granted, following the principle of least privilege, reducing security risks, and maintaining compliance.

In this guide, you will learn how to:

✅ Register an Application (Client ID) in Azure to enable secure communication with the Azure REST API
✅ Assign the correct built-in roles to Nodinite Agents for optimal access control
✅ Configure least privilege access to minimize security exposure
✅ Use X.509 v3 certificates for secure authentication

Granting Access to Nodinite Logging and Monitoring Agents

The Nodinite Azure Logging and Monitoring Agents interact with the Azure Service Management REST API, executing queries and commands to monitor and log events efficiently. To enable this functionality, you must:

1️⃣ Register an Application in Azure – Set up App Registrations in the Azure Management Portal
2️⃣ Assign Required Roles – The necessary permissions for Nodinite Agents are listed in the Least Privileges section below
3️⃣ Secure Authentication – Nodinite uses SSL and the authentication process is using X.509 v3 certificates for robust security

The Azure Service Management API provides programmatic access to most of the features available in the Azure Management Portal, allowing Nodinite to seamlessly integrate with your Azure environment.

Info

Nodinite follows best practices for security, ensuring all API access is granted with least privileges by design.

Why This Matters for Your Business

✅ Full Control Over Access Rights – Ensure agents only have the permissions they need, reducing security risks.
✅ Seamless Integration – Easily connect Nodinite Log- and Monitoring Agents with Azure services.
✅ Improved Compliance & Security – Enforce best practices for least privilege access, protecting your data and infrastructure.
✅ Reduced Configuration Errors – With many Nodinite Agents, it’s easy to misconfigure access—this guide ensures a smooth setup.
✅ Optimized Performance – Proper role assignments help avoid permission-related errors, keeping your monitoring and logging efficient.

---

To configure the Nodinite Log- and Monitor-Agents; use this guide to find the following set of required properties:

1. TenantId
2. SubscriptionId
3. ResourceGroup
4. ClientId and ClientSecret

1. TenantId

The TenantId is the GUID uniquely identifying the Azure Active Directory instance.

From the Azure Portal; Enter tenant properties and navigate to Properties for the Azure Active Directory. The TenantId is available on the page.

2. SubscriptionId

The Microsoft Azure subscription is the unique user account in Azure. All Azure Resources and services are available to the REST-based Service Management API.

When you create an Azure subscription, it is uniquely identified by a SubscriptionId. The subscription Id is part of the call to the Azure Service Management API.

• The SubscriptionId is a GUID.

To acquire the SubscriptionId, enter Subscriptions in the search, and navigate to the Subscriptions page. Copy and use the GUID value:

Copy the SubscriptionId GUID to use.

3. Resource Group

For each Nodinite Log- and Monitor Agent; You must specify the Resource Groups to Monitor and Manage. There are different ways to manage these lists from within Nodinite depending on the type of agent.

One way to get the value is to use the Azure Portal; You can view the available Resource Groups.

Copy and use the Name of the Resource Group.

4. ClientId and ClientSecret

Important

Ensure you have at least one App Registration for each Subscription AND each Nodinite Monitoring Agent for Azure. This allows additional requests per timeframe is then allowed. You can read more about throttling here. If you have three Nodinite Monitoring Agents, you should have at least three App Registrations.

To retrieve the 'ClientId' and the 'ClientSecret' an Application must first exist/be created.

The following steps are required to create a new Application (Client Id):

1. Select Azure Active Directory
2. From the Selected Active Directory instance, click on App registrations
3. Click the New registration button

• Enter the name of the Application
• Select Accounts in this organizational directory only - least privileges
• Select the Web option
• Enter the URL to your user management website (can be changed later)

  Note

  The redirect URI can be any address like https://yournonexistinguserportal.nowhere.org

1. Click the Register button to begin the creation process

This operation may take some time.

Create Permissions

Click the newly created Application to start creating permissions.

• Click the Add a Permission button.

Request API Permissions

Next; select which API Permissions to assign for the Application. This may be different depending on which Nodinite Monitoring Agent to use.

1. Click the APIs my organization uses tab
2. Click the Windows Azure Service Management API
   

Type of Permissions

Another modal is now displayed, and you need to specify the type of permissions required by the Application:

1. Select Delegated permissions
2. Check the user_impersonation checkbox
3. Click the Add permissions button
   
   Steps to perform when specifying the type of permissions granted for Application.

Consent

You can safely skip this step.

Create Client Secret

1. Select the Certificates & secrets
2. Click the New client secret button

In the following dialogue, enter:

1. A user-friendly name for the Client secret
2. Select when the secret expire
3. click the Add button

Next, the Client secret presents (once - this time only)

Important

REMEMBER TO COPY THE KEY and store it securely and accessible for your colleagues! Since it will only be displayed upon first save!

Add permission to monitor and manage the Resource Group

You can fine-tune permission on individual levels.

• Subscription (highest level)
• Resource Group (recommended)
• Object (lowest level)

Least Privileges

Our recommendation is to assign as in the section: Roles with least privileges.

To assign the role membership on the Resource Group level:

1. Search and navigate to the list of Resource Groups.
2. Select the Resource Group to add the permission to.
3. Select Access Control (IAM).
4. click the Add button.
5. Select Add role assignment

1. Select the built-in Contributor Role OR, use the table in the Roles with least privileges section on this page.
2. Select Azure AD user, group. pr service principal.
3. Select one or more members (Application Name from step 4 - ClientId and ClientSecret).

   To find the named Application(s), you need to type some characters to active the filter.

Note

Remember to click on the Save button

Click the Save button to persist the role assignment.

List of permissions

When finished, you will now see all User (Application) permissions in the list for the Resource Group(s) and/or Subscriptions. The User (Application) will be listed as part of the Contributor role.

Least privileges

If you opt to allow the Client/Application the Contributor role on each Subscription to monitor and manage, then you do not have to fine tune the Role Assignments with some exceptions. Please review the table about the following bullets:

• Application Insights/Functions Monitoring, you need an API Key.
• App Registrations
• App Services (Function App and Web App)
• Event Hub (Post data)
• Function App

Below is a list of specific permissions required to use the following Nodinite Azure Logging and Monitoring Agents:

• Nodinite Azure Logic Apps Logging and Monitoring agent. The agent also uses Shared access policies to access the Event Hubs and the Storage Accounts.
• Nodinite Azure Monitoring Agent
• Nodinite Azure Service Bus Monitoring

The Nodinite Pickup Service does not use the Azure REST API. Instead, it uses information from the Shared access policies.

Permission

Clone a role

Keep in mind that updating Azure role assignments may take up to five minutes to propagate. Then, you need to restart the necessary Nodinite agents.

Resource	Role	Agent	Purpose
Subscription	Reader	Azure Monitoring Agent Azure Service Bus Monitoring Azure Logic Apps Logging and Monitoring agent	Show Details and Match/Validate the Subscription Id with the current configuration. NOTE: This right inherits to all other Resources in selected Subscription.
API Management Service	API Management Service Contributor	Azure Monitoring Agent	List resources, Create and delete EventHub Logger, Invoke APIs
App Registrations	Microsoft.Graph - Application.Read.All	Azure Monitoring Agent	List App Registration, SSO assignments, Branding info and evaluate Secrets NOTE: The type must be Application, NOT delegated
App Registrations - Owners (Details page)	Microsoft.Graph - User.Read.All	Azure Monitoring Agent	List details about Owners NOTE: The type must be Application, NOT delegated
App Services (Function App and Web App)	Website Contributor	Azure Monitoring Agent	List Web Sites Get Web Site List Web Jobs Get Web Job Web Jobs (the following features require the 'SCM Basic Auth Publishing Credentials' setting to be set to On) Fetch publishing profile View Web Jobs History Run Triggered Web Job Start/Stop Continous Web Job
Application Insights	Reader (read the Component configuration)	Azure Monitoring Agent	View all resources, but does not allow you to make any changes.
Application Insights	API Key (required to get the statistics for Function App Monitoring, additional access rights are required, please review the Function App in this table)	Azure Monitoring Agent	Not a role-assignment You must manually create an API Key (from the side bar menu 'API Access' in the Azure portal) for each Application Insights instance. API access is required for the Function App Monitoring. If the API key expires, you need to re-create it
Data Factory	Data Factory Contributor	Azure Monitoring Agent	List Data Factories and pipelines, Read Details, Read performance
Event Grid	EventGrid EventSubscription Reader	Azure Monitoring Agent	Lets you read Event Grid event subscriptions.
Event Hubs	Azure Event Hubs Data Sender	Azure Monitoring Agent	Send DATA to the Event Hub entity
Event Hubs	Azure Event Hubs Data Receiver	Azure Logic Apps Logging and Monitoring agentNew 6.1.29 Pickup Service	Receive DATA from the Event Hub entity
Function App	1. Website Contributor 2. Reader	Azure Monitoring Agent	1. List resources 2. View all resources, but does not allow you to make any changes Read configuration to explore Application Insights
Service Bus Namespace	Azure Service Bus Data Owner	Azure Service Bus Monitoring	List namespaces and Resources, Read and use Access Keys, Manage Queues and Topics
Key Vaults	Key Vault Reader	Azure Monitoring Agent	List Key vaults and reads meta data (does not read the actual secrets!) NOTE: Azure role-based access control (recommended) must be set in the 'Settings | Access configuration'.
Logic App	Logic App Operator	Azure Logic Apps Logging and Monitoring agent	Enable/Disable Logic App. This role is NOT allowed to Resubmit runs
Logic Apps	Logic App Contributor	Azure Logic Apps Logging and Monitoring agent	Allow to Resubmit runs. If you assign membership with this role; The Client does not need to be a member of the Logic App Operator role
Storage Account	Reader and Data Access NOTE:If you add this role, you do not need all the other specific role assignments	Azure Monitoring Agent	Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.
Storage Account - Blob (Read)	Storage Blob Data Reader	Azure Monitoring Agent	Read and list Azure Storage containers and blobs
Storage Account - Blob (Read/Write/Delete)	Storage Blob Data Contributor	Logic Apps Logging and Monitoring AgentNew 6.1.29 Azure Monitoring Agent Blob Storage Policy	Read, write, and delete Azure Storage containers and blobs.
Storage Account - File (Read/Write)	Storage File Data SMB Share Reader	Azure Monitoring Agent	Allows for read access on files/directories in Azure file shares.
Storage Account - File (Delete)	Storage File Data SMB Share Contributor	Azure Monitoring Agent	Allows for read, write, and delete access on files/directories in Azure file shares.
Storage Account - Queue (Read)	Storage Queue Data Reader	Azure Monitoring Agent	Read and list Azure Storage queues and queue messages.
Storage Account - Queue (Send/Post)	Storage Queue Data Message Sender	Azure Monitoring Agent	Add messages to an Azure Storage queue.
Storage Account - Queue (Delete)	Storage Queue Data Contributor	Azure Monitoring Agent	Read, write, and delete Azure Storage queues and queue messages.

Note

In Azure Portal, You can either assign role memberships on each Resource, or you can set the role assignment on the Resource Group, or Subscription level.

Important

You must restart the agent after changing role assignments since the token is cached and needs to be updated. Otherwise, it may take up to one hour for changes to be in effect.

---

Next Step

• Azure Logic Apps Logging and Monitoring agent
• Azure Monitoring Agent
• Azure Service Bus Monitoring

Related Topics

• Log Agents