2
votes

We're building a multitenant SaaS app in MS Azure that allows customers to bring their own Azure tenant to us so that we can audit its data. In order to get permissions for this, we employ the standard consent flow, in which the Global Admin of the customer's tenant grants the permissions to our app.

This approach is OK if we work with the tenant's data such as SharePoint files or users/groups, but recently we've got a requirement to read the audit log of a customer's Azure Subscription (e.g. events of creating/deleting VMs, manipulation of storage accounts, etc.). In order to implement this we use the Azure Monitor API (formerly the Azure Insights API): https://msdn.microsoft.com/en-us/library/azure/dn931943.aspx.

The problem is that the consent framework Microsoft provides doesn't seem to have a mechanism for assigning roles to access the Azure Subscription's data. When trying to read the data using our principal, we get the following error:

The client 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' with object id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' does not have authorization to perform action 'microsoft.insights/eventtypes/values/read' over scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.

As of now, we haven't found a way to fix the error except for manually adding the role "Readers" to our app in the customer's subscription settings in the Azure Portal (https://docs.microsoft.com/en-us/azure/resource-group-create-service-principal-portal, "Assign application to role" part), but we'd really like to avoid manual procedures.

Any ideas how to solve this in a more elegant way?
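As an added illustration (not part of the question or any answer) of what the manual portal step actually creates: this Python snippet parses an AuthorizationFailed message of the shape quoted above, checks whether the built-in Reader role (Actions `*/read`, no NotActions) covers the required action, and builds the ARM role-assignment PUT that a consent-time automation would send with a token for the customer's subscription. The GUIDs in the sample message are constructed placeholders; the Reader role definition id is Azure's built-in value, and the principalId comes straight from the error, since the object id it names is the caller that needs the role.

```python
import fnmatch
import re
import uuid

# Built-in Reader role: same definition id in every Azure tenant;
# its permissions are Actions ["*/read"] with no NotActions.
READER_ROLE_DEFINITION_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
READER_ACTIONS = ["*/read"]
READER_NOT_ACTIONS = []

# Constructed sample in the shape of the quoted error (placeholder GUIDs).
SAMPLE_ERROR = (
    "The client '11111111-1111-1111-1111-111111111111' with object id "
    "'22222222-2222-2222-2222-222222222222' does not have authorization to perform "
    "action 'microsoft.insights/eventtypes/values/read' over scope "
    "'/subscriptions/33333333-3333-3333-3333-333333333333'."
)

_AUTHZ_RE = re.compile(
    r"with object id '(?P<object_id>[0-9a-fA-F-]+)' does not have authorization "
    r"to perform action '(?P<action>[^']+)' over scope '(?P<scope>[^']+)'"
)

def parse_authorization_error(message):
    """Return the caller's object id (the principalId to assign),
    the required action and the scope from an AuthorizationFailed message."""
    m = _AUTHZ_RE.search(message)
    if not m:
        raise ValueError("not an ARM AuthorizationFailed message")
    return m.groupdict()

def role_allows(action, actions, not_actions):
    """ARM permission check: '*' spans '/' segments, so '*/read' matches any
    provider's .../read action; NotActions are subtracted from Actions."""
    a = action.lower()
    allowed = any(fnmatch.fnmatchcase(a, p.lower()) for p in actions)
    denied = any(fnmatch.fnmatchcase(a, p.lower()) for p in not_actions)
    return allowed and not denied

def build_role_assignment_request(scope, principal_id, role_definition_id, name=None):
    """Build the PUT (URL, JSON body) equivalent to the portal's 'Assign
    application to role' step. The subscription is the narrowest scope that
    still covers the activity log, so the assignment is made there."""
    name = name or str(uuid.uuid4())
    url = (f"https://management.azure.com{scope}/providers/Microsoft.Authorization/"
           f"roleAssignments/{name}?api-version=2015-07-01")
    body = {"properties": {
        "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/"
                            f"roleDefinitions/{role_definition_id}",
        "principalId": principal_id}}
    return url, body
```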


1 Answer