Azure Log Analytics aggregates and provides search capabilities over data in an Azure deployment. Azure Log Analytics functions as a data store for Azure applications, but can also be queried manually.

Depending on policy and configuration, Azure Log Analytics can contain all kinds of data relevant to a security team. Most notably, after security audit policies are enabled on Azure VMs, they feed log data to Azure Log Analytics where it can be queried in the Analytics Portal.

Connecting your device to Workbench allows Workbench to ingest the data. Azure Log Analytics data include a great deal of information that can take hours to manually review.

Step 1: Enable console access

  1. Sign into the Azure portal as a user who is assigned a limited administrator directory role or the Guest Inviter role.

  2. In the navigation pane, click Azure Active Directory.

  3. Under Manage, select Users.

  4. Select New guest user.

  5. On the New user page, click Invite user, fill out the email address (, and optionally include a message.

  6. Under roles, add the role Global Reader role.

  7. Click Invite to automatically send the invitation to the guest user. After you send the invitation, the user account is automatically added to the directory as a guest.

Step 2: Enable Azure application access

  1. As an Azure administrator, log in to the Azure portal.

  2. Navigate to Azure Active Directory > App registrations and click +New registration.

  3. Fill in the application details. You can fill these in however you want, but we recommend this:

    • Name: Expel - Log Analytics API

    • Supported account types: Accounts in this organizational directory only (1st option).

  4. After you fill out the fields, click Register to create the new application.

  5. You should be navigated automatically to the settings page for the Expel Cloud Service app you just created. If not, navigate to Azure Active Directory > App Registrations > View all applications (if you don’t see the new app) Expel - Log Analytics API.

  6. Make a note of the Application (client) ID, Application secret, and the Directory (tenant) ID for use in later steps.

  7. Open API permissions. Click + Add a permission.

  8. Head over to Log Analytic Workspace > Access Control (IAM) > + Add and assign the Log Analytics Reader role to the application and user created in above steps.

Step 3: Configure Azure Log Analytics in Workbench

  1. In a new browser tab, login to

  2. Fill in the fields like this:

    Screen Shot 2021-03-05 at 8.00.07 AM.png
    • For Name type the host name of the Azure Log Analytics device.

    • For Location type Cloud.

    • For Directory ID, type the ID of the AzureActive Directory (tenant) in the cloud instance.

    • For Application ID, type the ID of the application with access to Azure Log Analytics.

    • For Application secret, type the key used to authenticate the application.

    • For Workspace ID, type the ID of the workspace within Azure Log Analytics.


This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!