Description
MT.1100 (Intune Diagnostic Settings should include Audit Logs) needs a check in public\maester\intune\Test-MtIntuneDiagnosticSettings.ps1 to see if the required Azure ARM permissions are present. If not, it should skip the test, passing the reason that it had insufficient permissions.
Background
In my tenant, MT.1100 fails the test with the status, "No Intune Diagnostic Settings found." This is odd, because I manually verified that I do have Intune diagnostics all enabled and being shipped to Sentinel.
Maester's host output sometimes(?) shows this error, which gave me a direction to start looking in:
```
Select-Object: C:\Users\SamErde\Documents\PowerShell\Modules\Maester\2.0.3\public\maester\intune\Test-MtIntuneDiagnosticSettings.ps1:34
Line |
  34 | … erty Content | ConvertFrom-Json | Select-Object -ExpandProperty value
     | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Property "value" cannot be found.
```
I found the issue when I ran the line manually in PowerShell:
```powershell
Invoke-AzRestMethod -Method GET -Path "/providers/microsoft.intune/diagnosticSettings?api-version=2017-04-01-preview"
```

```
StatusCode : 403
Content    : {
               "error": {
                 "code": "AuthorizationFailed",
                 "message": "The client 'Redacted UPN' with object id 'Redacted Object Id' does not have authorization to perform action 'microsoft.intune/diagnosticSettings/read' over scope '/providers/microsoft.intune' or the scope is invalid. If access was recently granted, please refresh your credentials."
               }
             }
Method     : GET
RequestUri : https://management.azure.com/providers/microsoft.intune/diagnosticSettings?api-version=2017-04-01-preview
Version    : 1.1
```
This resource does not rely on our Graph API scopes or delegated Intune permissions, but rather Azure Resource Manager role assignments that grant microsoft.intune/diagnosticSettings/read over scope /providers/microsoft.intune.
This can be resolved by granting the required assignment at the subscription level:
```powershell
New-AzRoleAssignment -ObjectId '{User, Security Principal, Managed Identity, or Group}' -RoleDefinitionName 'Reader' -Scope '/subscriptions/{SubscriptionId}'
```
Or by creating a custom role and assigning it to the identity that performs the check. This is the better approach, as it follows the principle of least privilege.
```powershell
# Get the subscription ID and user ID from the current context. Change if necessary.
$SubscriptionId = "$((Get-AzContext).Subscription.Id)"
$UserId = (Get-AzADUser -UserPrincipalName (Get-AzContext).Account.Id).Id

$CustomRole = @{
    Name             = 'Intune Diagnostic Settings Reader'
    Description      = 'Can read Intune diagnostic settings only'
    Actions          = @('microsoft.intune/diagnosticSettings/read')
    NotActions       = @()
    AssignableScopes = @("/subscriptions/$SubscriptionId")
}
New-AzRoleDefinition -Role $CustomRole

# Assign the custom role at subscription level
New-AzRoleAssignment -ObjectId $UserId -RoleDefinitionName 'Intune Diagnostic Settings Reader' -Scope "/subscriptions/$SubscriptionId"
```

After this, the user may need to reconnect to Azure, and then the test will proceed successfully. Until then, a check should be added to the test and documentation updated to reflect this requirement.
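The following is an added example, not Maester project code, of the permission check the description asks for. It probes the same ARM endpoint the test already queries, distinguishes a 403 `AuthorizationFailed` response (insufficient ARM role assignment) from a genuine empty `value` array (no diagnostic settings configured), and returns a structured result that the test can use to skip with a reason instead of failing. The function names `Test-MtIntuneDiagnosticArmAccess` and the sketched `Test-MtIntuneDiagnosticSettings` body are hypothetical; `Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason` is assumed to be the project's existing skip helper, and Pester's `Set-ItResult -Skipped` is shown as the framework-level fallback.

```powershell
# Added example (not Maester project code). Hypothetical helper that checks whether the
# current Az context is authorized for 'microsoft.intune/diagnosticSettings/read'.
function Test-MtIntuneDiagnosticArmAccess {
    [CmdletBinding()]
    param (
        # Same ARM path the test queries at line 34 of Test-MtIntuneDiagnosticSettings.ps1.
        [string] $Path = '/providers/microsoft.intune/diagnosticSettings?api-version=2017-04-01-preview'
    )

    # No Az context: the ARM call cannot be made at all, so report that rather than a permission error.
    if (-not (Get-AzContext -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{
            HasAccess  = $false
            StatusCode = $null
            Reason     = 'Not connected to Azure Resource Manager (run Connect-AzAccount first).'
            Settings   = @()
        }
    }

    $response = Invoke-AzRestMethod -Method GET -Path $Path

    if ($response.StatusCode -eq 403) {
        # ARM error envelope: { "error": { "code": "...", "message": "..." } }
        $errorCode = $null
        try { $errorCode = ($response.Content | ConvertFrom-Json).error.code } catch { }
        return [pscustomobject]@{
            HasAccess  = $false
            StatusCode = 403
            Reason     = "ARM returned 403 ($errorCode): the identity lacks 'microsoft.intune/diagnosticSettings/read' over scope '/providers/microsoft.intune'. Assign Reader or a custom role containing that action."
            Settings   = @()
        }
    }

    if ($response.StatusCode -ne 200) {
        # 401 (expired token), 5xx, etc.: do not report this as 'no settings found'.
        return [pscustomobject]@{
            HasAccess  = $false
            StatusCode = $response.StatusCode
            Reason     = "Unexpected ARM status $($response.StatusCode) while reading Intune diagnostic settings."
            Settings   = @()
        }
    }

    # 200: 'value' is present. An empty array here is a real 'no diagnostic settings' result.
    $settings = ($response.Content | ConvertFrom-Json).value
    return [pscustomobject]@{
        HasAccess  = $true
        StatusCode = 200
        Reason     = $null
        Settings   = @($settings)
    }
}

# Sketch of how the test function would use the helper (hypothetical body, not the project's actual code).
function Test-MtIntuneDiagnosticSettings {
    [CmdletBinding()]
    param ()

    $access = Test-MtIntuneDiagnosticArmAccess
    if (-not $access.HasAccess) {
        # Assumed project helper for recording a skip with a custom reason.
        Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason $access.Reason
        return $null
    }

    # Permission confirmed: evaluate the settings as the test intends.
    $withAuditLogs = $access.Settings | Where-Object {
        $_.properties.logs | Where-Object { $_.category -eq 'AuditLogs' -and $_.enabled }
    }
    return ($null -ne $withAuditLogs -and @($withAuditLogs).Count -gt 0)
}

# Pester-level fallback if the skip is handled in the .Tests.ps1 instead of the function:
#   $access = Test-MtIntuneDiagnosticArmAccess
#   if (-not $access.HasAccess) { Set-ItResult -Skipped -Because $access.Reason }
```

Because the helper returns `$null` from the test function on a permission failure, the surrounding `It` block records a skip with the ARM error text instead of the misleading "No Intune Diagnostic Settings found" failure, and a tenant that genuinely has no settings still fails as before.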