Why are Azure Monitor System permissions not shown in the IAM section?

Julian Bednarz 20 Reputation points
2025-07-28T10:53:49.7566667+00:00

I have a Storage Account with the "Allow Azure services on the trusted services list to access this storage account" option enabled, and a Log Analytics Workspace with data export configured with this SA. Based on information in logs, a Service Principal (Azure Monitor System) is responsible for uploading the content from LAW to SA (screenshot below).

[screenshot]

The question is, if it has permissions to upload content, why is it not explicitly shown in the IAM section? (screenshot below)

[screenshot]


2 answers

  1. Nandamuri Pranay Teja 4,445 Reputation points Microsoft External Staff Moderator
    2025-07-28T12:45:24.0766667+00:00

    Hello Julian Bednarz

    Thank you for your question!

    The reason you don't see the Azure Monitor System service principal in the IAM section is that it's not using traditional RBAC permissions.

    The question is, if it has permissions to upload content, why is it not explicitly shown in the IAM section?

    What you see in IAM are explicit role assignments to users, groups, service principals, or managed identities; these show up in the "Access control (IAM)" blade. Examples: Storage Blob Data Contributor, Reader, etc.

    What Azure Monitor uses are built-in exceptions for Microsoft first-party services, which operate at the Azure Resource Manager level, not the RBAC level. This is why it doesn't appear in IAM: it's not an RBAC assignment.

    When you enable "Allow Azure services on the trusted services list," you're essentially creating a network-level exception that allows these pre-approved Microsoft services to bypass both:

    • Network access restrictions
    • RBAC permission checks

    This is why the Azure Monitor System service principal can write to your storage account without appearing in your IAM list - it's using a different, more fundamental permission pathway that operates below the RBAC layer.

    Hope the above answer helps! Please let us know if you have any further queries; I'm here to help.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.


  2. Alexandre E Capita 66 Reputation points
    2025-08-05T13:54:36.48+00:00

    Hi @Julian Bednarz

    The Service Principal "Azure Monitor System" is likely a built-in service principal in Azure that is used by Azure Monitor to interact with other Azure resources, such as Log Analytics Workspaces and Storage Accounts.

    When you enable the "Allow Azure services on the trusted services list to access this storage account" option, you're essentially granting access to a set of pre-defined Azure service principals, including Azure Monitor. This allows Azure Monitor to access your Storage Account without requiring explicit permissions in the IAM section.

    In this case, the Azure Monitor service principal is not explicitly shown in the IAM section because it's not a traditional service principal that you would create and manage yourself. Instead, it's a built-in service principal that's part of the Azure platform.

    The permissions for Azure Monitor to access your Storage Account are granted implicitly through the "trusted services" mechanism, which allows specific Azure services to access your resources without requiring explicit role assignments.

    To confirm this, you can check the Azure documentation on trusted services and service principals. It should provide more information on how Azure services interact with each other and how permissions are granted in these scenarios.

    In summary, the Azure Monitor service principal has permissions to upload content to your Storage Account because it's a trusted service, not because it's explicitly listed in the IAM section.

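A check a defender can run after reading the two answers above: an added Python example (not from the question or either answer) that takes the shape of `az storage account show` and `az role assignment list --scope <storage account id>` output on constructed samples and reports, side by side, the explicit role assignments the IAM blade lists and the trusted-services bypass flag, which lives in the account's `networkRuleSet.bypass` firewall property rather than in any role assignment. The account name, principal names and role names below are constructed sample values.

```python
import json

# Constructed sample in the shape of `az storage account show -n <name> -g <rg>` output
# (only the fields this check reads; real output has many more).
SAMPLE_ACCOUNT = json.loads("""{
  "name": "examplesa",
  "networkRuleSet": {
    "bypass": "AzureServices, Logging",
    "defaultAction": "Deny",
    "ipRules": [],
    "virtualNetworkRules": []
  }
}""")

# Constructed sample in the shape of `az role assignment list --scope <storage account id>`.
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalName": "alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "Storage Blob Data Contributor"},
  {"principalName": "export-reader-sp", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Reader"}
]""")


def bypass_flags(account):
    """Parse the comma-separated networkRuleSet.bypass string into a set of flags."""
    raw = account.get("networkRuleSet", {}).get("bypass", "") or ""
    return {flag.strip() for flag in raw.split(",") if flag.strip()}


def roles_for(assignments, principal_name):
    """Explicit RBAC roles (what the IAM blade shows) held by one principal at this scope."""
    return sorted(a["roleDefinitionName"] for a in assignments
                  if a.get("principalName") == principal_name)


def audit_storage_access(account, assignments, principal_name):
    """Summarise the two things to review together: explicit role assignments for the
    principal, and the trusted-services network exception, which is a property of the
    account's firewall rules and therefore never appears as an IAM entry."""
    rules = account.get("networkRuleSet", {})
    flags = bypass_flags(account)
    return {
        "explicit_roles": roles_for(assignments, principal_name),
        "default_action": rules.get("defaultAction"),
        "trusted_services_bypass": "AzureServices" in flags,
        "other_bypass_flags": sorted(flags - {"AzureServices"}),
    }


if __name__ == "__main__":
    print(json.dumps(audit_storage_access(SAMPLE_ACCOUNT, SAMPLE_ASSIGNMENTS,
                                          "Azure Monitor System"), indent=2))
```

On a real account, feed the script the two `az` outputs saved to JSON; an empty `explicit_roles` list together with `trusted_services_bypass` true and `default_action` Deny is exactly the situation the question describes.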
