Skip to content

Set up the Log Analytics workspace

Two BI for Intune data sources read from an Azure Log Analytics workspace: Windows Update for Business reports and Enhanced Inventory. Both read from the same workspace, so you only ever need one.

For BI for Intune to read that data, three things have to be in place:

  • A Log Analytics workspace.
  • The Log Analytics API Data.Read permission on the BI for Intune app registration.
  • The Log Analytics Reader role granted to that app registration on the workspace.

This page is the single place those are configured. The Windows Update for Business reports and Enhanced Inventory pages both point back here.

Already set up Windows Update for Business reports?

Do not create a new workspace. Enrolling in Windows Update for Business reports already created one, and both add-ons must read from the same workspace. Skip Step 1 and go to Step 2 to add the Data.Read permission to the app registration, then Step 3 to grant it the Log Analytics Reader role on the workspace you already have.

Step 1: Create a Log Analytics workspace

Skip this step if you already have a workspace, including one created by Windows Update for Business reports. Both add-ons share a single workspace.

  1. Sign in to the Azure portal.
  2. Search for and select Log Analytics workspaces.
  3. Select Create.
  4. Choose a Subscription and Resource group, enter a Name, and choose a region. If you plan to use Windows Update for Business reports, pick a region that service supports.
  5. Select Review + create, then Create.

For the full Microsoft procedure, see Create a Log Analytics workspace.

Step 2: Add the Log Analytics permission to the app registration

The BI for Intune app registration needs the Log Analytics API Data.Read application permission so it can call the Log Analytics API.

May already be done

This permission is also part of the app registration setup. If you added it there, confirm it is present and granted, then continue to Step 3.

  1. In the Azure portal, go to Microsoft Entra ID > App registrations and open your BI for Intune app registration.
  2. Select API permissions > Add a permission > APIs my organization uses.
  3. Search for and select Log Analytics API.
  4. Select Application permissions, select Data.Read, and select Add permissions.
  5. Select Grant admin consent and confirm.

When complete, the Log Analytics API shows Data.Read with admin consent granted, alongside the Microsoft Graph permissions.

BI for Intune app registration showing the Log Analytics API Data.Read permission granted

Step 3: Grant the app registration read access to the workspace

The Data.Read permission lets the app call the Log Analytics API, but it does not grant access to any specific workspace. Assign the Log Analytics Reader role to the BI for Intune app registration on the workspace. Without it, data flows into the workspace but the BI for Intune dashboards stay blank.

  1. In the Azure portal, go to Log Analytics workspaces and select your workspace. Select Access control (IAM), then Add > Add role assignment.

    Log Analytics workspace Access control (IAM) with Add role assignment

  2. On the Role tab, search for Log Analytics Reader, select it, and select Next.

    Selecting the Log Analytics Reader role

  3. On the Members tab, leave Assign access to set to User, group, or service principal, then select Select members.

    Members tab with Select members

  4. Search for your BI for Intune app registration by name, select it, and select Select.

    Selecting the BI for Intune app registration as a member

  5. Select Review + assign.

    Review and assign

  6. Select Review + assign again to confirm the assignment.

    Confirming the role assignment

Step 4: Record the workspace ID

You need the Workspace ID when you connect BI for Intune to the workspace in the semantic model parameters.

  1. In the Azure portal, open your Log Analytics workspace and select Overview.
  2. Record the Workspace ID. Note the Subscription and Workspace Name for reference.

Log Analytics workspace Overview showing the Workspace ID

Use this Workspace ID for the AzureAD LogAnalytics WorkspaceID parameter when you set up Windows Update for Business reports or Enhanced Inventory.

Enhanced Inventory uses a second application

Enhanced Inventory also uses a separate application that writes data to the workspace: an Enterprise Application granted the Monitoring Metrics Publisher role on the Data Collection Rule. That is different from the BI for Intune app registration configured here, which reads the workspace. The write side is set up in Set up Enhanced Inventory.