I am having an issue with getting OMS set up. I am the owner of the subscription. I can see the squaredup app was created, the SPN was created, and squaredup-oms-plugin shows reader access to the OMS workspace shown in Azure portal. The only thing is if I go into the OMS Portal it doesn’t show up as a user there (I am guessing since it is an app service?).
Anyways, if I add the following query:
Type=SecurityEvent EventID=4624 AND (LogonTypeName="10 - RemoteInteractive") | select TimeGenerated, Computer, Account
The OMS tile in SquaredUp shows:
Query contains excessive number of logical terms; consider revising query or replacing AND/OR with comma-separated values.
It seems like it isn’t working. I tried a couple of other queries and got the same results (yes the queries work in OMS).
There are only 2 things that I can see that might be an issue: #1, I don’t see the squaredup app in Azure AD. If I do a Get SPN on the app though it does have an SPN and has Reader Role access to the resource group. #2, if I look into the OMS portal->Settings->Users I don’t see the app there but that might be normal.
My OMS workspace has been upgraded to the new language. I have tried both the legacy and the new query in the OMS tile.
The fact that your query returns an error relating to the query makes me think that yours is in fact set up correctly. Squared Up’s OMS tile currently supports both languages, as the API currently converts old > new. This will change at some point (at Microsoft’s behest) – Hopefully, SQUP have already prepped for this and it’s good to go. The “account” that’s created does not appear in the OMS portal.
I would suggest raising this with Support as I’ve not seen that error before and it would be useful to see if they have – Report back when you have an answer 😉
For reference to other users:
The resource that’s created can be found in the portal via: Azure AD blade > App registrations > change the drop down that says “My apps” to “All apps” (I’ve missed this myself a few times). The default name is:
If you click this and hit Settings, then Required Permissions, you should be able to see this:
I’ve had a couple of instances where this didn’t register/apply the correct delegated permissions (just hit Add and search to add them).