Share via

'authentication token provided does not have access to ingest data' when attempting to call a DCR from a logic app

Matthew O'Connor 5 Reputation points
2025-04-29T21:29:07.4366667+00:00 
{
  "type": "Http",
  "inputs": {
    "uri": "https://****.uksouth-1.ingest.monitor.azure.com/dataCollectionRules/dcr-3a3195e0bc6140b3a51eac0595641803/streams/Custom-bwgeneraldcr_CL?api-version=2023-01-01",
    "method": "POST",
    "body": [
      {
        "TimeGenerated": "@{utcNow()}",
        "OrderNumber": "12345",
        "ResourceType": "Function App",
        "ParentResourceName": "rs-las-orderupdates",
        "ResourceName": "SendOrders",
        "Severity": "1",
        "LogLevel": "Critical",
        "Message": "An error occurred while sending the order",
        "Attributes": "My attributes"
      }
    ],
    "authentication": {
      "type": "ManagedServiceIdentity",
      "identity": "/subscriptions/****/resourceGroups/rg-bw-bau-uksouth-1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/rs-mi-bw-bau-uksouth-1",
      "audience": "https://monitor.azure.com"
    }
  },
  "runAfter": {},
  "runtimeConfiguration": {
    "contentTransfer": {
      "transferMode": "Chunked"
    }
  }
}
Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,579 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Alex Burlachenko 4,550 Reputation points
    2025-04-30T07:49:56.5066667+00:00

    Dear Matthew,

    Thank you for posting your question on the Q&A portal! The Azure community is always happy to help, and together, we’ll find a solution to your issue (at least I hope so).

    You’re encountering an authentication error (authentication token provided does not have access to ingest data) when your Logic App tries to send data to a Data Collection Rule (DCR) in Azure Monitor. This typically happens when the Managed Identity (MSI) used in the Logic App doesn’t have the correct permissions on the DCR. The audience (https://monitor.azure.com) may need adjustment (though yours looks correct).

    Grant the Managed Identity the "Monitoring Metrics Publisher" role on the DCR (or at the Resource Group/Subscription level if needed).

    Go to your DCR > Access Control (IAM) > Add role assignment > Monitoring Metrics Publisher > Select your Managed Identity. (If using a custom table, ensure the identity has the right permissions on the Log Analytics Workspace too.)

    For most Azure Monitor ingestion scenarios, https://monitor.azure.com is correct, but you can also try:

    https://management.azure.com (if permissions are set at a higher scope).

    Check the DCR’s Immutable ID. Ensure the DCR ID in the Logic App’s HTTP call matches exactly.

    Authenticate with Managed Identity in Logic Apps https://learn.microsoft.com/en-us/azure/logic-apps/authenticate-with-managed-identity?tabs=consumption

    Let me know if you still face issues happy to refine the steps! The community (and I) are here to help.

    Best regards,
Alex
P.S. If my answer help to you, please Accept my answer
PPS That is my Answer and not a Comment
    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.