Share via

Invoke-AzOperationalInsightsQuery: Operation returned an invalid status code 'NotFound'

Germain, Yves 11 Reputation points
2022-12-23T05:10:36.353+00:00

Invoke-AzOperationalInsightsQuery: Operation returned an invalid status code 'NotFound'

I am running a query in the portal which works fine. When I try to reproduce this in PowerShell I get the previous error message.

This is the kusto query:

AuditLogs
| where OperationName == "Update conditional access policy"
| where TimeGenerated > ago(5d)

I have the right workspaceID, same name, and Resourcegroup in the same Subscription.
$workspaceid = get-azoperationalInsightsWorkspace -Name *******-cac-ws-security-01 -ResourceGroupName *******-cac-rg-security-logs-01
$query = 'AuditLogs
| where OperationName == "Update conditional access policy"
| where TimeGenerated > ago(5d)'

C:\temp> Invoke-AzOperationalInsightsQuery -Query $query -WorkspaceId $WorkspaceID
Invoke-AzOperationalInsightsQuery: Operation returned an invalid status code 'NotFound'
Here is the result in the portal
273535-image.png
Any idea what I could be doing wrong?

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Nathan Oyama 5 Reputation points
    2023-01-21T01:43:23.4266667+00:00

    You have to select the workspace ID ($workspace.CustomerId), not the whole object ($workspace).

    $workspace = Get-AzoperationalInsightsWorkspace `
  -Name *******-cac-ws-security-01 `
  -ResourceGroupName *******-cac-rg-security-logs-01

    I changed the variable name in your question from "$workspaceid" into "$workspace" without changing what's in it. And assume you've defined $query for the same KQL query.

    Then run a very similar command:

     Invoke-AzOperationalInsightsQuery -Query $query -WorkspaceId $workspace.CustomerId
    1 person found this answer helpful.
    0 comments
  2. Monalla-MSFT 13,161 Reputation points Moderator
    2022-12-27T15:17:41.14+00:00

    Hello @Germain, Yves - Welcome to Microsoft Q&A and thanks for reaching out to us.

    Please try adding the service principal to Directory readers using this command and see if it helps: 

    > Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "Directory Readers"}).Objectid -RefObjectId <object-id>

    Hope this helps. and please feel free to reach out if you have any further questions.

    ------------------------------------------------------------------

    If the above response was helpful, please feel free to "Accept as Answer" and "Upvote" the same so it can be beneficial to the community.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.