Device Analytics Step by Step Configuration


Written by Giuseppe

Last published at: February 28th, 2024


Device Analytics | Provisioning Azure Resources

Creating Application Insights and Log Workspace for ThinScale Device Analytics 

 

This guide will assist you in creating the required resources in Microsoft’s Azure Cloud Platform to take advantage of Device Analytics in the ThinKiosk & Secure Remote Work platform.  

This can be accomplished using Azure Web Portal or via Azure CLI scripts.

With either method, the recommended process is to create a “Resource Group” that contains only the “Log Analytics Workspace” and “Application Insights” resources.

This separates the resources so that the associated “Application Identity” (used in the Management Console) has read-only permissions to this specific workspace only, via the built-in Role Based Access Control (RBAC) role “Log Analytics Reader”.



In This Document

  • Process Overview
  • Interactive Web Portal Procedure
    1. Screenshots
  • Command Line Scripted Procedure
  • Microsoft Reference Links



Process Overview


  1. Within Azure Portal with Administrative Access
    1. Create a “Resource Group” (ex: “ThinScaleAnalytics”)
    2. Within this “Resource Group” create two services:
      • Log Analytics Workspace
      • Application Insights (backed by the above Log Analytics workspace).
  2. Within your Azure Active Directory with Administrative Access
    • Create Application Identity (ex: “ThinScale Device Analytics Reader”)
    • Grant this Application ID the built-in role “Log Analytics Reader” on the “Resource Group”


 

Implementation Overview


 

 

Interactive Web Portal Procedure


See “Interactive Web Portal Procedure | Screenshots” for Azure Portal screenshots for each step

  1. Authenticate to Azure Portal with Administrative Access
  2. Create a “Resource Group” and give it a name, in our case “ThinScaleAnalytics”
  3. Within the newly created “Resource Group”, click Create and, from the marketplace, add 2 services:
    • Log Analytics Workspace
    • Application Insights (backed by the above Log Analytics workspace).

Move over to your Azure Active Directory and select “Add application registration”

  1. Create Application Identity (Management Console Access)
    • Create an Application ID (Service Principal using RBAC)
    • Grant the Application ID “Log Analytics Reader” Role to the “Resource Group”

 

For the Redirect URI, as in our Azure Auth Provider, we use Microsoft's https://login.microsoftonline.com/common/oauth2/nativeclient

Once done, click on “Certificates & Secrets”, create a secret and copy the Secret Value somewhere secure. You can only see it once, during creation, and you will need that value in the ThinScale Management Console, as outlined later in this document.

 

Lastly, go into your Resource Group. Select Access control (IAM). Select Add > Add role assignment to open the Add role assignment page.

 

In the Role tab, select the role Log Analytics Reader

Select the Next button to move to the Members tab. Select Assign access to > User, group, or service principal and then Select members. By default, Azure AD applications aren't displayed in the available options. To find your application, search by name (for example, "ThinScale Device") and select it from the returned list. Click the Select button. Then click the Review + assign button.

 

"Your Device Analytics is set up"


 



Interactive Web Portal Procedure | Screenshots

 

Resource Group





Log Analytics Workspace




Application Insights




Resource Group View





Azure Active Directory Overview Dashboard



 

Application Registration (ThinScale Device Analytics Reader)



 

Web      https://login.microsoftonline.com/common/oauth2/nativeclient 

Copy the Secret Value, you will need this inside the ThinScale Management Console



Go back to your Resource Group and click on Access Control (IAM). Select Add role assignment and assign the Log Analytics Reader role to the Application ID.






 

 

 

 

Management Console Global Settings View


During the creation of these resources, you will generate several identification and connection details.  These will be supplied in the Management Console under “Global Settings” (Figure 1).



Figure 1: ThinScale Management Console Global Settings

 

Client ID = the Client ID from the App Registration

Secret Value = the Secret Value from the App Registration “Certificates & Secrets” tab

Tenant ID = the Tenant ID, which you can retrieve from the Azure Active Directory Dashboard

Workspace ID = the Log Analytics Workspace ID

AI Connection String = the Application Insights “Connection String”


 

 

 

 


Command Line Scripted Procedure

 

The following script snippets provision the suggested Azure resource configuration. The script is segmented into individual steps so that you can follow and confirm each configuration step. If you set the initial script variables as suggested, you can simply copy and paste each segment of this procedure.

This process assumes you have the Azure CLI installed on your local workstation and a PowerShell console window.

 

Variables


The following variables and suggested values are needed when creating the resources in the portal or via scripting snippets.

Azure Tenant and Subscription Information

$AzureTenant        = "aaaaaaaa-0000-bbbb-1111-cccccccccccc"

$AzureSubscription  = "aaaaaaaa-0000-bbbb-1111-cccccccccccc"

 


Resources Setup

$AzureRegion                = "eastus2"

$ResourceGroupName          = "ThinScaleAnalytics"

$ReaderRoleName             = "ThinScale Device Analytics Reader"

$LogAnalyticsWorkspaceName   = "ThinScaleAnalyticsLogs"

$ApplicationInsightsName     = "ThinScaleAnalyticsAI"

 

 

Authentication


Log in to Azure and select the target subscription.

This assumes the authenticated identity has permissions to create resources and an Application ID in your AD directory.

az login --tenant $AzureTenant

az account set --subscription $AzureSubscription

 

 

Process Details


Create Resource Group

 

az group create --location $AzureRegion --name $ResourceGroupName

 

 

Creating Log Analytics Workspace

 

$ws = az monitor log-analytics workspace create `
         --resource-group $ResourceGroupName `
         --workspace $LogAnalyticsWorkspaceName `
         --location $AzureRegion `
         --sku pergb2018 `
         --retention-time 30 `
         --ingestion-access 'Enabled' `
         | ConvertFrom-Json

 

 

Create Application Insights

The Azure CLI extension for "Application Insights" is currently in "preview".

az extension add -n application-insights      # az cli extension in preview as of 22-jun

 

 

Create App Insights and hold results

 

$ai = az monitor app-insights component create `
         --app $ApplicationInsightsName `
         --location $AzureRegion `
         --resource-group $ResourceGroupName `
         --ingestion-access "Enabled" `
         --workspace $LogAnalyticsWorkspaceName `
     | ConvertFrom-Json

 

 

 

Create Application Identity & Assign Permissions


  • Create a New Application Identity, Assign Log Reader Access to $ReaderRoleName
  •  Note: Uses Built-In Role for "Log Analytics Reader"

Creating Application Identity

 

$appid = az ad sp create-for-rbac `
         -n $ReaderRoleName `
         | ConvertFrom-Json

 

 

Get Service Principal ID

 

$spid = az ad sp list `
         --display-name $ReaderRoleName `
         | ConvertFrom-Json

 

 

Assigning Permissions to new Role

 

az role assignment create `
         --assignee $spid.id `
         --role "Log Analytics Reader" `
         --resource-group $ResourceGroupName
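
A check that the new identity holds only the intended permission, written as an added example (not part of ThinScale's script): it flags any role assignment other than “Log Analytics Reader” on the resource group, which matters because older Azure CLI releases of az ad sp create-for-rbac also granted Contributor on the subscription by default. The function name Test-ReaderAssignment, the placeholder subscription ID and the sample data are constructed for illustration; the commented lines show how to feed it live az output.

```powershell
# Added example: least-privilege check for the Device Analytics reader identity.
# Emits one object per role assignment that is NOT the expected role at the expected scope.
function Test-ReaderAssignment {
    param(
        [Parameter(Mandatory)] [object[]] $Assignments,    # parsed `az role assignment list` output
        [Parameter(Mandatory)] [string]   $ExpectedScope,  # resource ID of the resource group
        [string] $ExpectedRole = 'Log Analytics Reader'
    )
    foreach ($a in $Assignments) {
        $roleOk  = $a.roleDefinitionName -eq $ExpectedRole
        $scopeOk = $a.scope -eq $ExpectedScope             # -eq is case-insensitive for strings
        if (-not ($roleOk -and $scopeOk)) {
            [pscustomobject]@{
                Role  = $a.roleDefinitionName
                Scope = $a.scope
                Issue = if (-not $roleOk) { 'unexpected role' } else { 'unexpected scope' }
            }
        }
    }
}

# Constructed sample: the intended assignment plus a subscription-wide Contributor grant.
$sub     = '/subscriptions/00000000-0000-0000-0000-000000000000'   # placeholder subscription ID
$rgScope = "$sub/resourceGroups/ThinScaleAnalytics"
$sample  = @"
[
  {"roleDefinitionName": "Log Analytics Reader", "scope": "$rgScope"},
  {"roleDefinitionName": "Contributor",          "scope": "$sub"}
]
"@ | ConvertFrom-Json

$findings = Test-ReaderAssignment -Assignments $sample -ExpectedScope $rgScope
$findings | Format-Table -AutoSize

# Live use, after the role assignment step above:
# $scope = az group show --name $ResourceGroupName --query id -o tsv
# $live  = az role assignment list --assignee $appid.appId --all | ConvertFrom-Json
# Test-ReaderAssignment -Assignments $live -ExpectedScope $scope
```

An empty result means the identity has exactly the one read-only assignment; any row returned should be removed with az role assignment delete before the secret is entered in the Management Console.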

 

 

Get Access Keys

Using results from above

  • Workspace ID

 

$appid | Add-Member -Type NoteProperty -Name 'resourceId' -Value $ws.CustomerId

 

 

  • The Following is your Instrumentation Key to use in the Endpoint Configuration

 

$ai.instrumentationKey

 

 

Expected Results

  • A “Connection String” used by the Endpoints to send data into “Application Insights”

 

 

  "Client Id": "abcdef1234567-890a-bcde-f1234567890a"
  "Secret Value": "9240.451-jpjv092049wsdj24-=g0i0"
  "tenant": "abcdef1234567-890a-bcde-f1234567890a"
  "Workspace Id": "abcdef1234567-890a-bcde-f1234567890a"
 

 

 


Device Analytics View





Device Analytics Logs 


The new Device Logs tab, together with Device Analytics, is a powerful tool to analyze the state of a machine directly from the console.

You will be able to see, in almost real time, a consolidated view of multiple log and event sources. These include:

  • “Startup Events” (including installed applications if enabled),
  • “Windows Event Logs”,
  • TK/SRW “Machine Service” log events, and
  • the “Device Analytics” events.



By default, only Critical and Error Logs are saved in the Log Analytics Workspace.



These can be modified using Windows standard XPath Select statements. The easiest way of doing so is via the “Computer Management” option.

 

 

Click Filter Current Log. Select the desired level, then copy the XML value into the Management Console, like so.
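
The kind of XML filter Event Viewer produces for a level selection, built and tested locally before it is pasted into the console; this is an added example, not taken from the ThinScale documentation. The function name New-EventLevelQuery and the “System” channel are assumptions for illustration, and the exact form the Management Console field expects is not stated on this page.

```powershell
# Added example: build an Event Viewer style XML filter for chosen levels and test it locally.
# Windows event levels: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 5 = Verbose.
function New-EventLevelQuery {
    param(
        [string] $LogName = 'System',                      # assumed channel, for illustration
        [ValidateRange(1, 5)] [int[]] $Levels = @(1, 2)    # default mirrors Critical + Error
    )
    $predicate = ($Levels | Sort-Object -Unique | ForEach-Object { "Level=$_" }) -join ' or '
    @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[($predicate)]]</Select>
  </Query>
</QueryList>
"@
}

$default  = New-EventLevelQuery                  # Critical and Error only
$extended = New-EventLevelQuery -Levels 1, 2, 3  # also collects Warning

# Validate the filter against the local event log before deploying it to endpoints.
try {
    Get-WinEvent -FilterXml $extended -MaxEvents 5 -ErrorAction Stop |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName
} catch {
    Write-Warning "Query rejected or no matching events: $($_.Exception.Message)"
}

$extended   # the XML text to review and copy
```

Widening the filter to Warning or Information increases the volume sent to the Log Analytics Workspace, so check the result count locally before rolling the change out.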

 

 

 


Example of Device Analytics

 


Enabled Latency Test

Use this option to have your users' machines perform a speed test against specific URLs or IP addresses.


Internet Host Checks

This option evaluates whether the machine has an internet connection, for local diagnostic purposes. A TCP port test of the URI will be logged in the local MachineService log file.

 

Collect Windows EventLog Data

This option will set the Log Level of the Windows Event Viewer you want the clients to collect.

 

Enable User Notification

This option is used to set a specific collection interval and a threshold to show users a systray notification.

When that threshold has been reached an example notification will be displayed.

  


Speed Test Server

Please do not modify this value unless instructed by ThinScale Support.

https://speedtest-api.thinscale.com/api/thinscale-speedtest-servers

 

Standard Data Collection

This is the interval in which the data will be collected.


Collection Software Inventory

When enabled Device Analytics will collect all the Installed Applications on the machine.

Please note: AppData (user-based) applications are not collected with this version.





 

Microsoft Reference Links

Manage Resource Groups

Create Log Analytics Workspace

Create Application Insights

Create an Azure AD app and service principal in the portal - Microsoft Entra | Microsoft Learn

Enterprise Application Identity

Get shared keys for the workspace