Snippets

KQL snippet: diagnose Key Vault denial with managed identity

A short query to separate identity denial, network path and source address when an Azure workload can no longer access Key Vault.

07 Jun 2026 · Tags: kql, identity, azure, logs, monitoring, private-endpoint, runbook

When a managed identity can no longer read Key Vault, start with denial logs before broadening permissions. The goal is to check identity, operation and source address in the same time window.

managed-identity-keyvault-denied.kql

```kusto
// Look back over a bounded window so the identity, operation and source address line up in time.
let Window = 6h;
AzureDiagnostics
| where TimeGenerated > ago(Window)
| where ResourceProvider == "MICROSOFT.KEYVAULT"
// Keep only denied or failed calls; success rows are noise for this question.
| where ResultType !in ("Success", "Succeeded")
| project TimeGenerated,
        Resource,
        OperationName,
        ResultType,
        ResultSignature,
        CallerIPAddress,          // public vs private address tells you which network path was used
        Identity=tostring(Identity),  // caller claims: compare against the expected workload principal
        ClientRequestId
| order by TimeGenerated desc
```

Fast reading: an unexpected identity means go back to the workload principal; a public source address means check private DNS and the Private Endpoint; a coherent identity and network path means inspect the minimal RBAC role or access policy.
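The three branches of that fast reading, applied to rows exported from the query, as an added Python example that is not part of the original snippet; the expected object id, the private address ranges and the sample rows are constructed assumptions, and the `Identity` field is modelled as the parsed claims blob.

```python
import ipaddress
from collections import Counter

# Hypothetical object id of the workload's managed identity (assumption, not from the page).
EXPECTED_OID = "aaaaaaaa-0000-4000-8000-000000000001"

# Address space reachable only through the Private Endpoint (RFC 1918 here; use your VNet ranges).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed rows shaped like the KQL projection above.
SAMPLE_ROWS = [
    {"OperationName": "SecretGet", "ResultType": "Forbidden", "CallerIPAddress": "10.20.1.14",
     "Identity": {"oid": EXPECTED_OID}},                            # right principal, private path
    {"OperationName": "SecretGet", "ResultType": "Forbidden", "CallerIPAddress": "203.0.113.7",
     "Identity": {"oid": EXPECTED_OID}},                            # right principal, public source
    {"OperationName": "SecretList", "ResultType": "Unauthorized", "CallerIPAddress": "10.20.1.14",
     "Identity": {"oid": "bbbbbbbb-0000-4000-8000-000000000002"}},  # wrong principal
    {"OperationName": "SecretGet", "ResultType": "Forbidden", "CallerIPAddress": "",
     "Identity": {"oid": EXPECTED_OID}},                            # right principal, no address logged
]


def classify(row, expected_oid=EXPECTED_OID, private_nets=PRIVATE_NETS):
    """Map one denial row to the next thing to check, in the same order as the fast reading."""
    oid = row.get("Identity", {}).get("oid")
    if oid != expected_oid:
        return "identity"        # unexpected or absent caller: return to the workload principal
    try:
        src = ipaddress.ip_address(row.get("CallerIPAddress", ""))
    except ValueError:
        return "unknown-source"  # no usable source address: check diagnostic settings before judging the path
    if not any(src in net for net in private_nets):
        return "network"         # public source: private DNS / Private Endpoint path is not being used
    return "authorization"       # identity and path are coherent: inspect the RBAC role or access policy


def triage(rows, expected_oid=EXPECTED_OID):
    """Count denial rows per bucket so the dominant failure mode stands out."""
    return Counter(classify(r, expected_oid) for r in rows)


if __name__ == "__main__":
    for bucket, n in triage(SAMPLE_ROWS).most_common():
        print(f"{bucket:15} {n}")
```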