Log Analytics workspace access fails for ERP monitoring agents with private endpoints

michaelpro · May 6, 2025, 1:44pm

ERP monitoring agents deployed on Azure VMs can’t send logs to our Log Analytics workspace after we configured private endpoints. Agents show connected status but no data is flowing to the workspace.

We’ve set up private endpoint DNS configuration and verified the conditional access policy allows the managed identity. The agent network requirements should be met since VMs are in the same VNet as the private endpoint.


Agent Status: Connected
Last Heartbeat: None
Error: Failed to resolve workspace endpoint
Private DNS Zone: privatelink.oms.opinsights.azure.com

We’re missing critical monitoring data for our ERP environment. The private endpoint shows approved status. What’s wrong with the DNS setup or conditional access configuration?

jacob_tech · May 25, 2025, 5:56pm

Don’t overlook conditional access policies. If you have CA policies that restrict access to Azure resources, they can block the agent authentication even with correct DNS. The Log Analytics agent uses system-assigned managed identity for authentication, and that identity needs to be excluded from certain CA policies that require user interaction. Check your CA policy assignments in Azure AD.

emmacoder · May 8, 2025, 4:18am

The DNS resolution is likely the issue. When using private endpoints with Log Analytics, you need multiple DNS zones configured correctly. It’s not just the OMS zone - you also need zones for the data collection endpoints. Check if all required zones are linked to your VNet.

Topic		Views
Log Analytics workspace access fails for ERP monitoring agents using private endpoint and conditional access policies Microsoft Azure question , security , observability , log-analytics , az-2019 , conditional-access , dns-configuration , private-endpoint , monitoring-agent	3	October 14, 2025
Log Analytics workspace data ingestion fails due to firewall restrictions on subnet Microsoft Azure question , networking , analytics , log-analytics , az-2019 , workspace-access , firewall-rules , data-ingestion , private-link	4	May 3, 2025
Log Analytics workspace data ingestion fails due to firewall restrictions on custom analytics solution Microsoft Azure question , monitoring , networking , analytics , rest-api , log-analytics , az-2019 , firewall-rules , data-ingestion	5	December 9, 2024
Azure SQL Database private endpoint connection fails due to DNS misconfiguration in hybrid network setup Microsoft Azure question , networking , database , sql , az-2019 , azure-sql , dns-resolution , hybrid-connectivity , private-endpoint	3	October 5, 2025
Log Analytics workspace access denied for managed identity in monitoring pipeline Microsoft Azure question , monitoring , security , observability , log-analytics , az-2021 , rbac , access-denied , managed-identity	6	July 24, 2025
Private endpoint for Blob Storage fails DNS resolution from on-premises network after VNet integration Microsoft Azure question , storage , networking , az-2019 , vpn , dns , blob-storage , azure-private-endpoint , hybrid-network	3	April 17, 2025
Synapse Analytics managed identity permission denied for ERP data lake ingestion Microsoft Azure question , analytics , security , aml , data-lake , az-2021 , rbac , managed-identity , synapse-analytics	5	August 9, 2025
ML service endpoint deployed in VNet not accessible from on-premises network via VPN Microsoft Azure question , networking , hybrid-cloud , vpn-gateway , az-2019 , machine-learning , private-endpoint , nsg , azure-vnet	3	July 11, 2025
Synapse workspace firewall blocks Data Factory pipeline from accessing dedicated SQL pool Microsoft Azure question , analytics , security , connectivity , firewall , az-2021 , etl-failure , synapse , data-factory	4	June 3, 2025

Log Analytics workspace access fails for ERP monitoring agents with private endpoints

Related topics