The Best 17 Tips of Entra Log Analytics Workspace

The Entra log analytics workspace is a subset of the Entra Monitoring service. Log data collected by Entra Monitor is stored in a Log Analytics workspace, which is based on Entra Data Explorer. It collects telemetry from a variety of sources.

Why we use Entra Log Analytics?

Many companies are using Entra services; directly or indirectly. Directly, a workload is like a virtual server or appliance. Indirectly, I would be using Entra Directory Services while using Teams. In either case, there is already some level of experience with Entra. This includes directory synchronization and access delegation for service payments. Because of this, adding Entra log services has become a simple add-in.

Entra Log Services can be used to monitor more than just room systems. It can monitor all levels of a Windows based system, as well as syslog services and direct file analytics. It offers robust tools and query languages to develop reports on different types of logs.

Set up your room systems

Ensure that you have one teams room system completely setup and working. Having these setups now will make the next steps easier. If you don’t have IPv6 running, I will go through managing that in a later step. This includes the following components.

IP connectivity (v4 and v6).
Camera.

Audio device.
Device ingest (HDMI in)
Signed into a room account.

Setting up Entra Log Analytics

Setting up Entra log analytics is not just a click and go solution. There is setup required for this to work.

Setup and account in Entra.
Setting up a resource group.

Configure the workspace.
Configure the logs.
Setup the dashboard.

Configure alerting.

First, you need to set yourself up with an account in Entra. Note that the free trial runs for 30 days with a $200 credit. As a starting point, monitoring 10 systems for 1 month costs under $1 per month. The more systems you add and the more log files you have, the more it will cost. But for the cost of it and what it can do. Chrome seems to work the best with Entra.

Create your free Entra account.

Click on Start Free Trial (or pay as you go; either way, it is the same).
Go through the signup process, which should only take about 10 minutes.

Set up a resource group

A resource group is a container that holds related resources for a Entra solution. It is a logical grouping such as room systems, log analytics, storage accounts, virtual networks, and virtual machines (VMs) as a single entity. For example, you may want to create a resource group just for room system log analytics.

Go to the Entra portal.
Click “More services”.

Click on Resource Groups.

Click Add

When you created your account, you either had a free trial or Pay-as-you go subscription. From the subscription menu, choose those options.
In the resource group, enter a descriptive name. For more information about the naming conventions, visit the Microsoft website.

Under Region, choose the location where you want your data stored. This is typically near your primary office. In this example, I will call it video conferencing.
Once you have reviewed the configuration, it will take a few minutes to create it.

Setting up the workspace

A workspace is a container in which to manage a subset of data from a resource group. For example, to access, manage, and query data from log analytics a workspace is used.

Go to the Entra portal and select All Resources.

Click Add.
In the search box, type Log Analytics.

At the bottom of the screen, click Create.
In the Workspace, enter a name. This is just a name of a place to store the data and configuration. Typically, this would be OMS. In this example, I am using OMSDevices.
Choose the subscription used when creating the resource group.

Choose the location where you want to store your data; this is usually the same as the resource group.

Download the agent

Click on All resources.

There you should see the workspace just created, OMSDevices; click on it.

Click on Advanced Settings.

There, you will get dropped into the agent’s details.

Download the 64-bit agent since you are most likely running 64-bit Windows 10.

You will need to copy the workspace ID and primary Key.

Install the agent

There are two ways to install the agent, command line and the GUI. The GUI is pretty straight forward, so I will focus on the command line.

To extract the MSI file, you can use 7ZIP or run the download with.

Create a batch file with the following line in it (notice the quotes), and save it as c:\source\MMA\installMMA.cmd
Open a command prompt with elevated permissions and run the above batch file.
You can tell if the agent was installed correctly in two ways. First, check the control panel for the Microsoft Monitoring Agent.

Go to the Entra Log Analytics tab (OMS). If it shows a green checkbox, you are good; if it shows anything else, remove it and re-add it. Most likely, the Workspace ID or primary key is wrong.
Now wait at least 5 minutes, it takes some time for the device to show up in the advanced settings tab (from the same place where you downloaded the agent).

Configure Log Data

The steps listed below are derived from the Microsoft website. The entire process should take about 20 minutes to set up.

Configure the log sources

Configure the SRS logging.
To get there, click All Resources, then the workspace (OMSDevices in this example).
and then advanced settings.

Then click on data Windows Event Logs.
In the name, enter the room system and then the + to add it (it will not auto fill that event log since it is not a common file).

Then click Save (on the left side of the window, don’t forget to save).

Validate the logs

This can take a long time (sometimes up to a few hours) to retrieve the data. It depends on how long your system has been active and the internet, and so on.
Click on Monitor in the left navigation window.

Click on Logs.

That will take you to the query window, where you can enter their test commands. It can take some time for the data to show up, so give it about 5 minutes.

Then click Run. That should return a list in the bottom window. Repeat this for the other examples. Note that if you get stuck at “We are getting your data, hang in there”, for a long time, you will need to start over.
I have found it helpful to save commands as I go.

Click save on the right hand side.
Then give it a name and save it as a query and a category. The category can be reused. So the next time you save, it will be a drop down list as well as free-form text.

Map Custom Fields

Before continuing, make sure the SRS has been configured. To generate an event, unplug a device for 3 seconds and plug it back in. Then wait a few minutes for the log to be updated in OMS. If you don’t do this, the next step will not be doable.

Mapping custom fields takes time and is repetitive. In the example, we will map the field Description.

Run the search: Event | where Source == “SRS-App” and EventID == 2000.
Expand one of the records, doesn’t matter which.

Click the 3 dots … and choose Extract Fields.

Check the box next to the Event ID, this should be checked by default.

Under Rendered Description, select the text of the field to the right of “Description”:

The first field that is being sampled is conference speaker status. Select the value of that field.
When selected, you will be asked to give the field a name. Make sure you have the value correct, and assign it the name SRSEventDescription. The _CF cannot be changed.

Click Extract.

This will then show you where that string shows up in the above query that you used to get to this screen.

If you need to make a change to the selection, you can click on the edit button at the upper right of the blue box and then select Modify this highlight.

Then, at the far right, is the summary. This is also how you can double check if you checked the EventID box or not.

If everything is correct, click on “Save extraction” on the bottom right.

Once you click “Save extraction,” you will go back to the query window. You will now need to repeat these steps for each of the JSON fields:
If you are not running IPv6, you can skip that field, and changes to the dashboard will have to be manually edited.

Removing an incorrect JSON field

Once you have gone through and done these all and realized that you forgot to uncheck or check the EventID box, you will need to delete those entries and re-create them. Here is how.

Go to All Resources. WorkSpaceName (OMSDevices) Advanced Settings.
Then click on Data Custom Fields.

Find the field in question and click Remove. There is no way to edit the extraction. You will just need to recreate them.

Troubleshooting

Usually, if you don’t see what you expect, it means that somewhere during the export you grabbed the wrong fields or gave it the wrong name. You can troubleshoot this by doing the following.

Go back to the Logs Query window (Monitor Logs).

On the left, under the Query Tab in the Schema Search, type SRS.

That will filter out and show you just the custom fields you created.

In the query window, enter the following: This example will show the IP addresses for all the computers. You can get the value for any of the values above. Note that this is all case sensitive.

If you are not running IPv6 or decided not to import a field, you will need to manually remove it from the imported field.

In the dashboard, click on Edit.

On the properties windows, scroll down to Click.

Copy the text in the navigation query and paste it into Notepad.
Find the text that you want to remove. For example, SRSIPv6Address_CF.
Delete the text, make sure there is a space after all commas and paste it back into the Navigation Query field.

Repeat this for each view in the dashboard.

Setting up alerts

The documented process for building alerts can be found here.

Go back to log search and enter the following query (note that if you are not using IPv6, you should remove the SRSIPv6Address_CF.

Once the query returns records, click on the New alert rule.

Resource should show the workspace for logs:

The condition will show a red bang symbol, click on that.

In the Based on section, choose Number of results greater than 0.
Set the evaluation based on 60 minutes and the frequency of 60 minutes. You will need to adjust these times as needed. Basically, this means every 60 minutes (based on frequency), it will see what happened in the past 60 minutes.

Under Action Groups, click Create new.

Fill out the details and make sure to pick the resource group that contains the log analytics workspace. Choose the type of action.

Once you fill that out, click edit details. Usually email, SMS, or push are the most common; all of those are configured in the window that shows up. You will need to add an action item per email or push. So I would recommend distribution lists when possible (just to simplify the process).
In the details, you can add the email address, push, SMS, etc.

When you have configured that single notification, click OK. And the email or message will go to whomever you have configured in that specific policy.
When all of your policies have been configured, click OK to take you back to the main screen and check the box to change the subject to: Teams Room Systems v2 Hardware Failure Alert (or anything descriptive).

Then click Create alert rule.

Now create a second rule. It will use almost the same process.
In the query window, use the following statement (note that the SRSIPv6Address_CF has been removed in this example).
Click on the New Alert Rule.

Set the conditions the same as before.
Under Action Groups, click Select existing, the one you created previously.
Change the subject to: Teams Room Systems v2 Application Failure Alert.

Alert Rule Name: Teams Room Systems v2 Application Failure Alert.
Description: A list of devices that encountered an application issue within the last hour.
Severity Critical (Sev0).

Changing Alerts

If you ever need to change alert frequency, notifications, etc., or view current alerts:

Go to your resources and select the workspace.
Under monitoring, choose alerts.

Then choose what you want to change.

Advanced Queries

List Rooms with Details

This example will show details by computer, you can add any other details as well.

Event |
where EventLog == “Teams Room System” and EventID == 2000 and SRSOperationName_CF
== “Heartbeat” |
summarize by Computer, SRSAlias_CF, SRSAppVersion_CF, SRSOSVersion_CF,
SRSOSLongVersion_CF

Also read: The Powerful Guide to Microsoft Entra AD App Registration

Now I’d like to hear from you:

That’s how Entra log analytics workspace works.

Which strategy from today’s post are you going to try first? Or maybe you have a question about something that I covered.

Either way, let me know by leaving a comment below right now.