
Application Logs

Because the infrastructure runs in your Azure subscription, you already have full access to all logs via the Azure Portal: Application Insights and Log Analytics are in your resource group.

Retention

Log Analytics is provisioned with the default retention of 30 days. Azure Activity Log (which records every resource change, including deployments) is retained for 90 days at the subscription level automatically.

If you need longer retention for compliance reasons, options include:

  • Raising the Log Analytics retention to up to 730 days (incurs additional cost)
  • Configuring continuous export to a Storage Account for indefinite archival
  • Enabling the Log Analytics archive tier for low-cost long-term storage

Let us know your requirements and we can configure this when deploying or update it later.

Shared Log Access for Our Support Team

We strongly recommend granting our team read-only access to logs so we can diagnose issues quickly without asking you to copy/paste excerpts on every support ticket. There are two options; pick whichever fits your security policy. Both are read-only, scoped to your DocAI Fabric resource group only, and fully revocable.

Option | Best for | Identity in your tenant? | Setup effort
Azure Lighthouse (preferred) | Strict enterprises, multi-customer relationships | No (projected from our tenant) | One ARM deployment
Guest user + RBAC | Simpler one-customer setup, faster to grant today | Yes (guest user object) | Portal clicks, no template

Option A: Azure Lighthouse

Microsoft's purpose-built mechanism for managed service providers. Our identities are projected into your resource scope without appearing in your Entra directory.

How it works:

  • You run one command to authorise our Azure tenant with read-only access scoped to your resource group
  • We query logs from our own Azure Portal; no credentials are shared, nothing is stored on our side
  • The authorisation is fully visible in your Azure Activity Log
  • You can revoke it at any time

Setup. We will provide the exact authorisation template when setting up your environment. The command looks like:

az deployment sub create \
--location <YOUR_REGION> \
--template-uri "<LIGHTHOUSE_TEMPLATE_WE_PROVIDE>"

This grants our team Log Analytics Reader, Monitoring Reader, and Reader on your resource group only: no write access, no access to your documents, storage contents, or any other resources.

Revoking access:

# Lists every Lighthouse assignment in the current subscription and deletes each one.
# If other providers are also delegated to this subscription, filter the list to our assignment first.
az managedservices assignment list --query "[].id" -o tsv | \
  xargs -I {} az managedservices assignment delete --assignment {}

Or remove the delegation from the Azure Portal under Azure Lighthouse → Service providers.

Option B: Guest User + RBAC

Simpler if you only have one provider relationship and don't want to author a Lighthouse template. We share an email address; you invite it as a guest in your Entra ID and grant three read-only roles scoped to the resource group.

Steps:

  1. Invite our support account as a guest user in your Entra ID:

    • Azure Portal → Microsoft Entra ID → Users → + New user → Invite external user
    • Use the email address we provide
  2. Assign three built-in roles, scoped only to the DocAI Fabric resource group:

    Role | Purpose
    Reader | View container app configuration, revisions, storage listings
    Log Analytics Reader | Run KQL queries against the workspace
    Monitoring Reader | Access Application Insights, metrics, alerts, Activity Log

    Via Portal: open the DocAI resource group → Access control (IAM) → + Add role assignment → repeat for each role.

    Or via CLI:

    # Resource group that holds the DocAI Fabric deployment
    RG="<your-docai-resource-group>"
    # Object id of the guest user you invited (looked up by the invited email address)
    USER_ID=$(az ad user list --filter "mail eq '<email-we-provide>'" --query "[0].id" -o tsv)
    # Full resource id of the resource group; every assignment below is scoped to it
    SCOPE=$(az group show -n "$RG" --query id -o tsv)

    for ROLE in "Reader" "Log Analytics Reader" "Monitoring Reader"; do
      az role assignment create --assignee-object-id "$USER_ID" --assignee-principal-type User --role "$ROLE" --scope "$SCOPE"
    done

Revoking access: remove the role assignments from the resource group's IAM blade, or delete the guest user from Entra ID. Both actions appear in your Activity Log.

Safe on shared subscriptions. Because all three roles are assigned at resource group scope, the guest user cannot see or access any other resource group, any subscription-level resources, or other workloads sharing the subscription. The roles are pure read, with no ability to modify, deploy, or delete anything.
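To confirm the resource-group scoping after Option B is in place, the following added check (not part of DocAI Fabric or of the Azure CLI) parses the output of `az role assignment list --assignee <guest-object-id> --all -o json` and flags any role outside the three listed above or any scope wider than the DocAI resource group. The subscription id and resource group name in the sample are constructed placeholders.

```python
import json

# The three built-in roles the page grants; anything else is a finding.
ALLOWED_ROLES = {"Reader", "Log Analytics Reader", "Monitoring Reader"}


def audit_guest_assignments(assignments_json: str, rg_scope: str):
    """Check the guest's role assignments against the page's policy:
    only the three read-only roles, each scoped to the DocAI resource group.
    Input is assumed to be the JSON from
    `az role assignment list --assignee <guest-object-id> --all -o json`.
    Returns (ok, findings)."""
    findings = []
    seen = set()
    for a in json.loads(assignments_json):
        role, scope = a.get("roleDefinitionName", ""), a.get("scope", "")
        # Azure scopes are case-insensitive; a subscription-level or
        # foreign-RG scope means the access is wider than intended.
        if scope.lower() != rg_scope.lower():
            findings.append(f"'{role}' scoped to {scope} (expected {rg_scope})")
        if role not in ALLOWED_ROLES:
            findings.append(f"unexpected role '{role}' at {scope}")
        seen.add(role)
    for missing in sorted(ALLOWED_ROLES - seen):
        findings.append(f"missing role '{missing}'")
    return (not findings, findings)


# Constructed sample: subscription id and RG name are placeholders.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-docai"
GOOD = json.dumps([
    {"roleDefinitionName": r, "scope": RG} for r in sorted(ALLOWED_ROLES)
])
# Constructed drift: Reader inherited from the subscription plus a Contributor grant.
DRIFTED = json.dumps([
    {"roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"roleDefinitionName": "Log Analytics Reader", "scope": RG},
    {"roleDefinitionName": "Monitoring Reader", "scope": RG},
    {"roleDefinitionName": "Contributor", "scope": RG},
])

if __name__ == "__main__":
    for label, data in (("good", GOOD), ("drifted", DRIFTED)):
        ok, findings = audit_guest_assignments(data, RG)
        print(label, "OK" if ok else "FINDINGS", findings)
```

Run it periodically, or after any IAM change, and treat a non-empty findings list as a prompt to review the Activity Log for the role assignment write that caused it.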

Tightening guest user defaults (optional). By default, guest users in Entra ID can see other users and groups in your directory (names only, no data). If your security policy is strict, you can set Entra ID → External identities → External collaboration settings → Guest user access to "Guest user access is restricted to properties and memberships of their own directory objects" before inviting.

Security (both options)

  • Read-only: we cannot create, modify, or delete any resources, and we cannot read your documents or storage contents
  • Scoped to your resource group: no access to other RGs, other workloads, or subscription-level resources
  • Auditable: every action we take appears in your Azure Activity Log
  • Revocable: you can remove access at any time with a single command

If you prefer not to grant ongoing access, you can always share log excerpts manually, but expect slower turnaround on support.