Extend KQL Data with Azure Function as Resource Exporter

In complex cloud environments, effective monitoring and observability increasingly require data from sources beyond native Azure telemetry. While Azure native resources in combination with Azure Log Analytics offer deep visibility into Azure resources, they don’t directly support querying external systems such as Microsoft Graph API, or third-party platforms like ServiceNow, CRMs, etc. To bridge this gap, you can extend the telemetry using Azure Functions that collect, transform, and retrieve external data on demand using HTTP requests and making it accessible through Kusto Query Language (KQL).

This is a conceptual architecture meant to demonstrate how you can enrich your observability stack. It’s not a one-click or fully packaged solution, but rather a pattern that can be tailored to your specific API sources, data schemas, and monitoring goals.

Architecture

At its core, the approach involves using Azure Functions as external data connector — fetching data from APIs, converting it into structured records, and making it available to your existing monitoring data platform. Once the Azure Function is created, it becomes available to query, visualize, and alert on. It then works just like native or custom Azure logs.

This pattern unlocks powerful use cases, such as:

  • Correlating Entra ID sign-ins with metadata from ServiceNow or Microsoft Graph API.

  • Contextualizing security alerts with vulnerability data from external scanners.
  • Tracking compliance-related signals alongside Azure Policy states.

In the sections that follow, it is outlined how this architecture can be implemented, the technologies involved, and important operational considerations for building a reliable, secure, and maintainable integration.

Azure Function

The Azure Function acts as a lightweight API endpoint that retrieves data from external systems, transforms it into structured JSON, and serves it to KQL using an HTTP trigger. This allows real-time enrichment of queries with external context.

Authentication

To securely access external APIs like Microsoft Graph, your Azure Function must authenticate properly. The recommended method is using Managed Identity, which allows the function to obtain tokens without storing secrets.

Ensure the function’s identity has the necessary Graph API permissions (e.g., Group.Read.All) granted via Entra ID and admin consent. Learn more about System Managed Identities here: Use System Managed Ide... | LNC DOCS

Example Code
using namespace System.Net

param($Request, $TriggerMetadata)

if($request.Query.evaluationType -eq "entraidgroups" -and $request.Query.groupid){
    # Get Graph API Access Token
    Import-Module Microsoft.Graph.Authentication
    $requiredPermissions = @(
        "Group.Read.All"
    )
    $permissionsList = $requiredPermissions -join ', '
    Connect-MgGraph -Identity -NoWelcome
    $mgGraphRequest = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/" -OutputType HttpResponseMessage
    $Global:MicrosoftEntraIDAccessToken = $mgGraphRequest.RequestMessage.Headers.Authorization.Parameter

    $uri = "https://graph.microsoft.com/v1.0/groups/$($request.Query.groupid)/members"#?`$select=id,displayName"
    $allGroups = Invoke-RestMethod -Method GET -Uri $uri -Header @{Authorization = "Bearer $Global:MicrosoftEntraIDAccessToken" }

    $outputjson = ($allGroups.value)
}

Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = [HttpStatusCode]::OK
    Body = $outputjson
})

KQL Query

Once your Azure Function is returning structured JSON data, you can integrate it into your monitoring workflow using externaldata() in KQL:

externaldata(id:string, displayName:string) // Extend with fields from your API response
[
  'https://<functionappname>.azurewebsites.net/api/<functionname>?code=<functionaccesskey>&evaluationType=entraidgroupmembers&groupid=<yourgroupid>'
]
with(format='multijson')

Key Considerations

With the right setup, this method allows seamless integration of external data into your KQL dashboards and alerts, expanding the scope of what you can monitor and correlate in Azure.


Revision #3
Created 31 May 2025 19:04:41 by Luca Noah Caprez
Updated 11 June 2025 09:18:18 by Luca Noah Caprez