Azure Monitor Alert Multi-Tenant Secure Webhook

Mathias Sundman 30 Reputation points
2024-02-03T15:37:33.5633333+00:00

Is it possible to have an Azure Monitor action group action use a Secure Webhook to call an Entra ID authenticated Azure Function in a different tenant? As long as my Azure Function is in the same tenant, I can successfully select the ObjectID of my Function App's App Registration in the Action Group configuration after making myself owner of that application. However, if I create the function app in a different tenant as a Multi-Tenant app and request admin consent from my parent tenant with Azure Monitor, it only appears as an Enterprise App, not as an App Registration, so I'm unable to make myself owner of the application, and therefore unable to select it in the Azure Monitor action group. Why this "Owner" restriction? Wouldn't it make sense to be able to use a cross-tenant authenticated Secure Webhook?

Azure Monitor

3 answers

  1. Ryan Hill 28,106 Reputation points Microsoft Employee
    2024-02-15T23:56:17.4866667+00:00

    Apologies for the late reply @Mathias Sundman. I've reached out to the product group regarding your specific issue. That limitation is by design and there isn't a workaround. The reasoning behind it addresses a security concern. Without checking the ownership, anyone can configure a Secure Webhook action under his/her action group that's pointing to another customer's Secure Webhook. This can allow them to take advantage of the action group to make HTTP calls to the webhook service.


  2. Pinaki Ghatak 4,210 Reputation points Microsoft Employee
    2024-02-16T09:21:09.97+00:00

    Hello @Mathias Sundman

    The “Owner” restriction you’re encountering is due to how Azure handles permissions and security across tenants. When you create an Azure Function in a different tenant as a Multi-Tenant app, it appears as an Enterprise App in the parent tenant because it’s considered a service provided by another tenant.

    Admin consent in Azure is designed to protect the data and resources of a tenant. It’s a mechanism that ensures only authorized administrators can grant permissions to applications, especially when those applications request access to sensitive data or resources.

    In the case of a multi-tenant application, admin consent can only be provided for the tenant where the application is registered in the first place.

    Users or Administrators of other tenants cannot consent via Azure Portal. It has to be done either when a user/administrator accesses the multi-tenant application for the first time, or by constructing the Admin Consent URL and sharing it with the Administrators of the other tenants.

    As for Azure Monitor action groups, they are designed to work within the context of a single tenant. The “Owner” restriction ensures that the person configuring the action group has the necessary permissions to access and manage the resources involved. While it might seem logical to use a cross-tenant authenticated Secure Webhook, it would introduce complexities around security, data privacy, and compliance. Each tenant in Azure is a boundary that isolates access to resources and data. Allowing cross-tenant access would require careful management of these aspects.

    However, your feedback about the “Owner” restriction and the desire for cross-tenant authenticated Secure Webhooks is valuable. I recommend providing this feedback directly to Microsoft through their UserVoice or feedback forums. We are always here for ways to improve their services based on user needs.

    If the information provided here helps solve your issue, please tag this as answered, so it helps further community readers, who may have similar questions.

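As an added example (not code from this thread, from Microsoft, or from Azure Monitor), here is the claims-level check a Secure Webhook receiver should perform on the bearer token it gets from Azure Monitor, once the token's signature has been verified (assumed here to be done upstream, for example by App Service Authentication in front of the function). Every application and tenant ID in it is a constructed placeholder; in particular `AZURE_MONITOR_APP_ID` stands for the app ID that the Azure Monitor action group identity presents in the `appid` claim, which you would take from the enterprise application in your own tenant. It illustrates why the tenant boundary discussed above matters for a multi-tenant App Registration: any tenant that consented to the app can obtain a validly signed token for it, so the receiver has to pin the `tid` claim as well as the audience and the calling app.

```python
import base64
import json
import time
from typing import Dict, Optional, Set, Tuple

# Constructed placeholder identifiers for this example; none are real values
# from the thread. Replace them with your own application and tenant IDs.
FUNCTION_APP_ID = "00000000-0000-0000-0000-00000000f00d"      # App Registration of the Function App (token audience)
HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"       # tenant whose action groups may call this webhook
AZURE_MONITOR_APP_ID = "<azure-monitor-action-group-app-id>"   # placeholder: app ID Azure Monitor presents in `appid`


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT. The signature is assumed to have
    been verified upstream; this function does not verify it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def authorize_webhook_caller(token: str, *, expected_audience: str,
                             allowed_tenants: Set[str], allowed_caller_app_ids: Set[str],
                             now: Optional[float] = None) -> Tuple[bool, str]:
    """Claims-level authorization for a Secure Webhook receiver. Returns (allowed, reason).

    A multi-tenant App Registration receives tokens from every tenant that consented
    to it, so the `tid` check is what keeps a foreign tenant's action group out even
    when the token signature is valid."""
    claims = decode_claims(token)
    now = time.time() if now is None else now

    if float(claims.get("exp", 0)) <= now:
        return False, "token expired"

    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False, f"tenant {tid!r} is not allowed to call this webhook"

    # The issuer must name the same tenant as the tid claim (v1 or v2 endpoint form).
    expected_issuers = {f"https://sts.windows.net/{tid}/",
                        f"https://login.microsoftonline.com/{tid}/v2.0"}
    if claims.get("iss") not in expected_issuers:
        return False, "issuer does not match the tid claim"

    # The audience must be this Function App's App Registration (plain or api:// form).
    if claims.get("aud") not in {expected_audience, f"api://{expected_audience}"}:
        return False, f"audience {claims.get('aud')!r} is not this app"

    # v1 tokens carry the calling app's ID in `appid`, v2 tokens in `azp`.
    caller = claims.get("appid") or claims.get("azp")
    if caller not in allowed_caller_app_ids:
        return False, f"caller app {caller!r} is not Azure Monitor"

    return True, "ok"


def make_test_token(claims: dict) -> str:
    """Build a compact JWT with a dummy signature to exercise the claim checks offline.
    Constructed test data only: a real Entra ID token is RS256 signed and must be
    verified before its claims are trusted."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'dummy-signature')}"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the checks against constructed tokens; returns {case: (allowed, reason)}."""
    base = {
        "aud": FUNCTION_APP_ID,
        "iss": f"https://sts.windows.net/{HOME_TENANT_ID}/",
        "tid": HOME_TENANT_ID,
        "appid": AZURE_MONITOR_APP_ID,
        "exp": 2_000_000_000,
    }
    foreign_tenant = "22222222-2222-2222-2222-222222222222"  # constructed: a tenant that consented to the app
    cases = {
        "home tenant, azure monitor caller": base,
        "foreign tenant (consented multi-tenant app)": {
            **base, "tid": foreign_tenant, "iss": f"https://sts.windows.net/{foreign_tenant}/"},
        "wrong audience": {**base, "aud": "some-other-app"},
        "home tenant but not azure monitor": {**base, "appid": "33333333-3333-3333-3333-333333333333"},
    }
    policy = dict(expected_audience=FUNCTION_APP_ID,
                  allowed_tenants={HOME_TENANT_ID},
                  allowed_caller_app_ids={AZURE_MONITOR_APP_ID})
    return {name: authorize_webhook_caller(make_test_token(c), now=1_700_000_000, **policy)
            for name, c in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {name}: {reason}")
```

The `demo` policy pins one home tenant; a receiver that deliberately serves several owned tenants would list each of them in `allowed_tenants` rather than accepting any `tid` the token happens to carry.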

  3. Schroeder, Michael (CTR) 31 Reputation points
    2024-07-02T21:54:05.34+00:00

    I'm sorry to be blunt, but this really sounds like a bug. Instead of fixing the actual problem, it sounds like the product group put a patch on that prevents customers from designing multi-tenant alert handling solutions, with a centralized function-app able to handle alert processing from all owned tenants.

    Please fix the bug instead of putting a security restriction in place that won't allow us to design efficient alert handling.

    Yes, we need to be secure, and I applaud that. But I am concerned when the answer is that other customers can call all our App Registrations with a Secure Webhook unless an "owner" check is put in place.

