Azure Log analytics to identify user upn in Storage blob activities

Shola Lawani 531 Microsoft Employee

Hello experts,

I have enabled the storage Diagnostics setting (preview) for a storage account read, update and write activities mapped it to a log analytics workspace.

Now, if I issue the Log analytics Kusto query below, the result is not retrieving the "requesterUPN". The use case for the query is identify the user(s) that perform blob level activities in a storage account.

// Show anonymous requests

// List all requests with anonymous access over the last 3 days.
// To create an alert for this query, click '+ New alert rule'
StorageBlobLogs
| where TimeGenerated > ago(3d) and AuthenticationType == "OAuth"
| project TimeGenerated, OperationName, AuthenticationType,RequesterObjectId,RequesterUpn

What could be the issue here

bharathn-msft 5,086 Reputation points Microsoft Employee

2020-12-18T20:35:38.237+00:00

anonymous user - Thank you for reaching out with your query.

Looking through your scenario, I tried enabling below options with the diagnostic settings

Was able to to see the "RequesterUpn" without any issue.

Can you please help confirm the above settings in your storage account blob ? thank you
Shola Lawani 531 Reputation points Microsoft Employee

2020-12-21T14:19:32.14+00:00

hi @bharathn-msft Thanks for the response I have enabled diagnostic setting as shown in your response, however, the "RequesterUpn" value is still empty ![50021-image.png][1] ![50005-image.png][2] [1]: /answers/storage/temp/50021-image.png [2]: /answers/storage/temp/50005-image.png What could be wrong here?
bharathn-msft 5,086 Reputation points Microsoft Employee

2020-12-23T07:34:14.903+00:00

anonymous user - Thank you for verifying this and circling back. Interesting to see if you are not seeing the "RequesterUpn" is empty for you. We will have to further investigate on why you getting into that scenario.

Meanwhile can you please help confirm , if you are using your alias and making this calls to storage account via portal or using any other modes of connection to storage account, trying to better understand what way you are accessing the storage blob content and why the UPN is not getting registered.

Please share any additional information you might have, we also keep looking further into this scenario and share any pointers we might find. Thank you.
Shola Lawani 531 Reputation points Microsoft Employee

2020-12-28T16:32:50.067+00:00

@bharathn-msft ,

Thanks for the response. Yes I'm making the call with my alias via the Portal UI and then performing different operations (upload, delete, download) on the blobs.

I still don't understand the logs are not coming in.
svijay-MSFT 5,206 Reputation points Microsoft Employee

2020-12-29T13:10:48.717+00:00
anonymous user

Can you please confirm whether this is happening for all operations in the log or just few of them ?

Also, do you see any thing different in the UserAgentHeader for these operations ?

StorageBlobLogs | where TimeGenerated > ago(3d) and AuthenticationType == "OAuth" | project TimeGenerated,OperationName,AuthenticationType,RequesterUpn,UserAgentHeader

All the portal / UI browser operations will have the header as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4346.0 Safari/537.36 Edg/89.0.731.0 or something similar to this.
Shola Lawani 531 Reputation points Microsoft Employee

2021-01-04T15:55:29.463+00:00

@svijay-MSFT This is the output of the query below...Also the RequesterUPN is omitted for all blob operations ![53352-image.png][1] [1]: /api/attachments/53352-image.png?platform=QnA I have ran the same query on another subscription and I can't see the "RequesterUPN"
G Venkata Sai Pranav 0 Reputation points

2023-06-19T05:18:28.7+00:00

Hi @bharatn-msft

2 answers

bharathn-msft 5,086 Reputation points Microsoft Employee

2021-03-08T15:33:52.92+00:00

<<Re-sharing the information here from comments for broader community usage>>

anonymous user In general the UPN is missing when the caller is not a user principal, but a service principal (could be a service to service call from another resource provider, a manually created service principal, or a Managed Identity).

Please review the reference document on claims in access tokens here : Microsoft identity platform access tokens - Microsoft identity platform | Microsoft Learn

Hope the information helps, please let us know if you have any further queries. Thanks
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Pini Krisher 1 Reputation point

2022-08-02T09:54:06.807+00:00

Hi
Why the RequesterUpn field in my logs is always empty? @bharathn-msft
Please sign in to rate this answer.

0 comments No comments
Sign in to comment