Server DevOps Audit Settings - Create Or Update

  • Reference
Service:
SQL Database
API Version:
2021-02-01-preview

Creates or updates a server's DevOps audit settings.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Sql/servers/{serverName}/devOpsAuditingSettings/{devOpsAuditingSettingsName}?api-version=2021-02-01-preview

URI Parameters

Name In Required Type Description
devOpsAuditingSettingsName
 path True
  • string

The name of the devops audit settings. This should always be 'default'.
resourceGroupName
 path True
  • string

The name of the resource group that contains the resource. You can obtain this value from the Azure Resource Manager API or the portal.
serverName
 path True
  • string

The name of the server.
subscriptionId
 path True
  • string

The subscription ID that identifies an Azure subscription.
api-version
 query True
  • string

The API version to use for the request.

Request Body

Name Required Type Description
properties.state True

Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are required.
properties.isAzureMonitorTargetEnabled
  • boolean

Specifies whether DevOps audit events are sent to Azure Monitor. In order to send the events to Azure Monitor, specify 'State' as 'Enabled' and 'IsAzureMonitorTargetEnabled' as true.

When using REST API to configure DevOps audit, Diagnostic Settings with 'DevOpsOperationsAudit' diagnostic logs category on the master database should be also created.

Diagnostic Settings URI format: PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Sql/servers/{serverName}/databases/master/providers/microsoft.insights/diagnosticSettings/{settingsName}?api-version=2017-05-01-preview

For more information, see Diagnostic Settings REST API or Diagnostic Settings PowerShell
properties.storageAccountAccessKey
  • string

Specifies the identifier key of the auditing storage account. If state is Enabled and storageEndpoint is specified, not specifying the storageAccountAccessKey will use SQL server system-assigned managed identity to access the storage. Prerequisites for using managed identity authentication:

  1. Assign SQL Server a system-assigned managed identity in Azure Active Directory (AAD).
  2. Grant SQL Server identity access to the storage account by adding 'Storage Blob Data Contributor' RBAC role to the server identity. For more information, see Auditing to storage using Managed Identity authentication
properties.storageAccountSubscriptionId
  • string

Specifies the blob storage subscription Id.
properties.storageEndpoint
  • string

Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled is required.

Responses

Name Type Description
200 OK

Successfully updated the DevOps audit settings.
202 Accepted

Updating the audit DevOps settings is in progress.
Other Status Codes

*** Error Responses: ***

  • 400 InvalidServerDevOpsAuditSettingsCreateRequest - The create server DevOps audit policy request does not exist or has no properties object.

  • 400 DataSecurityInvalidUserSuppliedParameter - An invalid parameter value was provided by the client.

  • 400 InvalidServerDevOpsAuditSettingsName - Invalid server DevOps policy name.

  • 400 DevOpsAuditInvalidStorageAccountCredentials - The provided storage account or access key is not valid.

  • 404 SubscriptionDoesNotHaveServer - The requested server was not found

  • 404 ServerNotInSubscriptionResourceGroup - Specified server does not exist in the specified resource group and subscription.

  • 409 ServerDevOpsAuditSettingsInProgress - Set server DevOps audit is already in progress.

Examples

Update a server's DevOps audit settings with all params
Update a server's DevOps audit settings with minimal input

Update a server's DevOps audit settings with all params

Sample Request

PUT https://management.azure.com/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/devAuditTestRG/providers/Microsoft.Sql/servers/devOpsAuditTestSvr/devOpsAuditingSettings/default?api-version=2021-02-01-preview
Request Body
{
  "properties": {
    "state": "Enabled",
    "storageAccountAccessKey": "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==",
    "storageEndpoint": "https://mystorage.blob.core.windows.net",
    "storageAccountSubscriptionId": "00000000-1234-0000-5678-000000000000",
    "isAzureMonitorTargetEnabled": true
  }
}

Sample Response

Status code:
200 
{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/devAuditTestRG/providers/Microsoft.Sql/servers/devOpsAuditTestSvr/devOpsAuditingSettings/default",
  "name": "default",
  "type": "Microsoft.Sql/servers/devOpsAuditingSettings",
  "properties": {
    "state": "Enabled",
    "storageEndpoint": "https://mystorage.blob.core.windows.net",
    "storageAccountSubscriptionId": "00000000-1234-0000-5678-000000000000",
    "isAzureMonitorTargetEnabled": true
  }
}
Status code:
202

Update a server's DevOps audit settings with minimal input

Sample Request

PUT https://management.azure.com/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/devAuditTestRG/providers/Microsoft.Sql/servers/devOpsAuditTestSvr/devOpsAuditingSettings/default?api-version=2021-02-01-preview
Request Body
{
  "properties": {
    "state": "Enabled",
    "storageAccountAccessKey": "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==",
    "storageEndpoint": "https://mystorage.blob.core.windows.net"
  }
}

Sample Response

Status code:
200 
{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/devAuditTestRG/providers/Microsoft.Sql/servers/devOpsAuditTestSvr/devOpsAuditingSettings/default",
  "name": "default",
  "type": "Microsoft.Sql/servers/devOpsAuditingSettings",
  "properties": {
    "state": "Enabled",
    "storageEndpoint": "https://mystorage.blob.core.windows.net",
    "storageAccountSubscriptionId": "00000000-1234-0000-5678-000000000000"
  }
}
Status code:
202

Definitions

BlobAuditingPolicyState

Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are required.
createdByType

The type of identity that created the resource.
ServerDevOpsAuditingSettings

A server DevOps auditing settings.
systemData

Metadata pertaining to creation and last modification of the resource.

BlobAuditingPolicyState

Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are required.

Name Type Description
Disabled
  • string
Enabled
  • string

createdByType

The type of identity that created the resource.

Name Type Description
Application
  • string
Key
  • string
ManagedIdentity
  • string
User
  • string

ServerDevOpsAuditingSettings

A server DevOps auditing settings.

Name Type Description
id
  • string

Resource ID.
name
  • string

Resource name.
properties.isAzureMonitorTargetEnabled
  • boolean

Specifies whether DevOps audit events are sent to Azure Monitor. In order to send the events to Azure Monitor, specify 'State' as 'Enabled' and 'IsAzureMonitorTargetEnabled' as true.

When using REST API to configure DevOps audit, Diagnostic Settings with 'DevOpsOperationsAudit' diagnostic logs category on the master database should be also created.

Diagnostic Settings URI format: PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Sql/servers/{serverName}/databases/master/providers/microsoft.insights/diagnosticSettings/{settingsName}?api-version=2017-05-01-preview

For more information, see Diagnostic Settings REST API or Diagnostic Settings PowerShell
properties.state

Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are required.
properties.storageAccountAccessKey
  • string

Specifies the identifier key of the auditing storage account. If state is Enabled and storageEndpoint is specified, not specifying the storageAccountAccessKey will use SQL server system-assigned managed identity to access the storage. Prerequisites for using managed identity authentication:

  1. Assign SQL Server a system-assigned managed identity in Azure Active Directory (AAD).
  2. Grant SQL Server identity access to the storage account by adding 'Storage Blob Data Contributor' RBAC role to the server identity. For more information, see Auditing to storage using Managed Identity authentication
properties.storageAccountSubscriptionId
  • string

Specifies the blob storage subscription Id.
properties.storageEndpoint
  • string

Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled is required.
systemData

SystemData of ServerDevOpsAuditSettingsResource.
type
  • string

Resource type.

systemData

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt
  • string

The timestamp of resource creation (UTC).
createdBy
  • string

The identity that created the resource.
createdByType

The type of identity that created the resource.
lastModifiedAt
  • string

The timestamp of resource last modification (UTC)
lastModifiedBy
  • string

The identity that last modified the resource.
lastModifiedByType

The type of identity that last modified the resource.