Enable debug logging

To troubleshoot a deployment error, enable debug logging to get more information. Debug logging works for deployments using Bicep files or Azure Resource Manager templates (ARM templates). You can get data about a deployment's request and response to learn the cause of a problem.

Warning

Debug logging can expose secrets like passwords or listKeys. Only enable debug logging when you need to troubleshoot a deployment error.

Set up debug logging

Use Azure PowerShell to enable debug logging and view the results with Azure PowerShell or Azure CLI.

For a resource group deployment, use New-AzResourceGroupDeployment to set the DeploymentDebugLogLevel parameter to All, ResponseContent, or RequestContent.

When debug logging is enabled, a warning is displayed that secrets like passwords or listKeys can be logged and displayed when you get deployment operations with commands like Get-AzResourceGroupDeploymentOperation.

New-AzResourceGroupDeployment `
  -Name exampledeployment `
  -ResourceGroupName examplegroup `
  -TemplateFile main.bicep `
  -DeploymentDebugLogLevel All

The output shows the debug logging level.

DeploymentDebugLogLevel : RequestContent, ResponseContent

The DeploymentDebugLogLevel parameter is available for other deployment scopes: subscription, management group, and tenant.

Get debug information

After debug logging is enabled, you can get more information from the deployment operations.

For a resource group deployment, use Get-AzResourceGroupDeploymentOperation to get deployment operations.

Get-AzResourceGroupDeploymentOperation `
  -DeploymentName exampledeployment `
  -ResourceGroupName examplegroup

You can specify a property, like StatusMessage or StatusCode to filter the output.

(Get-AzResourceGroupDeploymentOperation `
  -DeploymentName exampledeployment `
  -ResourceGroupName examplegroup).StatusMessage

For more information, see the documentation for deployment operation scopes: subscription, management group, and tenant.

Remove debug deployment history

When you're finished debugging, you can remove deployment history to prevent anyone who has access from seeing sensitive information that might have been logged. If you used multiple deployment names during debugging, run the command for each deployment name.

To remove deployment history for a resource group deployment, use Remove-AzResourceGroupDeployment.

Remove-AzResourceGroupDeployment -ResourceGroupName examplegroup -Name exampledeployment

The command returns True when it's successful.

For more information about deployment history, see the documentation for the deployment scopes: subscription, management group, and tenant.

Nested template

To log debug information for a nested ARM template, use the Microsoft.Resources/deployments debugSetting property.

{
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2020-10-01",
  "name": "nestedTemplate",
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "{template-uri}",
      "contentVersion": "1.0.0.0"
    },
    "debugSetting": {
       "detailLevel": "requestContent, responseContent"
    }
  }
}

Bicep uses modules rather than nested templates.

Next steps