0 Votes
DiptiRanjanSwain-1959 asked DiptiRanjanSwain-1959 commented

How to check Azure policy audit logs

Hi,

I need to enable logging for all the activities performed related to Azure Policy and forward the logs to Log Analytics, such as when a policy was created, modified, or deleted, and by which user, along with other details about the policies. I also want to log/track when a policy is deprecated by Azure.

Can someone please answer how to achieve this?

azure-policy

1 Answer

0 Votes
tbgangav-MSFT answered DiptiRanjanSwain-1959 commented

Hi @DiptiRanjanSwain-1959,

You can send activity logs to a Log Analytics workspace in two ways, i.e., via Activity log diagnostic settings or via the legacy method, and then, if required, you can configure a log alert with the help of the AzureActivity table.

Below are a few actions which track the policy definition changes. For the complete list of actions, please refer to this document.

  • Action for change in policy definition - Microsoft.Authorization/policyDefinitions/write

  • Action for policy definition deletion - Microsoft.Authorization/policyDefinitions/delete

Regarding tracking the deprecation of a policy: in general, the deprecated property under the metadata section is set to true in such cases. For more information on this, please refer to this document. We would probably be able to track changes to that in the same way as explained above. For illustration, this is one such policy that is deprecated, and so the deprecated property in the metadata section is set to true.

Just FYI, this is a similar question related to tracking changes in the policy. If interested, you may refer to the answer in that question, which has a few illustrations with screenshots.


@tbgangav-MSFT Thank you for quickly answering my question. This is helpful. One follow-up question: if I create an Azure policy via Terraform, will that be logged in the same way as creating a policy in the Azure portal, or is there some other log for that?

0 Votes 0 ·
tbgangav-MSFT DiptiRanjanSwain-1959 ·

@DiptiRanjanSwain-1959,

Glad to know!

AFAIK it should be the same even if you create the policy via Terraform or the Azure portal, as in the end it's an activity at the Azure end, i.e., Azure Activity!

1 Vote 1 ·
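A Log Analytics query for the approach described in the answer, as an added example that is not part of the original thread: once activity logs reach the workspace, it lists the two policy definition actions named above together with who performed them. The 30-day window and the success-only filter are assumptions to adjust.

```kusto
// Added example: policy definition changes recorded in the AzureActivity table.
// The 30-day lookback is an assumption; match it to the workspace's retention.
AzureActivity
| where TimeGenerated > ago(30d)
// in~ compares case-insensitively, so the match does not depend on
// how the operation name is cased in the stored record.
| where OperationNameValue in~ (
    "Microsoft.Authorization/policyDefinitions/write",
    "Microsoft.Authorization/policyDefinitions/delete")
// A single operation can emit more than one record (for example Start and
// Success); keep only the completed ones so each change is listed once.
| where ActivityStatusValue =~ "Success"
| extend Change = iff(OperationNameValue endswith "/delete", "deleted", "created or modified")
// Caller identifies the user or application that made the request.
| project TimeGenerated, Change, Caller, CallerIpAddress, SubscriptionId, _ResourceId
| order by TimeGenerated desc
```

The same query can serve as the condition of a log alert rule on the AzureActivity table, as the answer suggests.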