Understand how provisioning integrates with Azure Monitor logs

Provisioning integrates with Azure Monitor logs and Log Analytics. With Azure monitoring you can do things like create workbooks, also known as dashboards, store provisioning logs for 30+ days, and create custom queries and alerts. This article discusses how provisioning logs integrate with Azure Monitor logs. To learn more about how provisioning logs work in general, see provisioning logs.

Enabling provisioning logs

You should already be familiar with Azure monitoring and Log Analytics. If not, jump over to learn about them and then come back to learn about application provisioning logs. To learn more about Azure monitoring, see Azure Monitor overview. To learn more about Azure Monitor logs and Log Analytics, see Overview of log queries in Azure Monitor.

Once you've configured Azure monitoring, you can enable logs for application provisioning. The option is located on the Diagnostics settings page.

Access diagnostic settings

Enable application provisioning logs

Note

If you have just recently provisioned a workspace, it can take some time before you can send logs to it. If you receive an error that the subscription is not registered to use microsoft.insights then check back after a few minutes.

Understanding the data

The underlying data stream that Provisioning sends log viewers is almost identical. Azure Monitor logs gets nearly the same stream as the Azure portal UI and Azure API. There are only a few differences in the log fields as outlined in the following table. To learn more about these fields, see List provisioningObjectSummary.

Azure Monitor logs Azure portal UI Azure API
errorDescription reason resultDescription
status resultType resultType
activityDateTime TimeGenerated TimeGenerated

Azure Monitor workbooks

Azure Monitor workbooks provide a flexible canvas for data analysis. They also provide for the creation of rich visual reports within the Azure portal. To learn more, see Azure Monitor Workbooks overview.

Application provisioning comes with a set of pre-built workbooks. You can find them on the Workbooks page. To view the data, you'll need to ensure that all the filters (timeRange, jobID, appName) are populated. You'll also need to make sure you've provisioned an app, otherwise there won't be any data in the logs.

Application provisioning workbooks

Application provisioning dashboard

Custom queries

You can create custom queries and show the data on Azure dashboards. To learn how, see Create and share dashboards of Log Analytics data. Also, be sure to check out Overview of log queries in Azure Monitor.

Here are some samples to get started with application provisioning.

Query the logs for a user a based on their ID in the source system:

AADProvisioningLogs
| extend SourceIdentity = parse_json(SourceIdentity)
| where tostring(SourceIdentity.Id) == "49a4974bb-5011-415d-b9b8-78caa7024f9a"

Summarize count per ErrorCode:

AADProvisioningLogs
| summarize count() by ErrorCode = ResultSignature

Summarize count of events per day by action:

AADProvisioningLogs
| where TimeGenerated > ago(7d)
| summarize count() by Action, bin(TimeGenerated, 1d)

Take 100 events and project key properties:

AADProvisioningLogs
| extend SourceIdentity = parse_json(SourceIdentity)
| extend TargetIdentity = parse_json(TargetIdentity)
| extend ServicePrincipal = parse_json(ServicePrincipal)
| where tostring(SourceIdentity.identityType) == "Group"
| project tostring(ServicePrincipal.Id), tostring(ServicePrincipal.Name), ModifiedProperties, JobId, Id, CycleId, ChangeId, Action, SourceIdentity.identityType, SourceIdentity.details, TargetIdentity.identityType, TargetIdentity.details, ProvisioningSteps
|take 100

Custom alerts

Azure Monitor lets you configure custom alerts so that you can get notified about key events related to Provisioning. For example, you might want to receive an alert on spikes in failures. Or perhaps spikes in disables or deletes. Another example of where you might want to be alerted is a lack of any provisioning, which indicates something is wrong.

To learn more about alerts, see Azure Monitor Log Alerts.

Alert when there's a spike in failures. Replace the jobID with the jobID for your application.

Alert when there's a spike in failures.

There may be an issue that caused the provisioning service to stop running. Use the following alert to detect when there are no provisioning events during a given time interval.

There may be an issue that caused the provisioning service to stop running.

Alert when there's a spike in disables or deletes.

Alert when there's a spike in disables or deletes.

Community contributions

We're taking an open source and community-based approach to application provisioning queries and dashboards. If you've built a query, alert, or workbook that you think others would find useful, be sure to publish it to the AzureMonitorCommunity GitHub repo. Then shoot us an email with a link. We'll review and publish it to the service so others can benefit too. You can contact us at provisioningfeedback@microsoft.com.

Next steps