Any time someone grants or revokes access within your subscriptions, the changes get logged in Azure events. You can create access change history reports to see all changes for the past 90 days.
Create a report with Azure PowerShell
To create an access change history report in PowerShell, use the Get-AzureRMAuthorizationChangeLog command.
When you call this command, you can specify which property of the assignments you want listed, including the following:
|Property|Description|
|---|---|
|Action|Whether access was granted or revoked|
|Caller|The owner responsible for the access change|
|PrincipalId|The unique identifier of the user, group, or application that was assigned the role|
|PrincipalName|The name of the user, group, or application|
|PrincipalType|Whether the assignment was for a user, group, or application|
|RoleDefinitionId|The GUID of the role that was granted or revoked|
|RoleName|The role that was granted or revoked|
|Scope|The unique identifier of the subscription, resource group, or resource that the assignment applies to|
|ScopeName|The name of the subscription, resource group, or resource|
|ScopeType|Whether the assignment was at the subscription, resource group, or resource scope|
|Timestamp|The date and time that access was changed|
This example command lists all access changes in the subscription for the past seven days:
Get-AzureRMAuthorizationChangeLog -StartTime ([DateTime]::Now - [TimeSpan]::FromDays(7)) | FT Caller,Action,RoleName,PrincipalType,PrincipalName,ScopeType,ScopeName
Create a report with Azure CLI
To create an access change history report in the Azure command-line interface (CLI), use the azure role assignment changelog list command.
Export to a spreadsheet
To save the report, or manipulate the data, export the access changes into a .csv file. You can then view the report in a spreadsheet for review.
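The following is an added example, not code from the original page: it writes the change log properties listed above to a .csv file and adds a NeedsReview column for grants of roles that can themselves change access. The function name, file path, role list, sample records and the Action values 'Granted'/'Revoked' are assumptions.

```powershell
# Added example, not part of the original page. Function name, file path and
# sample records are constructed; Action values 'Granted'/'Revoked' are assumed.
function Export-AccessChangeReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Change,
        [Parameter(Mandatory)] [string] $Path,
        # Built-in roles that can change access themselves
        [string[]] $PrivilegedRoles = @('Owner', 'User Access Administrator')
    )
    begin { $rows = New-Object System.Collections.Generic.List[object] }
    process {
        # Keep the report columns and mark grants of privileged roles
        $row = $Change | Select-Object Timestamp, Caller, Action, RoleName,
            PrincipalType, PrincipalName, ScopeType, ScopeName,
            @{ Name = 'NeedsReview'; Expression = {
                $_.Action -eq 'Granted' -and $PrivilegedRoles -contains $_.RoleName } }
        $rows.Add($row)
    }
    end {
        # Full report goes to the spreadsheet; flagged rows go back to the caller
        $rows | Sort-Object Timestamp | Export-Csv -Path $Path -NoTypeInformation
        $rows | Where-Object { $_.NeedsReview }
    }
}

# Constructed sample records so the example runs without an Azure session
$sample = @'
Timestamp,Caller,Action,RoleName,PrincipalType,PrincipalName,ScopeType,ScopeName
2017-01-10T09:15:00,admin@example.com,Granted,Owner,User,alice@example.com,Subscription,Example-Sub
2017-01-11T14:02:00,admin@example.com,Revoked,Contributor,Group,Web Team,ResourceGroup,example-rg
2017-01-12T08:30:00,ops@example.com,Granted,Reader,User,bob@example.com,Resource,example-vm
'@ | ConvertFrom-Csv

$flagged = $sample | Export-AccessChangeReport -Path .\access-changes.csv
$flagged | Format-Table Timestamp, Caller, RoleName, PrincipalName, ScopeName

# Against a live subscription, feed the function from the cmdlet instead:
# Get-AzureRMAuthorizationChangeLog -StartTime ([DateTime]::Now - [TimeSpan]::FromDays(7)) |
#     Export-AccessChangeReport -Path .\access-changes.csv
```

With the constructed records, only the Owner grant at subscription scope is returned as flagged; all three rows are written to the .csv file.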