Create an access report for Role-Based Access Control

Any time someone grants or revokes access within your subscriptions, the changes get logged in Azure events. You can create access change history reports to see all changes for the past 90 days.

Create a report with Azure PowerShell

To create an access change history report in PowerShell, use the Get-AzureRMAuthorizationChangeLog command.

When you call this command, you can specify which property of the assignments you want listed, including the following:

Property          Description
----------------  -----------
Action            Whether access was granted or revoked
Caller            The owner responsible for the access change
PrincipalId       The unique identifier of the user, group, or application that was assigned the role
PrincipalName     The name of the user, group, or application
PrincipalType     Whether the assignment was for a user, group, or application
RoleDefinitionId  The GUID of the role that was granted or revoked
RoleName          The role that was granted or revoked
Scope             The unique identifier of the subscription, resource group, or resource that the assignment applies to
ScopeName         The name of the subscription, resource group, or resource
ScopeType         Whether the assignment was at the subscription, resource group, or resource scope
Timestamp         The date and time that access was changed

This example command lists all access changes in the subscription for the past seven days:

Get-AzureRMAuthorizationChangeLog -StartTime ([DateTime]::Now - [TimeSpan]::FromDays(7)) | FT Caller,Action,RoleName,PrincipalType,PrincipalName,ScopeType,ScopeName


Create a report with Azure CLI

To create an access change history report in the Azure command-line interface (CLI), use the azure role assignment changelog list command.

Export to a spreadsheet

To save the report, or manipulate the data, export the access changes into a .csv file. You can then view the report in a spreadsheet for review.
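One way to do the export in PowerShell, as an added example that is not part of the original page: it shapes change-log records into review rows, flags grants of high-privilege roles, and writes the .csv file. The function name ConvertTo-AccessReviewRow, the NeedsReview column, the output path, the Action value 'Granted', and the sample records are assumptions made for this illustration; the property names come from the table above.

```powershell
# Added example, not from the original page. Property names follow the table above.
# Assumptions: Action is reported as 'Granted' or 'Revoked'; the privileged role
# list is a starting point to adapt; ConvertTo-AccessReviewRow is a hypothetical helper.
function ConvertTo-AccessReviewRow {
    param(
        [Parameter(ValueFromPipeline = $true)] $Change,
        [string[]] $PrivilegedRoles = @('Owner', 'User Access Administrator')
    )
    process {
        [pscustomobject]@{
            # Normalize to UTC so rows sort and compare consistently
            Timestamp     = ([datetime]$Change.Timestamp).ToUniversalTime().ToString('u')
            Caller        = $Change.Caller
            Action        = $Change.Action
            RoleName      = $Change.RoleName
            PrincipalType = $Change.PrincipalType
            PrincipalName = $Change.PrincipalName
            ScopeType     = $Change.ScopeType
            ScopeName     = $Change.ScopeName
            # Flag grants of roles that can change access for others
            NeedsReview   = ($Change.Action -eq 'Granted') -and
                            ($PrivilegedRoles -contains $Change.RoleName)
        }
    }
}

# Constructed sample records so the example runs offline. With a signed-in session,
# replace $sample with the cmdlet output shown earlier on this page:
#   Get-AzureRMAuthorizationChangeLog -StartTime ([DateTime]::Now - [TimeSpan]::FromDays(7))
$sample = @(
    [pscustomobject]@{ Timestamp = '2017-03-01T10:15:00Z'; Caller = 'admin@contoso.example'
        Action = 'Granted'; RoleName = 'Owner'; PrincipalType = 'User'
        PrincipalName = 'alice@contoso.example'; ScopeType = 'Subscription'; ScopeName = 'Production' }
    [pscustomobject]@{ Timestamp = '2017-03-02T08:40:00Z'; Caller = 'admin@contoso.example'
        Action = 'Granted'; RoleName = 'Reader'; PrincipalType = 'Group'
        PrincipalName = 'Auditors'; ScopeType = 'Resource Group'; ScopeName = 'rg-web' }
    [pscustomobject]@{ Timestamp = '2017-03-03T17:05:00Z'; Caller = 'bob@contoso.example'
        Action = 'Revoked'; RoleName = 'Owner'; PrincipalType = 'User'
        PrincipalName = 'alice@contoso.example'; ScopeType = 'Subscription'; ScopeName = 'Production' }
)

$rows = $sample | ConvertTo-AccessReviewRow | Sort-Object Timestamp

# Full history for the spreadsheet
$rows | Export-Csv -Path .\access-changes.csv -NoTypeInformation -Encoding UTF8

# On-screen shortlist of privileged grants to check first
$rows | Where-Object { $_.NeedsReview } |
    Format-Table Timestamp, Caller, RoleName, PrincipalName, ScopeName
```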


Next steps