Any time someone grants or revokes access within your subscriptions, the changes get logged in Azure events. You can create access change history reports to see all changes for the past 90 days.
Create a report with Azure PowerShell
To create an access change history report in PowerShell, use the
Get-AzureRMAuthorizationChangeLog command. More details about this cmdlet are available in the PowerShell Gallery.
When you call this command, you can specify which property of the assignments you want listed, including the following:
|Action||Whether access was granted or revoked|
|Caller||The owner responsible for the access change|
|Date||The date and time that access was changed|
|DirectoryName||The Azure Active Directory directory|
|PrincipalName||The name of the user, group, or application|
|PrincipalType||Whether the assignment was for a user, group, or application|
|RoleId||The GUID of the role that was granted or revoked|
|RoleName||The role that was granted or revoked|
|ScopeName||The name of the subscription, resource group, or resource|
|ScopeType||Whether the assignment was at the subscription, resource group, or resource scope|
|SubscriptionId||The GUID of the Azure subscription|
|SubscriptionName||The name of the Azure subscription|
This example command lists all access changes in the subscription for the past seven days:
Get-AzureRMAuthorizationChangeLog -StartTime ([DateTime]::Now - [TimeSpan]::FromDays(7)) | FT Caller,Action,RoleName,PrincipalType,PrincipalName,ScopeType,ScopeName
Create a report with Azure CLI
To create an access change history report in the Azure command-line interface (CLI), use the
azure role assignment changelog list command.
Export to a spreadsheet
To save the report, or manipulate the data, export the access changes into a .csv file. You can then view the report in a spreadsheet for review.