View activity logs for Azure RBAC changes
Sometimes you need information about Azure role-based access control (Azure RBAC) changes, such as for auditing or troubleshooting purposes. Anytime someone makes changes to role assignments or role definitions within your subscriptions, the changes get logged in Azure Activity Log. You can view the activity logs to see all the Azure RBAC changes for the past 90 days.
Operations that are logged
Here are the Azure RBAC-related operations that are logged in Activity Log:
- Create role assignment
- Delete role assignment
- Create or update custom role definition
- Delete custom role definition
Azure portal
The easiest way to get started is to view the activity logs with the Azure portal. The following screenshot shows an example of role assignment operations in the activity log. It also includes an option to download the logs as a CSV file.
The activity log in the portal has several filters. Here are the Azure RBAC-related filters:
Filter | Value |
---|---|
Event category | Administrative |
Operation | Create role assignment; Delete role assignment; Create or update custom role definition; Delete custom role definition |
For more information about activity logs, see View activity logs to monitor actions on resources.
Azure PowerShell
Note
This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
To view activity logs with Azure PowerShell, use the Get-AzLog command.
This command lists all role assignment changes in a subscription for the past seven days:
Get-AzLog -StartTime (Get-Date).AddDays(-7) | Where-Object {$_.Authorization.Action -like 'Microsoft.Authorization/roleAssignments/*'}
This command lists all role definition changes in a resource group for the past seven days:
Get-AzLog -ResourceGroupName pharma-sales -StartTime (Get-Date).AddDays(-7) | Where-Object {$_.Authorization.Action -like 'Microsoft.Authorization/roleDefinitions/*'}
This command lists all role assignment and role definition changes in a subscription for the past seven days and displays the results in a list:
Get-AzLog -StartTime (Get-Date).AddDays(-7) | Where-Object {$_.Authorization.Action -like 'Microsoft.Authorization/role*'} | Format-List Caller,EventTimestamp,{$_.Authorization.Action},Properties
Caller : alain@example.com
EventTimestamp : 2/27/2020 9:18:07 PM
$_.Authorization.Action : Microsoft.Authorization/roleAssignments/write
Properties :
statusCode : Created
serviceRequestId: 11111111-1111-1111-1111-111111111111
eventCategory : Administrative
Caller : alain@example.com
EventTimestamp : 2/27/2020 9:18:05 PM
$_.Authorization.Action : Microsoft.Authorization/roleAssignments/write
Properties :
requestbody : {"Id":"22222222-2222-2222-2222-222222222222","Properties":{"PrincipalId":"33333333-3333-3333-3333-333333333333","RoleDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers
/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c","Scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales"}}
If you are using a service principal to create role assignments, the Caller property will be an object ID. You can use Get-AzADServicePrincipal to get information about the service principal.
Caller : 44444444-4444-4444-4444-444444444444
EventTimestamp : 6/4/2020 9:43:08 PM
$_.Authorization.Action : Microsoft.Authorization/roleAssignments/write
Properties :
statusCode : Created
serviceRequestId: 55555555-5555-5555-5555-555555555555
category : Administrative
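The `Properties` output above shows that the useful detail of a role assignment write (who was granted which role at which scope) is buried in a `requestbody` JSON string, and that a service-principal caller is only an object ID. The following script is an added example, not part of the Microsoft article, that expands those events into an audit-friendly table and flags assignments to highly privileged built-in roles. It assumes the `Az.Monitor` and `Az.Resources` modules and a signed-in session; the `Expand-RoleAssignmentEvent` function name and the `Properties.Content` dictionary access are assumptions about the `Get-AzLog` output shape, not documented in the article.

```powershell
# Added example (not from the Microsoft article): expand Get-AzLog
# roleAssignments/write events into who/what/where rows.
# Assumes Az.Monitor, Az.Resources and a signed-in session (Connect-AzAccount).

function Expand-RoleAssignmentEvent {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $LogEntry,
        # Roles that normally warrant a second look when assigned.
        [string[]] $PrivilegedRoles = @('Owner', 'User Access Administrator')
    )
    process {
        # Only the request record carries a requestbody; the separate
        # 'Created' status record (statusCode : Created) does not.
        $content = $LogEntry.Properties.Content
        if (-not $content -or -not $content.ContainsKey('requestbody')) { return }
        $req = ($content['requestbody'] | ConvertFrom-Json).Properties

        # RoleDefinitionId is a full resource ID; the role GUID is its last segment.
        $roleId   = ($req.RoleDefinitionId -split '/')[-1]
        $roleName = (Get-AzRoleDefinition -Id $roleId -ErrorAction SilentlyContinue).Name

        # A service-principal caller appears as an object ID; resolve it to a name.
        $caller = $LogEntry.Caller
        if ($caller -match '^[0-9a-f-]{36}$') {
            $sp = Get-AzADServicePrincipal -ObjectId $caller -ErrorAction SilentlyContinue
            if ($sp) { $caller = "$($sp.DisplayName) (service principal $caller)" }
        }

        [pscustomobject]@{
            Time        = $LogEntry.EventTimestamp
            Caller      = $caller
            PrincipalId = $req.PrincipalId
            Role        = if ($roleName) { $roleName } else { $roleId }
            Scope       = $req.Scope
            Privileged  = $PrivilegedRoles -contains $roleName
        }
    }
}

# Same seven-day window as the article's commands, narrowed to assignment writes.
Get-AzLog -StartTime (Get-Date).AddDays(-7) |
    Where-Object { $_.Authorization.Action -eq 'Microsoft.Authorization/roleAssignments/write' } |
    Expand-RoleAssignmentEvent |
    Sort-Object Privileged -Descending |
    Format-Table -AutoSize
```

Resolving the role name through `Get-AzRoleDefinition` rather than hard-coding GUIDs keeps the check correct for custom roles as well as built-in ones; the `Privileged` column is what you would key an alert or a review queue on.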
Azure CLI
To view activity logs with the Azure CLI, use the az monitor activity-log list command.
This command lists the activity logs in a resource group from February 27, looking forward seven days:
az monitor activity-log list --resource-group pharma-sales --start-time 2020-02-27 --offset 7d
This command lists the activity logs for the Authorization resource provider from February 27, looking forward seven days:
az monitor activity-log list --namespace "Microsoft.Authorization" --start-time 2020-02-27 --offset 7d
Azure Monitor logs
Azure Monitor logs is another tool you can use to collect and analyze Azure RBAC changes for all your Azure resources. Azure Monitor logs has the following benefits:
- Write complex queries and logic
- Integrate with alerts, Power BI, and other tools
- Save data for longer retention periods
- Cross-reference with other logs such as security, virtual machine, and custom
Here are the basic steps to get started:
1. Configure the Activity Log Analytics solution for your workspace.
2. View the activity logs. A quick way to navigate to the Activity Log Analytics solution Overview page is to click the Logs option.
3. Optionally use the Azure Monitor Log Analytics to query and view the logs. For more information, see Get started with Azure Monitor log queries.
Here's a query that returns new role assignments organized by target resource provider:
AzureActivity
| where TimeGenerated > ago(60d) and Authorization contains "Microsoft.Authorization/roleAssignments/write" and ActivityStatus == "Succeeded"
| parse ResourceId with * "/providers/" TargetResourceAuthProvider "/" *
| summarize count(), makeset(Caller) by TargetResourceAuthProvider
Here's a query that returns role assignment changes displayed in a chart:
AzureActivity
| where TimeGenerated > ago(60d) and Authorization contains "Microsoft.Authorization/roleAssignments"
| summarize count() by bin(TimeGenerated, 1d), OperationName
| render timechart
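Running these queries from the portal is fine for ad hoc investigation; for recurring review they are more useful when executed on a schedule. The following is an added example, not part of the Microsoft article, that runs the first query above against a Log Analytics workspace from PowerShell with a parameterised lookback. It assumes the `Az.OperationalInsights` module and a signed-in session; the function name `Get-RoleAssignmentWritesByProvider` and the `<workspace-customer-id>` placeholder are assumptions, not values from the article.

```powershell
# Added example (not from the Microsoft article): run the article's
# role-assignment-by-provider query against a Log Analytics workspace.
# Assumes Az.OperationalInsights and a signed-in session (Connect-AzAccount).

function Get-RoleAssignmentWritesByProvider {
    param(
        # Workspace customer ID (GUID); '<workspace-customer-id>' below is a placeholder.
        [Parameter(Mandatory)] [string] $WorkspaceId,
        # Lookback in days; the article's query uses 60.
        [int] $Days = 60
    )

    # Same logic as the article's first query, with the lookback parameterised
    # and the summarised columns named so they are readable in a table.
    $query = @"
AzureActivity
| where TimeGenerated > ago(${Days}d)
    and Authorization contains "Microsoft.Authorization/roleAssignments/write"
    and ActivityStatus == "Succeeded"
| parse ResourceId with * "/providers/" TargetResourceAuthProvider "/" *
| summarize Writes = count(), Callers = makeset(Caller) by TargetResourceAuthProvider
| order by Writes desc
"@

    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId `
        -Query $query -Timespan (New-TimeSpan -Days $Days)
    # Each row is a PSObject with the query's output columns.
    $result.Results
}

Get-RoleAssignmentWritesByProvider -WorkspaceId '<workspace-customer-id>' -Days 60 |
    Format-Table -AutoSize
```

Because `Callers` is a dynamic array in Kusto, it comes back as a JSON string in each row; pipe it through `ConvertFrom-Json` if you need to compare it against an approved-callers list.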