Last Update: Sep 04, 2024 | Published: Aug 30, 2017
In this post, I will explain how all actions in Azure are recorded, how they can be searched, and how they can be archived for long-term retention.
Organizations require auditing of activity for all kinds of reasons. For some, there is no choice. They have a regulatory requirement to track all activity, no matter how big or small. Even without that legal need, having a log of who has done the different tasks can be very useful.
It is useful to understand who did what and when for assigning responsibility. Perhaps you need to know who deleted a critical resource. You may need to understand when an expensive resource was deployed. I have had a situation where a customer claimed that they did not deploy something that greatly increased costs and because of that, they should not be billed for it. A quick peek into the logs and I could prove that the person complaining was the actual person that was to blame for the expensive resource being deployed. I could even say when they did it. That was followed quickly by an, “Ah! I remember now …”
Having such an audit log can also be useful for troubleshooting. Maybe something stops working at a certain time. For example, maybe a SQL Server stops responding on the network at 16:42 on Tuesday. If we have a look into the logs for what was done just before that, maybe we will see a new Network Security Group rule being introduced that blocks the traffic. We can then question the person that the log identified as the culprit to find out why this new firewall rule was created. Then, we can decide if it should be undone or another solution should be found.
All activity in your Azure tenant or subscription can be found in the Activity Log. Open the navigation bar on the left, click More Services, and search for Activity Log.
Here you can find a history of up to 90 days for every action in your Azure tenant. Do not worry; we can keep more than 90 days of activity if we need to.
At the top, you will find a set of controls to filter/search the history. The following filter controls are available:
Below I have filtered the activity log to look for actions on a virtual machine called vm-petri-02 in the rg-petri resource group. I can see that someone (I am innocent, I tell ya!) deleted a virtual machine and quickly recreated it. If you select the event and click JSON, you can find a lot of information about the specific event. Note the ability to save the results as a CSV file.
Note that you can click the Save (Diskette) button to save your search with a name of your choosing. When you reopen Activity Log, you can expand Select Query to run that same search again.
If you click the Pin button, your search will be pinned to the Dashboard. If you click the tile, the Activity Log will open.
The Activity Log is useless if every administrator/operator signs in as the default administrator, for example: [email protected]. In my experience, this is what people do all too often, almost always. It is vital that this account only be used to add each administrator’s or operator’s own account. One way to do this is by having guest users come from their own tenant (Office 365), another tenant (Microsoft partners), or from a domain controller (via Azure AD Connect) to sign into Azure.
Azure will retain up to 90 days of an audit history in the Activity Log. Some organizations will need to keep this kind of history for years. Luckily, Azure makes it easy and cost effective to keep this history.
We can configure the Activity Log to export the audit trail to a storage account. I have configured a storage account as follows:
You could restrict access to this storage account by placing it into a secured resource group. I have tested this idea, but you might set up a restricted-access subscription in the same tenant and place the storage account there.
Configuring retention is refreshingly simple. Open Activity Log and click Export (at the top). Then you will configure it as follows:
After you click Save, Azure will start exporting data, in JSON format, to a container (folder) structure in your selected storage account.
You can download any of the JSON files or you can ingest them into other analysis or logging systems.
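Once the exported JSON is in hand, the two questions raised earlier in the post (who deleted and recreated vm-petri-02, and what changed in rg-petri just before the SQL Server dropped off the network at 16:42) can be answered offline. The Python below is an added example and is not code from the post or from Microsoft. It assumes the layout Azure uses for Activity Log exports to a storage account (each file holds `{"records": [...]}`, and each record carries `time`, `resourceId`, `operationName`, `category`, `resultType`, `caller`, `callerIpAddress` and `correlationId`); every record, caller address and the subscription id in the sample are constructed.

```python
"""Parse exported Azure Activity Log records and answer "who changed what, when".

Added example, not code from the original post. It assumes the shape Azure uses
when the Activity Log is exported to a storage account: each JSON file holds
{"records": [...]} and each record carries time, resourceId, operationName,
category, resultType, caller, callerIpAddress and correlationId. All sample
records below are constructed; the subscription id is a placeholder.
"""
import json
from datetime import datetime, timedelta, timezone

SUB = "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/"  # placeholder


def _rec(time, rg, resource, op, caller, result, corr):
    """Build one constructed record in the export's field layout."""
    return {"time": time, "resourceId": f"{SUB}{rg}/PROVIDERS/{resource}",
            "operationName": op, "category": "Administrative", "resultType": result,
            "caller": caller, "callerIpAddress": "203.0.113.10", "correlationId": corr}


VM = "MICROSOFT.COMPUTE/VIRTUALMACHINES/VM-PETRI-02"
RULE = "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-PETRI/SECURITYRULES/DENY-SQL"
NSG_WRITE = "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE"
SAMPLE_EXPORT = json.dumps({"records": [  # constructed sample of one exported file
    _rec("2017-08-29T14:04:58.1234567Z", "RG-PETRI", VM,
         "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE", "aidan@example.com", "Start", "c-1001"),
    _rec("2017-08-29T14:05:00.000Z", "RG-PETRI", VM,
         "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE", "aidan@example.com", "Success", "c-1001"),
    _rec("2017-08-29T14:09:30.000Z", "RG-PETRI", VM,
         "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "aidan@example.com", "Success", "c-1002"),
    _rec("2017-08-29T16:30:05.000Z", "RG-PETRI", RULE, NSG_WRITE,
         "contractor@example.com", "Failure", "c-1003"),  # denied attempt, no change made
    _rec("2017-08-29T16:35:40.000Z", "RG-OTHER", "MICROSOFT.STORAGE/STORAGEACCOUNTS/SAOTHER",
         "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "ops@example.com", "Success", "c-1004"),
    _rec("2017-08-29T16:40:12.000Z", "RG-PETRI", RULE, NSG_WRITE,
         "operator.two@example.com", "Success", "c-1005"),
]})


def parse_time(value):
    """Parse the export's UTC timestamp; tolerate 0-7 fractional digits and a trailing Z."""
    base, _, frac = value.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    when = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return when.replace(microsecond=micro, tzinfo=timezone.utc)


def load_records(export_text):
    """Load one exported file, attach a parsed timestamp, and return records in time order."""
    records = json.loads(export_text)["records"]
    for rec in records:
        rec["_when"] = parse_time(rec["time"])
    return sorted(records, key=lambda r: r["_when"])


def resource_group_of(resource_id):
    """Pull the resource group name out of an ARM resource id (upper-cased)."""
    parts = resource_id.upper().split("/")
    return parts[parts.index("RESOURCEGROUPS") + 1] if "RESOURCEGROUPS" in parts else None


def is_change(rec):
    """Completed control-plane changes only: the Start and Failure records of the same
    operation share its correlationId but did not alter anything."""
    op = rec["operationName"].upper()
    return rec.get("resultType") == "Success" and op.endswith(("/WRITE", "/DELETE", "/ACTION"))


def who_touched(records, resource_name):
    """Every completed change whose resource id contains the given name as a path segment."""
    name = resource_name.upper()
    return [(r["_when"], r["caller"], r["operationName"])
            for r in records if is_change(r) and name in r["resourceId"].upper().split("/")]


def changes_before(records, incident_time, window_minutes, resource_group=None):
    """Completed changes in the window ending at incident_time (ISO string or datetime),
    optionally limited to one resource group."""
    if isinstance(incident_time, str):
        incident_time = parse_time(incident_time)
    start = incident_time - timedelta(minutes=window_minutes)
    hits = [r for r in records if is_change(r) and start <= r["_when"] <= incident_time]
    if resource_group:
        hits = [r for r in hits if resource_group_of(r["resourceId"]) == resource_group.upper()]
    return hits


def describe(rec):
    """One-line summary in the form an on-call engineer would read."""
    return (f"{rec['_when']:%Y-%m-%d %H:%M:%S}Z {rec['caller']} ({rec['callerIpAddress']}) "
            f"{rec['operationName']} on {rec['resourceId'].split('/')[-1]}")


if __name__ == "__main__":
    records = load_records(SAMPLE_EXPORT)
    print("Completed changes to vm-petri-02:")
    for when, caller, op in who_touched(records, "vm-petri-02"):
        print(f"  {when:%H:%M:%S}Z {caller} {op}")
    print("Completed changes in rg-petri in the 15 minutes before 16:42:")
    for rec in changes_before(records, "2017-08-29T16:42:00Z", 15, "rg-petri"):
        print("  " + describe(rec))
```

Two design points carry over to real exports. First, one portal action produces several records sharing a `correlationId` (a Start record, then Success or Failure), so counting records without filtering on `resultType` overstates what actually changed; `is_change` keeps only the completed ones. Second, the Failure record from 16:30 is deliberately excluded from the "what changed" answer but is still in the parsed list, because a denied attempt to edit a firewall rule is worth its own review even though it explains no outage.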