Looking through my Azure Audit Logs and see someone deleted a bunch of services. I see under "Initiated by" is a Object ID (GUID). Documentation says this is also refered to in JSON as “caller”.
caller: Email address of the user who has performed the operation, UPN claim, or SPN claim based on availability.
So have now tried these AZ CLI commands with no luck:
Looking for a USER
sdistefa@Azure:~$ az ad user show --upn-or-object-id 5e9a4129-c335-4dcb-84d0-488531e7b026
But get:
Resource '5e9a4129-c335-4dcb-84d0-488531e7b026' does not exist or one of its queried reference-property objects are not present.
Looking for a Service Principal:
sdistefa@Azure:~$ az ad sp list --subscription 9350e6db-d02d-4db7-baee-76f9498dfd13 --spn 5e9a4129-c335-4dcb-84d0-488531e7b026
[]
I need to figure out how to query for a UPN Claim or a Service Principal Claim…… I guess?
I switched to Powershell. I queried myself to see my ObjectId and then tried the command to find myself by a valid ID. PS Azure:> Get-AzureADUser -ObjectId "[email protected]"
ObjectId DisplayName UserPrincipalName UserType -------- ----------- ----------------- -------- f9f1560e-ecba-461d-a811-c0f923a7895a DiStefano, Steve [email protected] Member Azure:/ PS Azure:> Get-AzureADObjectByObjectId -objectid f9f1560e-ecba-461d-a811-c0f923a7895a
ObjectId DisplayName UserPrincipalName UserType -------- ----------- ----------------- -------- f9f1560e-ecba-461d-a811-c0f923a7895a DiStefano, Steve [email protected] Member
Now I try the ObjectId from the activity Log: and it returns a blank: Azure:/ PS Azure:> Get-AzureADObjectByObjectId -objectid 5e9a4129-c335-4dcb-84d0-488531e7b026 Azure:/ PS Azure:>
