1
votes

I am currently trying to monitor any RBAC changes that happen in our subscriptions, for example: John.Doe added Sue.Jones as Reader to Resource Group rg-test. Is there any way to achieve what I am trying using PowerShell/CLI/REST? From what I have tried and researched, there is not.

Looking in the activity log, for a Write RoleAssignments operation, the summary has all the output I need, but when using PowerShell/CLI you aren't able to get what role was assigned or to whom. In the summary you get:

Operation name: Write RoleAssignments
Time stamp: Wed (Eastern Daylight Time)
Event initiated by: John.Doe
Message: Shared with 'Sue.Jones'.
Role: Reader
Scope: Resource group 'rg-test'

Using PowerShell/CLI/alerts you get:

Activity log alert: alert-iamtesting
Time: May 19, 2021 15:29 UTC
Category: Administrative
Operation name: Microsoft.Authorization/roleAssignments/write
Correlation ID: 0000000-000000000-000000000
Level: Informational
Resource ID: /subscriptions/0000000-000000000-000000000/resourceGroups/rg-test/providers/Microsoft.Authorization/roleAssignments/0000000-000000000-000000000
Caller: John.Doe
Properties: {"statusCode":"Created","serviceRequestId":"0000000-000000000-000000000","eventCategory":"Administrative","entity":"/subscriptions/0000000-000000000-000000000/resourceGroups/rg-test/providers/Microsoft.Authorization/roleAssignments/00000000000000000


1 Answer

0
votes

When you view the activity log in the Azure portal, it calls 3 API endpoints.

The first one is Activity Logs - List:

GET https://management.azure.com/subscriptions/{subscription id}/providers/microsoft.insights/eventtypes/management/values?api-version=2017-03-01-preview&$filter=eventTimestamp ge '2021-05-19T19:52:43Z' and eventTimestamp le '2021-05-20T01:52:43Z' and eventChannels eq 'Admin, Operation' and resourceGroupName eq '{resource group name}' and operations eq 'Microsoft.Authorization/roleAssignments/write' and levels eq 'Critical,Error,Warning,Informational'

It returns the caller, operationName, eventTimestamp, resourceGroup, the object id of the target user and the RoleDefinitionId of the role.

The second one is getting the target user:

GET https://graph.windows.net/hanxia.onmicrosoft.com/users/{user object id}?api-version=1.6

The last one is getting the role:

GET https://management.azure.com/subscriptions/{subscription id}/providers/Microsoft.Authorization/roleDefinitions/{RoleDefinitionId}?api-version=2015-07-01

So you can get all the information you need.

When we use the Azure CLI, we should choose az monitor activity-log list. BUT it is only equivalent to the first call above, and we get a property named resourceId which is the roleAssignment id.

So we still need to get the roleAssignment by its id. Here is a simple script.

# list the activity logs of resource group "AllenTestRG01" in the past 4 hours
$logs = az monitor activity-log list -g AllenTestRG01 --offset 4h | ConvertFrom-Json

# I assume that the first entry, $logs[0], is the log you are tracking
# (you should implement your logic here to find the log you need)
$logs[0].resourceId

# list the role assignments for resource group "AllenTestRG01"
$assignments = az role assignment list -g AllenTestRG01 | ConvertFrom-Json

# match the roleAssignment id from the log entry against the current assignments
# (-eq on strings is case-insensitive in PowerShell, which suits resource ids)
foreach ($assignment in $assignments){
    if ($assignment.id -eq $logs[0].resourceId) {
        Write-Host "assigned user: " $assignment.principalName " role: " $assignment.roleDefinitionName
    }
}
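The answer's join of activity-log entries to role assignments, carried through as a reusable function with the failure mode a monitor has to handle: once an assignment has been deleted (or granted and revoked inside the polling window), az role assignment list no longer contains it, so the match returns nothing and the entry must be reported by id alone. This is an added example, not code from the original answer or from Microsoft. The two JSON documents are constructed to mimic the shape of az monitor activity-log list and az role assignment list output (field names follow the CLI; the subscription, assignment ids, principals and timestamps are made up), and Get-RoleAssignmentChange is a name chosen here.

```powershell
# Added example (not from the original answer). Constructed stand-ins for
#   az monitor activity-log list -g rg-test --offset 4h
#   az role assignment list -g rg-test
# All ids and principals below are fabricated.
$activityLogJson = @'
[
  { "caller": "john.doe@contoso.example", "eventTimestamp": "2021-05-19T15:29:00Z",
    "operationName": { "value": "Microsoft.Authorization/roleAssignments/write" },
    "status": { "value": "Started" },
    "resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-test/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000001" },
  { "caller": "john.doe@contoso.example", "eventTimestamp": "2021-05-19T15:29:01Z",
    "operationName": { "value": "Microsoft.Authorization/roleAssignments/write" },
    "status": { "value": "Succeeded" },
    "resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-test/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000001" },
  { "caller": "john.doe@contoso.example", "eventTimestamp": "2021-05-19T15:40:00Z",
    "operationName": { "value": "Microsoft.Authorization/roleAssignments/delete" },
    "status": { "value": "Succeeded" },
    "resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-test/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000002" },
  { "caller": "ci-pipeline-sp", "eventTimestamp": "2021-05-19T15:45:00Z",
    "operationName": { "value": "Microsoft.Resources/deployments/write" },
    "status": { "value": "Succeeded" },
    "resourceId": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-test/providers/Microsoft.Resources/deployments/web" }
]
'@

$roleAssignmentsJson = @'
[
  { "id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-test/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000001",
    "principalId": "22222222-2222-2222-2222-222222222222",
    "principalName": "sue.jones@contoso.example",
    "principalType": "User",
    "roleDefinitionName": "Reader",
    "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-test" }
]
'@

function Get-RoleAssignmentChange {
    param(
        [Parameter(Mandatory)] [object[]] $ActivityLog,      # parsed az monitor activity-log list output
        [Parameter(Mandatory)] [object[]] $RoleAssignments   # parsed az role assignment list output
    )

    # Index current assignments by id. Resource ids come back with varying
    # casing from different APIs, so normalise before using them as keys.
    $byId = @{}
    foreach ($ra in $RoleAssignments) { $byId[$ra.id.ToLowerInvariant()] = $ra }

    foreach ($entry in $ActivityLog) {
        # Only RBAC writes/deletes, and only the completed event (each write
        # also produces a "Started" twin that carries no useful outcome).
        if (-not ($entry.operationName.value -match '^Microsoft\.Authorization/roleAssignments/(write|delete)$')) { continue }
        $op = $Matches[1]
        if ($entry.status.value -ne 'Succeeded') { continue }

        # The answer's join: the log's resourceId is the roleAssignment id.
        $ra = $byId[$entry.resourceId.ToLowerInvariant()]

        [pscustomobject]@{
            Time         = $entry.eventTimestamp
            Caller       = $entry.caller
            Operation    = $op
            Principal    = if ($ra) { $ra.principalName } else { $null }
            Role         = if ($ra) { $ra.roleDefinitionName } else { $null }
            Scope        = if ($ra) { $ra.scope } else { $null }
            # A delete, or a grant already revoked, no longer exists in the
            # assignment list; flag it instead of silently dropping the event.
            Note         = if ($ra) { '' } else { 'assignment not found in current role assignments (deleted?)' }
            AssignmentId = $entry.resourceId
        }
    }
}

$log         = $activityLogJson     | ConvertFrom-Json
$assignments = $roleAssignmentsJson | ConvertFrom-Json
# Against a real subscription, replace the two lines above with, for example:
#   $log         = az monitor activity-log list -g rg-test --offset 4h | ConvertFrom-Json
#   $assignments = az role assignment list -g rg-test | ConvertFrom-Json
Get-RoleAssignmentChange -ActivityLog $log -RoleAssignments $assignments | Format-Table -AutoSize
```

On the sample data this yields two rows: the write, resolved to sue.jones@contoso.example / Reader / the rg-test scope, and the delete, which carries only the assignment id and the note. For the second kind of row the role and principal have to be recovered from the log entry's own properties (the question's Properties field is truncated before that point) or from a snapshot of assignments taken before the change, which is why polling the current assignment list alone is not a complete audit trail.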