View activity logs for Azure RBAC changes

Sometimes you need information about Azure role-based access control (Azure RBAC) changes, such as for auditing or troubleshooting purposes. Any time someone makes changes to role assignments or role definitions within your subscriptions, the changes get logged in the Azure Activity Log. You can view the activity logs to see all the Azure RBAC changes for the past 90 days.

Operations that are logged

Here are the Azure RBAC-related operations that are logged in the Activity Log:

  • Create role assignment
  • Delete role assignment
  • Create or update custom role definition
  • Delete custom role definition

Azure portal

The easiest way to get started is to view the activity logs with the Azure portal. The following screenshot shows an example of role assignment operations in the activity log. It also includes an option to download the logs as a CSV file.

Activity logs using the portal - screenshot

The activity log in the portal has several filters. Here are the Azure RBAC-related filters:

Filter          Value
Event category  Administrative
Operation       Create role assignment
                Delete role assignment
                Create or update custom role definition
                Delete custom role definition

For more information about activity logs, see View activity logs to monitor actions on resources.

Azure PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

To view activity logs with Azure PowerShell, use the Get-AzLog command.

This command lists all role assignment changes in a subscription for the past seven days:

Get-AzLog -StartTime (Get-Date).AddDays(-7) | Where-Object {$_.Authorization.Action -like 'Microsoft.Authorization/roleAssignments/*'}

This command lists all role definition changes in a resource group for the past seven days:

Get-AzLog -ResourceGroupName pharma-sales -StartTime (Get-Date).AddDays(-7) | Where-Object {$_.Authorization.Action -like 'Microsoft.Authorization/roleDefinitions/*'}

This command lists all role assignment and role definition changes in a subscription for the past seven days and displays the results in a list:

Get-AzLog -StartTime (Get-Date).AddDays(-7) | Where-Object {$_.Authorization.Action -like 'Microsoft.Authorization/role*'} | Format-List Caller,EventTimestamp,{$_.Authorization.Action},Properties
Caller                  : alain@example.com
EventTimestamp          : 2/27/2020 9:18:07 PM
$_.Authorization.Action : Microsoft.Authorization/roleAssignments/write
Properties              :
                          statusCode     : Created
                          serviceRequestId: 11111111-1111-1111-1111-111111111111
                          eventCategory  : Administrative

Caller                  : alain@example.com
EventTimestamp          : 2/27/2020 9:18:05 PM
$_.Authorization.Action : Microsoft.Authorization/roleAssignments/write
Properties              :
                          requestbody    : {"Id":"22222222-2222-2222-2222-222222222222","Properties":{"PrincipalId":"33333333-3333-3333-3333-333333333333","RoleDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers
                          /Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c","Scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales"}}

If you are using a service principal to create role assignments, the Caller property will be an object ID rather than a user principal name. You can use Get-AzADServicePrincipal to get information about the service principal.

Caller                  : 44444444-4444-4444-4444-444444444444
EventTimestamp          : 6/4/2020 9:43:08 PM
$_.Authorization.Action : Microsoft.Authorization/roleAssignments/write
Properties              : 
                          statusCode     : Created
                          serviceRequestId: 55555555-5555-5555-5555-555555555555
                          category       : Administrative

Azure CLI

To view activity logs with the Azure CLI, use the az monitor activity-log list command.

This command lists the activity logs in a resource group from February 27, looking forward seven days:

az monitor activity-log list --resource-group pharma-sales --start-time 2020-02-27 --offset 7d

This command lists the activity logs for the Authorization resource provider from February 27, looking forward seven days:

az monitor activity-log list --namespace "Microsoft.Authorization" --start-time 2020-02-27 --offset 7d

Azure Monitor logs

Azure Monitor logs is another tool you can use to collect and analyze Azure RBAC changes for all your Azure resources. Azure Monitor logs has the following benefits:

  • Write complex queries and logic
  • Integrate with alerts, Power BI, and other tools
  • Save data for longer retention periods
  • Cross-reference with other logs such as security, virtual machine, and custom logs

Here are the basic steps to get started:

  1. Create a Log Analytics workspace.

  2. Configure the Activity Log Analytics solution for your workspace.

  3. View the activity logs. A quick way to navigate to the Activity Log Analytics solution Overview page is to click the Logs option.

    Azure Monitor logs option in the portal

  4. Optionally use Azure Monitor Log Analytics to query and view the logs. For more information, see Get started with Azure Monitor log queries.

Here's a query that returns new role assignments organized by target resource provider:

AzureActivity
| where TimeGenerated > ago(60d) and Authorization contains "Microsoft.Authorization/roleAssignments/write" and ActivityStatus == "Succeeded"
| parse ResourceId with * "/providers/" TargetResourceAuthProvider "/" *
| summarize count(), makeset(Caller) by TargetResourceAuthProvider
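As an added example that is not part of the original article, the following Python post-processes role assignment events exported in the shape of the Get-AzLog output shown in the PowerShell section: it pulls the principal, role definition and scope out of the requestbody JSON, flags callers that are bare object IDs (service principals) rather than user names, and groups new assignments by target resource provider the same way the KQL query above does. The event layout and every ID are constructed placeholders, and the field names are assumed to follow the PowerShell output above.

```python
import json
import re
from collections import defaultdict
# A bare GUID as Caller means a service principal (object ID) made the change, not a user.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
ASSIGN_WRITE = "Microsoft.Authorization/roleAssignments/write"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ROLE_DEF = SUB + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"

def caller_kind(caller):
    return "servicePrincipal" if GUID_RE.match(caller) else "user"

def target_provider(scope):
    # Same extraction as the KQL parse above: the segment that follows "/providers/" in the scope.
    m = re.search(r"/providers/([^/]+)", scope)
    return m.group(1) if m else "(subscription or resource group scope)"

def parse_assignment(event):
    # Only the write entry with a requestbody describes the assignment; the status-only twin is skipped.
    body = event.get("Properties", {}).get("requestbody")
    if event["Authorization"]["Action"] != ASSIGN_WRITE or not body:
        return None
    props = json.loads(body)["Properties"]
    return {"caller": event["Caller"], "callerKind": caller_kind(event["Caller"]),
            "principalId": props["PrincipalId"], "scope": props["Scope"],
            "roleDefinitionId": props["RoleDefinitionId"].rsplit("/", 1)[-1],
            "provider": target_provider(props["Scope"])}

def summarize_by_provider(events):
    # Count new assignments and collect the distinct callers per target provider.
    out = defaultdict(lambda: {"count": 0, "callers": set()})
    for a in filter(None, map(parse_assignment, events)):
        out[a["provider"]]["count"] += 1
        out[a["provider"]]["callers"].add(a["caller"])
    return dict(out)

def _event(caller, principal=None, scope=None):
    # Constructed event in the shape of the Get-AzLog output above; all IDs are placeholders.
    props = {"statusCode": "Created"}
    if principal is not None:
        props = {"requestbody": json.dumps({"Id": "22222222-2222-2222-2222-222222222222", "Properties": {
            "PrincipalId": principal, "RoleDefinitionId": ROLE_DEF, "Scope": scope}})}
    return {"Caller": caller, "Authorization": {"Action": ASSIGN_WRITE}, "Properties": props}

SAMPLE_EVENTS = [
    _event("alain@example.com", "33333333-3333-3333-3333-333333333333", SUB + "/resourceGroups/pharma-sales"),
    _event("alain@example.com"),
    _event("44444444-4444-4444-4444-444444444444", "33333333-3333-3333-3333-333333333333",
           SUB + "/resourceGroups/pharma-sales/providers/Microsoft.Storage/storageAccounts/examplesa"),
]
```

Feeding `summarize_by_provider` the events returned by Get-AzLog (converted to JSON) gives the same per-provider counts and caller sets as the KQL summarize, with the service-principal callers visible as object IDs that can then be resolved with Get-AzADServicePrincipal.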

Here's a query that returns role assignment changes displayed in a chart:

AzureActivity
| where TimeGenerated > ago(60d) and Authorization contains "Microsoft.Authorization/roleAssignments"
| summarize count() by bin(TimeGenerated, 1d), OperationName
| render timechart

Activity logs using the Advanced Analytics portal - screenshot

Next steps