View activity logs for RBAC changes to Azure resources

Sometimes you need information about role-based access control (RBAC) changes to Azure resources, such as for auditing or troubleshooting purposes. Any time someone makes changes to role assignments or role definitions within your subscriptions, the changes get logged in the Azure Activity Log. You can view the activity logs to see all the RBAC changes for the past 90 days.

Operations that are logged

Here are the RBAC-related operations that are logged in the Activity Log:

  • Create role assignment
  • Delete role assignment
  • Create or update custom role definition
  • Delete custom role definition

Azure portal

The easiest way to get started is to view the activity logs with the Azure portal. The following screenshot shows an example of an activity log that has been filtered to display role assignment and role definition operations. It also includes a link to download the logs as a CSV file.

Screenshot: activity logs viewed in the portal

The activity log in the portal has several filters. Here are the RBAC-related filters:

Filter          Value
Event category  Administrative
Operation       Create role assignment
                Delete role assignment
                Create or update custom role definition
                Delete custom role definition

For more information about activity logs, see View events in activity log.

Azure PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

To view activity logs with Azure PowerShell, use the Get-AzLog command.

This command lists all role assignment changes in a subscription for the past seven days:

Get-AzLog -StartTime (Get-Date).AddDays(-7) | Where-Object {$_.Authorization.Action -like 'Microsoft.Authorization/roleAssignments/*'}

This command lists all role definition changes in a resource group for the past seven days:

Get-AzLog -ResourceGroupName pharma-sales -StartTime (Get-Date).AddDays(-7) | Where-Object {$_.Authorization.Action -like 'Microsoft.Authorization/roleDefinitions/*'}

This command lists all role assignment and role definition changes in a subscription for the past seven days and displays the results in a list:

Get-AzLog -StartTime (Get-Date).AddDays(-7) | Where-Object {$_.Authorization.Action -like 'Microsoft.Authorization/role*'} | Format-List Caller,EventTimestamp,{$_.Authorization.Action},Properties
Caller                  : alain@example.com
EventTimestamp          : 4/20/2018 9:18:07 PM
$_.Authorization.Action : Microsoft.Authorization/roleAssignments/write
Properties              :
                          statusCode     : Created
                          serviceRequestId: 11111111-1111-1111-1111-111111111111

Caller                  : alain@example.com
EventTimestamp          : 4/20/2018 9:18:05 PM
$_.Authorization.Action : Microsoft.Authorization/roleAssignments/write
Properties              :
                          requestbody    : {"Id":"22222222-2222-2222-2222-222222222222","Properties":{"PrincipalId":"33333333-3333-3333-3333-333333333333","RoleDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers
                          /Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c","Scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales"}}
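The raw list output above leaves the interesting audit fields (who was granted which role, at what scope) buried in the requestbody JSON. The following is an added example, not code from the original article, that turns Get-AzLog entries into a flat audit table; it assumes the Az.Monitor object shape in which $entry.Properties.Content is a string dictionary, and it is exercised offline on a constructed entry mirroring the sample output.

```powershell
# Added example: summarise RBAC changes from Get-AzLog entries into an audit table,
# pulling principal, role definition and scope out of the 'requestbody' JSON.
# Assumption: $Entry.Properties.Content is a string dictionary (Az.Monitor shape).

function Get-RbacChangeSummary {
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        # Keep only role assignment and role definition operations
        $action = $Entry.Authorization.Action
        if ($action -notlike 'Microsoft.Authorization/role*') { return }

        # The request body is only present on the entry that carries the request;
        # status-only entries (e.g. statusCode : Created) have no requestbody.
        $body  = $null
        $props = $Entry.Properties.Content
        if ($props -and $props.ContainsKey('requestbody')) {
            $body = $props['requestbody'] | ConvertFrom-Json
        }

        [pscustomobject]@{
            Time             = $Entry.EventTimestamp
            Caller           = $Entry.Caller
            Action           = $action
            Status           = if ($props) { $props['statusCode'] } else { $null }
            PrincipalId      = $body.Properties.PrincipalId
            # Keep only the GUID part of the role definition resource ID
            RoleDefinitionId = if ($body) { ($body.Properties.RoleDefinitionId -split '/')[-1] } else { $null }
            Scope            = $body.Properties.Scope
        }
    }
}

# Live use (requires Connect-AzAccount):
#   Get-AzLog -StartTime (Get-Date).AddDays(-7) | Get-RbacChangeSummary | Format-Table

# Offline check: a constructed entry mirroring the sample output in the article
$sample = [pscustomobject]@{
    Caller         = 'alain@example.com'
    EventTimestamp = [datetime]'2018-04-20T21:18:05Z'
    Authorization  = [pscustomobject]@{ Action = 'Microsoft.Authorization/roleAssignments/write' }
    Properties     = [pscustomobject]@{ Content = @{
        requestbody = '{"Id":"22222222-2222-2222-2222-222222222222","Properties":{"PrincipalId":"33333333-3333-3333-3333-333333333333","RoleDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c","Scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales"}}'
    } }
}
$sample | Get-RbacChangeSummary | Format-List
```

Comparing the extracted RoleDefinitionId against the built-in role GUIDs makes it easy to spot grants of high-privilege roles such as Owner when reviewing the table.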

Azure CLI

To view activity logs with the Azure CLI, use the az monitor activity-log list command.

This command lists the activity logs in a resource group since the start time:

az monitor activity-log list --resource-group pharma-sales --start-time 2018-04-20T00:00:00Z

This command lists the activity logs for the Authorization resource provider since the start time:

az monitor activity-log list --resource-provider "Microsoft.Authorization" --start-time 2018-04-20T00:00:00Z

Next steps