View activity logs for Azure RBAC changes

Sometimes you need information about Azure role-based access control (Azure RBAC) changes, such as for auditing or troubleshooting purposes. Anytime someone makes changes to role assignments or role definitions within your subscriptions, the changes get logged in Azure Activity Log. You can view the activity logs to see all the Azure RBAC changes for the past 90 days.

Operations that are logged

Here are the Azure RBAC-related operations that are logged in Activity Log:

  • Create role assignment
  • Delete role assignment
  • Create or update custom role definition
  • Delete custom role definition

Azure portal

The easiest way to get started is to view the activity logs with the Azure portal. The following screenshot shows an example of role assignment operations in the activity log. It also includes an option to download the logs as a CSV file.

Activity logs using the portal - screenshot

To get more information, click an entry to open the summary pane. Click the JSON tab to get a detailed log.

Activity logs using the portal with the summary pane open - screenshot

The activity log in the portal has several filters. Here are the Azure RBAC-related filters:

Filter            Value
Event category    • Administrative
Operation         • Create role assignment
                  • Delete role assignment
                  • Create or update custom role definition
                  • Delete custom role definition

For more information about activity logs, see View activity logs to monitor actions on resources.

Interpret a log entry

The log output from the JSON tab, Azure PowerShell, or Azure CLI can include a lot of information. Here are some of the key properties to look for when trying to interpret a log entry. Note that one change produces more than one record: the Started record carries the request body (principal, role definition, and scope), while the completion record carries the status code. For ways to filter the log output using Azure PowerShell or Azure CLI, see the following sections.

Property              Example values                                                  Description
authorization:action  Microsoft.Authorization/roleAssignments/write                   Create role assignment
                      Microsoft.Authorization/roleAssignments/delete                  Delete role assignment
                      Microsoft.Authorization/roleDefinitions/write                   Create or update role definition
                      Microsoft.Authorization/roleDefinitions/delete                  Delete role definition
authorization:scope   /subscriptions/{subscriptionId}                                 Scope for the action
                      /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}
caller                admin@example.com                                               Who initiated the action
                      {objectId}
eventTimestamp        2021-03-01T22:07:41.126243Z                                     Time that action occurred
status:value          Started                                                         Status of the action
                      Succeeded
                      Failed

Azure PowerShell

To view activity logs with Azure PowerShell, use the Get-AzLog command.

This command lists all role assignment changes in a subscription for the past seven days:

Get-AzLog -StartTime (Get-Date).AddDays(-7) | Where-Object {$_.Authorization.Action -like 'Microsoft.Authorization/roleAssignments/*'}

This command lists all role definition changes in a resource group for the past seven days:

Get-AzLog -ResourceGroupName pharma-sales -StartTime (Get-Date).AddDays(-7) | Where-Object {$_.Authorization.Action -like 'Microsoft.Authorization/roleDefinitions/*'}

Filter log output

The log output can include a lot of information. This command lists all role assignment and role definition changes in a subscription for the past seven days and filters the output:

Get-AzLog -StartTime (Get-Date).AddDays(-7) | Where-Object {$_.Authorization.Action -like 'Microsoft.Authorization/role*'} | Format-List Caller,EventTimestamp,{$_.Authorization.Action},Properties

The following shows an example of the filtered log output when creating a role assignment:

Caller                  : admin@example.com
EventTimestamp          : 3/1/2021 10:07:42 PM
$_.Authorization.Action : Microsoft.Authorization/roleAssignments/write
Properties              :
                          statusCode     : Created
                          serviceRequestId: {serviceRequestId}
                          eventCategory  : Administrative
                          entity         : /subscriptions/{subscriptionId}/resourceGroups/example-group/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}
                          message        : Microsoft.Authorization/roleAssignments/write
                          hierarchy      : {tenantId}/{subscriptionId}

Caller                  : admin@example.com
EventTimestamp          : 3/1/2021 10:07:41 PM
$_.Authorization.Action : Microsoft.Authorization/roleAssignments/write
Properties              :
                          requestbody    : {"Id":"{roleAssignmentId}","Properties":{"PrincipalId":"{principalId}","PrincipalType":"User","RoleDefinitionId":"/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64","Scope":"/subscriptions/
                          {subscriptionId}/resourceGroups/example-group"}}
                          eventCategory  : Administrative
                          entity         : /subscriptions/{subscriptionId}/resourceGroups/example-group/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}
                          message        : Microsoft.Authorization/roleAssignments/write
                          hierarchy      : {tenantId}/{subscriptionId}

If you are using a service principal to create role assignments, the Caller property will be a service principal object ID rather than a user principal name. You can use Get-AzADServicePrincipal to get information about the service principal.

Caller                  : {objectId}
EventTimestamp          : 3/1/2021 9:43:08 PM
$_.Authorization.Action : Microsoft.Authorization/roleAssignments/write
Properties              : 
                          statusCode     : Created
                          serviceRequestId: {serviceRequestId}
                          eventCategory  : Administrative

Azure CLI

To view activity logs with the Azure CLI, use the az monitor activity-log list command.

This command lists the activity logs in a resource group from March 1, looking forward seven days:

az monitor activity-log list --resource-group example-group --start-time 2021-03-01 --offset 7d

This command lists the activity logs for the Authorization resource provider from March 1, looking forward seven days:

az monitor activity-log list --namespace "Microsoft.Authorization" --start-time 2021-03-01 --offset 7d

Filter log output

The log output can include a lot of information. This command lists all role assignment and role definition changes in a subscription from March 1, looking forward seven days, and filters the output:

az monitor activity-log list --namespace "Microsoft.Authorization" --start-time 2021-03-01 --offset 7d --query '[].{authorization:authorization, caller:caller, eventTimestamp:eventTimestamp, properties:properties}'

The following shows an example of the filtered log output when creating a role assignment:

[
 {
    "authorization": {
      "action": "Microsoft.Authorization/roleAssignments/write",
      "role": null,
      "scope": "/subscriptions/{subscriptionId}/resourceGroups/example-group/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}"
    },
    "caller": "admin@example.com",
    "eventTimestamp": "2021-03-01T22:07:42.456241+00:00",
    "properties": {
      "entity": "/subscriptions/{subscriptionId}/resourceGroups/example-group/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
      "eventCategory": "Administrative",
      "hierarchy": "{tenantId}/{subscriptionId}",
      "message": "Microsoft.Authorization/roleAssignments/write",
      "serviceRequestId": "{serviceRequestId}",
      "statusCode": "Created"
    }
  },
  {
    "authorization": {
      "action": "Microsoft.Authorization/roleAssignments/write",
      "role": null,
      "scope": "/subscriptions/{subscriptionId}/resourceGroups/example-group/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}"
    },
    "caller": "admin@example.com",
    "eventTimestamp": "2021-03-01T22:07:41.126243+00:00",
    "properties": {
      "entity": "/subscriptions/{subscriptionId}/resourceGroups/example-group/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
      "eventCategory": "Administrative",
      "hierarchy": "{tenantId}/{subscriptionId}",
      "message": "Microsoft.Authorization/roleAssignments/write",
      "requestbody": "{\"Id\":\"{roleAssignmentId}\",\"Properties\":{\"PrincipalId\":\"{principalId}\",\"PrincipalType\":\"User\",\"RoleDefinitionId\":\"/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64\",\"Scope\":\"/subscriptions/{subscriptionId}/resourceGroups/example-group\"}}"
    }
  }
]
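Reading the JSON above by hand works for one entry; for an audit you want the Started record (which carries requestbody) and the completion record (which carries statusCode) of each change joined back together and the role definition ID turned into a name. The following Python is an added example, not code from the original page or from Microsoft: it parses the array that az monitor activity-log list --output json prints, pairs the records of each operation by (action, entity), decodes the request body, and flags privileged built-in roles and service-principal callers. It assumes only the four built-in role GUIDs listed (every other ID is reported as unknown/custom); the sample records reproduce the two entries above and add a constructed service-principal grant and a constructed deletion.

```python
"""Added example (not from the original page): interpret Azure RBAC activity-log records
as returned by `az monitor activity-log list --output json`.
Assumptions: only the four built-in role IDs below are recognised; the sample records
beyond the two shown on the page, and the service-principal GUID, are constructed."""
import json
import re

# Well-known built-in role definition GUIDs (assumption: any other GUID is reported as
# unknown/custom rather than looked up against the tenant).
BUILTIN_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
    "acdd72a7-3385-48ef-bd42-279137ae5b9a": "Reader",
}
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# A caller that is an object ID rather than a UPN is a service principal.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

RA_WRITE = "Microsoft.Authorization/roleAssignments/write"
RA_DELETE = "Microsoft.Authorization/roleAssignments/delete"
RG_RA = ("/subscriptions/{subscriptionId}/resourceGroups/example-group"
         "/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}")
SUB_RA = "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments/{raId2}"
SP_CALLER = "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"  # constructed service-principal object ID


def _rb(principal_id, principal_type, role_guid, scope):
    """Build `requestbody` as the log carries it: a JSON document serialised into a string."""
    return json.dumps({"Id": "{roleAssignmentId}", "Properties": {
        "PrincipalId": principal_id, "PrincipalType": principal_type,
        "RoleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/" + role_guid,
        "Scope": scope}})


# Constructed sample, in the shape of the CLI output above.
SAMPLE_RECORDS = [
    # The pair from the page: completion record (statusCode), then Started record (requestbody).
    {"authorization": {"action": RA_WRITE, "role": None, "scope": RG_RA}, "caller": "admin@example.com",
     "eventTimestamp": "2021-03-01T22:07:42.456241+00:00",
     "properties": {"entity": RG_RA, "eventCategory": "Administrative", "statusCode": "Created"}},
    {"authorization": {"action": RA_WRITE, "role": None, "scope": RG_RA}, "caller": "admin@example.com",
     "eventTimestamp": "2021-03-01T22:07:41.126243+00:00",
     "properties": {"entity": RG_RA, "eventCategory": "Administrative",
                    "requestbody": _rb("{principalId}", "User", "fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64",
                                       "/subscriptions/{subscriptionId}/resourceGroups/example-group")}},
    # Constructed: a service principal granting Owner at subscription scope.
    {"authorization": {"action": RA_WRITE, "role": None, "scope": SUB_RA}, "caller": SP_CALLER,
     "eventTimestamp": "2021-03-02T09:15:00.000000+00:00",
     "properties": {"entity": SUB_RA, "eventCategory": "Administrative",
                    "requestbody": _rb("{principalId2}", "ServicePrincipal",
                                       "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "/subscriptions/{subscriptionId}")}},
    {"authorization": {"action": RA_WRITE, "role": None, "scope": SUB_RA}, "caller": SP_CALLER,
     "eventTimestamp": "2021-03-02T09:15:01.000000+00:00",
     "properties": {"entity": SUB_RA, "eventCategory": "Administrative", "statusCode": "Created"}},
    # Constructed: a deletion carries no request body, only the entity being removed.
    {"authorization": {"action": RA_DELETE, "role": None, "scope": RG_RA}, "caller": "admin@example.com",
     "eventTimestamp": "2021-03-03T10:00:00.000000+00:00",
     "properties": {"entity": RG_RA, "eventCategory": "Administrative", "statusCode": "OK"}},
]
SAMPLE_CLI_OUTPUT = json.dumps(SAMPLE_RECORDS)  # what `az ... --output json` would print


def load_records(cli_json):
    return json.loads(cli_json)


def role_name(role_definition_id):
    guid = role_definition_id.rsplit("/", 1)[-1].lower()
    return BUILTIN_ROLES.get(guid, "unknown/custom (" + guid + ")")


def caller_kind(caller):
    return "service principal" if GUID_RE.match(caller) else "user"


def interpret(records):
    """Join the Started record (requestbody) and completion record (statusCode) of each
    RBAC operation by (action, entity) and return one finding per operation."""
    ops = {}
    for r in records:
        action = r["authorization"]["action"]
        if not action.startswith("Microsoft.Authorization/role"):
            continue  # not an RBAC change
        props = r.get("properties", {})
        entity = props.get("entity") or r["authorization"]["scope"]
        op = ops.setdefault((action, entity), {"action": action, "entity": entity, "caller": r["caller"]})
        if "requestbody" in props:
            op["request"] = json.loads(props["requestbody"])["Properties"]
        if "statusCode" in props:
            op["status"] = props["statusCode"]
    findings = []
    for op in ops.values():
        req = op.get("request", {})
        role = role_name(req["RoleDefinitionId"]) if "RoleDefinitionId" in req else "n/a"
        findings.append({
            "action": op["action"], "caller": op["caller"], "caller_kind": caller_kind(op["caller"]),
            "principal": req.get("PrincipalId", "n/a"), "principal_type": req.get("PrincipalType", "n/a"),
            "role": role, "scope": req.get("Scope", op["entity"]),
            "status": op.get("status", "unknown"), "privileged": role in PRIVILEGED_ROLES,
        })
    return findings


def privileged_findings(findings):
    return [f for f in findings if f["privileged"]]


if __name__ == "__main__":
    for f in interpret(load_records(SAMPLE_CLI_OUTPUT)):
        flag = " [PRIVILEGED]" if f["privileged"] else ""
        print(f"{f['action'].rsplit('/', 1)[-1]:6} by {f['caller']} ({f['caller_kind']}) -> "
              f"{f['principal_type']} {f['principal']} as {f['role']} at {f['scope']} [{f['status']}]{flag}")
```

Run it against real output by replacing SAMPLE_CLI_OUTPUT with the text of az monitor activity-log list --namespace "Microsoft.Authorization" --output json. Because deletions carry no request body, the only thing the log tells you about a removed assignment is its entity path; resolving what that assignment granted requires a record of the earlier write, which is one reason to keep these logs longer than the 90-day Activity Log window.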

Azure Monitor logs

Azure Monitor logs is another tool you can use to collect and analyze Azure RBAC changes for all your Azure resources. Azure Monitor logs has the following benefits:

  • Write complex queries and logic
  • Integrate with alerts, Power BI, and other tools
  • Save data for longer retention periods
  • Cross-reference with other logs such as security, virtual machine, and custom

Here are the basic steps to get started:

  1. Create a Log Analytics workspace.

  2. Configure the Activity Log Analytics solution for your workspace.

  3. View the activity logs. A quick way to navigate to the Activity Log Analytics solution Overview page is to click the Logs option.

    Azure Monitor logs option in the portal

  4. Optionally use Azure Monitor Log Analytics to query and view the logs. For more information, see Get started with log queries in Azure Monitor.

Here's a query that returns new role assignments organized by target resource provider:

AzureActivity
| where TimeGenerated > ago(60d) and Authorization contains "Microsoft.Authorization/roleAssignments/write" and ActivityStatus == "Succeeded"
| parse ResourceId with * "/providers/" TargetResourceAuthProvider "/" *
| summarize count(), makeset(Caller) by TargetResourceAuthProvider

Here's a query that returns role assignment changes displayed in a chart:

AzureActivity
| where TimeGenerated > ago(60d) and Authorization contains "Microsoft.Authorization/roleAssignments"
| summarize count() by bin(TimeGenerated, 1d), OperationName
| render timechart
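The two queries above hinge on one parse step and two aggregations, which are easier to check offline than in a workspace. The following Python is an added example, not from the original page or from Microsoft: it reproduces both queries over constructed rows with the AzureActivity column names the queries use (TimeGenerated, Authorization, ActivityStatus, ResourceId, Caller, OperationName). Row contents, the service-principal GUID, and the OperationName display strings are assumptions.

```python
"""Added example (not from the original page): the two Azure Monitor queries above,
reproduced in Python over constructed AzureActivity-style rows. Column names follow the
queries; the rows, caller GUID and OperationName strings are made up."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone


def target_resource_provider(resource_id):
    """Equivalent of `parse ResourceId with * "/providers/" TargetResourceAuthProvider "/" *`:
    the segment after the FIRST "/providers/". For an assignment at subscription or resource
    group scope that is Microsoft.Authorization itself (the roleAssignments resource is the only
    provider in the path); for a resource-scoped assignment it is the target's provider."""
    marker = "/providers/"
    i = resource_id.find(marker)
    if i < 0:
        return None
    return resource_id[i + len(marker):].split("/", 1)[0]


def new_assignments_by_provider(rows, now, days=60):
    """First query: successful roleAssignments/write records in the window, with count and
    distinct callers (makeset(Caller)) per target resource provider."""
    cutoff = now - timedelta(days=days)
    acc = defaultdict(lambda: {"count": 0, "callers": set()})
    for r in rows:
        if r["TimeGenerated"] <= cutoff:
            continue
        # KQL `contains` is case-insensitive; action strings are canonical-cased here.
        if "Microsoft.Authorization/roleAssignments/write" not in r["Authorization"]:
            continue
        if r["ActivityStatus"] != "Succeeded":
            continue
        p = target_resource_provider(r["ResourceId"])
        acc[p]["count"] += 1
        acc[p]["callers"].add(r["Caller"])
    return {p: {"count": v["count"], "callers": sorted(v["callers"])} for p, v in acc.items()}


def assignment_changes_per_day(rows, now, days=60):
    """Second query: every roleAssignments record, any status, bucketed by day and
    OperationName; this is the series the timechart plots."""
    cutoff = now - timedelta(days=days)
    counts = Counter()
    for r in rows:
        if r["TimeGenerated"] <= cutoff:
            continue
        if "Microsoft.Authorization/roleAssignments" not in r["Authorization"]:
            continue
        counts[(r["TimeGenerated"].date().isoformat(), r["OperationName"])] += 1
    return dict(counts)


def _row(ts, action, status, resource_id, caller, op_name):
    """Constructed AzureActivity row; Authorization is a JSON string in the real table."""
    return {"TimeGenerated": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
            "Authorization": json.dumps({"action": action, "scope": resource_id}),
            "ActivityStatus": status, "ResourceId": resource_id, "Caller": caller,
            "OperationName": op_name}


RA_W = "Microsoft.Authorization/roleAssignments/write"
RA_D = "Microsoft.Authorization/roleAssignments/delete"
SUB = "/subscriptions/{subscriptionId}"
RG_RA = SUB + "/resourceGroups/example-group/providers/Microsoft.Authorization/roleAssignments/{ra1}"
VM_RA = (SUB + "/resourceGroups/example-group/providers/Microsoft.Compute/virtualMachines/vm1"
         "/providers/Microsoft.Authorization/roleAssignments/{ra2}")
SP = "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"  # constructed service-principal object ID

SAMPLE_ROWS = [
    _row("2021-03-01T22:07:41", RA_W, "Started", RG_RA, "admin@example.com", "Create role assignment"),
    _row("2021-03-01T22:07:42", RA_W, "Succeeded", RG_RA, "admin@example.com", "Create role assignment"),
    _row("2021-03-02T09:15:00", RA_W, "Succeeded", VM_RA, "admin@example.com", "Create role assignment"),
    _row("2021-03-02T11:30:00", RA_W, "Succeeded", VM_RA, SP, "Create role assignment"),
    _row("2021-03-03T10:00:00", RA_D, "Succeeded", RG_RA, "admin@example.com", "Delete role assignment"),
    # Older than ago(60d) relative to NOW: excluded by both queries.
    _row("2020-12-01T08:00:00", RA_W, "Succeeded", RG_RA, "admin@example.com", "Create role assignment"),
    # A role definition change, not an assignment: excluded by both queries.
    _row("2021-03-03T12:00:00", "Microsoft.Authorization/roleDefinitions/write", "Succeeded",
         SUB + "/providers/Microsoft.Authorization/roleDefinitions/{rd1}", "admin@example.com",
         "Create or update custom role definition"),
]
NOW = datetime(2021, 3, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(new_assignments_by_provider(SAMPLE_ROWS, NOW))
    print(assignment_changes_per_day(SAMPLE_ROWS, NOW))
```

Two things the sample makes visible: an assignment made at resource-group scope is attributed to Microsoft.Authorization rather than to any target provider, because the only provider in its ResourceId is the roleAssignments resource itself; and the second query has no ActivityStatus filter, so a single assignment contributes both its Started and its Succeeded record to the chart (the 2021-03-01 bucket counts 2 for one change). If the chart should count changes rather than records, add the same ActivityStatus == "Succeeded" condition the first query uses.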

Activity logs using the Advanced Analytics portal - screenshot

Next steps