Azure Resource Read Usage Admin Logs

Sravan Reddy 0

I am looking to be able to extract Azure console usage via resource reads from users. GCP supports this via data access audit logs that can be enabled https://cloud.google.com/logging/docs/audit/configure-data-access and fetched over API or through pub/sub

I don't see the equivalent levers to pull for Azure - is there a feature gap or am I missing how to extract resource read logs? If this is a feature gap, are there plans to get to parity with GCP?

1 answer

Vinodh247 23,506 Reputation points MVP

2024-11-10T14:38:31.8866667+00:00

Azure provides several logging mechanisms to monitor and audit resource access, including read operations, though the approach differs from Google's Data Access Audit Logs.

Azure Activity Logs: These logs capture control-plane events such as create, update, and delete operations on Azure resources. However, they do not record data-plane read operations.

Azure Resource Logs: These logs offer insights into operations performed within Azure resources, including data-plane activities. To collect and analyze these logs, you need to configure diagnostic settings for each resource and direct the logs to a destination like a Log Analytics workspace, Event Hub, or Storage account.

Diagnostic Settings Configuration: By setting up diagnostic settings on your Azure resources, you can capture data-plane operations, including read activities. This process involves selecting the appropriate log categories and directing them to your chosen destination for analysis.

Accessing Logs via API: Once logs are collected in a Log Analytics workspace, you can query them using the Azure Monitor Logs API. This allows for programmatic access to the logs, enabling integration with other systems or custom analysis.

Comparison with GCP: While Azure's logging capabilities are robust, they require manual configuration to capture data-plane read operations, unlike GCP's Data Access Audit Logs, which can be enabled more directly. As of now, Azure does not offer a native, unified feature specifically for tracking all data-plane read operations across all services.

Future Plans: Microsoft continuously enhances Azure's monitoring and logging features. For the most current information on feature updates and planned enhancements, it's advisable to consult the Azure updates page or contact Microsoft support.

In summary, while Azure can capture resource read operations through resource logs and diagnostic settings, it requires more configuration compared to GCP's approach. Staying informed about Azure's updates will help you leverage new features as they become available.
Please sign in to rate this answer.
Sravan Reddy 0 Reputation points

2024-11-12T16:02:13.41+00:00

@Vinodh247 What is the easiest way to turn on Azure resource read logs (e.g. for resource groups this operation MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/READ) across all my resources and use a diagnostic setting to pipe them to an event hub I have configured?

Can I do this via an API call to handle in bulk or something else that is relatively quick?

Sravan Reddy 0 Reputation points

2024-11-12T16:04:55.1766667+00:00

@Vinodh247 How can I enable the resource logs for read operations (e.g. MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/WRITE) across all of my environment's resources?

Is there an API call or an Azure CLI command I can do for this? Or some kind of script you all have for this purpose?

Vinodh247 23,506 Reputation points MVP

2024-11-12T16:35:42.22+00:00

To enable resource read logs (such as MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/READ) across all resources and pipe them to an Event Hub, you can set up diagnostic settings at the subscription level. Using the Azure Management API allows you to programmatically apply these settings across multiple resources in bulk. Here’s a step-by-step guide to do this efficiently:

Configure a Subscription-Level Diagnostic Setting

Use the REST API to Create Diagnostic Settings

Execute the API Call in Bulk Using a Script

For bulk automation, you could iterate over multiple resource groups or use tags and filters to dynamically assign settings. This approach provides quick and programmatic configuration across all necessary resources.

Sravan Reddy 0 Reputation points

2024-11-12T16:40:28.2+00:00

@Vinodh247

To be more precise - which category specifically do I need to enable to get this resource read log? I tried enabling administrative but I only get create, update & delete logs.

For example, can you give me the exact steps needed to begin emitting MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/READ for even a single resource group such that when I click on the resource group in the UI a log will be emitted?

Vinodh247 23,506 Reputation points MVP

2024-11-12T17:52:38.6266667+00:00

Currently, Azure Activity Logs capture control-plane events, which include create, update, and delete operations but do not capture data-plane read operations by default for resources like resource groups. This differs from GCP's Data Access Audit Logs, which can track read access directly.

Unfortunately, Azure does not provide a dedicated log category that specifically captures read actions (e.g., MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/READ) for all resources at a granular level as GCP does. The Administrative category in Azure Activity Logs will only log changes or modifications (e.g., create, update, delete operations) but does not log read actions such as viewing or listing resources.

Potential Workaround

For certain resources that offer data-plane logging, you could enable Diagnostic Settings to capture access and read events. However, this feature is limited to specific Azure services that support data-plane logging (such as Azure Storage and Key Vault) and does not universally apply to resource groups or general management-plane read actions.

If capturing read access logs for all resource types is critical for your operations, you might consider submitting feedback to Microsoft through the Azure feedback channels, as this is a known gap compared to GCP's capabilities.

Example: Tracking Reads for Specific Azure Resources

For resources that support data-plane logging, you can set up diagnostic settings to log access attempts, but this will not cover all resources or allow logging for resource group reads. For instance:

Azure Key Vault: Can log key, secret, and certificate read access.

Azure Storage: Can log read access to blobs, tables, and files.

These logs can then be directed to an Event Hub, Log Analytics workspace, or Storage Account.

Monitoring Activity Logs in Log Analytics

If your goal is to track user interactions in the Azure portal, consider using Azure AD Sign-In Logs in Azure AD for general tracking of who accessed the Azure portal. However, these logs do not capture the specific resources accessed at a read level.

Hope this helps!

Sravan Reddy 0 Reputation points

2024-11-12T19:37:40.85+00:00

@Vinodh247 thanks that response was helpful - one follow-up

| ...submitting feedback to Microsoft through the Azure feedback channels

How can I do this?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure Resource Read Usage Admin Logs

1 answer

Your answer