Alert for system Identity or user identity on Azure VM

Srikanthreddy Adla 0 Reputation points
2025-01-16T15:05:33.1233333+00:00

We are trying to create an alert when any User Identity\System Identity is added\removed on Azure VMs or VMSS. We tried to create it using Azure Resource Graph, but it is not working.

arg("").resources
| where type == "microsoft.compute/virtualmachines"  // Filter for Virtual Machines
| where subscriptionId == "abcd"  // Specified subscription ID
| extend identity = parse_json(identity)  // Parse the identity column
| extend identityType = tostring(identity.type)  // Extract identity type
| extend userAssignedIdentities = todynamic(identity.userAssignedIdentities)  // Explicitly cast user-assigned identities to dynamic
| where isnull(identityType)  // Check for missing identity type
    or identityType == "None"  // Check if identity is disabled
    or (identityType contains "SystemAssigned" and isnull(userAssignedIdentities))  // Check if user-assigned identities are missing
    or (identityType contains "UserAssigned" and (isnull(userAssignedIdentities) or array_length(bag_keys(userAssignedIdentities)) < 2))  // Check for fewer user-assigned identities
| extend TimeGenerated = todatetime(now())  // Add synthetic TimeGenerated
| project
    TimeGenerated,  // Ensure TimeGenerated is available
    name,
    RenderedDescription = strcat("[TEST-Alert] VM Name: [", name, "] has System/User identity Disabled/Missing")

Please help.

Tags: Azure Monitor, Azure Virtual Machines, Azure Virtual Machine Scale Sets

1 answer

  1. Sina Salam 16,446 Reputation points
    2025-01-17T12:07:00.3633333+00:00

    Hello Srikanthreddy Adla,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you would like to create an alert for the system identity or user identity on Azure VMs whenever there is a change.

    You will need to improve your query by using the correct resource types, parsing the identity correctly, and making sure the extend and project statements are used correctly to capture the necessary fields.

    The below is a modified version of your query:

    arg("").resources
    | where type in ("microsoft.compute/virtualmachines", "microsoft.compute/virtualmachinescalesets")  // Filter for VMs and VMSS
    | where subscriptionId == "abcd"  // Specified subscription ID
    | extend identity = parse_json(identity)  // Parse the identity column
    | extend identityType = tostring(identity.type)  // Extract identity type
    | extend userAssignedIdentities = todynamic(identity.userAssignedIdentities)  // Explicitly cast user-assigned identities to dynamic
    | where isempty(identityType)  // Check for missing identity type (tostring() yields "" rather than null when identity is absent, so isnull() would never match)
        or identityType == "None"  // Check if identity is disabled
        or (identityType contains "SystemAssigned" and isnull(userAssignedIdentities))  // Check if user-assigned identities are missing
        or (identityType contains "UserAssigned" and (isnull(userAssignedIdentities) or array_length(bag_keys(userAssignedIdentities)) < 2))  // Check for fewer user-assigned identities
    | extend TimeGenerated = todatetime(now())  // Add synthetic TimeGenerated
    | project TimeGenerated, name, RenderedDescription = strcat("[TEST-Alert] VM/VMSS Name: [", name, "] has System/User identity Disabled/Missing")

    Also, you can use Azure Monitor to create alerts based on log queries; it will provide more flexibility and reliability.

    For more understanding, check the Azure documentation on managed identities, and for more detailed guidance, check how to configure managed identities for scale sets.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.


    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.

    0 comments
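Both the question's query and the modified one above read the `resources` table, which is a point-in-time snapshot: they can list VMs that currently have no identity, but they cannot tell you that an identity was added or removed, which is what the question asks for. As an added example that is not part of the question or the answer, the following Resource Graph query reads the `resourcechanges` table instead. That table records each property change on a resource together with its previous and new value, so filtering on changes under the `identity` block of VMs and scale sets surfaces exactly the add/remove events. The `identity.` property-path prefix, the `ago(1h)` window and the `abcd` subscription are assumptions to adjust for your environment; whether this table can be reached through `arg("")` from a scheduled log alert depends on the tables that cross-service queries support, so confirm that before wiring it into an alert rule.

```kql
// Added example (not from the thread): managed-identity changes on VMs and VMSS from Resource Graph change history.
// Assumption: property paths for the identity block start with "identity." (e.g. "identity.type",
// "identity.userAssignedIdentities.<resourceId>"). Subscription id and time window are placeholders.
resourcechanges
| extend changeTime = todatetime(properties.changeAttributes.timestamp),
         targetResourceId = tostring(properties.targetResourceId),
         changeType = tostring(properties.changeType),            // Create / Update / Delete of the resource itself
         changedProperties = properties.changes                    // bag: property path -> {previousValue, newValue, ...}
| where changeTime > ago(1h)                                       // evaluation window of the alert (assumption)
| where targetResourceId startswith "/subscriptions/abcd/"        // same placeholder subscription as the thread
// Derive the resource type from the id so the filter mirrors the thread's type list
| extend resourceType = tolower(extract(@"/providers/([^/]+/[^/]+)/", 1, targetResourceId))
| where resourceType in ("microsoft.compute/virtualmachines", "microsoft.compute/virtualmachinescalesets")
| mv-expand bagexpansion=array changedProperties                   // one row per changed property as [path, detail]
| extend propertyPath = tostring(changedProperties[0]),
         detail = changedProperties[1]
| where propertyPath startswith "identity."                        // keep only managed-identity changes (assumed path prefix)
| extend propertyChangeType = tostring(detail.propertyChangeType), // Insert / Update / Remove of that property
         previousValue = tostring(detail.previousValue),
         newValue = tostring(detail.newValue)
| project changeTime, targetResourceId, changeType, propertyPath, propertyChangeType, previousValue, newValue
| order by changeTime desc
```

An `Insert` on `identity.userAssignedIdentities.<resourceId>` is a user-assigned identity being attached, a `Remove` on the same path is a detachment, and an `Update` on `identity.type` (for example from `SystemAssigned` to `None`) is the system-assigned identity being disabled; the `previousValue`/`newValue` pair gives the alert text the concrete before/after state instead of the synthetic "Disabled/Missing" message of the snapshot query.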
