Get-AzSubscriptionActivityLog
Gets Activity Log events from an Azure subscription with filtering options.
Get-AzSubscriptionActivityLog
[-TenantId <String>]
[-SubscriptionId <String>]
[-TimespanHours <Int>]
[-IncludeProperties <Switch>]
[-IncludeListAndGetOperations <Switch>]
[-IdentityType <String[]>]
[-Level <String[]>]
[-Category <String[]>]
[-Caller <String[]>]
[-ResourceGroupName <String[]>]
[-ResourceProviderName <String[]>]
[-ResourceIdMatch <String>]
[-ResourceType <String[]>]
[-OperationName <String[]>]
[-Status <String[]>]
Get-AzSubscriptionActivityLog retrieves events from the Activity Log in an Azure subscription using the REST API. Caller identities are translated to their friendly names from their GUIDs. Requires the Az.Accounts module for authentication in the current context.
Note: by default, operations with 'List' or 'Get token' in the name are excluded from the results, as these can be numerous. To include them, use the -IncludeListAndGetOperations parameter.
Requires at least a Reader role in the Azure subscription.
Requires Directory.Read.All permission in Microsoft Graph.
Install the script from the PowerShell gallery:
Install-Script Get-AzSubscriptionActivityLog -Force
If you haven't already authenticated to Azure, run the Connect-AzAccount cmdlet first, e.g.
Connect-AzAccount -Subscription "e7b7fedf-90ab-4b0c-913b-a08ccd060d9a"
Get-AzSubscriptionActivityLog -TenantId 'a84894e7-90hb-40e3-9783-320d0334b3cc' -SubscriptionID 'e7b7fedf-1d1d-4b0c-913b-a08ccd060d9a' -TimespanHours 12
This command gets activity logs from the specified tenant and subscription over the last 12 hours.
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -IdentityType ManagedIdentity
This command gets events where the caller type is a managed identity.
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -Category 'Policy','Security'
This command gets events with a category of Policy or Security.
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -Caller 'Windows 365','Microsoft.RecoveryServices'
This command gets events where the calling identity is either Windows 365 or Microsoft.RecoveryServices. You could also specify the display name of a managed identity or the UPN of an AAD user.
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -Level Error,Warning
This command gets events with a severity level of either Error or Warning.
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -ResourceGroupName 'rg-01','rg-02'
This command gets events from the resource groups rg-01 and rg-02.
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -ResourceProviderName 'Microsoft.Network','Microsoft.VirtualMachineImages'
This command gets events where the resource provider is either Microsoft.Network or Microsoft.VirtualMachineImages.
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -ResourceIdMatch "VM001"
This command gets events where the resourceId contains the string VM001, which in this case is a virtual machine name. The string can be any part of the resourceId after the resource provider; only a single string is supported.
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -ResourceType 'MICROSOFT.RECOVERYSERVICES/vaults','Microsoft.Compute/virtualMachines'
This command gets events where the resource type is either MICROSOFT.RECOVERYSERVICES/vaults or Microsoft.Compute/virtualMachines.
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -OperationName 'Start Virtual Machine','Backup Protected Item'
This command gets events where the operation name is either Start Virtual Machine or Backup Protected Item.
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -Status Failed,Accepted
This command gets events with a status of Failed or Accepted.
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -IncludeListAndGetOperations
This command gets all events including any List or Get token operations, which are excluded by default as they can be numerous.
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -IncludeProperties
This command gets events and includes any additional properties that are attached to the event.
$ActivityLog = Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -IncludeProperties
$ActivityLog[0].properties | Format-List
This command retrieves the additional properties for the first event in the array, formatted as a list.
$ActivityLog = Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID
$ActivityLog | Group-Object -Property operationName -NoElement | Sort-Object -Property Count -Descending | Format-Table -AutoSize
This command groups events by their operationName and displays the counts of each operation, with the most numerous first.

$ActivityLog = Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID
$ActivityLog | Group-Object -Property category -NoElement | Sort-Object -Property Count -Descending | Format-Table -AutoSize
This command groups events by their category and displays the counts of each category with the most numerous first.
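The grouping commands above can be taken one step further into a per-caller triage view, which also shows the effect of the default List/Get token exclusion described at the top of the page. The following is an added example, not part of the Get-AzSubscriptionActivityLog script; it assumes each returned event exposes the properties caller, operationName, status and resourceId (the Activity Log REST field names), and the events it runs on are constructed sample data.

```powershell
# Added example; not part of the Get-AzSubscriptionActivityLog script. Assumes each
# returned event exposes the properties caller, operationName, status and resourceId
# (the Activity Log REST field names). The events below are constructed sample data.
$SampleEvents = @(
    [pscustomobject]@{ caller = 'svc-backup';        operationName = 'Backup Protected Item';     status = 'Succeeded'; resourceId = '/subscriptions/sub1/resourceGroups/rg-01/providers/Microsoft.RecoveryServices/vaults/vault01' }
    [pscustomobject]@{ caller = 'alice@contoso.com'; operationName = 'Start Virtual Machine';     status = 'Failed';    resourceId = '/subscriptions/sub1/resourceGroups/rg-02/providers/Microsoft.Compute/virtualMachines/VM001' }
    [pscustomobject]@{ caller = 'alice@contoso.com'; operationName = 'Start Virtual Machine';     status = 'Failed';    resourceId = '/subscriptions/sub1/resourceGroups/rg-02/providers/Microsoft.Compute/virtualMachines/VM002' }
    [pscustomobject]@{ caller = 'alice@contoso.com'; operationName = 'Delete Virtual Machine';    status = 'Failed';    resourceId = '/subscriptions/sub1/resourceGroups/rg-02/providers/Microsoft.Compute/virtualMachines/VM003' }
    [pscustomobject]@{ caller = 'mi-deploy';         operationName = 'List Storage Account Keys'; status = 'Succeeded'; resourceId = '/subscriptions/sub1/resourceGroups/rg-01/providers/Microsoft.Storage/storageAccounts/st01' }
    [pscustomobject]@{ caller = 'mi-deploy';         operationName = 'Get token';                 status = 'Succeeded'; resourceId = '/subscriptions/sub1/resourceGroups/rg-01/providers/Microsoft.KeyVault/vaults/kv01' }
)

function Get-ActivityLogCallerSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $FailureThreshold = 3,            # flag callers with at least this many failed operations
        [switch] $IncludeListAndGetOperations   # mirrors the script's switch of the same name
    )
    # Mirror the script's default: drop 'List' and 'Get token' operations unless asked to keep them.
    if (-not $IncludeListAndGetOperations) {
        $Events = @($Events | Where-Object { $_.operationName -notmatch 'List|Get token' })
    }
    $Events | Group-Object -Property caller | ForEach-Object {
        $failed = @($_.Group | Where-Object { $_.status -eq 'Failed' })
        [pscustomobject]@{
            Caller         = $_.Name
            Events         = $_.Count
            Failed         = $failed.Count
            Operations     = ($_.Group.operationName | Sort-Object -Unique) -join ', '
            # resourceId is /subscriptions/<id>/resourceGroups/<rg>/providers/..., so index 4 is the resource group
            ResourceGroups = ($_.Group.resourceId | ForEach-Object { ($_ -split '/')[4] } | Sort-Object -Unique) -join ', '
            Review         = ($failed.Count -ge $FailureThreshold)
        }
    } | Sort-Object -Property Failed, Events -Descending
}

# Against a live subscription, replace $SampleEvents with the script's output, e.g.
# $Events = Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -TimespanHours 24
Get-ActivityLogCallerSummary -Events $SampleEvents | Format-Table -AutoSize
```

With the sample data, alice@contoso.com is flagged for review with three failed operations across rg-02, while mi-deploy disappears from the table entirely unless -IncludeListAndGetOperations is passed, because all of its events are List or Get token operations.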
