smsagent.blog
  • docs.smsagent.blog
  • Custom Reporting in Microsoft Intune
    • Delivery Optimization Report
    • Windows Update for Business Custom Reporting
      • Power BI Report Walkthrough
      • Known issues / limitations
      • Change log
      • Deploy the solution
        • Create Azure Resources
        • Configure Azure Resources
        • Deploy the client-side script
        • Deploy the Azure automation runbooks
        • Configure the Power BI report
      • Adding additional language support
      • Table schema reference
    • Automating Data Exports from Microsoft Graph
      • Azure Automation account
        • Create / configure an Azure automation account
        • Grant API permissions
        • Create an Azure automation runbook
      • Azure Storage account
      • Automate Data Export to Azure Storage Account
      • Automate Data Export to Azure Monitor Logs
      • Creating / Troubleshooting Runbooks
      • Power BI
        • Connect Power BI to an Azure storage account data source
        • Connect Power BI to an Azure log analytics workspace as a data source
    • Managed Devices Report
      • Create / configure an Azure automation account
      • Grant API permissions
      • Create / configure an Azure storage account
      • Create an Azure automation runbook
      • Create a PowerBI report
      • MEM Managed Device Report template
      • Bonus! Unhealthy MEMCM Clients email report
    • Intune Assignments Report
      • Create / configure an Azure automation account
      • Grant API permissions
      • Create / configure an Azure storage account
      • Create an Azure automation runbook
      • Create a Power BI report
      • Change log
    • Patch My PC Report
      • A look at the Power BI reports
      • Change log
      • Video guides
      • Things to know
      • Create / configure an Azure automation account
      • Grant API permissions
      • Create / configure an Azure storage account
      • Create an Azure automation runbook
      • Create the Power BI report
      • Feedback
    • Windows 11 Hardware Readiness Report
    • Gathering Custom Inventory with Intune
      • Set up the Azure Resources
      • Create a Proactive remediations script package
      • Create a runbook
  • PowerShell Scripts Online Help
    • Get-AzSubscriptionActivityLog
  • Azure Solutions
    • Automated Azure Table Storage Backups
      • Change log
      • Deploy the solution
        • Create the Azure resources
        • Set the backup schedule
        • Add storage tables to the backup
        • Add role assignments to the storage account/s
        • Create a lifecycle management rule
      • Run a manual backup
      • Restore a backup
Powered by GitBook
On this page
  • Syntax
  • Description
  • Permissions
  • Install
  • Connect to Azure
  • Examples
  • Example 1 - Get activity log events for the last 12 hours
  • Example 2 - Get activity log events for a specific identity type
  • Example 3 - Get activity log events for specific categories
  • Example 4 - Get activity log events for specific callers
  • Example 5 - Get activity log events with a specific severity
  • Example 6 - Get activity log events for specific resource groups
  • Example 7 - Get activity log events for specific resource providers
  • Example 8 - Get activity log events for a specific resource
  • Example 9 - Get activity log events for a specific resource type
  • Example 10 - Get activity log events for specific operations
  • Example 11 - Get activity log events with a specific status
  • Example 12 - Get activity log events including List and Get token operations
  • Example 13 - Get activity logs including additional properties
  • Example 14 - View the additional properties for an event
  • Example 15 - Group and count events by Operation
  • Example 16 - Group and count events by category
  • Parameters

Was this helpful?

  1. PowerShell Scripts Online Help

Get-AzSubscriptionActivityLog

Gets Activity Log events from an Azure subscription with filtering options.

Syntax

Get-AzSubscriptionActivityLog
    [-TenantId <String>]
    [-SubscriptionId <String>]
    [-TimespanHours <Int>]
    [-IncludeProperties <Switch>]
    [-IncludeListAndGetOperations <Switch>]
    [-IdentityType <String[]>]
    [-Level <String[]>]
    [-Category <String[]>]
    [-Caller <String[]>]
    [-ResourceGroupName <String[]>]
    [-ResourceProviderName <String[]>]
    [-ResourceIdMatch <String>]
    [-ResourceType <String[]>]
    [-OperationName <String[]>]
    [-Status <String[]>]

Description

Get-AzSubscriptionActivityLog retrieves events from the Activity Log in an Azure subscription using the REST API. Caller identities are translated to their friendly names from their GUIDs. Requires the Az.Accounts module for authentication in the current context.

Note by default, operations with 'List' or 'Get token' in the name are excluded from the results as these can be numerous. To include them, use the -IncludeListAndGetOperations parameter

Permissions

Requires at least a Reader role in the Azure subscription.

Requires Directory.Read.All permission in Microsoft Graph.

Install

Install the script from the PowerShell gallery:

Install-Script Get-AzSubscriptionActivityLog -Force

Connect to Azure

if you haven't already authenticated to Azure, run the Connect-AzAccount cmdlet first, eg

Connect-AzAccount -Subscription "e7b7fedf-90ab-4b0c-913b-a08ccd060d9a"

Examples

Example 1 - Get activity log events for the last 12 hours

Get-AzSubscriptionActivityLog -TenantId 'a84894e7-90hb-40e3-9783-320d0334b3cc' -SubscriptionID 'e7b7fedf-1d1d-4b0c-913b-a08ccd060d9a' -TimespanHours 12

This command gets activity logs from the specified tenant and subscription over the last 12 hours.

Example 2 - Get activity log events for a specific identity type

Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -IdentityType ManagedIdentity

This command gets events where the caller type is a managed identity.

Example 3 - Get activity log events for specific categories

Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -Category 'Policy','Security'

This command gets events with a category of Policy or Security.

Example 4 - Get activity log events for specific callers

Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -Caller 'Windows 365','Microsoft.RecoveryServices'

This command gets events where the calling identity is either Windows 365 or Microsoft.RecoveryServices. You could also specify the displayname of a managed identity or the UPN of a AAD user.

Example 5 - Get activity log events with a specific severity

Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -Level Error,Warning

This command gets events with a severity level of either Error or Warning.

Example 6 - Get activity log events for specific resource groups

Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -ResourceGroupName 'rg-01','rg-02'

This command gets events from the resource groups rg-01 and rg-02.

Example 7 - Get activity log events for specific resource providers

Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -ResourceProviderName 'Microsoft.Network','Microsoft.VirtualMachineImages'

This command gets events where the resource provider is either Microsoft.Network or Microsoft.VirtualMachineImages

Example 8 - Get activity log events for a specific resource

Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -ResourceIdMatch "VM001"

This command gets events where the resourceId matches the string VM001, which in this case is a virtual machine name. This could be any part of the resourceId name after the resource provider and supports a single string only.

Example 9 - Get activity log events for a specific resource type

Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -ResourceType 'MICROSOFT.RECOVERYSERVICES/vaults','Microsoft.Compute/virtualMachines'

This command gets events where the resource type is either MICROSOFT.RECOVERYSERVICES/vaults or Microsoft.Compute/virtualMachines

Example 10 - Get activity log events for specific operations

Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -OperationName 'Start Virtual Machine','Backup Protected Item'

This command gets events where the operation name is either Start Virtual Machine or Backup Protected Item

Example 11 - Get activity log events with a specific status

Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -Status Failed,Accepted

This command gets events with a status of Failed or Accepted.

Example 12 - Get activity log events including List and Get token operations

Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -IncludeListAndGetOperations

This command gets all events including any List or Get token operations, which are excluded by default as they can be numerous.

Example 13 - Get activity logs including additional properties

Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -IncludeProperties

This command gets events and includes any additional properties that are attached to the event.

Example 14 - View the additional properties for an event

$ActivityLog = Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -IncludeProperties
$ActivityLog[0].properties | Format-List

This command retrieves the additional properties for the first event in the array, formatted as a list.

Example 15 - Group and count events by Operation

$ActivityLog = Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID
$ActivityLog | Group-Object -Property operationName -NoElement | Sort-Object -Property Count -Descending | Format-Table -AutoSize

This command groups events by their operationName and displays the counts of each operation with the most numerous first

Example 16 - Group and count events by category

$ActivityLog = Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID
$ActivityLog | Group-Object -Property category -NoElement | Sort-Object -Property Count -Descending | Format-Table -AutoSize

This command groups events by their category and displays the counts of each category with the most numerous first.

Parameters

-TenantId

Required. GUID as a String. The tenant Id for the Azure subscription.

-SubscriptionId

Required. GUID as a String. The Azure subscription Id.

TimespanHours

Integer. The number of hours past (from now) to retrieve events. Default is 6.

IncludeProperties

Switch. Use this parameter to include the additional properties for the event. Each event may have additional properties that differ depending on the event type.

IncludeListAndGetOperations

Switch. By default, operations with "List" or "Get token" in the name are excluded as they can be numerous and aren't always useful. Add this parameter if you wish to include them instead.

IdentityType

String[]. The identity type of the caller. Valid values are Application, ManagedIdentity, Service,User or $null.

Level

String[]. The event level or severity. Valid values are Informational, Warning, Error or Critical.

Category

String[]. The event category, for example Administrative, Security, Policy, Recommendation

Caller

String[]. The identity that performed the action in the event.

ResourceGroupName

String[]. The name of one or more resource groups to filter on.

ResourceProviderName

String[]. One or more resource providers to filter on, such as Microsoft.Compute or Microsoft.RecoveryServices

ResourceIdMatch

String. Use this to search for a resource by name using a match, for example a VM name or a NIC name.

ResourceType

String[]. One or more resource types to filter on, for example Microsoft.Network/networkInterfaces or Microsoft.HybridCompute/machines/extensions

OperationName

String[]. The localized values of one or more operation names, for example "Create or Update Network Interface" or "Backup Protected Item"

Status

String[]. The event status. Valid values are Accepted, Started, Succeeded, Failed.

PreviousCreate a runbookNextAutomated Azure Table Storage Backups

Last updated 2 years ago

Was this helpful?