# Get-AzSubscriptionActivityLog

Gets Activity Log events from an Azure subscription with filtering options.

## Syntax

```powershell
Get-AzSubscriptionActivityLog
    -TenantId <String>
    -SubscriptionId <String>
    [-TimespanHours <Int32>]
    [-IncludeProperties <SwitchParameter>]
    [-IncludeListAndGetOperations <SwitchParameter>]
    [-IdentityType <String[]>]
    [-Level <String[]>]
    [-Category <String[]>]
    [-Caller <String[]>]
    [-ResourceGroupName <String[]>]
    [-ResourceProviderName <String[]>]
    [-ResourceIdMatch <String>]
    [-ResourceType <String[]>]
    [-OperationName <String[]>]
    [-Status <String[]>]
```

## Description

Get-AzSubscriptionActivityLog retrieves events from the Activity Log of an Azure subscription using the REST API. Caller identities are translated from their GUIDs to their friendly names. The **Az.Accounts** module is required; the script authenticates with the current Az context.

{% hint style="info" %}
Note: by default, operations with 'List' or 'Get token' in the name are excluded from the results, as these can be numerous. To include them, use the -IncludeListAndGetOperations parameter.
{% endhint %}

## Permissions

Requires at least a **Reader** role in the Azure subscription.

Requires **Directory.Read.All** permission in Microsoft Graph.

## Install

Install the script from the PowerShell gallery:

```powershell
Install-Script Get-AzSubscriptionActivityLog -Force
```

## Connect to Azure

If you haven't already authenticated to Azure, run the **Connect-AzAccount** cmdlet first, e.g.

```powershell
Connect-AzAccount -Subscription "e7b7fedf-90ab-4b0c-913b-a08ccd060d9a"
```
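Because the script authenticates with whatever Az context is current, it is worth confirming that the context points at the subscription you intend to query before pulling logs. The following is an added example, not part of the script's documentation; it reuses the subscription GUID from the Connect-AzAccount line above and takes the tenant Id from the context instead of typing it by hand.

```powershell
# Added example: make sure the current Az context matches the subscription
# we are about to query, then run the script with a tenant Id taken from
# that context. The subscription GUID is the one used in the Connect-AzAccount
# example above.
$SubscriptionId = 'e7b7fedf-90ab-4b0c-913b-a08ccd060d9a'

$Context = Get-AzContext
if (-not $Context) {
    # No context at all: sign in interactively to the target subscription.
    Connect-AzAccount -Subscription $SubscriptionId | Out-Null
    $Context = Get-AzContext
}

if ($Context.Subscription.Id -ne $SubscriptionId) {
    # Signed in, but to a different subscription: switch the context rather
    # than silently querying the wrong place.
    Write-Warning "Context was on subscription $($Context.Subscription.Id); switching to $SubscriptionId"
    Set-AzContext -Subscription $SubscriptionId | Out-Null
    $Context = Get-AzContext
}

# The tenant that owns the subscription, as reported by the context.
$TenantId = $Context.Tenant.Id
Write-Host "Querying subscription $SubscriptionId in tenant $TenantId as $($Context.Account.Id)"

Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionId -TimespanHours 6
```

If the sign-in account lacks the **Reader** role on the subscription or **Directory.Read.All** in Microsoft Graph (see Permissions above), the REST calls or the caller-name translation will fail at this point rather than part-way through a longer investigation.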

## Examples

### Example 1 - Get activity log events for the last 12 hours

```powershell
Get-AzSubscriptionActivityLog -TenantId 'a84894e7-90hb-40e3-9783-320d0334b3cc' -SubscriptionID 'e7b7fedf-1d1d-4b0c-913b-a08ccd060d9a' -TimespanHours 12
```

This command gets activity logs from the specified tenant and subscription over the last 12 hours.

### Example 2 - Get activity log events for a specific identity type

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -IdentityType ManagedIdentity
```

This command gets events where the caller type is a managed identity.

### Example 3 - Get activity log events for specific categories

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -Category 'Policy','Security'
```

This command gets events with a category of *Policy* or *Security*.

### Example 4 - Get activity log events for specific callers

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -Caller 'Windows 365','Microsoft.RecoveryServices'
```

This command gets events where the calling identity is either *Windows 365* or *Microsoft.RecoveryServices*. You could also specify the display name of a managed identity or the UPN of an Azure AD user.

### Example 5 - Get activity log events with a specific severity

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -Level Error,Warning
```

This command gets events with a severity level of either *Error* or *Warning*.

### Example 6 - Get activity log events for specific resource groups

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -ResourceGroupName 'rg-01','rg-02'
```

This command gets events from the resource groups *rg-01* and *rg-02*.

### Example 7 - Get activity log events for specific resource providers

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -ResourceProviderName 'Microsoft.Network','Microsoft.VirtualMachineImages' 
```

This command gets events where the resource provider is either *Microsoft.Network* or *Microsoft.VirtualMachineImages*.

### Example 8 - Get activity log events for a specific resource

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -ResourceIdMatch "VM001"
```

This command gets events where the resourceId contains the string *VM001*, which in this case is a virtual machine name. The match can be any part of the resourceId after the resource provider segment; only a single string is supported.

### Example 9 - Get activity log events for a specific resource type

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -ResourceType 'MICROSOFT.RECOVERYSERVICES/vaults','Microsoft.Compute/virtualMachines'
```

This command gets events where the resource type is either *MICROSOFT.RECOVERYSERVICES/vaults* or *Microsoft.Compute/virtualMachines*.

### Example 10 - Get activity log events for specific operations

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -OperationName 'Start Virtual Machine','Backup Protected Item'
```

This command gets events where the operation name is either *Start Virtual Machine* or *Backup Protected Item*.

### Example 11 - Get activity log events with a specific status

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -Status Failed,Accepted 
```

This command gets events with a status of *Failed* or *Accepted*.

### Example 12 - Get activity log events including List and Get token operations

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -IncludeListAndGetOperations
```

This command gets all events including any *List* or *Get token* operations, which are excluded by default as they can be numerous.

### Example 13 - Get activity logs including additional properties

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -IncludeProperties
```

This command gets events and includes any additional properties that are attached to the event.

### Example 14 - View the additional properties for an event

```powershell
$ActivityLog = Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -IncludeProperties
$ActivityLog[0].properties | Format-List
```

This command retrieves the additional properties for the first event in the array, formatted as a list.

### Example 15 - Group and count events by Operation

```powershell
$ActivityLog = Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID
$ActivityLog | Group-Object -Property operationName -NoElement | Sort-Object -Property Count -Descending | Format-Table -AutoSize
```

This command groups events by their operationName and displays the counts of each operation, with the most numerous first.


### Example 16 - Group and count events by category

```powershell
$ActivityLog = Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID
$ActivityLog | Group-Object -Property category -NoElement | Sort-Object -Property Count -Descending | Format-Table -AutoSize
```

This command groups events by their category and displays the counts of each category, with the most numerous first.

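Grouping by operationName or category (Examples 15 and 16) is a good first pass; the next thing a responder usually wants is a short triage view of the same window: failed operations per caller, anything at Error or Critical level, and callers that are not on a known list. The following is an added example and not part of the script's own documentation. It assumes the returned objects expose the standard Activity Log event fields `caller`, `status`, `level`, `eventTimestamp` and `resourceId` (the `operationName` and `category` fields are confirmed by the examples above); the tenant and subscription Ids are placeholders and the allow list of callers is constructed for the example.

```powershell
# Added example: triage the last 24 hours of Activity Log events.
# Assumed field names: caller, status, level, eventTimestamp, resourceId
# (standard Activity Log event schema). operationName and category are
# confirmed by the examples on this page.
$TenantId       = '<tenant-guid>'        # placeholder
$SubscriptionId = '<subscription-guid>'  # placeholder

$Events = Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionId -TimespanHours 24

# 1. Failed operations, grouped by who attempted them and what they tried,
#    most frequent first. Repeated failures from one caller are worth a look.
$Failures = $Events |
    Where-Object { $_.status -eq 'Failed' } |
    Group-Object -Property caller, operationName -NoElement |
    Sort-Object -Property Count -Descending

# 2. Error or Critical events, with the resource each one touched.
$HighSeverity = $Events |
    Where-Object { $_.level -in 'Error', 'Critical' } |
    Select-Object eventTimestamp, caller, operationName, status, resourceId

# 3. Callers active in the window that are not on a known-good list.
#    The list below is constructed for this example; build yours from a
#    quiet baseline period (e.g. Example 4's callers plus your admins).
$KnownCallers = @('Windows 365', 'Microsoft.RecoveryServices')
$UnexpectedCallers = $Events |
    Where-Object { $_.caller -and ($_.caller -notin $KnownCallers) } |
    Group-Object -Property caller -NoElement |
    Sort-Object -Property Count -Descending

Write-Host "Failed operations by caller and operation:"
$Failures | Format-Table -AutoSize

Write-Host "Error/Critical events:"
$HighSeverity | Format-Table -AutoSize

Write-Host "Callers not on the known list:"
$UnexpectedCallers | Format-Table -AutoSize

# Keep a copy of the high-severity events for the incident record.
$Stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$HighSeverity | Export-Csv -Path ".\activitylog-highseverity-$Stamp.csv" -NoTypeInformation
```

Leave -IncludeListAndGetOperations off for this pass; the read-only List and Get token operations it adds would swamp the counts. Add -IncludeProperties only when you need the per-event detail for a specific hit, as in Example 14.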

## Parameters

<details>

<summary>-TenantId</summary>

**Required**. GUID as a String. The tenant Id for the Azure subscription.

</details>

<details>

<summary>-SubscriptionId</summary>

**Required**. GUID as a String. The Azure subscription Id.

</details>

<details>

<summary>-TimespanHours</summary>

Integer. The number of hours past (from now) to retrieve events. Default is 6.

</details>

<details>

<summary>-IncludeProperties</summary>

Switch. Use this parameter to include the additional properties for the event. Each event may have additional properties that differ depending on the event type.

</details>

<details>

<summary>-IncludeListAndGetOperations</summary>

Switch. By default, operations with "List" or "Get token" in the name are excluded as they can be numerous and aren't always useful. Add this parameter if you wish to include them instead.

</details>

<details>

<summary>-IdentityType</summary>

String\[]. The identity type of the caller. Valid values are *Application*, *ManagedIdentity*, *Service*, *User* or *$null*.

</details>

<details>

<summary>-Level</summary>

String\[]. The event level or severity. Valid values are *Informational, Warning, Error* or *Critical*.

</details>

<details>

<summary>-Category</summary>

String\[]. The event category, for example *Administrative*, *Security*, *Policy* or *Recommendation*.

</details>

<details>

<summary>-Caller</summary>

String\[]. The identity that performed the action in the event.

</details>

<details>

<summary>-ResourceGroupName</summary>

String\[]. The name of one or more resource groups to filter on.

</details>

<details>

<summary>-ResourceProviderName</summary>

String\[]. One or more resource providers to filter on, such as *Microsoft.Compute* or *Microsoft.RecoveryServices*.

</details>

<details>

<summary>-ResourceIdMatch</summary>

String. A single string matched against the resourceId of each event, used to find a resource by name, for example a VM name or a NIC name.

</details>

<details>

<summary>-ResourceType</summary>

String\[]. One or more resource types to filter on, for example *Microsoft.Network/networkInterfaces* or *Microsoft.HybridCompute/machines/extensions*.

</details>

<details>

<summary>-OperationName</summary>

String\[]. The localized values of one or more operation names, for example *"Create or Update Network Interface"* or *"Backup Protected Item"*.

</details>

<details>

<summary>-Status</summary>

String\[]. The event status. Valid values are *Accepted, Started, Succeeded, Failed*.

</details>
