# Get-AzSubscriptionActivityLog

Gets Activity Log events from an Azure subscription with filtering options.

## Syntax

```powershell
Get-AzSubscriptionActivityLog
    [-TenantId <String>]
    [-SubscriptionId <String>]
    [-TimespanHours <Int>]
    [-IncludeProperties <Switch>]
    [-IncludeListAndGetOperations <Switch>]
    [-IdentityType <String[]>]
    [-Level <String[]>]
    [-Category <String[]>]
    [-Caller <String[]>]
    [-ResourceGroupName <String[]>]
    [-ResourceProviderName <String[]>]
    [-ResourceIdMatch <String>]
    [-ResourceType <String[]>]
    [-OperationName <String[]>]
    [-Status <String[]>]
```

## Description

Get-AzSubscriptionActivityLog retrieves events from the Activity Log in an Azure subscription using the REST API. Caller identities are translated to their friendly names from their GUIDs. Requires the **Az.Accounts** module for authentication in the current context.

{% hint style="info" %}
By default, operations with 'List' or 'Get token' in the name are excluded from the results, as these can be numerous. To include them, use the -IncludeListAndGetOperations parameter.
{% endhint %}

## Permissions

Requires at least a **Reader** role in the Azure subscription.

Requires **Directory.Read.All** permission in Microsoft Graph.

## Install

Install the script from the PowerShell gallery:

```powershell
Install-Script Get-AzSubscriptionActivityLog -Force
```

## Connect to Azure

If you haven't already authenticated to Azure, run the **Connect-AzAccount** cmdlet first, for example:

```powershell
Connect-AzAccount -Subscription "e7b7fedf-90ab-4b0c-913b-a08ccd060d9a"
```

## Examples

### Example 1 - Get activity log events for the last 12 hours

```powershell
Get-AzSubscriptionActivityLog -TenantId 'a84894e7-90hb-40e3-9783-320d0334b3cc' -SubscriptionID 'e7b7fedf-1d1d-4b0c-913b-a08ccd060d9a' -TimespanHours 12
```

This command gets activity logs from the specified tenant and subscription over the last 12 hours.

### Example 2 - Get activity log events for a specific identity type

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -IdentityType ManagedIdentity
```

This command gets events where the caller type is a managed identity.

### Example 3 - Get activity log events for specific categories

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -Category 'Policy','Security'
```

This command gets events with a category of *Policy* or *Security*.

### Example 4 - Get activity log events for specific callers

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -Caller 'Windows 365','Microsoft.RecoveryServices'
```

This command gets events where the calling identity is either *Windows 365* or *Microsoft.RecoveryServices*. You could also specify the display name of a managed identity or the UPN of an AAD user.

### Example 5 - Get activity log events with a specific severity

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -Level Error,Warning
```

This command gets events with a severity level of either *Error* or *Warning*.

### Example 6 - Get activity log events for specific resource groups

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -ResourceGroupName 'rg-01','rg-02'
```

This command gets events from the resource groups *rg-01* and *rg-02*.

### Example 7 - Get activity log events for specific resource providers

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -ResourceProviderName 'Microsoft.Network','Microsoft.VirtualMachineImages' 
```

This command gets events where the resource provider is either *Microsoft.Network* or *Microsoft.VirtualMachineImages*.

### Example 8 - Get activity log events for a specific resource

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -ResourceIdMatch "VM001"
```

This command gets events where the resourceId matches the string *VM001*, which in this case is a virtual machine name. This could be any part of the resourceId name after the resource provider and supports a single string only.

### Example 9 - Get activity log events for a specific resource type

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -ResourceType 'MICROSOFT.RECOVERYSERVICES/vaults','Microsoft.Compute/virtualMachines'
```

This command gets events where the resource type is either *MICROSOFT.RECOVERYSERVICES/vaults* or *Microsoft.Compute/virtualMachines*.

### Example 10 - Get activity log events for specific operations

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -OperationName 'Start Virtual Machine','Backup Protected Item'
```

This command gets events where the operation name is either *Start Virtual Machine* or *Backup Protected Item*.

### Example 11 - Get activity log events with a specific status

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -Status Failed,Accepted 
```

This command gets events with a status of *Failed* or *Accepted*.

### Example 12 - Get activity log events including List and Get token operations

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -IncludeListAndGetOperations
```

This command gets all events including any *List* or *Get token* operations, which are excluded by default as they can be numerous.

### Example 13 - Get activity logs including additional properties

```powershell
Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -IncludeProperties
```

This command gets events and includes any additional properties that are attached to the event.

### Example 14 - View the additional properties for an event

```powershell
$ActivityLog = Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID -IncludeProperties
$ActivityLog[0].properties | Format-List
```

This command retrieves the additional properties for the first event in the array, formatted as a list.

### Example 15 - Group and count events by Operation

```powershell
$ActivityLog = Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID
$ActivityLog | Group-Object -Property operationName -NoElement | Sort-Object -Property Count -Descending | Format-Table -AutoSize
```

This command groups events by their operationName and displays the counts of each operation with the most numerous first.


### Example 16 - Group and count events by category

```powershell
$ActivityLog = Get-AzSubscriptionActivityLog -TenantId $TenantId -SubscriptionId $SubscriptionID
$ActivityLog | Group-Object -Property category -NoElement | Sort-Object -Property Count -Descending | Format-Table -AutoSize
```

This command groups events by their category and displays the counts of each category with the most numerous first.

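The following is an added example, not part of the script's own documentation. It combines several of the filters above to review who changed authorization settings (role assignments, locks, policy assignments) in the last 24 hours. It assumes that `$TenantId` and `$SubscriptionID` are set, that multiple filter parameters are applied together, and that the returned objects expose `caller` and `status` properties alongside the `operationName` property used in Example 15.

```powershell
# Added example: summarise Microsoft.Authorization activity per caller.
# Assumptions (not confirmed by this page): filters combine as a logical AND,
# and output objects carry 'caller' and 'status' properties.

$Params = @{
    TenantId             = $TenantId
    SubscriptionId       = $SubscriptionID
    TimespanHours        = 24
    Category             = 'Administrative'
    ResourceProviderName = 'Microsoft.Authorization'
}

# Wrap in @() so a single event is still treated as an array
$AuthEvents = @(Get-AzSubscriptionActivityLog @Params)

$Summary = $AuthEvents |
    Group-Object -Property caller |
    ForEach-Object {
        # Count the failed attempts separately; repeated failures by one
        # caller are worth a closer look than routine successful changes
        $FailedEvents = @($_.Group | Where-Object { $_.status -eq 'Failed' })

        [pscustomobject]@{
            Caller     = $_.Name
            Events     = $_.Count
            Failed     = $FailedEvents.Count
            Operations = ($_.Group.operationName | Sort-Object -Unique) -join '; '
        }
    }

# Callers with the most failures first, then by total volume
$Summary |
    Sort-Object -Property Failed, Events -Descending |
    Format-Table -AutoSize -Wrap
```

Because *List* operations are excluded by default, the summary contains write, delete and action operations only; add `-IncludeListAndGetOperations` to the parameter set if read activity is also of interest.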

## Parameters

<details>

<summary>-TenantId</summary>

**Required**. GUID as a String. The tenant Id for the Azure subscription.

</details>

<details>

<summary>-SubscriptionId</summary>

**Required**. GUID as a String. The Azure subscription Id.

</details>

<details>

<summary>TimespanHours</summary>

Integer. The number of hours past (from now) to retrieve events. Default is 6.

</details>

<details>

<summary>IncludeProperties</summary>

Switch. Use this parameter to include the additional properties for the event. Each event may have additional properties that differ depending on the event type.

</details>

<details>

<summary>IncludeListAndGetOperations</summary>

Switch. By default, operations with "List" or "Get token" in the name are excluded as they can be numerous and aren't always useful. Add this parameter if you wish to include them instead.

</details>

<details>

<summary>IdentityType</summary>

String\[]. The identity type of the caller. Valid values are *Application, ManagedIdentity, Service, User* or *$null*.

</details>

<details>

<summary>Level</summary>

String\[]. The event level or severity. Valid values are *Informational, Warning, Error* or *Critical*.

</details>

<details>

<summary>Category</summary>

String\[]. The event category, for example *Administrative, Security, Policy, Recommendation*.

</details>

<details>

<summary>Caller</summary>

String\[]. The identity that performed the action in the event.

</details>

<details>

<summary>ResourceGroupName</summary>

String\[]. The name of one or more resource groups to filter on.

</details>

<details>

<summary>ResourceProviderName</summary>

String\[]. One or more resource providers to filter on, such as *Microsoft.Compute* or *Microsoft.RecoveryServices*.

</details>

<details>

<summary>ResourceIdMatch</summary>

String. Use this to search for a resource by name using a match, for example a VM name or a NIC name.

</details>

<details>

<summary>ResourceType</summary>

String\[]. One or more resource types to filter on, for example *Microsoft.Network/networkInterfaces* or *Microsoft.HybridCompute/machines/extensions*.

</details>

<details>

<summary>OperationName</summary>

String\[]. The localized values of one or more operation names, for example *"Create or Update Network Interface"* or *"Backup Protected Item"*.

</details>

<details>

<summary>Status</summary>

String\[]. The event status. Valid values are *Accepted, Started, Succeeded, Failed*.

</details>


