Azure Kusto Query Language hot tip: RBAC changes

By /

Here is the first of several articles with tips on how you can leverage Azure Kusto Query Language (KQL) for various tasks in your Microsoft Azure environment. (Microsoft has an overview of KQL here.) Sometimes you want to keep track of the RBAC changes on your resources. This Kusto Query Language will provide a summarized view of all successful attempts to add or remove entries in the Azure resources. The same query can be customized to narrow down the results by resource type, in case you are targeting a specific resource or even a name (perhaps too specific in a corporate environment).

The results of the query are depicted in the image below.

kusto rbac

The query required to provide that output is listed below.

AzureActivity
| where TimeGenerated > ago(24h)
| where (OperationNameValue == 'MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE'
or OperationNameValue == 'MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/DELETE')
| where ActivityStatusValue == 'Success'
| order by TimeGenerated desc

About The Author

Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management, and Office Server and Services, besides of the Microsoft Award he also holds a Solutions Master (MCSM) in Exchange, CISSP and several other certifications. Anderson contributes to the Microsoft Community with articles, tutorials, blog posts, twitter, forums and book reviews. He is a regular contributor here at Techgenix.com, MSExchange.org, ITPROCentral.com and Anderson Patricio.org (Portuguese).

Read Next

Static vs Dynamic IP Address

Static vs Dynamic IP Address

Most people are familiar with Internet Protocol (IP) Addresses, but many people don’t know you have 2 types. In this article, you’ll learn about static…

Read More »

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top