Field | Value |
---|---|
title | Access reporting - Azure RBAC \| Microsoft Docs |
description | Generate a report that lists all changes in access to your Azure subscriptions with Role-Based Access Control over the past 90 days. |
services | active-directory |
documentationcenter | |
author | andredm7 |
manager | mtillman |
ms.assetid | 2bc68595-145e-4de3-8b71-3a21890d13d9 |
ms.service | active-directory |
ms.devlang | na |
ms.topic | article |
ms.tgt_pltfrm | na |
ms.workload | identity |
ms.date | 07/17/2017 |
ms.author | andredm |
ms.reviewer | rqureshi |
ms.custom | H1Hack27Feb2017 |

Any time someone grants or revokes access within your subscriptions, the changes get logged in Azure events. You can create access change history reports to see all changes for the past 90 days.
To create an access change history report in PowerShell, use the `Get-AzureRMAuthorizationChangeLog` command.
When you call this command, you can specify which property of the assignments you want listed, including the following:
Property | Description |
---|---|
Action | Whether access was granted or revoked |
Caller | The owner responsible for the access change |
PrincipalId | The unique identifier of the user, group, or application that was assigned the role |
PrincipalName | The name of the user, group, or application |
PrincipalType | Whether the assignment was for a user, group, or application |
RoleDefinitionId | The GUID of the role that was granted or revoked |
RoleName | The role that was granted or revoked |
Scope | The unique identifier of the subscription, resource group, or resource that the assignment applies to |
ScopeName | The name of the subscription, resource group, or resource |
ScopeType | Whether the assignment was at the subscription, resource group, or resource scope |
Timestamp | The date and time that access was changed |
This example command lists all access changes in the subscription for the past seven days:
```powershell
Get-AzureRMAuthorizationChangeLog -StartTime ([DateTime]::Now - [TimeSpan]::FromDays(7)) | FT Caller,Action,RoleName,PrincipalType,PrincipalName,ScopeType,ScopeName
```

To create an access change history report in the Azure command-line interface (CLI), use the `azure role assignment changelog list` command.
To save the report, or manipulate the data, export the access changes into a .csv file. You can then view the report in a spreadsheet for review.
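One way to produce that .csv file and pull out the entries worth reviewing first, as an added example that is not part of the original article. It assumes the AzureRM module with a signed-in session, that the `Action` value for a grant begins with "Grant", and a hypothetical output file name.

```powershell
# Added example (not from the original article).
# Assumes the AzureRM module is loaded and you are signed in (Login-AzureRmAccount).
$start   = [DateTime]::Now - [TimeSpan]::FromDays(7)
$csvPath = Join-Path $PWD 'rbac-access-changes.csv'   # hypothetical file name

# Collect the change log once, oldest entry first, keeping every documented property.
$changes = Get-AzureRMAuthorizationChangeLog -StartTime $start |
    Sort-Object Timestamp |
    Select-Object Timestamp, Caller, Action, RoleName, RoleDefinitionId,
                  PrincipalType, PrincipalName, PrincipalId,
                  ScopeType, ScopeName, Scope

# -NoTypeInformation omits the "#TYPE ..." first line so the spreadsheet
# sees the column headers in row 1.
$changes | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8

# Review aid: grants of built-in roles that can themselves change access.
# Assumption: the Action value for a grant begins with "Grant".
$privilegedRoles = 'Owner', 'User Access Administrator'
$changes |
    Where-Object { $_.Action -like 'Grant*' -and $privilegedRoles -contains $_.RoleName } |
    Format-Table Timestamp, Caller, PrincipalName, RoleName, ScopeName -AutoSize

# Who made the most access changes in the window, split by grant/revoke.
$changes |
    Group-Object Caller, Action |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The exported file keeps `PrincipalId`, `RoleDefinitionId` and `Scope`, so a reviewer can still tell entries apart when display names are reused or have changed.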
- Work with Custom roles in Azure RBAC
- Learn how to manage Azure RBAC with PowerShell