Audit Events in Your Azure Subscription with PowerShell

Update! v.1.1 released fixing a bug where the most recent events were not being returned (2022-09-13)

A quick post – I just published a new script for retrieving activity log events for an Azure subscription as the current options for searching and retrieving events didn’t satisfy me.

Azure Monitor has an activity log at the subscription level which can be useful for auditing events in your Azure subscription: finding out who made changes to what, when, and so on. You can search this log in the portal, or by sending the logs to a Log Analytics workspace, for example.

You can also query events with the Get-AzLog cmdlet. However, I wanted more flexible and additional search criteria, as well as a way to translate the caller name, which could be the GUID of a service principal or managed identity, into its friendlier display name, which makes it much easier to figure out who did what.

Get-AzSubscriptionActivityLog was the result and can be installed from the PowerShell Gallery:

Install-Script Get-AzSubscriptionActivityLog -Force

There is an online help file which gives the lowdown and several examples here, or you can run:

Get-Help Get-AzSubscriptionActivityLog.ps1 -Online
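
To illustrate the caller-name translation described above, here is a sketch built only on Get-AzLog and Get-AzADServicePrincipal. It is an added example, not the code of Get-AzSubscriptionActivityLog. The helper names Resolve-CallerName and Get-FieldText, the 24-hour window, and the assumption that a GUID caller is a service principal object ID (with application ID as a fallback) are illustrative.

```powershell
# Added example: requires Az.Monitor and Az.Resources and a signed-in session (Connect-AzAccount).
$script:CallerCache = @{}   # one directory lookup per distinct GUID

function Resolve-CallerName {
    param([Parameter(Mandatory)][string]$Caller)
    # Users appear as a UPN or e-mail address; only GUID callers need a lookup.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($Caller, [ref]$guid)) { return $Caller }
    if ($script:CallerCache.ContainsKey($Caller)) { return $script:CallerCache[$Caller] }

    $sp = $null
    # Assumption: the GUID is a service principal object ID (managed identities
    # are service principals too); fall back to treating it as an application ID.
    foreach ($lookup in @{ ObjectId = $Caller }, @{ ApplicationId = $Caller }) {
        try   { $sp = Get-AzADServicePrincipal @lookup -ErrorAction Stop }
        catch { $sp = $null }
        if ($sp) { break }
    }
    # Keep the raw GUID visible when nothing matches, so the event is not lost.
    $name = if ($sp) { $sp.DisplayName } else { "$Caller (unresolved)" }
    $script:CallerCache[$Caller] = $name
    return $name
}

function Get-FieldText {
    param($Field)
    # OperationName and Status may be objects with a Value property rather than
    # plain strings, depending on the Az.Monitor version (assumption); handle both.
    if ($Field -is [string]) { return $Field }
    if ($null -ne $Field.Value) { return $Field.Value }
    return "$Field"
}

# Last 24 hours of subscription activity, newest first, with friendly caller names.
$end    = Get-Date
$events = Get-AzLog -StartTime $end.AddDays(-1) -EndTime $end -MaxRecord 1000 -WarningAction SilentlyContinue

$events | Where-Object Caller | Sort-Object EventTimestamp -Descending |
    Select-Object EventTimestamp,
        @{ Name = 'Caller';    Expression = { Resolve-CallerName $_.Caller } },
        @{ Name = 'Operation'; Expression = { Get-FieldText $_.OperationName } },
        @{ Name = 'Status';    Expression = { Get-FieldText $_.Status } },
        ResourceGroupName, ResourceId
```

Resolving names needs directory read permission for the signed-in account; callers that cannot be resolved are shown with their GUID and marked "(unresolved)".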

Hope it helps someone!