Skip to content
This PowerShell Runbook can be used to collect Management Group Activity Logs and can send them to Azure Storage, Azure Event Hubs, Azure Monitor
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Collect Management Group Activity Logs

This PowerShell script is designed to run an an Azure Automation Runbook. The script collects the Activity Logs associated with each Management Group within an Azure Active Directory tenant and writes the logs to blob storage in an Azure Storage Account. It additionally can deliver the logs to an Azure Event Hub and Azure Monitor through the Azure Monitor HTTP Data Collector API. The log created in Azure Monitor is named mgmtGroupActivityLogs.

What problem does this solve?

In Microsoft Azure, write, update, and delete operations on the cloud control plane are logged to the Azure Activity Log. Each Azure Subscription and Azure Management Group have an Activity Log which are retained on the platform for 90 days. To retain the logs for more than 90 days the logs need to be retrieved and stored in another medium. Activity Logs for subscriptions have been integrated with Azure Storage, Azure Log Analytics, and Azure Event Hubs. The logs for Management Groups are only accessible through the Azure Portal and the Azure REST API, and as of October 2019, have not yet been integrated with other storage mediums.

Management Groups were introduced to Microsoft Azure as a means of applying governance and access controls across multiple Azure Subscriptions. This is accomplished through the use of Azure Policy and Azure RBAC. This means that activites performed on management groups need to be monitored, analyzed, and alerted upon.

This Runbook can be used to collect the Activity Logs from all Management Groups within an Azure AD Tenant in order to retain, analyze, and alert on the logs. It will write the logs to blob storage in an Azure Storage Account and optionally to a Log Analytics Workspace and Azure Event Hub.


Azure Identity and Access Management Requirements

The following Azure RBAC Roles must be granted to the Azure Automation Account under the context which the Runbook runs.

Azure Resource Requirements

  • Azure Storage Account with a container already created for the blobs
  • (Optional) Azure Log Analytics Workspace
  • (Optional) Azure Event Hub

.NET Libraries

The following .NET libraries need to be imported into the Azure Automation Account. You can use the command line version of Nuget. Each library needs to be packed into a separate ZIP file for important. Ensure you capture both the DLL and XML/PDB (if present) files for each package.


  1. Create a new Azure Automation Account
  2. Install and run the Update-AutomationAzureModulesForAccount PowerShell runbook.
  3. Install the .NET modules referenced above into the Azure Automation Account.
  4. Create the required Azure resources above and optional resources if choosing to write to Azure Monitor or Azure Event Hub.
  5. Grant the RBAC roles referenced in the requirements above to the service principal used by the Azure Automation Account.
  6. Create three variables in the Azure Automation Account. The variables should be named and used as follows:
  • eventHubConnString - Connection string for the Event Hub you want the logs to stream to.
  • logAnalyticsWorkspaceId - Log Analytics Workspace Id you want the logs to be sent to.
  • logAnalyticsWorkspaceKey- Log Analytics Workspace Key you want the logs to be sent to.
  1. Install the Collect-ManagementGroupActivityLogs
  2. Run on demand, schedule, or whatever floats your boat!
You can’t perform that action at this time.