Collect Management Group Activity Logs
This PowerShell script is designed to run as an Azure Automation Runbook. The script collects the Activity Logs associated with each Management Group within an Azure Active Directory tenant and writes the logs to blob storage in an Azure Storage Account. It can additionally deliver the logs to an Azure Event Hub and to Azure Monitor through the Azure Monitor HTTP Data Collector API. The log created in Azure Monitor is named mgmtGroupActivityLogs.
What problem does this solve?
In Microsoft Azure, write, update, and delete operations on the cloud control plane are logged to the Azure Activity Log. Each Azure Subscription and each Azure Management Group has an Activity Log, which is retained on the platform for 90 days. To retain the logs for more than 90 days, they need to be retrieved and stored in another medium. Activity Logs for subscriptions have been integrated with Azure Storage, Azure Log Analytics, and Azure Event Hubs. The logs for Management Groups are only accessible through the Azure Portal and the Azure REST API and, as of October 2019, have not yet been integrated with other storage mediums.
Management Groups were introduced to Microsoft Azure as a means of applying governance and access controls across multiple Azure Subscriptions. This is accomplished through the use of Azure Policy and Azure RBAC. This means that activities performed on management groups need to be monitored, analyzed, and alerted upon.
This Runbook can be used to collect the Activity Logs from all Management Groups within an Azure AD Tenant in order to retain, analyze, and alert on the logs. It will write the logs to blob storage in an Azure Storage Account and optionally to a Log Analytics Workspace and Azure Event Hub.
Azure Identity and Access Management Requirements
The following Azure RBAC Roles must be granted to the Azure Automation Account under the context which the Runbook runs.
- Reader on Tenant Root Group Management Group
- Storage Blob Contributor on the Azure Storage Account where you want to write the logs
Azure Resource Requirements
- Azure Storage Account with a container already created for the blobs
- (Optional) Azure Log Analytics Workspace
- (Optional) Azure Event Hub
The following .NET libraries need to be imported into the Azure Automation Account. You can use the command line version of NuGet to download them. Each library needs to be packed into a separate ZIP file for import. Ensure you capture both the DLL and XML/PDB (if present) files for each package.
- Microsoft.IdentityModel.Clients.ActiveDirectory 5.2.3
- Microsoft.Azure.EventHubs 4.1.0 - .NET Standard 2.0
- Microsoft.Azure.Amqp 2.4.3
- System.Diagnostics.DiagnosticSource 4.6.0 - .NET 4.5
- Create a new Azure Automation Account
- Install and run the Update-AutomationAzureModulesForAccount PowerShell runbook.
- Install the .NET modules referenced above into the Azure Automation Account.
- Create the required Azure resources above and optional resources if choosing to write to Azure Monitor or Azure Event Hub.
- Grant the RBAC roles referenced in the requirements above to the service principal used by the Azure Automation Account.
- Create three variables in the Azure Automation Account. The variables should be named and used as follows:
  - eventHubConnString - Connection string for the Event Hub you want the logs to stream to.
  - logAnalyticsWorkspaceId - Log Analytics Workspace Id you want the logs to be sent to.
  - logAnalyticsWorkspaceKey - Log Analytics Workspace Key you want the logs to be sent to.
- Install the Collect-ManagementGroupActivityLogs runbook.
- Run on demand, schedule, or whatever floats your boat!
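As an added illustration (not the Runbook's own code), the following shows how a record is signed and posted to the Azure Monitor HTTP Data Collector API under the custom log type mgmtGroupActivityLogs, reading the workspace id and key from the Automation variables named above. The function name and the sample record are constructed for this example.

```powershell
# Added example, not part of the Runbook: sign and post one constructed record to the
# Azure Monitor HTTP Data Collector API as the custom log type mgmtGroupActivityLogs.
function Send-LogAnalyticsRecord {
    param(
        [Parameter(Mandatory)][string]$WorkspaceId,
        [Parameter(Mandatory)][string]$WorkspaceKey,   # workspace shared key (base64)
        [Parameter(Mandatory)][string]$LogType,
        [Parameter(Mandatory)][string]$JsonBody
    )
    $method        = 'POST'
    $contentType   = 'application/json'
    $resource      = '/api/logs'
    $rfc1123Date   = [DateTime]::UtcNow.ToString('r')
    $contentLength = [Text.Encoding]::UTF8.GetByteCount($JsonBody)
    # String to sign, in exactly the layout the Data Collector API verifies server-side.
    $stringToSign = "$method`n$contentLength`n$contentType`nx-ms-date:$rfc1123Date`n$resource"
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($WorkspaceKey)
    $signature = [Convert]::ToBase64String(
        $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign)))
    $headers = @{
        'Authorization'        = "SharedKey ${WorkspaceId}:${signature}"
        'Log-Type'             = $LogType
        'x-ms-date'            = $rfc1123Date
        'time-generated-field' = 'eventTimestamp'   # keep the event time, not ingestion time
    }
    $uri = "https://$WorkspaceId.ods.opinsights.azure.com$resource?api-version=2016-04-01"
    $response = Invoke-WebRequest -Uri $uri -Method $method -ContentType $contentType `
        -Headers $headers -Body $JsonBody -UseBasicParsing
    return $response.StatusCode   # 200 means the batch was accepted
}

# Secrets come from the Automation Account variables described above (store them encrypted).
$workspaceId  = Get-AutomationVariable -Name 'logAnalyticsWorkspaceId'
$workspaceKey = Get-AutomationVariable -Name 'logAnalyticsWorkspaceKey'

# Constructed sample record shaped like a Management Group Activity Log entry (placeholder values).
$record = ConvertTo-Json -InputObject @(
    @{
        eventTimestamp    = '2019-10-01T12:00:00.000Z'
        managementGroupId = 'mg-example'
        operationName     = 'Microsoft.Authorization/roleAssignments/write'
        status            = 'Succeeded'
        caller            = 'admin@example.com'
    }
) -Depth 5

Send-LogAnalyticsRecord -WorkspaceId $workspaceId -WorkspaceKey $workspaceKey `
    -LogType 'mgmtGroupActivityLogs' -JsonBody $record
```

Records sent this way appear in the workspace as the table mgmtGroupActivityLogs_CL, where they can be queried and alerted on like subscription Activity Logs.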