
How to Configure Azure Activity “Administrative” Logs on Azure Subscription using PowerShell?

Last Updated : 16 Oct, 2023

Azure Activity “Administrative” logs are a type of activity log that records events occurring in your Azure subscription. Once you enable and configure them, the Administrative logs are collected and stored in the Log Analytics workspace you specify (this is your log destination). You can then view and analyze these logs to track changes to your Azure resources and identify suspicious activity. In this article, we will use a PowerShell script, which is a flexible and scriptable way to configure and manage diagnostic settings.


Steps To Configure Azure Activity “Administrative” Logs on Azure Subscription using PowerShell:

Step 1: Open PowerShell on your Windows machine.

Step 2: Log in to your Azure account using the Connect-AzAccount cmdlet.

Connect-AzAccount


Step 3: Create a new file named newAzDiagnostics.ps1. Use the following command to create the PowerShell file:

New-Item newAzDiagnostics.ps1

Step 4: Open the file in an editor so that you can add the PowerShell script to it. The following command opens it in Visual Studio Code:

code .\newAzDiagnostics.ps1

Step 5: Add the following lines of code to the file, set the variable values according to your project setup, and save the changes.

# Set Log Analytics variables (the destination workspace)
$subLAW = "add workspace subscription name"
$rgLAW = "add workspace resource group name"
$LAWName = "add workspace name"

# Set variables for the target Azure subscription
$SubName = "add your target azure subscription name"
$DiagName = "add subscription diagnostics name"
$LogCategory = "Administrative"

# Switch to the workspace's subscription and look up the workspace resource ID
Set-AzContext -SubscriptionName $subLAW
$LAW = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rgLAW -Name $LAWName
$LAWResourceId = $LAW.ResourceId
$LAWResourceId

# Switch to the target subscription and build its resource ID
Set-AzContext -SubscriptionName "$SubName"
$SubId = (Get-AzSubscription -SubscriptionName "$SubName").Id
$SubResourceId = "/subscriptions/$SubId"
$SubResourceId

# Enable the Administrative category and send it to the workspace
$log = New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category $LogCategory
$log
New-AzDiagnosticSetting -Name $DiagName -ResourceId $SubResourceId -WorkspaceId $LAWResourceId -Log $log

Step 6: Run the file newAzDiagnostics.ps1:

.\newAzDiagnostics.ps1

This enables the Azure Activity “Administrative” log on your specified Azure Subscription. To verify the changes, navigate to Azure Subscription >> Click on Activity Logs >> select Export Diagnostics
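The same verification can be scripted. The following is an added example, not part of the original article: Test-AdministrativeLogExport is a hypothetical helper that classifies diagnostic-setting objects, and the sample objects are constructed. It assumes the objects expose Name, WorkspaceId and Log (Category, Enabled), as returned by the Az.Monitor version that provides New-AzDiagnosticSettingLogSettingsObject.

```powershell
# Added example: checks whether the "Administrative" category is exported to the expected workspace.
# Test-AdministrativeLogExport is a hypothetical helper, not an Az cmdlet.
function Test-AdministrativeLogExport {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionName,
        [Parameter(Mandatory)] [string] $ExpectedWorkspaceId,
        [object[]] $Settings = @()
    )
    # Settings in which the Administrative category is switched on
    $enabled = @($Settings | Where-Object {
        @($_.Log | Where-Object { $_.Category -eq 'Administrative' -and $_.Enabled }).Count -gt 0
    })
    # Of those, the ones that ship to the expected workspace (-eq ignores case, like Azure resource IDs)
    $toWorkspace = @($enabled | Where-Object { $_.WorkspaceId -eq $ExpectedWorkspaceId })

    if     ($toWorkspace.Count -gt 0) { $status = 'OK' }
    elseif ($enabled.Count -gt 0)     { $status = 'WrongDestination' }
    elseif ($Settings.Count -gt 0)    { $status = 'CategoryDisabled' }
    else                              { $status = 'NoDiagnosticSetting' }

    [pscustomobject]@{
        Subscription = $SubscriptionName
        Status       = $status
        Settings     = $Settings.Name -join ', '
    }
}

# Constructed sample data (placeholder IDs and names), shaped like diagnostic-setting objects
$law = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.OperationalInsights/workspaces/law-example'
$good = [pscustomobject]@{ Name = 'diag-admin'; WorkspaceId = $law
    Log = @([pscustomobject]@{ Category = 'Administrative'; Enabled = $true }) }
$off = [pscustomobject]@{ Name = 'diag-off'; WorkspaceId = $law
    Log = @([pscustomobject]@{ Category = 'Administrative'; Enabled = $false }) }
$elsewhere = [pscustomobject]@{ Name = 'diag-other'; WorkspaceId = "$law-other"
    Log = @([pscustomobject]@{ Category = 'Administrative'; Enabled = $true }) }

Test-AdministrativeLogExport -SubscriptionName 'sub-a' -ExpectedWorkspaceId $law -Settings $good
Test-AdministrativeLogExport -SubscriptionName 'sub-b' -ExpectedWorkspaceId $law -Settings $off
Test-AdministrativeLogExport -SubscriptionName 'sub-c' -ExpectedWorkspaceId $law -Settings $elsewhere
Test-AdministrativeLogExport -SubscriptionName 'sub-d' -ExpectedWorkspaceId $law -Settings @()

# Against a live tenant (after Connect-AzAccount), feed the real settings of each subscription:
# Get-AzSubscription | ForEach-Object {
#     $s = @(Get-AzDiagnosticSetting -ResourceId "/subscriptions/$($_.Id)")
#     Test-AdministrativeLogExport -SubscriptionName $_.Name -ExpectedWorkspaceId $LAWResourceId -Settings $s
# }
```

Any status other than OK marks a subscription whose administrative events are not reaching the workspace used for monitoring.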


FAQs on Azure Activity Administrative

1. Which Log Category should be enabled to capture Activity Logs?

The Administrative Log category should be enabled at the Azure Subscription level to capture the Azure Activity Logs.

2. What is the default retention period for Azure Activity Logs?

The default retention period for Azure Activity Logs is 90 days. Activity Logs will automatically delete events that are older than 90 days.

3. Can we store the Activity Log for a longer time?

Yes, we can increase the Activity Log retention period by storing logs in Azure Storage or a Log Analytics workspace. The pricing for stored logs is based on the volume of data that you store and the retention period.

