Skip to content
Related Articles

Related Articles

Improve Article
Save Article
Like Article

Microsoft Azure – Check Resource Owner in Azure using KQL

  • Last Updated : 29 Dec, 2021

In this article, we will see how we can find the creation date of resources by using the Kusto Query Language. Azure KQL Queries helps in finding the resource creation date, time, created user email,…etc.

Note: You cannot retrieve log data if it is more than 90 days using KQL. In this case store log data to a storage account to fetch the logs for beyond 90 days.

Prerequisites:

  • Log Analytics Workspace
  • Diagnostic Logs should be enabled for subscription and log analytics.

KQL Queries to check Resource Owner:

1. Find who created a specific resource in a specific resource group with Activity Status Succeeded.

AzureActivity
| where ResourceGroup == "Add_Resource_Group_Name" and Resource == "Add_Resource_Type"
| where ActivityStatus == "Succeeded" 
| project ResourceGroup, Resource, CreatedBy = Caller, CreationTime = TimeGenerated

This query returns the name of the resource group, resource name, caller (one who created), and creation time.

Sample Output:

 2. To find who created a specific resource in a specific resource group with Activity Status Succeeded by specific user email id use the below KQL query:

AzureActivity
| where ResourceGroup == "Add_Resource_Group_Name" and Resource == "Add_Resource_Type"
| where ActivityStatus == "Succeeded" 
| project ResourceGroup, Resource, CreatedBy = Caller, CreationTime = TimeGenerated
| where CreatedBy == "UserName@domain.com" 

This query returns the name of the resource group, resource name, the caller (specific user), and creation time.

Sample Output:

3. To find all the resources created with the service principal use the below query:

AzureActivity
| where ResourceGroup != "" and Resource != ""
| where ActivityStatus == "Succeeded" 
| where Caller !has "@" 
| project ResourceGroup, Resource, CreatedBy = Caller, CreationTime = TimeGenerated

This query returns the name of resource group, resource name, caller (puts service principal name) and creation time.

Sample Output:

My Personal Notes arrow_drop_up
Recommended Articles
Page :

Start Your Coding Journey Now!