Transparency logs (preview)
Important
This is a preview feature. This information relates to a prerelease feature that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
Governments across the world want to use the benefits of the hyperscale cloud but require assurances that Microsoft as their cloud provider handles data in a manner that respects their sovereignty requirements and also allows them to audit Microsoft engineers' access to their cloud resources.
To earn the trust of sovereign customers, Microsoft uses transparency logs to provide customers with visibility into occasions when Microsoft engineers accessed customer resources using the Just-In-Time access service. These transparency logs give sovereign customers visibility above and beyond what the Azure commercial cloud currently provides.
On rare occasions, Microsoft engineers need to directly access customer resources. The access is typically required in response to customer support requests. In such situations, Microsoft engineers can be granted temporary access with valid business justification. Along with providing details of the access to customer resources, the transparency logs also inform you when there's no access, which is the most likely case.
What you can do with transparency logs
Transparency logs provide details of when Microsoft engineers accessed your resources, to assist with sovereign compliance and other regulatory requirements. The logs help answer the following questions related to the accessed resources and the Microsoft engineers who accessed them:
Resource details:
- Which subscriptions were accessed?
- When did the access occur?
- On what Azure service did the access occur?
Microsoft engineer details:
- What is the role of the engineer who accessed the resource?
- What is the assigned office location of the engineer?
- How long did the engineer have access to the resource?
Details covered in transparency logs
The following screenshot shows session details of a support engineer's access to the Azure kubernetes service in the customer environment.
Transparency logs typically contain the following details:
- Tenant ID: Unique identifier of the tenant for which the report was generated.
- Tenant name: Name of the tenant for which the report was generated.
- Session date: Date and time the access was granted.
- Duration: Maximum duration of access.
- Management group ID: Management group ID that the subscription belongs to. The value of this field might be Not available in cases where this detail isn't available.
- Management group name: Management group name that the subscription belongs to. The value of this field might be Not available in cases where this detail isn't available.
- Subscription ID: Unique identifier of the subscription that was accessed.
- Engineer role: Customer Support Engineer or DevOps Engineer.
- Engineer location: Assigned office location of the engineer that requested access.
- Service name: Public name of the Azure service.
Scope of transparency logs
The transparency logs are scoped to Microsoft Azure Services and your Azure tenant. The logs provide access details by Microsoft engineers within 90 days of the report generation date. You'll receive the updated logs on the first Wednesday of every month.
The report doesn't contain details of a Microsoft engineer's access to the following resources and services:
- Hardware in the Azure data center. To learn about the access privileges for Microsoft data center engineers, see Service-management-and-service-teams.
- Microsoft 365 services
- Microsoft Dynamics 365 services
- Microsoft Power Platform
The report also doesn't contain information about the following accesses and requests:
- Access by the customer's engineers or other identities. See Entra sign-in logs.
- Government requests for data. For more information on how Microsoft responds to government requests for data, see Law Enforcement Requests Report.
Enablement
To request access to this preview feature, follow these instructions:
Important
You must have the global administrator role assigned and a valid email associated with your user account for us to onboard you.
- To request access, create a support case as shown in the following screenshot. Alternatively, you can select the support link to help fill out the information for you.
Select Next to view the Additional details page of the support request and answer a few questions.
Ensure that Allow collection of advanced diagnostic information? is enabled and set to Yes (Recommended). Otherwise, we won't be able to onboard you.
- Select Create from the Review + create page to create a new onboarding support request.
FAQs on transparency logs
1. What do transparency logs add to the observability capabilities that Microsoft already offers?
Transparency logs provide customers with visibility into the operational activities of Microsoft engineers to support customer service and service reliability issues, including a record of such accesses to their resources via the the Just-In-Time access service. The access records augment the information available in other logs, such as activity logs, resource logs, security event logs, Microsoft Entra logs, and Customer Lockbox for Azure logs.
2. Who are the intended customers and users?
Transparency logs support public sector and regulated industry organizations. These customers have strict requirements around auditability and access control.
3. What is the difference between transparency logs and Customer Lockbox for Azure?
Customer Lockbox for Azure is a paid service that provides an interface for customers to review and approve or reject requests from Microsoft engineers to access customer data and resources. Transparency logs are free to eligible customers. They cover customer support scenarios where Lockbox isn't used and operational situations where a service team engineer needs to access a customer resource.
4. Is every customer support case represented in the transparency logs?
No. Most customer support cases are resolved without the need for the engineer to directly access the customer resources. So, transparency log records aren't created.