Azure Monitor records management operations for your Azure resources through the activity log feature. The activity log records operations like creating a virtual machine, changing a key vault access policy, or Resource Manager deployment errors. These management operations are also called control plane operations. Use the activity log to review or audit this information, or create an alert to be proactively notified when an event occurs.
In contrast to the activity log, Azure resource logs capture data plane operations performed within a resource. For example, these operations include getting a secret from a key vault or making a request to a database. Resource logs aren't collected by default and require configuration with a diagnostic setting.
Activity log entries
Azure Monitor collects activity log entries by default with no required configuration. The system generates these entries, and you can't change or delete them. Entries typically result from changes (create, update, and delete operations) or an action being initiated. The activity log doesn't typically capture read operations.
Activity log entries are usually available for analysis and alerting within 3 to 20 minutes of the event occurring. For a description of activity log categories, see Azure activity log event schema.
Retention period
Azure retains activity log events for 90 days and then deletes them. You aren't charged for entries during this time, regardless of volume. For more functionality, such as longer retention, create a diagnostic setting and collect the entries in another location based on your needs. One of the most common reasons to extend the retention period is to preserve resource creator information, which is only available in the activity log.
View and retrieve the activity log
View activity log events for a subscription, resource group, or an individual resource. Use the Azure portal or programmatically query them by using the Activity Log REST API.
The Azure portal provides the Activity log blade from most service menus. Each of these areas also supports programmatic access with REST or through specific Azure CLI and Azure PowerShell commands.
Specify a time interval of events to retrieve. To retrieve events by using the REST API, you must include the $filter parameter along with at least an eventTimestamp start value. By default, the activity log retains events for 90 days. Make sure both the start and end of your time range fall within that 90-day window.
Activity log access scenarios
The following sections present common scenarios showing different ways to access and retrieve activity log events through the Azure portal, programmatically using Azure CLI and Azure PowerShell, or with REST calls:
- Azure portal samples provide extra context around what kind of events to expect in that view.
- Azure CLI samples highlight the specific commands available through the az monitor activity-log list command.
- Azure PowerShell samples highlight the options available through the Get-AzActivityLog cmdlet.
- REST API samples show how to retrieve events by using the required $filter parameter with the Activity Log REST API.
- The List activity log events for a resource group sample also demonstrates how to explicitly set a timeout for your client, by using the Prefer header, to match the activity log REST API's maximum timeout period of 75 seconds.
| Supported $filter patterns | Details |
|---|---|
| default subscription with a time range | $filter=eventTimestamp ge '{startTime}' and eventTimestamp le '{endTime}' |
| resource group | $filter=eventTimestamp ge '{startTime}' and eventTimestamp le '{endTime}' and resourceGroupName eq '{resourceGroupName}' |
| specific resource | $filter=eventTimestamp ge '{startTime}' and eventTimestamp le '{endTime}' and resourceUri eq '{resourceURI}' |
| resource provider | $filter=eventTimestamp ge '{startTime}' and eventTimestamp le '{endTime}' and resourceProvider eq '{resourceProviderName}' |
| correlation ID | $filter=eventTimestamp ge '{startTime}' and eventTimestamp le '{endTime}' and correlationId eq '{correlationID}' |
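The following added example (not part of the original page) builds the subscription-scope request from the patterns above: it checks the time range against the 90-day window, rejects values that would break out of the quoted filter literal, URL-encodes the $filter, and returns the Prefer header. The function names, the one-scoping-property limit, and the use of api-version 2015-04-01 for this scope are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote
from uuid import UUID

ARM_HOST = "https://management.azure.com"  # endpoint shown in the page's GET requests
API_VERSION = "2015-04-01"                 # value from the page's parameter table (assumed for this scope)
RETENTION = timedelta(days=90)             # platform retention stated on the page
MAX_WAIT = 75                              # upper bound for Prefer: wait=<seconds>
# Scoping properties that appear in the page's supported $filter patterns.
SCOPE_PROPERTIES = {"resourceGroupName", "resourceUri", "resourceProvider", "correlationId"}


def _utc(ts):
    """Format an aware datetime the way the page's samples do (UTC, 'Z' suffix)."""
    if ts.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_filter(start, end, now=None, **scope):
    """Return the $filter expression, or raise ValueError for a query that cannot work."""
    now = now or datetime.now(timezone.utc)
    start_s, end_s = _utc(start), _utc(end)
    if start >= end:
        raise ValueError("start must be earlier than end")
    if start < now - RETENTION:
        raise ValueError("start is older than the 90-day retention window")
    if len(scope) > 1:
        # Assumption: the page lists each pattern with a single scoping property.
        raise ValueError("use one scoping property per query")
    clauses = [f"eventTimestamp ge '{start_s}'", f"eventTimestamp le '{end_s}'"]
    for name, value in scope.items():
        if name not in SCOPE_PROPERTIES:
            raise ValueError(f"unsupported $filter property: {name}")
        if "'" in value:
            # A quote would end the string literal and change the meaning of the filter.
            raise ValueError(f"{name} must not contain a single quote")
        clauses.append(f"{name} eq '{value}'")
    return " and ".join(clauses)


def build_request(subscription_id, start, end, now=None, wait=MAX_WAIT, **scope):
    """Return (url, headers) for a subscription-scope activity log query."""
    sub = str(UUID(subscription_id))  # rejects anything that is not a GUID
    if not 1 <= wait <= MAX_WAIT:
        raise ValueError("Prefer: wait accepts at most 75 seconds")
    flt = build_filter(start, end, now=now, **scope)
    url = (f"{ARM_HOST}/subscriptions/{sub}/providers/Microsoft.Insights"
           f"/eventtypes/management/values?api-version={API_VERSION}"
           f"&$filter={quote(flt, safe='')}")
    return url, {"Prefer": f"wait={wait}"}


if __name__ == "__main__":
    fixed_now = datetime(2026, 4, 15, tzinfo=timezone.utc)  # fixed clock for a repeatable run
    request_url, request_headers = build_request(
        "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",
        datetime(2026, 4, 1, tzinfo=timezone.utc),
        datetime(2026, 4, 14, 23, 59, 59, tzinfo=timezone.utc),
        now=fixed_now,
        resourceGroupName="myResourceGroup",
    )
    print(request_url)
    print(request_headers)
```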
List activity log events for a subscription
Subscription-level events capture events created directly by resource providers, and the subscription is the default scope for listing activity log events. Tenant-level and management group-level events capture only Azure Resource Manager events in those hierarchies. These higher-level scopes don't include events generated directly by resource providers outside of Azure Resource Manager operations.
The following example retrieves activity log events for a subscription during a specific time range.
The menu you open Activity log from determines its initial filter. If you open it from the Monitor menu, the only filter selected by default is the subscription. This is the same as opening it from Subscriptions > select subscription > Activity Log.
Use the az monitor activity-log list Azure CLI command to retrieve activity log events for a subscription over a specified time range. By default, this command retrieves events for the subscription currently set in your Azure CLI context. To explicitly specify a subscription, use the --subscription parameter as shown in the examples below.
Explicit time range:
Azure CLI supports the same kind of explicit time range as REST by using --start-time and --end-time:
subscriptionId="aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"
startTime="2026-04-01T00:00:00Z"
endTime="2026-04-14T23:59:59Z"
az monitor activity-log list \
--subscription "$subscriptionId" \
--start-time "$startTime" \
--end-time "$endTime"
Relative time range:
Azure CLI also supports relative time ranges by using --offset. For example, --offset 14d returns events from the last 14 days:
subscriptionId="aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"
offset="14d"
az monitor activity-log list \
--subscription "$subscriptionId" \
--offset "$offset"
Note
Azure CLI commands use the Azure Resource Manager endpoint from the current CLI context, so management.azure.com doesn't need to be specified in the command syntax.
Azure PowerShell provides the Get-AzActivityLog cmdlet to retrieve activity log events for a subscription over a specified time range.
Explicit time range:
Azure PowerShell supports specifying an exact time range by using StartTime and EndTime, similar to REST:
$subscriptionId = "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"
$startTime = [datetime]"2026-04-01T00:00:00Z"
$endTime = [datetime]"2026-04-14T23:59:59Z"
Set-AzContext -Subscription $subscriptionId
$getAzActivityLogParams = @{
StartTime = $startTime
EndTime = $endTime
}
Get-AzActivityLog @getAzActivityLogParams
Relative time range:
Azure PowerShell also supports querying a relative time range by using Get-Date expressions for StartTime and EndTime. The following example returns events from the last 14 days, ending at the time the command runs:
$subscriptionId = "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"
$lookbackDays = 14
Set-AzContext -Subscription $subscriptionId
$getAzActivityLogParams = @{
StartTime = (Get-Date).AddDays(-$lookbackDays)
EndTime = Get-Date
}
Get-AzActivityLog @getAzActivityLogParams
Note
Azure PowerShell cmdlets use the Azure Resource Manager endpoint from the current Az context, so management.azure.com doesn’t need to be specified in the cmdlet syntax.
To list activity log events, use this GET request for the Activity Log REST API.
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Insights/eventtypes/management/values?api-version={apiVersion}&$filter=eventTimestamp ge '{startTime}' and eventTimestamp le '{endTime}'
List activity log events for a resource group
Add resourceGroupName to the $filter to scope Azure Monitor activity log results to a specific resource group.
The menu you open Activity log from determines its initial filter. If you open it from a resource's menu, the filter is set to that resource. Select Add Filter to add more properties to the filter. Here are the other properties you can filter by in the portal:
- Resource - Items that are part of your Azure solution, such as a database or virtual machine.
- Resource type - The category to which a resource belongs, such as virtual machines, web apps, or databases.
- Operation - An action or command, such as create, delete, and write, that affects Azure Resource Manager resources.
- Event initiated by - Filter events by the identity that initiated the event.
- Event category - Filter the event types for certain operations.
Note
The REST header Prefer: wait=75 doesn't have a direct equivalent in the Azure CLI command for this operation. This command issues the query directly and returns the matching Activity Log records.
Use the az monitor activity-log list command to retrieve activity log events scoped to a resource group. Specific Azure CLI commands reduce the complexity of the equivalent REST API call.
subscriptionId="aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"
resourceGroupName="myResourceGroup"
offset="30d"
az monitor activity-log list \
--subscription "$subscriptionId" \
--resource-group "$resourceGroupName" \
--offset "$offset"
Note
Azure CLI commands use the Azure Resource Manager endpoint from the current CLI context, so management.azure.com doesn't need to be specified in the command syntax.
Note
The REST header Prefer: wait=75 doesn't have a direct equivalent in the Azure PowerShell cmdlet for this operation. This command issues the query directly and returns the matching Activity Log records.
Azure PowerShell provides the Get-AzActivityLog cmdlet to retrieve activity log events scoped to a resource group over a relative time range.
$subscriptionId = "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"
$resourceGroupName = "myResourceGroup"
$lookbackDays = 30
Set-AzContext -Subscription $subscriptionId
$getAzActivityLogParams = @{
ResourceGroupName = $resourceGroupName
StartTime = (Get-Date).AddDays(-$lookbackDays)
EndTime = Get-Date
}
Get-AzActivityLog @getAzActivityLogParams
Note
Azure PowerShell cmdlets use the Azure Resource Manager endpoint from the current Az context, so management.azure.com doesn’t need to be specified in the cmdlet syntax.
To list activity log events scoped to a resource group using the Azure Resource Manager REST API, use a GET request with a $filter that includes both the time range and the resourceGroupName property. Optionally, include the Prefer header to set a timeout for the request (maximum wait time of 75 seconds).
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Insights/eventtypes/management/values?api-version={apiVersion}&$filter=eventTimestamp ge '{startTime}' and eventTimestamp le '{endTime}' and resourceGroupName eq '{resourceGroupName}'
Prefer: wait=75
Return specific activity log properties
Use a parameter to return only specified properties, which reduces the response payload size. For more information, see Activity log schema property descriptions.
The Azure portal doesn't provide a way to limit the properties returned from activity log events directly. To reduce the amount of data viewed, use the Edit columns option in the Activity log blade to select which columns are displayed in the portal view.
Use the az monitor activity-log list command with the --select parameter to specify which properties to return from activity log events.
Use the --max-events parameter of az monitor activity-log list to limit the number of records returned.
subscriptionId="aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"
offset="30d"
maxEvents=100
selectFields=(
eventName
operationName
status
eventTimestamp
correlationId
submissionTimestamp
level
)
az monitor activity-log list \
--subscription "$subscriptionId" \
--offset "$offset" \
--max-events "$maxEvents" \
--select "${selectFields[@]}"
Limit the properties returned from activity log events in Azure PowerShell by piping the results of Get-AzActivityLog to Select-Object and specifying the properties you want returned. This doesn't reduce the API response size since Select-Object only filters the properties in the output that PowerShell displays.
Use the -MaxRecord parameter of Get-AzActivityLog to limit the number of records returned.
$subscriptionId = "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"
$lookbackDays = 30
$maxRecord = 100
$selectProperties = @(
"EventName"
"OperationName"
"Status"
"EventTimestamp"
"CorrelationId"
"SubmissionTimestamp"
"Level"
)
Set-AzContext -Subscription $subscriptionId
$activityLogParams = @{
StartTime = (Get-Date).AddDays(-$lookbackDays)
EndTime = Get-Date
MaxRecord = $maxRecord
}
Get-AzActivityLog @activityLogParams |
Select-Object -Property $selectProperties
To list activity log events with only specific properties returned using the Azure Resource Manager REST API, include the $select query parameter in the GET request with a comma-separated list of the properties you want returned.
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Insights/eventtypes/management/values?api-version={apiVersion}&$filter=eventTimestamp ge '{startTime}' and eventTimestamp le '{endTime}'&$select=eventName,operationName,status,eventTimestamp,correlationId,submissionTimestamp,level
List tenant-level activity log events
Tenant-level activity log events typically have limited entries but might include important events such as management group or subscription creation. These events are separate from subscription-level activity log events, but might contain duplicate resource management events.
Querying at this scope uses a different REST API than the subscription-level activity log events API. Azure CLI and Azure PowerShell don't provide dedicated commands.
Go to Monitor > Activity log in the Azure portal. In the Activity drop-down menu, select Directory Activity.
A dedicated Azure CLI command isn't available for tenant-level activity log events. The following example calls the REST API directly by using az rest:
apiVersion="2015-04-01"
startTime="2026-04-01T00:00:00Z"
endTime="2026-04-30T23:59:59Z"
providers="Microsoft.Insights/eventtypes/management/values"
resourceId="/providers/$providers"
filter="eventTimestamp ge '$startTime' and eventTimestamp le '$endTime'"
az rest \
--method get \
--uri "$resourceId?api-version=$apiVersion&\$filter=$filter"
A dedicated PowerShell cmdlet isn't available for tenant-level activity log events. The following example calls the REST API directly by using Invoke-AzRestMethod:
$apiVersion = "2015-04-01"
$startTime = "2026-04-01T00:00:00Z"
$endTime = "2026-04-30T23:59:59Z"
$providers = "Microsoft.Insights/eventtypes/management/values"
$resourceId = "/providers/$providers"
$filter = "eventTimestamp ge '$startTime' and eventTimestamp le '$endTime'"
$invokeAzRestMethodParams = @{
# Braces keep PowerShell from reading "?api" as part of the variable name.
Path = "${resourceId}?api-version=$apiVersion&`$filter=$filter"
Method = "GET"
}
Invoke-AzRestMethod @invokeAzRestMethodParams
To list tenant-level activity log events, use this GET request. Note that this request targets the tenant-level activity log endpoint, which is different from the subscription-level activity log API.
GET https://management.azure.com/providers/Microsoft.Insights/eventtypes/management/values?api-version={apiVersion}&$filter=eventTimestamp ge '{startTime}' and eventTimestamp le '{endTime}'
List management group-level activity log events
Management group-level activity log events capture events scoped to a specific management group, such as policy assignments and management group membership changes.
Note
The following examples use the 2017-03-01-preview API version, which is required for management group-level activity log queries.
To view management group-level activity log events in the Azure portal, go to Management groups > select a management group > Activity log.
To list management group-level activity log events, use the az rest Azure CLI command. This command calls the Azure Resource Manager REST API directly to retrieve activity log events scoped to the specified management group.
apiVersion="2017-03-01-preview"
managementGroupId="myManagementGroup"
startTime="2026-04-01T00:00:00Z"
endTime="2026-04-30T23:59:59Z"
providers="Microsoft.Insights/eventtypes/management/values"
resourceId="/providers/Microsoft.Management/managementGroups/$managementGroupId/providers/$providers"
filter="eventTimestamp ge '$startTime' and eventTimestamp le '$endTime'"
az rest \
--method get \
--url "$resourceId?api-version=$apiVersion&\$filter=$filter"
A dedicated PowerShell cmdlet isn't available for management group-level activity log events. The following example calls the REST API directly by using Invoke-AzRestMethod.
$apiVersion = "2017-03-01-preview"
$managementGroupId = "myManagementGroup"
$startTime = "2026-04-01T00:00:00Z"
$endTime = "2026-04-30T23:59:59Z"
$providers = "Microsoft.Insights/eventtypes/management/values"
$resourceId = "/providers/Microsoft.Management/managementGroups/$managementGroupId/providers/$providers"
$filter = "eventTimestamp ge '$startTime' and eventTimestamp le '$endTime'"
$invokeAzRestMethodParams = @{
Method = "GET"
# Braces keep PowerShell from reading "?api" as part of the variable name.
Path = "${resourceId}?api-version=$apiVersion&`$filter=$filter"
}
Invoke-AzRestMethod @invokeAzRestMethodParams
To list management group-level activity log events, use this GET request against the Azure Resource Manager REST API. Replace {managementGroupId} with the ID of the management group you want to query, and specify the time range in the $filter query parameter.
GET https://management.azure.com/providers/Microsoft.Management/managementGroups/{managementGroupId}/providers/Microsoft.Insights/eventtypes/management/values?api-version={apiVersion}&$filter=eventTimestamp ge '{startTime}' and eventTimestamp le '{endTime}'
The following table describes the parameters used in the preceding examples.
| Variable | Example value | Purpose |
|---|---|---|
| host | management.azure.com | Implicit ARM endpoint |
| subscriptionId | aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e | User input |
| resourceGroupName | myResourceGroup | User input |
| managementGroupId | myManagementGroup | User input |
| apiVersion | 2015-04-01; 2017-03-01-preview (for management group-level) | Reference |
View change history
For some events, you can view the change history, which shows what changes happened during that event time. Select an event from the activity log that you want to look at more deeply. Select the Change history tab to view any changes on the resource up to 30 minutes before and after the time of the operation.
If any changes are associated with the event, the portal shows you a selectable list of changes. Selecting a change opens the Change history page. This page displays the changes to the resource.
The following example shows that the VM changed sizes. The page displays the VM size before the change and after the change. To learn more about change history, see Get resource changes.
Activity log insights
Activity log insights is an Azure Monitor workbook that provides a set of dashboards that monitor the changes to resources and resource groups in a subscription. The dashboards also present data about which users or services performed activities in the subscription and the activities' status.
To enable activity log insights, export the activity log to a Log Analytics workspace as described in Export activity log. This process sends events to the AzureActivity table, which activity log insights uses.
You can open activity log insights at the subscription or resource level. For the subscription, select Activity Logs Insights from the Workbooks section of the Monitor menu.
For an individual resource, select Activity Logs Insights from the Workbooks section of the resource's menu.
Export activity log
Create a diagnostic setting to send activity log entries to other destinations for extra retention time and functionality.
In the Azure portal, select Activity log on the Azure Monitor menu and then select Export Activity Logs. For more information and other methods for creating diagnostic settings, see Diagnostic settings in Azure Monitor. Make sure you disable any legacy configuration for the activity log.
The following sections provide details on each configurable destination for resource logs.
Send the activity log to a Log Analytics workspace for the following functionality:
There are no data ingestion charges for activity logs. Retention charges for activity logs apply only to the period extended past the default retention period of 90 days. You can increase the retention period to up to 12 years.
Activity log data in a Log Analytics workspace is stored in a table called AzureActivity. The structure of this table varies depending on the category of the log entry.
For example, to view a count of activity log records for each category, use the following query:
AzureActivity
| summarize count() by CategoryValue
To retrieve all records in the administrative category, use the following query:
AzureActivity
| where CategoryValue == "Administrative"
Important
In some scenarios, values in fields of AzureActivity might have different case from otherwise equivalent values. When querying data in AzureActivity, use case-insensitive operators for string comparisons, or use a scalar function to force a field to a uniform casing before any comparisons. For example, use the tolower() function on a field to force it to always be lowercase or the =~ operator when performing a string comparison.
Send the activity log to Azure Event Hubs to send entries outside of Azure, for example, to a third-party SIEM or other log analysis solutions. Activity log events from event hubs are consumed in JSON format with a records element that contains the records in each payload. The schema depends on the category and is described in Azure activity log event schema.
The following sample output data is from event hubs for an activity log:
{
"records": [
{
"time": "2019-01-21T22:14:26.9792776Z",
"resourceId": "/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841",
"operationName": "microsoft.support/supporttickets/write",
"category": "Write",
"resultType": "Success",
"resultSignature": "Succeeded.Created",
"durationMs": 2826,
"callerIpAddress": "111.111.111.11",
"correlationId": "aaaa0000-bb11-2222-33cc-444444dddddd",
"identity": {
"authorization": {
"scope": "/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841",
"action": "microsoft.support/supporttickets/write",
"evidence": {
"role": "Subscription Admin"
}
},
"claims": {
"aud": "https://management.core.windows.net/",
"iss": "https://sts.windows.net/aaaabbbb-0000-cccc-1111-dddd2222eeee/",
"iat": "1421876371",
"nbf": "1421876371",
"exp": "1421880271",
"ver": "1.0",
"http://schemas.microsoft.com/identity/claims/tenantid": "aaaabbbb-0000-cccc-1111-dddd2222eeee",
"http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "aaaa0000-bb11-2222-33cc-444444dddddd",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "admin@contoso.com",
"puid": "1003BFFD8EC002D4",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Smith",
"name": "John Smith",
"groups": "bbbb1111-cc22-3333-44dd-555555eeeeee,aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb,cccc2222-dd33-4444-55ee-666666ffffff",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": " admin@contoso.com",
"appid": "00001111-aaaa-2222-bbbb-3333cccc4444",
"appidacr": "2",
"http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
"http://schemas.microsoft.com/claims/authnclassreference": "1"
}
},
"level": "Information",
"location": "global",
"properties": {
"statusCode": "Created",
"serviceRequestId": "bbbbbbbb-1111-2222-3333-cccccccccccc"
}
}
]
}
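The following added example (not part of the original page) shows how a consumer on the SIEM side might reduce each entry in the records element to the fields an analyst pivots on: who called, from where, what operation, and with what result. The claim names come from the sample above; the function names, the fallback from UPN to appid, the list of suffixes treated as changes, and the second and third sample records are assumptions constructed for the example. Values are lower-cased because casing can differ between otherwise equal values.

```python
import json

# Claim names as they appear in the page's Event Hubs sample.
CLAIM_UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
CLAIM_OBJECT_ID = "http://schemas.microsoft.com/identity/claims/objectidentifier"
CHANGE_SUFFIXES = ("/write", "/delete", "/action")  # assumption: operations treated as changes


def _dict(value):
    """Treat a missing or non-object field as empty; not every category carries identity."""
    return value if isinstance(value, dict) else {}


def _norm(value):
    """Lower-case and trim so equal values compare equal regardless of casing."""
    return str(value).strip().lower() if value is not None else ""


def summarize(record):
    """Flatten one activity log record into a who/what/where/result summary."""
    identity = _dict(record.get("identity"))
    claims = _dict(identity.get("claims"))
    evidence = _dict(_dict(identity.get("authorization")).get("evidence"))
    operation = _norm(record.get("operationName"))
    return {
        "time": record.get("time"),
        "operation": operation,
        "is_change": operation.endswith(CHANGE_SUFFIXES),
        "result": _norm(record.get("resultType")),
        "resource_id": _norm(record.get("resourceId")),
        # Assumption: fall back to the application ID when no UPN claim is present.
        "caller": _norm(claims.get(CLAIM_UPN)) or _norm(claims.get("appid")),
        "caller_object_id": _norm(claims.get(CLAIM_OBJECT_ID)),
        "caller_ip": record.get("callerIpAddress"),
        "role": evidence.get("role"),
        "correlation_id": _norm(record.get("correlationId")),
    }


def parse_payload(body):
    """Parse one Event Hubs message body and summarize every record in it."""
    payload = json.loads(body)
    records = payload.get("records") if isinstance(payload, dict) else None
    if not isinstance(records, list):
        raise ValueError("payload has no 'records' array")
    return [summarize(r) for r in records if isinstance(r, dict)]


def changes_by_caller(summaries):
    """Group successful change operations by caller for review."""
    grouped = {}
    for s in summaries:
        if s["is_change"] and s["result"] == "success":
            grouped.setdefault(s["caller"] or "<no identity>", []).append(s["operation"])
    return grouped


# Constructed payload: record 1 is trimmed from the page's sample, 2 and 3 are made up.
SAMPLE_PAYLOAD = json.dumps({"records": [
    {"time": "2019-01-21T22:14:26.9792776Z",
     "operationName": "microsoft.support/supporttickets/write",
     "resultType": "Success", "callerIpAddress": "111.111.111.11",
     "correlationId": "aaaa0000-bb11-2222-33cc-444444dddddd",
     "resourceId": "/subscriptions/s1/resourceGroups/MSSupportGroup",
     "identity": {"authorization": {"evidence": {"role": "Subscription Admin"}},
                  "claims": {CLAIM_UPN: " Admin@contoso.com",
                             "appid": "00001111-aaaa-2222-bbbb-3333cccc4444"}}},
    {"time": "2020-06-12T13:07:46.766Z",
     "operationName": "Microsoft.Resourcehealth/healthevent/Updated/action",
     "resultType": "Updated", "category": "ResourceHealth"},
    {"time": "2020-06-12T14:00:00.000Z",
     "operationName": "Microsoft.KeyVault/vaults/delete", "resultType": "success",
     "identity": {"claims": {"appid": "00001111-AAAA-2222-BBBB-3333CCCC4444"}}},
]})

if __name__ == "__main__":
    for caller, operations in changes_by_caller(parse_payload(SAMPLE_PAYLOAD)).items():
        print(caller, operations)
```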
Send the activity log to an Azure Storage account if you want to retain your log data longer than 90 days for audit, static analysis, or backup. If you need to retain your events for 90 days or less, you don't need to set up archival to a storage account.
When you send the activity log to storage, a storage container is created in the storage account as soon as an event occurs. The blobs in the container use the following naming convention:
insights-activity-logs/resourceId=/SUBSCRIPTIONS/{subscription ID}/y={four-digit numeric year}/m={two-digit numeric month}/d={two-digit numeric day}/h={two-digit 24-hour clock hour}/m=00/PT1H.json
For example, a particular blob might have a name similar to:
insights-activity-logs/resourceId=/SUBSCRIPTIONS/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/y=2020/m=06/d=08/h=18/m=00/PT1H.json
Each PT1H.json blob contains a JSON object with events from log files that were received during the hour specified in the blob URL. During the present hour, events are appended to the PT1H.json file as they're received, regardless of when they were generated. The minute value in the URL, m=00, is always 00 because blobs are created on a per-hour basis.
Each event is stored in the PT1H.json file with the following format. This format uses a common top-level schema but is otherwise unique for each category, as described in Activity log schema.
{ "time": "2020-06-12T13:07:46.766Z", "resourceId": "/SUBSCRIPTIONS/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/RESOURCEGROUPS/MY-RESOURCE-GROUP/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/MV-VM-01", "correlationId": "bbbb1111-cc22-3333-44dd-555555eeeeee", "operationName": "Microsoft.Resourcehealth/healthevent/Updated/action", "level": "Information", "resultType": "Updated", "category": "ResourceHealth", "properties": {"eventCategory":"ResourceHealth","eventProperties":{"title":"This virtual machine is starting as requested by an authorized user or process. It will be online shortly.","details":"VirtualMachineStartInitiatedByControlPlane","currentHealthStatus":"Unknown","previousHealthStatus":"Unknown","type":"Downtime","cause":"UserInitiated"}}}
Export management group activity logs
When you create a diagnostic setting for a management group, it exports Azure Monitor activity log events for that management group in addition to all management groups under it in the hierarchy. If multiple management groups in the hierarchy have diagnostic settings, you receive duplicate events. You only need a diagnostic setting on the highest level management group to capture all events for the hierarchy.
The management group also collects many of the same events as any subscriptions under it. If the subscription and management group both have diagnostic settings, you receive duplicate events. Azure Resource Manager includes a hierarchy property when writing events, but it's not a required field. Resource providers outside Azure Resource Manager don't populate it, so their events don't propagate up the hierarchy. Because of this, getting duplicate events is better than missing events.
For example, if you have MG1 which contains MG2 which contains Subscription1, a diagnostic setting on MG1 captures all activity log events for MG1, MG2, and many of the events collected by a diagnostic setting on Subscription1. In this case, no diagnostic setting is needed on MG2 since it would just collect duplicate events.
If you have duplicate events, combine them by using a query that uses a hash of all fields to identify unique records. The following example Kusto query shows a sample for logs collected in a Log Analytics workspace:
AzureActivity
| extend Hash = hash(dynamic_to_json(pack_all()))
| summarize arg_max(TimeGenerated, *) by Hash
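The following added example (not part of the original page) applies the storage naming convention and the hash-based deduplication above to archived blobs. It lists the PT1H.json blobs that cover an investigation window, then merges events from several exports while dropping records whose fields are all identical. The function names, the one-hour padding for events received after they were generated, the one-JSON-object-per-line layout, and the sample records are assumptions of the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone


def blob_names(subscription_id, start, end, pad_hours=1):
    """Blob names, per the page's naming convention, for every hour touching the window.

    Blobs are keyed by the hour an event was received, so the window is padded
    past `end` to catch events that were generated in it but arrived later.
    """
    if start > end:
        raise ValueError("start must not be later than end")
    hour = start.astimezone(timezone.utc).replace(minute=0, second=0, microsecond=0)
    last = end.astimezone(timezone.utc) + timedelta(hours=pad_hours)
    names = []
    while hour <= last:
        names.append(
            "insights-activity-logs/resourceId=/SUBSCRIPTIONS/"
            f"{subscription_id}/y={hour:%Y}/m={hour:%m}/d={hour:%d}/h={hour:%H}/m=00/PT1H.json"
        )
        hour += timedelta(hours=1)
    return names


def record_hash(record):
    """Hash all fields of a record; sorted keys make the hash independent of key order."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def merge_exports(*blob_texts):
    """Merge blob contents (one JSON object per line) and drop exact duplicates."""
    unique = {}
    for text in blob_texts:
        for line in text.splitlines():
            line = line.strip()
            if not line:
                continue
            record = json.loads(line)
            unique.setdefault(record_hash(record), record)
    return sorted(unique.values(), key=lambda r: r.get("time", ""))


# Constructed sample records, shaped like the page's PT1H.json event.
_EVENT_A = {"time": "2020-06-08T18:40:00.000Z", "category": "Administrative",
            "operationName": "Microsoft.Compute/virtualMachines/write",
            "correlationId": "bbbb1111-cc22-3333-44dd-555555eeeeee"}
_EVENT_B = {"time": "2020-06-08T18:05:00.000Z", "category": "Policy",
            "operationName": "Microsoft.Authorization/policies/audit/action",
            "correlationId": "aaaa0000-bb11-2222-33cc-444444dddddd"}

# The subscription export holds both events; the management group export repeats
# event A with its keys in a different order, followed by a blank line.
EXPORT_SUBSCRIPTION = json.dumps(_EVENT_A) + "\n" + json.dumps(_EVENT_B) + "\n"
EXPORT_MANAGEMENT_GROUP = json.dumps(dict(reversed(list(_EVENT_A.items())))) + "\n\n"

if __name__ == "__main__":
    window_start = datetime(2020, 6, 8, 18, 30, tzinfo=timezone.utc)
    window_end = datetime(2020, 6, 8, 19, 10, tzinfo=timezone.utc)
    for name in blob_names("aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e", window_start, window_end):
        print(name)
    for event in merge_exports(EXPORT_SUBSCRIPTION, EXPORT_MANAGEMENT_GROUP):
        print(event["time"], event["operationName"])
```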
Export the activity log to a file
Select Download as CSV to export the activity log to a CSV file in the Azure portal.
Important
Exporting a large number of log entries can take a long time. To improve performance, reduce the time range of the export. In the Azure portal, set the Timespan setting.
You can export the activity log programmatically by using Azure CLI.
subscriptionId="aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"
startTime="2026-04-01T00:00:00Z"
endTime="2026-04-14T23:59:59Z"
maxItems=1000
outputFile="./activity-log.json"
az monitor activity-log list \
--subscription "$subscriptionId" \
--start-time "$startTime" \
--end-time "$endTime" \
--max-items "$maxItems" \
> "$outputFile"
You can export the activity log programmatically by using Azure PowerShell.
$subscriptionId = "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"
$startTime = "2026-04-01T00:00:00Z"
$endTime = "2026-04-14T23:59:59Z"
$outputFile = "./activity-log.csv"
Set-AzContext -SubscriptionId $subscriptionId
$getAzActivityLogParams = @{
StartTime = $startTime
EndTime = $endTime
}
Get-AzActivityLog @getAzActivityLogParams |
Export-Csv -Path $outputFile -NoTypeInformation
The following example PowerShell script exports the activity log to CSV files in one-hour intervals, each saved to a separate file.
# Parameters
$subscriptionId = "Subscription ID here" # Replace with your subscription ID
$startTime = [datetime]"2025-05-08T00:00:00" # Adjust as needed
$endTime = [datetime]"2025-05-08T12:00:00" # Adjust as needed
$outputFolder = "\Logs" # Change path as needed
# Ensure output folder exists
if (-not (Test-Path $outputFolder)) {
New-Item -Path $outputFolder -ItemType Directory
}
# Set subscription context
Set-AzContext -SubscriptionId $subscriptionId
# Loop through 1-hour intervals
$currentStart = $startTime
while ($currentStart -lt $endTime) {
$currentEnd = $currentStart.AddHours(1)
$timestamp = $currentStart.ToString("yyyyMMdd-HHmm")
$csvFile = Join-Path $outputFolder "ActivityLog_$timestamp.csv"
Write-Host "Fetching logs from $currentStart to $currentEnd..."
Get-AzActivityLog -StartTime $currentStart -EndTime $currentEnd |
Export-Csv -Path $csvFile -NoTypeInformation
$currentStart = $currentEnd
}
Write-Host "Export completed. Files saved to $outputFolder."
Identify resource creation
Use the activity log to find out when the system created a resource and who created it. The activity log is the only place that stores the creator of a resource. Because the activity log only retains data for 90 days by default, you must export the logs to a location that allows you to extend the retention period, like a Log Analytics workspace. Then find the creator of a resource by querying the AzureActivity table. The data is retained for the duration you specified in the retention period for this table.